Searching Events

Use the search tokens below to search in the Events tab under Monitor.

name

Use quotes or backticks within values to help you find all events that have the specified name.

Search for events by specifying the name. Choose a value from: UserLoggedIn, Update application, Set domain authentication, Set federation settings on domain, Update application - Certificates and secrets management, Update service Principal, Add service principal credentials, Add app role assignment grant to user, Add app role assignment to service principal, Consent to application, UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed, FileAccessed, FileAccessedExtended

Example

Show events that have the name UserLoggedIn

name:"UserLoggedIn"

connector.id

Search for a connector by specifying the unique ID that identifies it.

Example

Show the connector that has the ID 100

connector.id:100

connector.type

Search for connectors by specifying the connector type. Choose a value from: OFFICE365, GOOGLE WORKSPACE, SALESFORCE

Example

Show all connectors of the type OFFICE365

connector.type:OFFICE365

type

Search for events by specifying the event type. Choose a value from: SettingsChange, PermissionChange, SAMLTokenAnomaly, PowershellMailboxLogin, AADPowershellLogin, AADExchangeOnlinePowershellLogin, WinRMLogin, NonMicrosoftAppMailItemAccess, NonMicrosoftAppFileAccess

Example

Show all events of the type PermissionChange

type:"PermissionChange"

category

Search for events based on the event category. Choose a value from: Domain, Application, ServicePrincipal, SAMLToken, User, Powershell, Mailbox, WinRM, File

Example

Show all events of the category ServicePrincipal

category:"ServicePrincipal"

serviceType

Search for events based on the type of the service. Choose a value from: AzureActiveDirectory, ExchangeOnline, OneDrive

Example

Show all events of the service type AzureActiveDirectory

serviceType:"AzureActiveDirectory"

actionDetail.result

Search for events based on the action result (actionDetail.result). Choose a value from: Success, Fail

Example

Show all events with the result Success

actionDetail.result:"Success"

actor.id

Search for events that have a specific actor ID.

Example

Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f

actor.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"

actor.email

Search for events by specifying the actor's email address.

Example

Show all events whose actor has the email address testprod@qualyssscmsdev.com

actor.email:"testprod@qualyssscmsdev.com"

actor.type

Search for events based on the type of actor. Choose a value from: User, ServicePrincipal, Application

Example

Show all events of the actor type User

actor.type:"User"

origin.ip

Search for events that have a specific origin IP.

Example

Show all events that have origin IP 40.79.154.194

origin.ip:"40.79.154.194"

origin.userAgent

Search for events that have a specific origin user agent.

Example

Show all events that have the origin user agent EvoSTS

origin.userAgent:"EvoSTS"

actionDetail.modifiedResources.resourceId

Search for events that have a specific resource ID.

Example

Show all events that have the resource ID 05e394a6-3d79-483b-abf2-5f39c5787196

actionDetail.modifiedResources.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"

actionDetail.modifiedResources.resourceName

Search for events that have a specific resource name.

Example

Show all events that have the resource name Microsoft Graph

actionDetail.modifiedResources.resourceName:"Microsoft Graph"