SharePoint Online JSON Log File
The JSON log file format is used to send SharePoint Online activity monitoring data to Enterprise Auditor v10.0 consoles. The following sections list all of the attributes that SharePoint Online Activity Monitor writes to a JSON log file:
Base Schema
The following table lists the base schema attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
TimeLogged | Event time (UTC) | 2019-03-14T18:13:39.000Z |
ActivityType | Constant "SharePoint" | SharePointOnline |
AgentHost | Host name where agent is installed. | sphost |
Source | SharePoint, SharePointFileOperation, SharePointListOperation, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, SharePointSharingOperation, ComplianceDLPSharePoint, ComplianceDLPSharePointClassification | SharePointFileOperation |
Id | Unique id of an audit record | 5ed5f834-7609-4ea6-df9b-08d76f79a875 |
EventType | AccessInvitationCreated, AccessInvitationExpired, AccessInvitationRevoked, AccessInvitationUpdated, AccessRequestApproved, AccessRequestCreated, AccessRequestRejected, ActivationEnabled, AdministratorAddedToTermStore, AdministratorDeletedFromTermStore, AllowGroupCreationSet, AppCatalogCreated, AuditPolicyRemoved, AuditPolicyUpdate, AzureStreamingEnabledSet, CollaborationTypeModified, ConnectedSiteSettingModified, CreateSSOApplication, CustomFieldOrLookupTableCreated, CustomFieldOrLookupTableDeleted, CustomFieldOrLookupTableModified, CustomizeExemptUsers, DefaultLanguageChangedInTermStore, DelegateModified, DelegateRemoved, DeleteSSOApplication, eDiscoveryHoldApplied, eDiscoveryHoldRemoved, eDiscoverySearchPerformed, EngagementAccepted, EngagementModified, EngagementRejected, EnterpriseCalendarModified, EntityDeleted, EntityForceCheckedIn, ExemptUserAgentSet, FileAccessed, FileCheckOutDiscarded, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin, FileDownloaded, FileFetched, FileModified, FileMoved, FilePreviewed, FileRenamed, FileRestored, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial, FileUploaded, FileViewed, FolderCopied, FolderCreated, FolderDeleted, FolderDeletedFirstStageRecycleBin, FolderDeletedSecondStageRecycleBin, FolderModified, FolderMoved, FolderRenamed, FolderRestored, GroupAdded, GroupRemoved, GroupUpdated, LanguageAddedToTermStore, LanguageRemovedFromTermStore, LegacyWorkflowEnabledSet, LookAndFeelModified, ManagedSyncClientAllowed, MaxQuotaModified, MaxResourceUsageModified, MySitePublicEnabledSet, NewsFeedEnabledSet, ODBNextUXSettings, OfficeOnDemandSet, PageViewed, PeopleResultsScopeSet, PermissionSyncSettingModified, PermissionTemplateModified, PortfolioDataAccessed, PortfolioDataModified, PreviewModeEnabledSet, ProjectAccessed, ProjectCheckedIn, ProjectCheckedOut, ProjectCreated, ProjectDeleted, ProjectForceCheckedIn, ProjectModified, ProjectPublished, ProjectWorkflowRestarted, PWASettingsAccessed, PWASettingsModified, QueueJobStateModified, QuotaWarningEnabledModified, RenderingEnabled, ReportingAccessed, ReportingSettingModified, ResourceAccessed, ResourceCheckedIn, ResourceCheckedOut, ResourceCreated, ResourceDeleted, ResourceForceCheckedIn, ResourceModified, ResourcePlanCheckedInOrOut, ResourcePlanModified, ResourcePlanPublished, ResourceRedacted, ResourceWarningEnabledModified, SSOGroupCredentialsSet, SSOUserCredentialsSet, SearchCenterUrlSet, SecondaryMySiteOwnerSet, SecurityCategoryModified, SecurityGroupModified, SendToConnectionAdded, SendToConnectionRemoved, SharedLinkCreated, SharedLinkDisabled, SharingInvitationAccepted, SharingRevoked, SharingSet, SiteAdminChangeRequest, SiteCollectionAdminAdded, SiteCollectionCreated, SiteRenamed, StatusReportModified, SyncGetChanges, TaskStatusAccessed, TaskStatusApproved, TaskStatusRejected, TaskStatusSaved, TaskStatusSubmitted, TimesheetAccessed, TimesheetApproved, TimesheetRejected, TimesheetSaved, TimesheetSubmitted, UnmanagedSyncClientBlocked, UpdateSSOApplication, UserAddedToGroup, UserRemovedFromGroup, WorkflowModified | FileDeleted |
OrganizationId | Organization tenant ID | 86e5dcbf-56e9-4452-8c43-1e99f0e9aabd |
UserType | Type of the user who performed the operation | Regular |
UserId | The UPN of the user who performed the operation | user1@stealthbitstechnologie.onmicrosoft.com |
UserName | Name of the user who performed the operation | User1 |
UserLogin | An alternative ID of the user. "DlpAgent" for DLP events | i:0h.f/membership/10033fff8a7ae322@live.com |
ClientIP | IP address of the user or a trusted application | 75.155.180.82 |
Protocol | Protocol: HTTPS | HTTPS |
Workload | Office 365 service where the activity occurred | SharePoint |
ResultStatus | Succeeded, ParticallySucceeded, Failed, True, False | ParticallySucceeded |
AbsoluteUrl | Full path of the file/folder accessed by the user | https://stealthbitstechnologie-my.sharepoint.com/personal/sgiles_stealthbitstechnologie_onmicrosoft_com/personal/myfiles/21ded |
Scope | Whether the event was created by a hosted O365 service or an on-premises server: online or onprem | |
SiteId | Guid of the site | aef1ad6b-11c5-4b25-a669-b5f8379f8c55 |
ItemType | Object type: File, Folder, Web, Site, Tenant, DocumentLibrary, Page. Differs from SP types | File |
ItemTitle | | |
EventSource | SharePoint or ObjectModel | SharePoint |
UserAgent | User client or browser | |
MachineDomainInfo | Information about device sync operations | |
MachineId | Information about device sync operations | |
UpdateType | Added, Removed, or Updated | Added |
Version | The new version of the document/version of deleted document | 1 |
File/Folder Operations
The following table lists the file/folder operation attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SiteUrl | URL of the site | https://example-url.sharepoint.com/ |
DocLocation | Relative URL of the file or document accessed by the user | Shared Documents/100 Sensitive Docs/Document.docx |
SourceRelativeUrl | The URL of the folder that contains the file accessed by the user. The combination of the values of the SiteUrl, SourceRelativeUrl, and SourceFileName attributes is the same as the value of the AbsoluteUrl attribute | Shared Documents/100 Sensitive Docs |
SourceFileName | File or folder name | My Document.docx |
SourceFileExtension | File extension | docx |
NewDocLocation | A relative URL to which the object is copied or moved | Shared Documents/100 Sensitive Docs/Copy.docx |
DestinationRelativeUrl | Only for EventType: FileCopied, FileMoved. The URL of the destination folder where a file is copied or moved | Shared Documents/100 Sensitive Docs |
DestinationFileName | Only for EventType: FileCopied, FileMoved. The name of the file that is copied or moved | Copy.docx |
DestinationFileExtension | Only for EventType: FileCopied, FileMoved | docx |
Sharing
The following table lists the sharing attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
SharingType | The type of sharing permissions that were assigned to the user that the resource was shared with |
TargetUserOrGroupName | UPN or name of the target user or group that a resource was shared with |
TargetUserOrGroupType | Member, Guest, Group, or Partner |
EventData | |
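The following Python triage pass over a JSON log is an added example, not code from the product or from this documentation. It uses the base, file/folder and sharing attributes listed above to report copies and moves, sharing with guests, and records whose SiteUrl, SourceRelativeUrl and SourceFileName do not combine to AbsoluteUrl. The one-object-per-line layout, the top-level placement of attributes, the sample records and the function names are assumptions.

```python
import json

# Constructed sample. One JSON object per line with the attributes as top-level
# keys is an assumption; attribute names and values follow the tables above.
SITE = "https://example-url.sharepoint.com/"
SAMPLE_LOG = "\n".join([
    json.dumps({"TimeLogged": "2019-03-14T18:13:39.000Z", "EventType": "FileMoved",
                "UserId": "user1@example.com", "SiteUrl": SITE,
                "SourceRelativeUrl": "Shared Documents/100 Sensitive Docs",
                "SourceFileName": "My Document.docx",
                "AbsoluteUrl": SITE + "Shared Documents/100 Sensitive Docs/My Document.docx",
                "DestinationRelativeUrl": "Shared Documents/Public",
                "DestinationFileName": "Copy.docx"}),
    json.dumps({"TimeLogged": "2019-03-14T18:15:02.000Z", "EventType": "SharingSet",
                "UserId": "user1@example.com",
                "AbsoluteUrl": SITE + "Shared Documents/Public/Copy.docx",
                "TargetUserOrGroupType": "Guest",
                "TargetUserOrGroupName": "partner@example.org"}),
    '{"TimeLogged": "2019-03-14T18:16:',  # truncated line, must not stop the run
])

def parse_log(text):
    """Return (records, skipped); skipped counts lines that are not JSON objects."""
    records, skipped = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if isinstance(rec, dict):
            records.append(rec)
        else:
            skipped += 1
    return records, skipped

def join_url(*parts):
    """Join URL parts with single slashes, ignoring missing or empty parts."""
    return "/".join(p.strip("/") for p in parts if p)

def triage(records):
    """Flag copies/moves, guest sharing, and source fields that contradict AbsoluteUrl."""
    findings = []
    for r in records:
        who, when = r.get("UserId"), r.get("TimeLogged")
        if r.get("EventType") in ("FileCopied", "FileMoved"):
            dest = join_url(r.get("DestinationRelativeUrl"), r.get("DestinationFileName"))
            findings.append((when, who, "relocated", dest))
        if r.get("TargetUserOrGroupType") == "Guest":
            findings.append((when, who, "shared-with-guest", r.get("TargetUserOrGroupName")))
        built = join_url(r.get("SiteUrl"), r.get("SourceRelativeUrl"), r.get("SourceFileName"))
        if r.get("SourceFileName") and built != r.get("AbsoluteUrl"):
            findings.append((when, who, "url-mismatch", built))
    return findings
```

Counting skipped lines rather than discarding them silently lets a gap in the audit trail show up alongside the findings.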
Other SharePoint Events
The following table lists the attributes for other SharePoint events generated by SharePoint Online Activity Monitor.
Attribute Name | Description |
---|---|
CustomEvent | |
EventData | Optional payload |
ModifiedProperties | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified, old, and new value |
DLP Events
The following table lists the DLP event attributes generated by SharePoint Online Activity Monitor.
Attribute Name | Description | Example |
---|---|---|
SharePointMetaData | Metadata about the document that contained the sensitive information | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#sharepointmetadata-complex-type |
ExceptionInfo | Reasons why a policy no longer applies and any information about false positive or override | |
PolicyDetails | Policy(s) that triggered the event | https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#policydetails-complex-type |
SensitiveInfoDetectionIsIncluded | Indicates whether the event contains the value of the sensitive data type | |