Description

...

Log Structure

Sample of Office365SharePoint Event (in JSON format)
[
{
"AppAccessContext": {
"AADSessionId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
"CorrelationId": "123455a0-807b-1111-cd61-7e477227f33a",
"UniqueTokenId": "aBCde-XYZUm77sUdZIgDDD"
},
"CreationTime": "2022-03-01T02:38:59",
"Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
"Operation": "PageViewed",
"OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
"RecordType": 4,
"UserKey": "1153977025279851686@contoso.onmicrosoft.com",
"UserType": 0,
"Version": 1,
"Workload": "SharePoint",
"ClientIP": "134.170.188.221",
"ObjectId": "https://contoso.sharepoint.com/_layouts/15/onedrive.aspx",
"UserId": "admin@contoso.onmicrosoft.com",
"CorrelationId": "123455a0-807b-1111-cd61-7e477227f33a",
"CustomUniqueId": true,
"EventSource": "SharePoint",
"ItemType": "Page",
"ListItemUniqueId": "f1c23344-5667-890f-1234-8ee1171747ad",
"Site": "9876ded5-e4df-32e1-b123-bcec4d5ce67a",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
"WebId": "7777777a8-d0b9-001f-be0b-f9c12345cd48"
}
]

Table Fields

| Field | Description |
|---|---|
| TABLE | Office365SharePoint |
| RECORDTYPE | Based on RecordType, where this field indicates the operation performed by the record. For this log type its value is 4. See more details about RecordType here. |
| CUSTOMEVENT | Based on CustomEvent, where this field contains the optional string value for custom events. |
| EVENTDATA | Based on EventData, where this field contains the optional payload for custom events. |
| MODIFIEDPROPERTIES | Based on ModifiedProperties, a structure field that contains details such as: modified property, current value of the modified property and the new value of the modified property. The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. |
| SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP. |

Note: See other fields here, which are common among all SharePoint* log types.
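
The field mapping above, sketched as an added example (not the product's own parser): events are accepted only when RecordType is 4, the four documented fields go to their columns, and everything else is kept in SNAREDATAMAP. The function names, the `common_fields` parameter, the upper-cased column naming for common fields and the Name/NewValue/OldValue shape of ModifiedProperties are assumptions, because the common SharePoint* field list is not on this page.

```python
import json

SHAREPOINT_RECORD_TYPE = 4  # value this page gives for the log type
# Source field -> table column, for the fields documented on this page.
DOCUMENTED = {"RecordType": "RECORDTYPE", "CustomEvent": "CUSTOMEVENT",
              "EventData": "EVENTDATA", "ModifiedProperties": "MODIFIEDPROPERTIES"}

def to_table_row(event, common_fields=()):
    """Map one raw audit event (dict) to an Office365SharePoint row (dict)."""
    if event.get("RecordType") != SHAREPOINT_RECORD_TYPE:
        raise ValueError(f"RecordType {event.get('RecordType')!r} is not SharePoint")
    row = {"TABLE": "Office365SharePoint", "SNAREDATAMAP": {}}
    for key, value in event.items():
        if key in DOCUMENTED:
            row[DOCUMENTED[key]] = value
        elif key in common_fields:
            # Assumption: common fields become upper-cased column names.
            row[key.upper()] = value
        else:
            # Unclassified fields are kept, not dropped, so nothing is lost.
            row["SNAREDATAMAP"][key] = value
    for column in DOCUMENTED.values():
        row.setdefault(column, None)  # optional fields absent from the event
    return row

def parse_batch(raw_json, common_fields=()):
    """Parse a JSON array of events; return (rows, ids of rejected events)."""
    rows, rejected = [], []
    for event in json.loads(raw_json):
        try:
            rows.append(to_table_row(event, common_fields))
        except ValueError:
            rejected.append(event.get("Id"))
    return rows, rejected

# Constructed sample events (not from a real tenant).
SAMPLE = json.dumps([
    {"Id": "evt-1", "RecordType": 4, "Operation": "PageViewed",
     "UserId": "admin@contoso.onmicrosoft.com",
     "AppAccessContext": {"AADSessionId": "constructed-session"}},
    {"Id": "evt-2", "RecordType": 4, "Operation": "SiteCollectionAdminAdded",
     "UserId": "admin@contoso.onmicrosoft.com",
     "ModifiedProperties": [{"Name": "SiteAdmin", "OldValue": "",
                             "NewValue": "user@contoso.onmicrosoft.com"}]},
    {"Id": "evt-3", "RecordType": 6, "Operation": "FileAccessed"},
])

if __name__ == "__main__":
    rows, rejected = parse_batch(SAMPLE, common_fields={"UserId", "Operation"})
    print(json.dumps(rows, indent=2)); print("rejected:", rejected)
```

Rejected event ids are returned rather than silently skipped, so a record routed to the wrong table shows up as a count that can be alerted on.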

...