Use the following search tokens to search in the Events tab under Monitor.
and
Use a boolean query to express your query using
AND logic.
Example
Show events with connector type GSUITE and access type Domain
connector.type: "GSUITE" and accessType: "Domain"
not
Use a boolean query to express your query using
NOT logic.
Example
Show events that have connector type OFFICE365 but not access type External
connector.type: "OFFICE365" not accessType: "External"
or
Use a boolean query to express your query using
OR logic.
Example
Show events with one of these access types
accessType: "Domain" or accessType: "External"
name
Search for events by specifying the event name. Enclose the value in
quotes or backticks so that the full name, including any spaces, is
matched. Choose values from:
UserLoggedIn, Update application, Set domain authentication, Set
federation settings on domain, Update application - Certificates
and secrets management, Update service Principal, Add service
principal credentials, Add app role assignment grant to user,
Add app role assignment to service principal, Consent to application,
UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed,
FileAccessed, FileAccessedExtended
Example
Show events that have name as UserLoggedIn
name:"UserLoggedIn"
connector.id
Search for events by the unique ID assigned to the connector.
Example
Show events from the connector with ID 100
connector.id:100
connector.type
Search for events by specifying the connector type. Choose a
value from: OFFICE365, GSUITE, SALESFORCE
Example
Show all connectors of the type OFFICE365
connector.type:OFFICE365
type
Search for events by specifying the event type. Choose a value
from: SettingsChange, PermissionChange, SAMLTokenAnomaly, PowershellMailboxLogin,
AADPowershellLogin, AADExchangeOnlinePowershellLogin, WinRMLogin,
NonMicrosoftAppMailItemAccess, NonMicrosoftAppFileAccess
Example
Show all events of the type PermissionChange
type:"PermissionChange"
category
Search for events based on the event category. Choose a value
from: Domain, Application, ServicePrincipal, SAMLToken, User,
Powershell, Mailbox, WinRM, File
Example
Show all events of the category ServicePrincipal
category:"ServicePrincipal"
serviceType
Search for events based on the type of service. Choose a
value from: AzureActiveDirectory, ExchangeOnline, OneDrive
Example
Show all events of the service type AzureActiveDirectory
serviceType:"AzureActiveDirectory"
actionDetail.result
Search for events based on the result of the action. Choose a
value from: Success, Fail
Example
Show all events with the result Success
actionDetail.result:"Success"
actor.id
Search for events that have a specific actor ID.
Example
Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f
actor.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"
actor.email
Search for events by specifying the actor's email address.
Example
Show all events performed by the user with email address testprod@qualyssscmsdev.com
actor.email:"testprod@qualyssscmsdev.com"
actor.type
Search for events based on the type of actor. Choose a value
from: User, ServicePrincipal, Application
Example
Show all events of the actor type User
actor.type:"User"
origin.ip
Search for events that have a specific origin IP.
Example
Show all events that have origin IP 40.79.154.194
origin.ip:"40.79.154.194"
origin.userAgent
Search for events that have a specific origin user agent.
Example
Show all events with the origin user agent EvoSTS
origin.userAgent:"EvoSTS"
actionDetail.modifiedResources.resourceId
Search for events that have a specific resource ID.
Example
Show all events with resource ID 05e394a6-3d79-483b-abf2-5f39c5787196
actionDetail.modifiedResources.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"
actionDetail.modifiedResources.resourceName
Search for events that have a specific resource name.
Example
Show all events with resource name Microsoft Graph
actionDetail.modifiedResources.resourceName:"Microsoft Graph"
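To show how the and / or / not operators at the top of this page combine with the field tokens listed above, here is a small evaluator for the query syntax, run over a handful of constructed events. It is an added example, not Qualys code, and it makes assumptions this page does not state: not binds tightest, then and, then or; the infix form used in the OFFICE365 example (a not b) is read as a and not b; values compare as strings; and a dotted path that crosses a list (such as actionDetail.modifiedResources.resourceName) matches if any element matches. The accessType field and the event records are constructed for the demonstration. Confirm operator precedence in the product before relying on an unparenthesized mixed query.

```python
# Added example, not Qualys code: an evaluator for the Events-tab query syntax, run over
# constructed events. ASSUMED semantics (not stated on the page): `not` binds tightest,
# then `and`, then `or`; infix `a not b` reads as `a and not b`; values compare as strings.
import re

def make_event(name, etype, ctype, cid, access, result, actor_type, resource=None):
    resources = [{"resourceName": resource}] if resource else []
    return {"name": name, "type": etype, "accessType": access,
            "connector": {"id": cid, "type": ctype}, "actor": {"type": actor_type},
            "actionDetail": {"result": result, "modifiedResources": resources}}

EVENTS = [  # constructed sample data, not from a real tenant
    make_event("UserLoggedIn", "AADPowershellLogin", "OFFICE365", 100, "Domain", "Success", "User"),
    make_event("Consent to application", "PermissionChange", "OFFICE365", 100, "External",
               "Success", "User", "Microsoft Graph"),
    make_event("UserLoginFailed", "AADPowershellLogin", "GSUITE", 200, "Domain", "Fail", "ServicePrincipal"),
]

# field:value (quoted, backticked or bare), the three operators, and parentheses
TOKEN_RE = re.compile(r'\s*(?:([A-Za-z0-9_.]+)\s*:\s*("[^"]*"|`[^`]*`|[^\s()]+)|\b(and|or|not)\b|([()]))')

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at {query[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("term", m.group(1), m.group(2).strip('"`')))
        elif m.group(3):
            tokens.append(("op", m.group(3)))
        else:
            tokens.append(("paren", m.group(4)))
    return tokens

def resolve(obj, parts):
    """Yield every value reached by walking a dotted path; lists fan out to each element."""
    if not parts:
        yield obj
    elif isinstance(obj, list):
        for item in obj:
            yield from resolve(item, parts)
    elif isinstance(obj, dict) and parts[0] in obj:
        yield from resolve(obj[parts[0]], parts[1:])

def field_matches(event, field, value):
    """String comparison, so connector.id:100 and connector.id:"100" behave alike."""
    return any(str(v) == value for v in resolve(event, field.split(".")))

class Parser:  # recursive descent: or_expr > and_expr > unary > primary; yields a predicate
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok
    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "or"):
            self.take()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self.and_expr())
        return left
    def and_expr(self):
        left = self.unary()
        while self.peek() in (("op", "and"), ("op", "not")):
            negate, right = self.take()[1] == "not", self.unary()  # infix `not` == `and not`
            left = (lambda l, r, n: lambda ev: l(ev) and (not r(ev) if n else r(ev)))(left, right, negate)
        return left
    def unary(self):
        if self.peek() == ("op", "not"):
            self.take()
            inner = self.unary()
            return lambda ev: not inner(ev)
        return self.primary()
    def primary(self):
        tok = self.take()
        if tok == ("paren", "("):
            pred = self.or_expr()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return pred
        if tok[0] == "term":
            return lambda ev, f=tok[1], v=tok[2]: field_matches(ev, f, v)
        raise ValueError(f"unexpected token {tok!r}")

def search(query, events=EVENTS):
    pred = Parser(tokenize(query)).parse()
    return [ev for ev in events if pred(ev)]
```

Under these assumed rules, accessType:"External" or accessType:"Domain" and actionDetail.result:"Fail" returns two of the sample events, while the parenthesized (accessType:"External" or accessType:"Domain") and actionDetail.result:"Fail" returns only the failed GSUITE login; that difference is why mixed and / or queries should be parenthesized, or checked against the product's own results, before being saved as a hunt.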