Office 365 Management Activity API schema

The Office 365 Management Activity API schema is provided as a data service in two layers:

  • Common schema. The interface to access core Office 365 auditing concepts such as Record Type, Creation Time, User Type, and Action, as well as core dimensions (such as User ID), location specifics (such as Client IP address), and product-specific properties (such as Object ID). It establishes consistent and uniform views so that users can extract all Office 365 audit data through a few top-level views with the appropriate parameters, and it provides a fixed schema for all data sources, which significantly reduces the cost of learning. The Common schema is sourced from product data owned by each product team, such as Exchange, SharePoint, Azure Active Directory, Yammer, and OneDrive for Business. The Object ID field can be extended by product teams to add product-specific properties.

  • Product-specific schema. Built on top of the Common schema to provide a set of product-specific attributes; for example, the SharePoint schema, the OneDrive for Business schema, and the Exchange admin schema.

Which layer should you use for your scenario? In general, if the data is available in a higher layer, don't go back to a lower layer. In other words, if the data requirement can be met by a product-specific schema, you don't need to go back to the Common schema.

Office 365 Management API schemas

This article provides details on the Common schema as well as each of the product-specific schemas. The following table describes the available schemas.

| Name of schema | Description |
|---|---|
| Common schema | The view to extract Record Type, User ID, Client IP, User Type and Action along with core dimensions such as user properties (such as UserId), location properties (such as Client IP), and product-specific properties (such as Object Id). |
| SharePoint Base schema | Extends the Common schema with the properties specific to all SharePoint audit data. |
| SharePoint File Operations | Extends the SharePoint Base schema with the properties specific to file access and manipulation in SharePoint. |
| SharePoint Sharing schema | Extends the SharePoint Base schema with the properties specific to file sharing. |
| SharePoint schema | Extends the SharePoint Base schema with the properties specific to SharePoint, but unrelated to file access and manipulation. |
| Project schema | Extends the SharePoint Base schema with the properties specific to Project. |
| Exchange Admin schema | Extends the Common schema with the properties specific to all Exchange admin audit data. |
| Exchange Mailbox schema | Extends the Common schema with the properties specific to all Exchange mailbox audit data. |
| Azure Active Directory Base schema | Extends the Common schema with the properties specific to all Azure Active Directory audit data. |
| Azure Active Directory Account Logon schema | Extends the Azure Active Directory Base schema with the properties specific to all Azure Active Directory logon events. |
| Azure Active Directory Secure STS Logon schema | Extends the Azure Active Directory Base schema with the properties specific to all Azure Active Directory Secure Token Service (STS) logon events. |
| Azure Active Directory schema | Extends the Common schema with the properties specific to all Azure Active Directory audit data. |
| DLP schema | Extends the Common schema with the properties specific to Data Loss Prevention events. |
| Security and Compliance Center schema | Extends the Common schema with the properties specific to all Security and Compliance Center events. |
| Security and Compliance Alerts schema | Extends the Common schema with the properties specific to all Office 365 security and compliance alerts. |
| Yammer schema | Extends the Common schema with the properties specific to all Yammer events. |
| Data Center Security Base schema | Extends the Common schema with the properties specific to all data center security audit data. |
| Data Center Security Cmdlet schema | Extends the Data Center Security Base schema with the properties specific to all data center security cmdlet audit data. |
| Microsoft Teams schema | Extends the Common schema with the properties specific to all Microsoft Teams events. |
| Microsoft Defender for Office 365 and Threat Investigation and Response schema | Extends the Common schema with the properties specific to Defender for Office 365 and threat investigation and response data. |
| Automated investigation and response events schema | Extends the Common schema with the properties specific to Office 365 automated investigation and response (AIR) events. To see an example, see the Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API. |
| Hygiene events schema | Extends the Common schema with the properties specific to events in Exchange Online Protection and Microsoft Defender for Office 365. |
| Power BI schema | Extends the Common schema with the properties specific to all Power BI events. |
| Dynamics 365 schema | Extends the Common schema with the properties specific to Dynamics 365 events. |
| Workplace Analytics schema | Extends the Common schema with the properties specific to all Microsoft Workplace Analytics events. |
| Quarantine schema | Extends the Common schema with the properties specific to all quarantine events. |
| Microsoft Forms schema | Extends the Common schema with the properties specific to all Microsoft Forms events. |
| MIP label schema | Extends the Common schema with the properties specific to sensitivity labels manually or automatically applied to email messages. |
| Communication compliance Exchange schema | Extends the Common schema with the properties specific to the Communication compliance offensive language model. |

Common schema

EntityType Name: AuditRecord

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Id | Combination GUID Edm.Guid | Yes | Unique identifier of an audit record. |
| RecordType | Self.AuditLogRecordType | Yes | The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records. |
| CreationTime | Edm.Date | Yes | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. |
| Operation | Edm.String | Yes | The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For DLP events, this can be "DlpRuleMatch", "DlpRuleUndo" or "DlpInfo", which are described under "DLP schema" below. |
| OrganizationId | Edm.Guid | Yes | The GUID for your organization's Office 365 tenant. This value is always the same for your organization, regardless of the Office 365 service in which the event occurs. |
| UserType | Self.UserType | Yes | The type of user that performed the operation. See the UserType table for details on the types of users. |
| UserKey | Edm.String | Yes | An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also hold the same value as the UserId property for events occurring in other services and for events performed by system accounts. |
| Workload | Edm.String | No | The Office 365 service where the activity occurred. |
| ResultStatus | Edm.String | No | Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. Important: Different workloads may overwrite the value of the ResultStatus property. For example, for Azure Active Directory STS logon events, a value of Succeeded for ResultStatus indicates only that the HTTP operation was successful; it doesn't mean the logon was successful. To determine whether the actual logon succeeded, see the LogonError property in the Azure Active Directory STS Logon schema. If the logon failed, the value of that property contains the reason for the failed logon attempt. |
| ObjectId | Edm.String | No | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. |
| UserId | Edm.String | Yes | The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as searching a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see The app@sharepoint user in audit records. |
| ClientIP | Edm.String | Yes | The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 format. For some services, the value displayed in this property might be the IP address of a trusted application (for example, Office on the web apps) calling into the service on behalf of a user, and not the IP address of the device used by the person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value of the ClientIP property is null. |
| Scope | Self.AuditLogScope | No | Was this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365. |

Enum: AuditLogRecordType - Type: Edm.Int32

AuditLogRecordType

| Value | Member name | Description |
|---|---|---|
| 1 | ExchangeAdmin | Events from the Exchange admin audit log. |
| 2 | ExchangeItem | Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. |
| 3 | ExchangeItemGroup | Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages. |
| 4 | SharePoint | SharePoint events. |
| 6 | SharePointFileOperation | SharePoint file operation events. |
| 7 | OneDrive | OneDrive for Business events. |
| 8 | AzureActiveDirectory | Azure Active Directory events. |
| 9 | AzureActiveDirectoryAccountLogon | Azure Active Directory OrgId logon events (deprecated). |
| 10 | DataCenterSecurityCmdlet | Data Center security cmdlet events. |
| 11 | ComplianceDLPSharePoint | Data loss prevention (DLP) events in SharePoint and OneDrive for Business. |
| 13 | ComplianceDLPExchange | Data loss prevention (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported. |
| 14 | SharePointSharingOperation | SharePoint sharing events. |
| 15 | AzureActiveDirectoryStsLogon | Secure Token Service (STS) logon events in Azure Active Directory. |
| 16 | SkypeForBusinessPSTNUsage | Public Switched Telephone Network (PSTN) events from Skype for Business. |
| 17 | SkypeForBusinessUsersBlocked | Blocked user events from Skype for Business. |
| 18 | SecurityComplianceCenterEOPCmdlet | Admin actions from the Security & Compliance Center. |
| 19 | ExchangeAggregatedOperation | Aggregated Exchange mailbox auditing events. |
| 20 | PowerBIAudit | Power BI events. |
| 21 | CRM | Dynamics 365 events. |
| 22 | Yammer | Yammer events. |
| 23 | SkypeForBusinessCmdlets | Skype for Business events. |
| 24 | Discovery | Events for eDiscovery activities performed by running content searches and managing eDiscovery cases in the Security & Compliance Center. |
| 25 | MicrosoftTeams | Events from Microsoft Teams. |
| 28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. |
| 29 | MailSubmission | Submission events from Exchange Online Protection and Microsoft Defender for Office 365. |
| 30 | MicrosoftFlow | Microsoft Power Automate (formerly called Microsoft Flow) events. |
| 31 | AeD | Advanced eDiscovery events. |
| 32 | MicrosoftStream | Microsoft Stream events. |
| 33 | ComplianceDLPSharePointClassification | Events related to DLP classification in SharePoint. |
| 34 | ThreatFinder | Campaign-related events from Microsoft Defender for Office 365. |
| 35 | Project | Microsoft Project events. |
| 36 | SharePointListOperation | SharePoint list events. |
| 37 | SharePointCommentOperation | SharePoint comment events. |
| 38 | DataGovernance | Events related to retention policies and retention labels in the Security & Compliance Center. |
| 39 | Kaizala | Kaizala events. |
| 40 | SecurityComplianceAlerts | Security and compliance alert signals. |
| 41 | ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365. |
| 42 | SecurityComplianceInsights | Events related to insights and reports in the Office 365 Security & Compliance Center. |
| 43 | MIPLabel | Events related to the detection in the transport pipeline of email messages that have been tagged (manually or automatically) with sensitivity labels. |
| 44 | WorkplaceAnalytics | Workplace Analytics events. |
| 45 | PowerAppsApp | Power Apps events. |
| 46 | PowerAppsPlan | Subscription plan events for Power Apps. |
| 47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365. |
| 48 | LabelContentExplorer | Events related to the data classification content explorer. |
| 49 | TeamsHealthcare | Events related to the Patients application in Microsoft Teams for Healthcare. |
| 50 | ExchangeItemAggregated | Events related to the MailItemsAccessed mailbox auditing action. |
| 51 | HygieneEvent | Events related to outbound spam protection. |
| 52 | DataInsightsRestApiAudit | Data Insights REST API events. |
| 53 | InformationBarrierPolicyApplication | Events related to the application of information barrier policies. |
| 54 | SharePointListItemOperation | SharePoint list item events. |
| 55 | SharePointContentTypeOperation | SharePoint list content type events. |
| 56 | SharePointFieldOperation | SharePoint list field events. |
| 57 | MicrosoftTeamsAdmin | Teams admin events. |
| 58 | HRSignal | Events related to HR data signals that support the Insider risk management solution. |
| 59 | MicrosoftTeamsDevice | Teams device events. |
| 60 | MicrosoftTeamsAnalytics | Teams analytics events. |
| 61 | InformationWorkerProtection | Events related to compromised user alerts. |
| 62 | Campaign | Email campaign events from Microsoft Defender for Office 365. |
| 63 | DLPEndpoint | Endpoint DLP events. |
| 64 | AirInvestigation | Automated incident response (AIR) events. |
| 65 | Quarantine | Quarantine events. |
| 66 | MicrosoftForms | Microsoft Forms events. |
| 67 | ApplicationAudit | Application audit events. |
| 68 | ComplianceSupervisionExchange | Events tracked by the Communication compliance offensive language model. |
| 69 | CustomerKeyServiceEncryption | Events related to the Customer Key encryption service. |
| 70 | OfficeNative | Events related to sensitivity labels applied to Office documents. |
| 71 | MipAutoLabelSharePointItem | Auto-labeling events in SharePoint. |
| 72 | MipAutoLabelSharePointPolicyLocation | Auto-labeling policy events in SharePoint. |
| 73 | MicrosoftTeamsShifts | Teams Shifts events. |
| 75 | MipAutoLabelExchangeItem | Auto-labeling events in Exchange. |
| 76 | CortanaBriefing | Briefing email events. |
| 77 | Search | Events related to performing search queries in SharePoint and Exchange. |
| 78 | WDATPAlerts | Events related to alerts generated by Windows Defender for Endpoint. |
| 81 | MDATPAudit | Microsoft Defender for Endpoint events. |
| 82 | SensitivityLabelPolicyMatch | Events generated when a file labeled with a sensitivity label is opened or renamed. |
| 83 | SensitivityLabelAction | Events generated when sensitivity labels are applied, updated, or removed from a file. |
| 84 | SensitivityLabeledFileAction | Events generated when a file labeled with a sensitivity label is opened or renamed. |
| 85 | AttackSim | Attack simulator events. |
| 86 | AirManualInvestigation | Events related to manual investigations in Automated investigation and response (AIR). |
| 87 | SecurityComplianceRBAC | Security and compliance RBAC events. |
| 88 | UserTraining | Attack simulator training events in Microsoft Defender for Office 365. |
| 89 | AirAdminActionInvestigation | Events related to admin actions in Automated investigation and response (AIR). |
| 90 | MSTIC | Threat intelligence events in Microsoft Defender for Office 365. |
| 91 | PhysicalBadgingSignal | Events related to physical badging signals that support the Insider risk management solution. |
| 93 | AipDiscover | Azure Information Protection (AIP) scanner events. |
| 94 | AipSensitivityLabelAction | AIP sensitivity label events. |
| 95 | AipProtectionAction | AIP protection events. |
| 96 | AipFileDeleted | AIP file deletion events. |
| 97 | AipHeartBeat | AIP heartbeat events. |
| 98 | MCASAlerts | Events corresponding to alerts triggered by Microsoft Cloud App Security. |
| 99 | OnPremisesFileShareScannerDlp | Events related to scanning for sensitive data on file shares. |
| 100 | OnPremisesSharePointScannerDlp | Events related to scanning for sensitive data in SharePoint. |
| 101 | ExchangeSearch | Events related to using Outlook on the web (OWA) to search for mailbox items. |
| 102 | SharePointSearch | Events related to searching an organization's SharePoint home site. |
| 103 | PrivacyInsights | Privacy insights events. |
| 105 | MyAnalyticsSettings | MyAnalytics events. |
| 106 | SecurityComplianceUserChange | Events related to modifying or deleting a user. |
| 107 | ComplianceDLPExchangeClassification | Exchange DLP classification events. |
| 109 | MipExactDataMatch | Exact Data Match (EDM) classification events. |

Enum: User Type - Type: Edm.Int32

User Type

| Value | Member name | Description |
|---|---|---|
| 0 | Regular | A regular user. |
| 1 | Reserved | A reserved user. |
| 2 | Admin | An administrator. |
| 3 | DcAdmin | A Microsoft datacenter operator. |
| 4 | System | A system account. |
| 5 | Application | An application. |
| 6 | ServicePrincipal | A service principal. |
| 7 | CustomPolicy | A custom policy. |
| 8 | SystemPolicy | A system policy. |

Enum: AuditLogScope - Type: Edm.Int32

AuditLogScope

| Value | Member name | Description |
|---|---|---|
| 0 | Online | This event was created by a hosted O365 service. |
| 1 | Onprem | This event was created by an on-premises server. |
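The Common schema fields and enumerations above, applied to a batch of audit records. This is an added example, not code from this page or from any Microsoft SDK: it checks the mandatory Common-schema fields, maps the integer RecordType and UserType values back to their member names, and normalises ResultStatus across workloads, including the two caveats the page states (Exchange admin records report True/False, and an Azure Active Directory STS logon record with ResultStatus Succeeded is only a successful HTTP call unless LogonError is empty). The sample records, their identifiers, the Operation strings and the LogonError value are constructed for illustration.

```python
"""Triage of Office 365 Management Activity API audit records (added example,
not code from this page or from Microsoft). Encodes a subset of the Common
schema enumerations above and applies the page's ResultStatus caveats."""
from enum import IntEnum


class AuditLogRecordType(IntEnum):
    """Subset of the AuditLogRecordType values listed above."""
    ExchangeAdmin = 1
    SharePoint = 4
    SharePointFileOperation = 6
    AzureActiveDirectory = 8
    AzureActiveDirectoryAccountLogon = 9
    AzureActiveDirectoryStsLogon = 15


class UserType(IntEnum):
    """Subset of the UserType values listed above."""
    Regular = 0
    Admin = 2
    System = 4
    Application = 5


# Fields the Common schema marks as mandatory.
MANDATORY = ("Id", "RecordType", "CreationTime", "Operation", "OrganizationId",
             "UserType", "UserKey", "UserId", "ClientIP")
# Record types for which the page says ClientIP is not logged (value is null).
AAD_RECORD_TYPES = {AuditLogRecordType.AzureActiveDirectory,
                    AuditLogRecordType.AzureActiveDirectoryAccountLogon,
                    AuditLogRecordType.AzureActiveDirectoryStsLogon}


def validate_common(record):
    """Return the Common-schema problems found in a record (empty list if none)."""
    problems = ["missing " + f for f in MANDATORY if f not in record]
    if ("ClientIP" in record and record["ClientIP"] is None
            and record.get("RecordType") not in AAD_RECORD_TYPES):
        problems.append("ClientIP is null outside Azure Active Directory events")
    return problems


def normalize_result(record):
    """Map workload-specific ResultStatus values onto Succeeded/PartiallySucceeded/Failed/Unknown."""
    rtype, status = record.get("RecordType"), record.get("ResultStatus")
    if rtype == AuditLogRecordType.AzureActiveDirectoryStsLogon:
        # ResultStatus only says the HTTP call succeeded; LogonError (from the
        # STS Logon schema) carries the real outcome of the sign-in.
        if status == "Failed" or record.get("LogonError"):
            return "Failed"
        return "Succeeded" if status == "Succeeded" else "Unknown"
    if rtype == AuditLogRecordType.ExchangeAdmin:
        # Exchange admin records use True/False instead of Succeeded/Failed.
        return {"True": "Succeeded", "False": "Failed"}.get(str(status), "Unknown")
    return status if status in ("Succeeded", "PartiallySucceeded", "Failed") else "Unknown"


def triage(records):
    """Summarise each record: actor, operation, normalised outcome and analyst flags."""
    summary = []
    for rec in records:
        flags = validate_common(rec)
        try:
            rtype_name = AuditLogRecordType(rec.get("RecordType")).name
        except ValueError:
            rtype_name = "RecordType=%s" % rec.get("RecordType")
        if rec.get("UserType") == UserType.System:
            flags.append("system account")
        if str(rec.get("UserId") or "").lower() == "app@sharepoint":
            # An application acting organisation-wide, not a person (see the UserId note).
            flags.append("app@sharepoint actor")
        summary.append({"Id": rec.get("Id"), "RecordType": rtype_name,
                        "Operation": rec.get("Operation"), "UserId": rec.get("UserId"),
                        "Outcome": normalize_result(rec), "Flags": flags})
    return summary


# Constructed sample records: identifiers, names, operations and LogonError are made up.
TENANT = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
SAMPLE_RECORDS = [
    {"Id": "11111111-1111-4111-8111-111111111111", "RecordType": 15,
     "CreationTime": "2024-05-01T08:00:00", "Operation": "UserLoggedIn",
     "OrganizationId": TENANT, "UserType": 0, "UserKey": "10032000ABCDEF01",
     "UserId": "alice@contoso.example", "ClientIP": None,
     "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded",
     "LogonError": "InvalidUserNameOrPassword"},
    {"Id": "22222222-2222-4222-8222-222222222222", "RecordType": 1,
     "CreationTime": "2024-05-01T08:05:00", "Operation": "Set-Mailbox",
     "OrganizationId": TENANT, "UserType": 2, "UserKey": "admin@contoso.example",
     "UserId": "admin@contoso.example", "ClientIP": "203.0.113.10",
     "Workload": "Exchange", "ResultStatus": "True", "ObjectId": "bob"},
    {"Id": "33333333-3333-4333-8333-333333333333", "RecordType": 6,
     "CreationTime": "2024-05-01T08:10:00", "Operation": "FileAccessed",
     "OrganizationId": TENANT, "UserType": 5, "UserKey": "app@sharepoint",
     "UserId": "app@sharepoint", "ClientIP": "198.51.100.7", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/hr/Shared Documents/salaries.xlsx"},
    {"Id": "44444444-4444-4444-8444-444444444444", "RecordType": 4,
     "CreationTime": "2024-05-01T08:15:00", "Operation": "SiteCollectionCreated",
     "OrganizationId": TENANT, "UserType": 4, "UserKey": "SHAREPOINT\\system",
     "UserId": "SHAREPOINT\\system", "ClientIP": None, "Workload": "SharePoint"},
]
```

Calling `triage(SAMPLE_RECORDS)` reports the STS logon as Failed despite its Succeeded ResultStatus, the Exchange admin cmdlet as Succeeded from its True value, the app@sharepoint file access as an application actor rather than a person, and the SharePoint record with a null ClientIP as a schema problem, since only Azure Active Directory events are allowed to omit the address. The point of keeping these rules in one place is that a detection written only against ResultStatus would silently miss every failed sign-in.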

SharePoint Base schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Site | Edm.Guid | No | The GUID of the site where the file or folder accessed by the user is located. |
| ItemType | Edm.String String="Microsoft.Office.Audit.Schema.SharePoint.ItemType" | No | The type of object that was accessed or modified. See the ItemType table for details on the types of objects. |
| EventSource | Edm.String String="Microsoft.Office.Audit.Schema.SharePoint.EventSource" | No | Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel. |
| SourceName | Edm.String | No | The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel. |
| UserAgent | Edm.String | No | Information about the user's client or browser. This information is provided by the client or browser. |
| MachineDomainInfo | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Information about device sync operations. This information is reported only if it's present in the request. |
| MachineId | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Information about device sync operations. This information is reported only if it's present in the request. |

Enum: ItemType - Type: Edm.Int32

ItemType

| Value | Member name | Description |
|---|---|---|
| 0 | Invalid | The item is none of the other item types listed in this table. |
| 1 | File | The item is a file. |
| 5 | Folder | The item is a folder. |
| 6 | Web | The item is a Web. |
| 7 | Site | The item is a site. |
| 8 | Tenant | The item is a tenant. |
| 9 | DocumentLibrary | The item is a document library. |
| 11 | Page | The item is a page. |

Enum: EventSource - Type: Edm.Int32

EventSource

| Value | Member name | Description |
|---|---|---|
| 0 | SharePoint | The event source is SharePoint. |
| 1 | ObjectModel | The event source is ObjectModel. |

Enum: SharePointAuditOperation - Type: Edm.Int32

| Member name | Description |
|---|---|
| AccessInvitationAccepted | The recipient of an invitation to view or edit a shared file (or folder) has accessed the shared file by clicking the link in the invitation. |
| AccessInvitationCreated | A user sends an invitation to another person (inside or outside their organization) to view or edit a shared file or folder on a SharePoint or OneDrive for Business site. The details of the event entry identify the name of the file that was shared, the user the invitation was sent to, and the type of sharing permission selected by the person who sent the invitation. |
| AccessInvitationExpired | An invitation sent to an external user expires. By default, an invitation sent to a user outside your organization expires after 7 days if it isn't accepted. |
| AccessInvitationRevoked | The site administrator or owner of a site or document in SharePoint or OneDrive for Business withdraws an invitation that was sent to a user outside your organization. An invitation can be withdrawn only before it's accepted. |
| AccessInvitationUpdated | The user who created and sent an invitation to another person to view or edit a shared file (or folder) on a SharePoint or OneDrive for Business site resends the invitation. |
| AccessRequestApproved | The site administrator or owner of a site or document in SharePoint or OneDrive for Business approves a user request to access the site or document. |
| AccessRequestCreated | A user requests access to a site or document in SharePoint or OneDrive for Business that they don't have permission to access. |
| AccessRequestRejected | The site administrator or owner of a site or document in SharePoint declines a user request to access the site or document. |
| ActivationEnabled | Users can browser-enable form templates that don't contain form code, require full trust, enable rendering on a mobile device, or use a data connection managed by a server administrator. |
| AdministratorAddedToTermStore | Term store administrator added. |
| AdministratorDeletedFromTermStore | Term store administrator deleted. |
| AllowGroupCreationSet | Site administrator or owner adds a permission level to a SharePoint or OneDrive for Business site that allows a user assigned that permission to create a group for that site. |
| AppCatalogCreated | App catalog created to make custom business apps available for your SharePoint environment. |
| AuditPolicyRemoved | Document lifecycle policy has been removed for a site collection. |
| AuditPolicyUpdate | Document lifecycle policy has been updated for a site collection. |
| AzureStreamingEnabledSet | A video portal owner has allowed video streaming from Azure. |
| CollaborationTypeModified | The type of collaboration allowed on sites (for example, intranet, extranet, or public) has been modified. |
| ConnectedSiteSettingModified | A user has created, modified, or deleted the link between a project and a project site, or has modified the synchronization setting on the link in Project Web App. |
CreateSSOApplicationCreateSSOApplication 在 Secure Store Service 中创建的目标应用程序。Target application created in Secure store service.
CustomFieldOrLookupTableCreatedCustomFieldOrLookupTableCreated 用户在 Project Web App 中创建自定义字段或查找表/项。User created a custom field or lookup table/item in Project Web App.
CustomFieldOrLookupTableDeletedCustomFieldOrLookupTableDeleted 用户在 Project Web App 中删除自定义字段或查找表/项。User deleted a custom field or lookup table/item in Project Web App.
CustomFieldOrLookupTableModifiedCustomFieldOrLookupTableModified 用户在 Project Web App 中修改自定义字段或查找表/项。User modified a custom field or lookup table/item in Project Web App.
CustomizeExemptUsersCustomizeExemptUsers 全局管理员自定义 SharePoint 管理中心的豁免用户代理列表。Global administrator customized the list of exempt user agents in SharePoint admin center. 可以指定哪些用户代理可以免于接收用于编制索引的整个 Web页面。You can specify which user agents to exempt from receiving an entire Web page to index. 这意味着,当指定为豁免的用户代理遇到 InfoPath 表单时,表单将作为 XML 文件而不是整个 Web 页面返回。This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file instead of an entire Web page. 这可以加速对 InfoPath 表单编制索引。This makes indexing InfoPath forms faster.
DefaultLanguageChangedInTermStore*DefaultLanguageChangedInTermStore* 术语库中的语言设置发生更改。Language setting changed in the terminology store.
DelegateModifiedDelegateModified 用户创建或修改 Project Web App 中的安全代理。User created or modified a security delegate in Project Web App.
DelegateRemovedDelegateRemoved 用户删除 Project Web App 中的安全代理。User deleted a security delegate in Project Web App.
DeleteSSOApplicationDeleteSSOApplication 删除了 SSO 应用程序。An SSO application was deleted.
eDiscoveryHoldAppliedeDiscoveryHoldApplied 就地保留置于内容源上。An In-Place Hold was placed on a content source. 通过使用 SharePoint 中的电子数据展示网站集(比如电子数据展示中心)来管理就地保存。In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoveryHoldRemovedeDiscoveryHoldRemoved 从内容源中删除就地保留。An In-Place Hold was removed from a content source. 通过使用 SharePoint 中的电子数据展示网站集(比如电子数据展示中心)来管理就地保存。In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoverySearchPerformedeDiscoverySearchPerformed 在 SharePoint 中使用电子数据展示网站集执行电子数据展示搜索。An eDiscovery search was performed using an eDiscovery site collection in SharePoint.
EngagementAcceptedEngagementAccepted 用户接受 Project Web App 中的资源预订。User accepts a resource engagement in Project Web App.
EngagementModifiedEngagementModified 用户修改 Project Web App 中的资源预订。User modifies a resource engagement in Project Web App.
EngagementRejectedEngagementRejected 用户拒绝 Project Web App 中的资源预订。User rejects a resource engagement in Project Web App.
EnterpriseCalendarModifiedEnterpriseCalendarModified 用户复制、修改或删除 Project Web App 中的企业日历。User copies, modifies or delete an enterprise calendar in Project Web App.
EntityDeletedEntityDeleted 用户删除 Project Web App 中的时间表。User deletes a timesheet in Project Web App.
EntityForceCheckedInEntityForceCheckedIn 用户在 Project Web App 中的日历、自定义字段或查找表上强制签入。User forces a checkin on a calendar, custom field or lookup table in Project Web App.
ExemptUserAgentSetExemptUserAgentSet 全局管理员向 SharePoint 管理中心的豁免用户代理列表添加用户代理。Global administrator adds a user agent to the list of exempt user agents in the SharePoint admin center.
FileAccessedFileAccessed 用户或系统帐户访问 SharePoint 或 OneDrive for Business 网站上的文件。User or system account accesses a file on a SharePoint or OneDrive for Business site. 系统帐户还可以生成 FileAccessed 事件。System accounts can also generate FileAccessed events.
FileCheckOutDiscardedFileCheckOutDiscarded 用户放弃(或撤消)签出的文件。这意味着将放弃签出文件时对其所做的更改,而不将其保存到文档库中的文档版本。User discards (or undos) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
FileCheckedInFileCheckedIn 用户签入在 SharePoint 或 OneDrive for Business 文档库中签出的文档。User checks in a document that they checked out from a SharePoint or OneDrive for Business document library.
FileCheckedOutFileCheckedOut 用户签出位于 SharePoint 或 OneDrive for Business 文档库的文档。User checks out a document located in a SharePoint or OneDrive for Business document library. 用户可以对与其共享的文档执行签出和更改操作。Users can check out and make changes to documents that have been shared with them.
FileCopiedFileCopied 用户从 SharePoint 或 OneDrive for Business 网站复制文档。User copies a document from a SharePoint or OneDrive for Business site. 可以将复制的文件保存到网站上的另一个文件夹。The copied file can be saved to another folder on the site.
FileDeletedFileDeleted 用户从 SharePoint 或 OneDrive for Business 网站删除文档。User deletes a document from a SharePoint or OneDrive for Business site.
FileDeletedFirstStageRecycleBinFileDeletedFirstStageRecycleBin 用户从 SharePoint 或 OneDrive for Business 网站上的回收站删除文件。User deletes a file from the recycle bin on a SharePoint or OneDrive for Business site.
FileDeletedSecondStageRecycleBinFileDeletedSecondStageRecycleBin 用户从 SharePoint 或 OneDrive for Business 网站上的第二阶段回收站删除文件。User deletes a file from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FileDownloadedFileDownloaded 用户从 SharePoint 或 OneDrive for Business 网站下载文档。User downloads a document from a SharePoint or OneDrive for Business site.
FileFetchedFileFetched 此事件已被 FileAccessed 事件取代,并且已弃用。This event has been replaced by the FileAccessed event, and has been deprecated.
FileModifiedFileModified 用户或系统帐户修改位于 SharePoint 或 OneDrive for Business 网站上的文档内容或属性。User or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site.
FileMovedFileMoved 用户将文档从 SharePoint 或 OneDrive for Business 的当前位置移动到新位置。User moves a document from its current location on a SharePoint or OneDrive for Business site to a new location.
FilePreviewedFilePreviewed 用户在 SharePoint 或 OneDrive for Business 网站上预览文档。User previews a document on a SharePoint or OneDrive for Business site.
FileRenamedFileRenamed 用户在 SharePoint 或 OneDrive for Business 网站上重命名文档。User renames a document on a SharePoint or OneDrive for Business site.
FileRestoredFileRestored 用户从 SharePoint 或 OneDrive for Business 网站的回收站中恢复文档。User restores a document from the recycle bin of a SharePoint or OneDrive for Business site.
FileSyncDownloadedFullFileSyncDownloadedFull 用户建立同步关系,并首次成功从 SharePoint 或 OneDrive Business 文档库将文件下载到他们的计算机。User establishes a sync relationship and successfully downloads files for the first time to their computer from a SharePoint or OneDrive for Business document library.
FileSyncDownloadedPartialFileSyncDownloadedPartial 用户成功下载对 SharePoint 或 OneDrive for Business 文档库中的文件所做的任何更改。User successfully downloads any changes to files from SharePoint or OneDrive for Business document library. 此事件表明对文档库中的文件所做的任何更改已下载到用户计算机。This event indicates that any changes that were made to files in the document library were downloaded to the user's computer. 仅下载了更改,因为用户先前已下载文档库(如 FileSyncDownloadedFull 事件所示)。Only changes were downloaded because the document library was previously downloaded by the user (as indicated by the FileSyncDownloadedFull event).
FileSyncUploadedFullFileSyncUploadedFull 用户建立同步关系,并首次成功从他们的计算机将文件上传到 SharePoint 或 OneDrive Business 文档库。User establishes a sync relationship and successfully uploads files for the first time from their computer to a SharePoint or OneDrive for Business document library.
FileSyncUploadedPartialFileSyncUploadedPartial 用户成功上传对 SharePoint 或 OneDrive for Business 文档库上的文件所做的更改。User successfully uploads changes to files on a SharePoint or OneDrive for Business document library. 此事件表明对文档库文件的本地版本所做的任何更改都已成功上传到文档库。This event indicates that any changes made to the local version of a file from a document library are successfully uploaded to the document library. 仅上传更改,因为用户先前已上传这些文件(如 FileSyncUploadedFull 事件所示)。Only changes are unloaded because those files were previously uploaded by the user (as indicated by the FileSyncUploadedFull event).
FileUploadedFileUploaded 用户将文档上传到 SharePoint 或 OneDrive for Business 网站上的文件夹。User uploads a document to a folder on a SharePoint or OneDrive for Business site.
FileViewedFileViewed 此事件已被 FileAccessed 事件取代,并且已弃用。This event has been replaced by the FileAccessed event, and has been deprecated.
FolderCopiedFolderCopied 用户将文件夹从 SharePoint 或 OneDrive for Business 网站复制到 SharePoint 或 OneDrive for Business 的其他位置。User copies a folder from a SharePoint or OneDrive for Business site to another location in SharePoint or OneDrive for Business.
FolderCreatedFolderCreated 用户在 SharePoint 或 OneDrive for Business 网站上创建文件夹。User creates a folder on a SharePoint or OneDrive for Business site.
FolderDeletedFolderDeleted 用户从 SharePoint 或 OneDrive for Business 网站删除文件夹。User deletes a folder from a SharePoint or OneDrive for Business site.
FolderDeletedFirstStageRecycleBinFolderDeletedFirstStageRecycleBin 用户从 SharePoint 或 OneDrive for Business 网站上的回收站删除文件夹。User deletes a folder from the recycle bin on a SharePoint or OneDrive for Business site .
FolderDeletedSecondStageRecycleBinFolderDeletedSecondStageRecycleBin 用户从 SharePoint 或 OneDrive for Business 网站上的第二阶段回收站删除文件夹。User deletes a folder from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FolderModifiedFolderModified 用户在 SharePoint 或 OneDrive for Business 网站上修改文件夹。User modifies a folder on a SharePoint or OneDrive for Business site. 此事件包含文件夹元数据更改,如标签和属性。This event includes folder metadata changes, such as tags and properties.
FolderMovedFolderMoved 用户从 SharePoint 或 OneDrive for Business 网站移动文件夹。User moves a folder from a SharePoint or OneDrive for Business site.
FolderRenamedFolderRenamed 用户在 SharePoint 或 OneDrive for Business 网站上重命名文件夹。User renames a folder on a SharePoint or OneDrive for Business site.
FolderRestoredFolderRestored 用户从 SharePoint 或 OneDrive for Business 网站上的回收站恢复文件夹。User restores a folder from the Recycle Bin on a SharePoint or OneDrive for Business site.
GroupAddedGroupAdded 网站管理员或所有者为 SharePoint 或 OneDrive for Business 网站创建组,或者执行导致创建组的任务。Site administrator or owner creates a group for a SharePoint or OneDrive for Business site, or performs a task that results in a group being created. 例如,当用户首次创建共享文件的链接时,系统组会被添加到用户的 OneDrive for Business 网站中。For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. 此事件也可以是用户使用编辑权限创建共享文件链接的结果。This event can also be a result of a user creating a link with edit permissions to a shared file.
GroupRemovedGroupRemoved 用户从 SharePoint 或 OneDrive for Business 网站删除组。User deletes a group from a SharePoint or OneDrive for Business site.
GroupUpdatedGroupUpdated 网站管理员或所有者更改 SharePoint 或 OneDrive for Business 网站的组设置。Site administrator or owner changes the settings of a group for a SharePoint or OneDrive for Business site. 这可能包括更改组名、可以查看或编辑组成员身份的人员,以及成员身份请求的处理方式。This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.
LanguageAddedToTermStoreLanguageAddedToTermStore 向术语库中添加了语言。Language added to the terminology store.
LanguageRemovedFromTermStoreLanguageRemovedFromTermStore 从术语库中删除了语言。Language removed from the terminology store.
LegacyWorkflowEnabledSetLegacyWorkflowEnabledSet 网站管理员或所有者向网站添加 SharePoint 工作流任务内容类型。Site administrator or owner adds the SharePoint Workflow Task content type to the site. 全局管理员还可以在 SharePoint 管理中心中对整个组织启用工作流。Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
LookAndFeelModifiedLookAndFeelModified 用户修改快速启动、甘特图格式或组格式。User modifies a quick launch, gantt chart formats, or group formats. 或者用户在 Project Web App 中创建、修改或删除视图。Or the user creates, modifies, or deletes a view in Project Web App.
ManagedSyncClientAllowedManagedSyncClientAllowed 用户成功建立与 SharePoint 或 OneDrive for Business 网站的同步关系。User successfully establishes a sync relationship with a SharePoint or OneDrive for Business site. 同步关系之所以成功,是因为用户计算机是添加到域列表(称为“安全收件人列表”)的域成员,可以访问组织中的文档库。The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. 有关详细信息,请参阅使用 SharePoint Online PowerShell 为安全收件人列表中的域启用 OneDrive 同步。For more information, see Use SharePoint Online PowerShell to enable OneDrive sync for domains that are on the safe recipients list.
MaxQuotaModifiedMaxQuotaModified 修改了网站的最大限额。The maximum quota for a site has been modified.
MaxResourceUsageModifiedMaxResourceUsageModified 修改了网站所允许的最大资源使用量。The maximum allowable resource usage for a site has been modified.
MySitePublicEnabledSetMySitePublicEnabledSet SharePoint 管理员设置了使用户拥有公共 MySites 的标志。The flag enabling users to have public MySites has been set by the SharePoint administrator.
NewsFeedEnabledSetNewsFeedEnabledSet 网站管理员或所有者启用 SharePoint 或 OneDrive for Business 网站的 RSS 源。Site administrator or owner enables RSS feeds for a SharePoint or OneDrive for Business site. 全局管理员可以在 SharePoint 管理中心中对整个组织启用 RSS 源。Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
ODBNextUXSettingsODBNextUXSettings 已启用 OneDrive for Business 的新 UI。New UI for OneDrive for Business has been enabled.
OfficeOnDemandSetOfficeOnDemandSet 网站管理员启用 Office on Demand,允许用户访问最新版本的 Office 桌面应用程序。Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. SharePoint 管理中心启用了 Office on Demand,并需要包括全套已安装的 Office 应用程序的 Office 365 订阅。Office on Demand is enabled in the SharePoint admin center and requires an Office 365 subscription that includes full, installed Office applications.
PageViewedPageViewed 用户在 SharePoint 网站或 OneDrive for Business 网站上查看页面。User views a page on a SharePoint site or OneDrive for Business site. 这不包括在浏览器上从 SharePoint 网站或 One Drive for Business 网站查看文档库文件。This does not include viewing document library files from a SharePoint site or One Drive for Business site on a browser.
PeopleResultsScopeSetPeopleResultsScopeSet 网站管理员创建或更改 SharePoint 网站人员搜索的结果来源。Site administrator creates or changes the result source for People Searches for a SharePoint site.
PermissionSyncSettingModifiedPermissionSyncSettingModified 用户修改 Project Web App 中的项目权限同步设置。User modifies the project permission sync settings in Project Web App.
PermissionTemplateModifiedPermissionTemplateModified 用户在 Project Web App 中创建、修改或删除权限模板。User creates, modifies or deletes a permissions template in Project Web App.
PortfolioDataAccessedPortfolioDataAccessed 用户访问 Project Web App 中的项目组合内容(驱动程序库、驱动程序优先顺序、项目组合分析)。User accesses portfolio content (driver library, driver prioritization, portfolio analyses) in Project Web App.
PortfolioDataModifiedPortfolioDataModified 用户在 Project Web App 中创建、修改或删除项目组合数据(驱动程序库、驱动程序优先顺序、项目组合分析)。User creates, modifies, or deletes portfolio data (driver library, driver prioritization, portfolio analyses) in Project Web App.
PreviewModeEnabledSetPreviewModeEnabledSet 网站管理员启用 SharePoint 网站的文档预览。Site administrator enables document preview for a SharePoint site.
ProjectAccessedProjectAccessed 用户访问 Project Web App 中的项目内容。User accesses project content in Project Web App.
ProjectCheckedInProjectCheckedIn 用户签入他们从 Project Web App 中签出的项目。User checks in a project that they checked out from a Project Web App.
ProjectCheckedOutProjectCheckedOut 用户签出位于 Project Web App 的项目。User checks out a project located in a Project Web App. 用户可以签出他们有权打开的项目并对其进行更改。Users can check out and make changes to projects that they have permission to open.
ProjectCreatedProjectCreated 用户在 Project Web App 中创建项目。User creates a project in Project Web App.
ProjectDeletedProjectDeleted 用户在 Project Web App 中删除项目。User deletes a project in Project Web App.
ProjectForceCheckedInProjectForceCheckedIn 用户强制在 Project Web App 中签入项目。User forces a check in on a project in Project Web App.
ProjectModifiedProjectModified 用户在 Project Web App 中修改项目。User modifies a project in Project Web App.
ProjectPublishedProjectPublished 用户在 Project Web App 中发布项目。User publishes a project in Project Web App.
ProjectWorkflowRestartedProjectWorkflowRestarted 用户在 Project Web App 中重新启动工作流。User restarts a workflow in Project Web App.
PWASettingsAccessedPWASettingsAccessed 用户通过 CSOM 访问 Project Web App 设置。User access the Project Web App settings via CSOM.
PWASettingsModifiedPWASettingsModified 用户修改 Project Web App 配置。User modifies the a Project Web App configuration.
QueueJobStateModifiedQueueJobStateModified 用户取消或重启 Project Web App 中的队列作业。User cancels or restarts a queue job in Project Web App.
QuotaWarningEnabledModifiedQuotaWarningEnabledModified 修改了存储配额警告。Storage quota warning modified.
RenderingEnabledRenderingEnabled 启用浏览器功能的表单模板将由 InfoPath Forms Services 呈现。Browser-enabled form templates will be rendered by InfoPath forms services.
ReportingAccessedReportingAccessed 用户访问 Project Web App 中的报告终结点。User accessed the reporting endpoint in Project Web App.
ReportingSettingModifiedReportingSettingModified 用户修改 Project Web App 中的报告配置。User modifies the reporting configuration in Project Web App.
ResourceAccessedResourceAccessed 用户访问 Project Web App 中的企业资源内容。User accesses an enterprise resource content in Project Web App.
ResourceCheckedInResourceCheckedIn 用户签入他们从 Project Web App 中签出的企业资源。User checks in an enterprise resource that they checked out from Project Web App.
ResourceCheckedOutResourceCheckedOut 用户签出位于 Project Web App 的企业资源。User checks out an enterprise resource located in Project Web App.
ResourceCreatedResourceCreated 用户在 Project Web App 中创建企业资源。User creates an enterprise resource in Project Web App.
ResourceDeletedResourceDeleted 用户在 Project Web App 中删除企业资源。User deletes an enterprise resource in Project Web App.
ResourceForceCheckedInResourceForceCheckedIn 用户在 Project Web App 中强制签入企业资源。User forces a checkin of an enterprise resource in Project Web App.
ResourceModifiedResourceModified 用户在 Project Web App 中修改企业资源。User modifies an enterprise resource in Project Web App.
ResourcePlanCheckedInOrOutResourcePlanCheckedInOrOut 用户签入或签出 Project Web App 中的资源计划。User checks in or out a resource plan in Project Web App.
ResourcePlanModifiedResourcePlanModified 用户在 Project Web App 中修改资源计划。User modifies a resource plan in Project Web App.
ResourcePlanPublishedResourcePlanPublished 用户在 Project Web App 中发布资源计划。User publishes a resource plan in Project Web App.
ResourceRedactedResourceRedacted 用户在 Project Web App 中编辑企业资源,删除所有个人信息。User redacts an enterprise resource removing all personal information in Project Web App.
ResourceWarningEnabledModifiedResourceWarningEnabledModified 修改了资源配额警告。Resource quota warning modified.
SSOGroupCredentialsSetSSOGroupCredentialsSet 在 Secure Store Service 中设置了组凭据。Group credentials set in Secure store service.
SSOUserCredentialsSetSSOUserCredentialsSet 在 Secure Store Service 中设置了用户凭据。User credentials set in Secure store service.
SearchCenterUrlSetSearchCenterUrlSet 设置了搜索中心 URL。Search center URL set.
SecondaryMySiteOwnerSetSecondaryMySiteOwnerSet 用户向其 MySite 添加了第二所有者。A user has added a secondary owner to their MySite.
SecurityCategoryModifiedSecurityCategoryModified 用户在 Project Web App 中创建、修改或删除安全类别。User creates, modifies or deletes a security category in Project Web App.
SecurityGroupModifiedSecurityGroupModified 用户在 Project Web App 中创建、修改或删除安全组。User creates, modifies or deletes a security group in Project Web App.
SendToConnectionAddedSendToConnectionAdded 全局管理员在 SharePoint 管理中心中的“记录管理”页上创建新“发送至”连接。Global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. “发送至”连接指定文档存储库或记录中心设置。A Send To connection specifies settings for a document repository or a records center. 创建“收件人”连接时,内容管理器可以将文档提交到指定位置。When you create a Send To connection, a Content Organizer can submit documents to the specified location.
SendToConnectionRemovedSendToConnectionRemoved 全局管理员在 SharePoint 管理中心的“记录管理”页上删除“发送至”连接。Global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
SharedLinkCreatedSharedLinkCreated 用户在 SharePoint 或 OneDrive for Business 中创建共享文件的链接。User creates a link to a shared file in SharePoint or OneDrive for Business. 此链接可以发送给其他人,以便授予其对文件的访问权限。This link can be sent to other people to give them access to the file. 用户可创建两个类型的链接:允许用户查看和编辑共享文件的链接,或仅允许用户查看文件的链接。A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file.
SharedLinkDisabledSharedLinkDisabled 用户禁用(永久)为共享文件而创建的链接。User disables (permanently) a link that was created to share a file.
SharingInvitationAccepted*SharingInvitationAccepted* 用户接受共享文件或文件夹的邀请。User accepts an invitation to share a file or folder. 当用户与其他用户共享文件时,将记录此事件。This event is logged when a user shares a file with other users.
SharingRevokedSharingRevoked 用户取消共享以前与其他用户共享的文件或文件夹。当用户停止与其他用户共享文件时,会记录此事件。User unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users.
SharingSetSharingSet 用户与组织内的其他用户共享位于 SharePoint 或 OneDrive for Business 中的文件或文件夹。User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization.
SiteAdminChangeRequestSiteAdminChangeRequest 用户请求添加为 SharePoint 网站集的网站集管理员。User requests to be added as a site collection administrator for a SharePoint site collection. 网站集管理员具有网站集和所有子网站的完全控制权限。Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionAdminAdded*SiteCollectionAdminAdded* 网站集管理员或所有者添加人员,作为 SharePoint 或 OneDrive for Business 网站的网站集管理员。Site collection administrator or owner adds a person as a site collection administrator for a SharePoint or OneDrive for Business site. 网站集管理员具有网站集和所有子网站的完全控制权限。Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionCreatedSiteCollectionCreated 全局管理员在 SharePoint 组织中创建新的网站集。Global administrator creates a new site collection in your SharePoint organization.
SiteRenamedSiteRenamed 网站管理员或所有者重命名 SharePoint 或 OneDrive for Business 网站Site administrator or owner renames a SharePoint or OneDrive for Business site
StatusReportModifiedStatusReportModified 用户在 Project Web App 中创建、修改或删除状态报告。User creates, modifies or deletes a status report in Project Web App.
SyncGetChangesSyncGetChanges 用户在 SharePoint 或 OneDrive for Business 的操作任务栏中单击“同步”,以便将对文档库中的文件所做的任何更改都同步到他们的计算机。User clicks Sync in the action tray on in SharePoint or OneDrive for Business to synchronize any changes to file in a document library to their computer.
TaskStatusAccessedTaskStatusAccessed 用户在 Project Web App 中访问一个或多个任务的状态。User accesses the status of one or more tasks in Project Web App.
TaskStatusApprovedTaskStatusApproved 用户在 Project Web App 中批准一个或多个任务的状态更新。User approves a status update of one or more tasks in Project Web App.
TaskStatusRejectedTaskStatusRejected 用户在 Project Web App 中拒绝一个或多个任务的状态更新。User rejects a status update of one or more tasks in Project Web App.
TaskStatusSavedTaskStatusSaved 用户在 Project Web App 中保存一个或多个任务的状态更新。User saves a status update of one or more tasks in Project Web App.
TaskStatusSubmittedTaskStatusSubmitted 用户在 Project Web App 中提交一个或多个任务的状态更新。User submits a status update of one or more tasks in Project Web App.
TimesheetAccessedTimesheetAccessed 用户访问 Project Web App 中的时间表。User accesses a timesheet in Project Web App.
TimesheetApprovedTimesheetApproved 用户审批 Project Web App 中的时间表。User approves timesheet in Project Web App.
TimesheetRejectedTimesheetRejected 用户拒绝 Project Web App 中的时间表。User rejects a timesheet in Project Web App.
TimesheetSavedTimesheetSaved 用户保存 Project Web App 中的时间表。User saves a timesheet in Project Web App.
TimesheetSubmittedTimesheetSubmitted 用户在 Project Web App 中提交状态时间表。User submits a status timesheet in Project Web App.
UnmanagedSyncClientBlockedUnmanagedSyncClientBlocked 用户尝试从不是组织域成员或者是尚未添加到可访问组织文档库的域列表(称为“安全收件人列表”)的域成员的计算机与 SharePoint 或 OneDrive for Business 网站建立同步关系。User tries to establish a sync relationship with a SharePoint or OneDrive for Business site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. 不允许同步关系,并阻止用户计算机在文档库上同步、下载或上传文件。The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. 有关此功能的信息,请参阅使用 Windows PowerShell cmdlet 为安全收件人列表中的域启用 OneDrive 同步For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
UpdateSSOApplicationUpdateSSOApplication Secure Store Service 中更新了目标应用程序。Target application updated in Secure store service.
UserAddedToGroupUserAddedToGroup 网站管理员或所有者向 SharePoint 或 OneDrive for Business 网站上的组添加人员。Site administrator or owner adds a person to a group on a SharePoint or OneDrive for Business site. 向组添加人员授予用户已分配给组的权限。Adding a person to a group grants the user the permissions that were assigned to the group.
UserRemovedFromGroupUserRemovedFromGroup 网站管理员或所有者从 SharePoint 或 OneDrive for Business 网站上的组删除人员。Site administrator or owner removes a person from a group on a SharePoint or OneDrive for Business site. 删除该人员后,不再向其授予已分配给组的权限。After the person is removed, they no longer are granted the permissions that were assigned to the group.
WorkflowModifiedWorkflowModified 用户在 Project Web App 中创建、修改或删除 Enterprise Project 类型或 Workflow 阶段。User creates, modifies, or deletes an Enterprise Project Type or Workflow phases or stages in Project Web App.

SharePoint file operations

The file-related SharePoint events listed in the "File and folder activities" section of Search the audit log in the Security & Compliance Center use this schema.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| SiteUrl | Edm.String | Yes | The URL of the site where the file or folder accessed by the user is located. |
| SourceRelativeUrl | Edm.String | No | The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, SourceRelativeURL, and SourceFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user. |
| SourceFileName | Edm.String | Yes | The name of the file or folder accessed by the user. |
| SourceFileExtension | Edm.String | No | The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. |
| DestinationRelativeUrl | Edm.String | No | The URL of the destination folder where a file is copied or moved. The combination of the values for the SiteURL, DestinationRelativeURL, and DestinationFileName parameters is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for FileCopied and FileMoved events. |
| DestinationFileName | Edm.String | No | The name of the file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. |
| DestinationFileExtension | Edm.String | No | The file extension of a file that is copied or moved. This property is displayed only for FileCopied and FileMoved events. |
| UserSharedWith | Edm.String | No | The user that a resource was shared with. |
| SharingType | Edm.String | No | The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter. |

SharePoint Sharing schema

The file sharing-related SharePoint events. They differ from file- and folder-related events in that the user is taking an action that has some effect on another user. For information about the SharePoint Sharing schema, see Use sharing auditing in the Office 365 audit log.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| TargetUserOrGroupName | Edm.String | No | Stores the UPN or name of the target user or group that a resource was shared with. |
| TargetUserOrGroupType | Edm.String | No | Identifies whether the target user or group is a Member, Guest, Group, or Partner. |
| EventData | XML code | No | Conveys follow-up information about the sharing action that has occurred, such as adding a user to a group or granting edit permissions. |
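An added example (not from this page or from Microsoft) that applies the file operations and Sharing tables above to constructed audit records: it checks the mandatory file-operation parameters, verifies the ObjectId path relationship described under SourceRelativeUrl and DestinationRelativeUrl, and flags sharing events whose TargetUserOrGroupType is Guest or Partner together with UnmanagedSyncClientBlocked records. The tenant, user names, paths and the "/" join convention for ObjectId are assumptions.

```python
"""Schema checks and defender triage over Office 365 Management Activity API
SharePoint records. Every sample record below is a constructed placeholder."""
import json
from dataclasses import dataclass

# Operations carrying the "SharePoint file operations" schema (subset of the page's list).
FILE_OPERATIONS = {
    "FileAccessed", "FileCopied", "FileDeleted", "FileDownloaded", "FileModified",
    "FileMoved", "FileUploaded", "FolderCreated", "FolderDeleted", "FolderMoved",
}
# Operations carrying the "SharePoint Sharing" schema (subset of the page's list).
SHARING_OPERATIONS = {
    "SharingSet", "SharingInvitationAccepted", "SharingRevoked",
    "SharedLinkCreated", "AccessInvitationCreated",
}
# Parameters the file operations table marks as mandatory.
FILE_MANDATORY = ("SiteUrl", "SourceFileName")
# TargetUserOrGroupType values that denote a principal outside the tenant.
EXTERNAL_TARGET_TYPES = {"Guest", "Partner"}


def join_path(*parts):
    """Join URL segments with single '/' separators, skipping empty segments.
    The page says SiteUrl + SourceRelativeUrl + SourceFileName equals ObjectId;
    the '/' join convention used here is an assumption."""
    return "/".join(p.strip("/") for p in parts if p)


@dataclass
class Finding:
    operation: str
    user: str
    object_id: str
    reason: str


def check_record(rec):
    """Return the Findings for one audit record (an empty list means nothing to report)."""
    findings = []
    op = rec.get("Operation", "")
    user = rec.get("UserId", "")
    obj = rec.get("ObjectId", "")

    if op in FILE_OPERATIONS:
        missing = [k for k in FILE_MANDATORY if not rec.get(k)]
        if missing:
            findings.append(Finding(op, user, obj, f"missing mandatory field(s): {missing}"))
        else:
            # ObjectId should equal the source path; for copy/move the page also
            # describes it as the destination path, so accept either form.
            candidates = {join_path(rec["SiteUrl"], rec.get("SourceRelativeUrl", ""),
                                    rec["SourceFileName"])}
            if op in ("FileCopied", "FileMoved"):
                if rec.get("DestinationFileName"):
                    candidates.add(join_path(rec["SiteUrl"], rec.get("DestinationRelativeUrl", ""),
                                             rec["DestinationFileName"]))
                else:
                    findings.append(Finding(op, user, obj, "copy/move record lacks DestinationFileName"))
            if obj.rstrip("/") not in candidates:
                findings.append(Finding(op, user, obj,
                                        f"ObjectId does not match site + relative URL + file name {sorted(candidates)}"))
            ext = rec.get("SourceFileExtension")
            if ext and not rec["SourceFileName"].endswith("." + ext):
                findings.append(Finding(op, user, obj, f"SourceFileExtension '{ext}' disagrees with SourceFileName"))

    if op in SHARING_OPERATIONS and rec.get("TargetUserOrGroupType") in EXTERNAL_TARGET_TYPES:
        findings.append(Finding(op, user, obj,
                                f"shared with external {rec['TargetUserOrGroupType']} "
                                f"{rec.get('TargetUserOrGroupName', '?')}"))

    if op == "UnmanagedSyncClientBlocked":
        findings.append(Finding(op, user, obj, "sync attempt from a computer outside the safe recipients list"))
    return findings


def triage(raw_json):
    """Parse a JSON array of records (one content blob) and check every record."""
    findings = []
    for rec in json.loads(raw_json):
        findings.extend(check_record(rec))
    return findings


# Constructed sample blob: placeholder tenant, users and paths (not real data).
SITE = "https://contoso.sharepoint.com/sites/finance/"
SAMPLE_BLOB = json.dumps([
    {"Operation": "FileDownloaded", "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "SiteUrl": SITE, "SourceRelativeUrl": "Shared Documents/Q3", "SourceFileName": "budget.xlsx",
     "SourceFileExtension": "xlsx", "ObjectId": SITE + "Shared Documents/Q3/budget.xlsx"},
    {"Operation": "FileMoved", "Workload": "SharePoint", "UserId": "bob@contoso.example",
     "SiteUrl": SITE, "SourceRelativeUrl": "Shared Documents", "SourceFileName": "plan.docx",
     "DestinationRelativeUrl": "Archive", "ObjectId": SITE + "Shared Documents/old/plan.docx"},
    {"Operation": "SharingSet", "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": SITE + "Shared Documents/Q3/budget.xlsx",
     "TargetUserOrGroupName": "partner@example.org", "TargetUserOrGroupType": "Guest"},
    {"Operation": "SharingSet", "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": SITE + "Shared Documents/Q3/budget.xlsx",
     "TargetUserOrGroupName": "carol@contoso.example", "TargetUserOrGroupType": "Member"},
    {"Operation": "UnmanagedSyncClientBlocked", "Workload": "OneDrive",
     "UserId": "dave@contoso.example", "ObjectId": SITE},
    {"Operation": "FolderCreated", "Workload": "SharePoint", "UserId": "erin@contoso.example",
     "SourceFileName": "Reports", "ObjectId": SITE + "Reports"},
])


def sample_findings():
    """Run the triage over the constructed blob."""
    return triage(SAMPLE_BLOB)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.operation:28} {f.user:24} {f.reason}")
```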

SharePoint schema

The SharePoint events listed in Search the audit log in the Security & Compliance Center (excluding the file and folder events) use this schema.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| CustomEvent | Edm.String | No | Optional string for custom events. |
| EventData | Edm.String | No | Optional payload for custom events. |
| ModifiedProperties | Collection(ModifiedProperty) | No | This property is included for admin events, such as adding a user as a member of a site or a site collection admin group. It includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such as the user who was added as a site admin), and the previous value of the modified object. |

Project schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Entity | Edm.String | Yes | The ProjectEntity the audit was for. |
| Action | Edm.String | Yes | The ProjectAction that was taken. |
| OnBehalfOfResId | Edm.Guid | No | The resource ID the action was taken on behalf of. |

Enum: Project Action - Type: Edm.Int32

Project action

| Member name | Description |
|---|---|
| Accepted | The user accepted an event or workflow. |
| Accessed | The user accessed an entity. |
| Activated | The user activated an entity, event, or workflow. |
| Cancelled | The user cancelled an event or workflow. |
| CheckedIn | The user checked in an entity. |
| CheckedOut | The user checked out an entity. |
| Copied | The user copied an entity. |
| Created | The user created an entity. |
| Deactivated | The user deactivated an entity. |
| Deleted | The user deleted an entity. |
| Exported | The user exported an entity. |
| ForceCheckedIn | The user caused an entity to be force checked in. |
| Modified | The user modified an entity. |
| Published | The user published an entity. |
| Redacted | The user redacted an entity. |
| Rejected | The user rejected an entity. |
| Restarted | The user restarted an event or workflow. |
| Saved | The user saved an entity. |
| Sent | The user sent an entity. |
| Submitted | The user submitted an entity for review or workflow. |

Enum: Project Entity - Type: Edm.Int32

Project entity

| Member name | Description |
|---|---|
| CustomField | Represents an enterprise custom field. |
| Driver | Represents a portfolio driver. |
| DriverPrioritization | Represents a portfolio prioritization. |
| Engagement | Represents a resource engagement. |
| EnterpriseCalendar | Represents an enterprise resource calendar. |
| EnterpriseProjectType | Represents an enterprise project type. |
| FiscalPeriod | Represents a fiscal period. |
| GanttChartFormat | Represents a Gantt chart format. |
| GroupingFormat | Represents a view grouping format. |
| LineClassification | Represents a timesheet line classification. |
| LookupTable | Represents an enterprise lookup table. |
| PermissionTemplate | Represents a security permission template. |
| PortfolioAnalysis | Represents a portfolio analysis. |
| Project | Represents a project. |
| QueueJob | Represents a queue job. |
| QuickLaunch | Represents a quick launch item. |
| Reporting | Represents the reporting endpoint. |
| Resource | Represents an enterprise resource. |
| ResourcePlan | Represents a resource plan associated with a project. |
| SecurityCategory | Represents a security category. |
| SecurityGroup | Represents a security group. |
| Setting | Represents a Project Web App setting. |
| Statusing | Represents a task status update. |
| StatusReport | Represents a status report. |
| TimeReportingPeriod | Represents a period of time for a timesheet. |
| Timesheet | Represents a timesheet entity. |
| TimesheetAuditLog | Represents a timesheet audit log. |
| TimesheetManager | Represents the manager of a timesheet. |
| UserDelegate | Represents a user delegation for another user. |
| View | Represents a view definition. |
| WorkflowPhase | Represents a phase in a workflow. |
| WorkflowStage | Represents a stage in a workflow. |

Exchange Admin schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| ModifiedObjectResolvedName | Edm.String | No | This is the user-friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object. |
| Parameters | Collection(Common.NameValuePair) | No | The name and value for all parameters that were used with the cmdlet that is identified in the Operations property. |
| ModifiedProperties | Collection(Common.ModifiedProperty) | No | The property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified object. |
| ExternalAccess | Edm.Boolean | Yes | Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. |
| OriginatingServer | Edm.String | No | The name of the server from which the cmdlet was executed. |
| OrganizationName | Edm.String | No | The name of the tenant. |

Exchange Mailbox schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| LogonType | Self.LogonType | No | Indicates the type of user who accessed the mailbox and performed the operation that was logged. |
| InternalLogonType | Self.LogonType | No | Reserved for internal use. |
| MailboxGuid | Edm.String | No | The Exchange GUID of the mailbox that was accessed. |
| MailboxOwnerUPN | Edm.String | No | The email address of the person who owns the mailbox that was accessed. |
| MailboxOwnerSid | Edm.String | No | The SID of the mailbox owner. |
| MailboxOwnerMasterAccountSid | Edm.String | No | The master account SID of the mailbox owner's account. |
| LogonUserSid | Edm.String | No | The SID of the user who performed the operation. |
| LogonUserDisplayName | Edm.String | No | The user-friendly name of the user who performed the operation. |
| ExternalAccess | Edm.Boolean | Yes | This is true if the logon user's domain is different from the mailbox owner's domain. |
| OriginatingServer | Edm.String | No | This is where the operation originated from. |
| OrganizationName | Edm.String | No | The name of the tenant. |
| ClientInfoString | Edm.String | No | Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
| ClientIPAddress | Edm.String | No | The IP address of the device that was used when the operation was logged. The IP address is displayed in either IPv4 or IPv6 address format. |
| ClientMachineName | Edm.String | No | The machine name that hosts the Outlook client. |
| ClientProcessName | Edm.String | No | The email client that was used to access the mailbox. |
| ClientVersion | Edm.String | No | The version of the email client. |

Enum: LogonType - Type: Edm.Int32

LogonType

| Value | Member name | Description |
|---|---|---|
| 0 | Owner | The mailbox owner. |
| 1 | Admin | A person with administrative privileges for someone's mailbox. |
| 2 | Delegated | A person with delegate privileges for someone's mailbox. |
| 3 | Transport | A transport service in the Microsoft datacenter. |
| 4 | SystemService | A service account in the Microsoft datacenter. |
| 5 | BestAccess | Reserved for internal use. |
| 6 | DelegatedAdmin | A delegated administrator. |

ExchangeMailboxAuditGroupRecord schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Folder | Self.ExchangeFolder | No | The folder where a group of items is located. |
| CrossMailboxOperations | Edm.Boolean | No | Indicates if the operation involved more than one mailbox. |
| DestMailboxId | Edm.Guid | No | Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID. |
| DestMailboxOwnerUPN | Edm.String | No | Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox. |
| DestMailboxOwnerSid | Edm.String | No | Set only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox. |
| DestMailboxOwnerMasterAccountSid | Edm.String | No | Set only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner. |
| DestFolder | Self.ExchangeFolder | No | The destination folder, for operations such as Move. |
| Folders | Collection(Self.ExchangeFolder) | No | Information about the source folders involved in an operation; for example, if folders are selected and then deleted. |
| AffectedItems | Collection(Self.ExchangeItem) | No | Information about each item in the group. |

ExchangeMailboxAuditRecord schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Item | Self.ExchangeItem | No | Represents the item upon which the operation was performed. |
| ModifiedProperties | Collection(Edm.String) | No | TBD |
| SendAsUserSmtp | Edm.String | No | SMTP address of the user who is being impersonated. |
| SendAsUserMailboxGuid | Edm.Guid | No | The Exchange GUID of the mailbox that was accessed to send email as. |
| SendOnBehalfOfUserSmtp | Edm.String | No | SMTP address of the user on whose behalf the email is sent. |
| SendOnBehalfOfUserMailboxGuid | Edm.Guid | No | The Exchange GUID of the mailbox that was accessed to send mail on behalf of. |

ExchangeItem complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Id | Edm.String | Yes | The store ID. |
| Subject | Edm.String | No | The subject line of the message that was accessed. |
| ParentFolder | Edm.ExchangeFolder | No | The name of the folder where the item is located. |
| Attachments | Edm.String | No | A list of the names and file sizes of all items that are attached to the message. |

ExchangeFolder complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Id | Edm.String | Yes | The store ID of the folder object. |
| Path | Edm.String | No | The name of the mailbox folder where the message that was accessed is located. |
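As an added example (not code from the page or from Microsoft), the following Python triages records that carry the Exchange Mailbox schema, the LogonType enum, and the ExchangeMailboxAuditGroupRecord, ExchangeMailboxAuditRecord and ExchangeFolder fields described above, flagging anything other than the owner acting on their own mailbox. The records are constructed samples, and their Operation values are not defined on this page.

```python
"""Flag non-owner mailbox activity in Exchange mailbox audit records.
Added example, not code from the page or from Microsoft. Uses the Exchange Mailbox
schema, the LogonType enum and the group/single-item audit record fields described
above. The records at the bottom are constructed samples."""

LOGON_TYPE = {0: "Owner", 1: "Admin", 2: "Delegated", 3: "Transport",
              4: "SystemService", 5: "BestAccess", 6: "DelegatedAdmin"}


def logon_type_name(value) -> str:
    """Normalize LogonType, which may arrive as the Edm.Int32 value or the member name."""
    if isinstance(value, int):
        return LOGON_TYPE.get(value, f"Unknown({value})")
    return str(value)


def folder_path(folder) -> str:
    """Path of an ExchangeFolder, or its store Id when no Path is present."""
    if not folder:
        return "?"
    return folder.get("Path") or folder.get("Id", "?")


def triage_mailbox_record(record: dict) -> list:
    """Return human-readable findings for one mailbox audit record; an empty list means
    routine owner activity. Findings carry subjects and folder paths, never bodies."""
    findings = []
    owner = record.get("MailboxOwnerUPN")
    actor = record.get("LogonUserDisplayName") or record.get("UserId") or record.get("LogonUserSid")
    logon = logon_type_name(record.get("LogonType"))
    op = record.get("Operation", "?")
    client = record.get("ClientInfoString") or record.get("ClientProcessName") or "unknown client"
    where = f"from {record.get('ClientIPAddress', '?')} via {client}"

    if logon != "Owner":
        findings.append(f"{logon} logon: {actor} performed {op} on {owner}'s mailbox {where}")
    # ExternalAccess is true when the logon user's domain differs from the owner's domain.
    if record.get("ExternalAccess") is True:
        findings.append(f"cross-domain access to {owner} by {actor}")
    # SendAs / SendOnBehalf identify whose identity the message went out under.
    if record.get("SendAsUserSmtp"):
        findings.append(f"{actor} sent mail as {record['SendAsUserSmtp']}")
    if record.get("SendOnBehalfOfUserSmtp"):
        findings.append(f"{actor} sent mail on behalf of {record['SendOnBehalfOfUserSmtp']}")
    # Group records: items moved or copied into a different owner's mailbox deserve review.
    if record.get("CrossMailboxOperations") and record.get("DestMailboxOwnerUPN") != owner:
        count = len(record.get("AffectedItems", []))
        findings.append(f"cross-mailbox {op} of {count} item(s) from {owner} into "
                        f"{record.get('DestMailboxOwnerUPN')}:{folder_path(record.get('DestFolder'))}")
    # Single-item records: name the item the non-owner touched.
    item = record.get("Item")
    if item and logon != "Owner":
        findings.append(f"item '{item.get('Subject', '')}' in {folder_path(item.get('ParentFolder'))}")
    return findings


# Constructed sample records (not real API output).
SAMPLE_RECORDS = [
    {"Operation": "MailItemsAccessed", "UserId": "alice@contoso.example", "LogonType": 0,
     "MailboxOwnerUPN": "alice@contoso.example", "ExternalAccess": False,
     "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA"},
    {"Operation": "SendAs", "UserId": "assistant@contoso.example", "LogonType": 2,
     "LogonUserDisplayName": "Pat Assistant", "MailboxOwnerUPN": "ceo@contoso.example",
     "ExternalAccess": False, "SendAsUserSmtp": "ceo@contoso.example",
     "ClientIPAddress": "203.0.113.11", "ClientProcessName": "Outlook",
     "Item": {"Id": "item-1", "Subject": "Wire instructions",
              "ParentFolder": {"Id": "f1", "Path": "\\Sent Items"}}},
    {"Operation": "Move", "UserId": "admin@partner.example", "LogonType": "Admin",
     "MailboxOwnerUPN": "alice@contoso.example", "ExternalAccess": True,
     "CrossMailboxOperations": True, "DestMailboxOwnerUPN": "admin@partner.example",
     "DestFolder": {"Id": "f9", "Path": "\\Inbox\\Collected"},
     "AffectedItems": [{"Id": "i1", "Subject": "Contract"}, {"Id": "i2", "Subject": "Payroll"}],
     "ClientIPAddress": "198.51.100.7", "ClientInfoString": "Client=MSExchangeRPC"},
]
```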

Azure Active Directory Base schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| AzureActiveDirectoryEventType | Self.AzureActiveDirectoryEventType | Yes | The type of Azure AD event. |
| ExtendedProperties | Collection(Common.NameValuePair) | No | The extended properties of the Azure AD event. |
| ModifiedProperties | Collection(Common.ModifiedProperty) | No | This property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property. |

Enum: AzureActiveDirectoryEventType - Type: Edm.Int32

AzureActiveDirectoryEventType

| Member name | Description |
|---|---|
| AccountLogon | The account login event. |
| AzureApplicationAuditEvent | The Azure application security event. |

Azure Active Directory Account Logon schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Application | Edm.String | No | The application that triggers the account login event, such as Office 15. |
| Client | Edm.String | No | Details about the client device, device OS, and device browser that was used for the account login event. |
| LoginStatus | Edm.Int32 | Yes | This property comes directly from OrgIdLogon.LoginStatus. The mapping of various interesting logon failures could be done by alerting algorithms. |
| UserDomain | Edm.String | Yes | The Tenant Identity Information (TII). |

Enum: CredentialType - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| -1 | Other | Other authentication. |
| 0 | Password | User credential is username and password. |
| 1 | MobilePhone | User credential is mobile phone. |
| 2 | SecretQuestion | User credential is secret question. |
| 3 | SecurePin | User credential is secure PIN. |
| 4 | SecurePinReset | User credential is secure PIN reset. |
| 11 | EasyID | User credential is EasyID. |
| 14 | PasswordIndexCredentialType | User credential is PasswordIndexCredentialType. |
| 16 | Device | User credential is a device. |
| 17 | ForeignRealmIndex | User credential is ForeignRealmIndex. |

Enum: LoginType - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| -1 | Other | Other login type. |
| 1 | InitialAuth | Login with initial authentication. |
| 2 | CookieCopy | Login with cookie. |
| 3 | SilentReAuth | Login with silent re-authentication. |

Enum: AuthenticationMethod - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| 0 | Min | The authentication method is Min. |
| 1 | Password | The authentication method is a password. |
| 2 | Digest | The authentication method is a digest. |
| 3 | ProxyAuth | The authentication method is ProxyAuth. |
| 4 | InfoCard | The authentication method is an InfoCard. |
| 5 | DAToken | The authentication method is a DAToken. |
| 6 | Sha1RememberMyPassword | The authentication method is Sha1RememberMyPassword. |
| 7 | LMPasswordHash | The authentication method is an LMPasswordHash. |
| 8 | ADFSFederatedToken | The authentication method is an ADFSFederatedToken. |
| 9 | EID | The authentication method is an EID. |
| 10 | DeviceID | The authentication method is a DeviceID. |
| 11 | MD5 | The authentication method is MD5. |
| 12 | EncProxyPasswordHash | The authentication method is an EncProxyPasswordHash. |
| 13 | LWAFederation | The authentication method is LWAFederation. |
| 14 | Sha1HashedPassword | The authentication method is a Sha1HashedPassword. |
| 15 | SecurePin | The authentication method is a secure PIN. |
| 16 | SecurePinReset | The authentication method is a secure PIN reset. |
| 17 | SAML20PostSimpleSign | The authentication method is SAML20PostSimpleSign. |
| 18 | SAML20Post | The authentication method is SAML20Post. |
| 19 | OneTimeCode | The authentication method is a one-time code. |

Azure Active Directory schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Actor | Collection(Self.IdentityTypeValuePair) | No | The user or service principal that performed the action. |
| ActorContextId | Edm.String | No | The GUID of the organization that the actor belongs to. |
| ActorIpAddress | Edm.String | No | The actor's IP address in IPv4 or IPv6 address format. |
| InterSystemsId | Edm.String | No | The GUID that tracks the actions across components within the Office 365 service. |
| IntraSystemsId | Edm.String | No | The GUID that is generated by Azure Active Directory to track the action. |
| SupportTicketId | Edm.String | No | The customer support ticket ID for the action in "act-on-behalf-of" situations. |
| Target | Collection(Self.IdentityTypeValuePair) | No | The user that the action (identified by the Operation property) was performed on. |
| TargetContextId | Edm.String | No | The GUID of the organization that the targeted user belongs to. |

IdentityTypeValuePair complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| ID | Edm.String | Yes | The value of the identity, given the type. |
| Type | Self.IdentityType | Yes | The type of the identity. |

Enum: IdentityType - Type: Edm.Int32

IdentityType

| Member name | Description |
|---|---|
| Claim | The identity is a claim for authorization purposes. |
| Name | The display name of the audit action actor or target identity. |
| Other | The identity of the actor is another type, such as the ObjectId in GUID form generated by the Office 365 service. |
| PUID | The passport unique ID (PUID) of the audit action actor or target. |
| SPN | The identity of a service principal, if the action is performed by the Office 365 service. |
| UPN | The user principal name. |

Azure Active Directory Secure Token Service (STS) Logon schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| ApplicationId | Edm.String | No | The GUID that represents the application that is requesting the login. The display name can be looked up via the Azure Active Directory Graph API. |
| Client | Edm.String | No | Client device information, provided by the browser performing the login. |
| ErrorCode | Edm.String | No | For failed logins (where the value of the Operation property is UserLoginFailed), this property contains the Azure Active Directory STS (AADSTS) error code. For descriptions of these error codes, see Authentication and authorization error codes. A value of 0 indicates a successful login. |
| LogonError | Edm.String | No | For failed logins, this property contains a user-readable description of the reason for the failed login. |

DLP schema

DLP events are available for Exchange Online, SharePoint Online, and OneDrive for Business. Note that DLP events in Exchange are only available for events based on a unified DLP policy (for example, one configured via the Security & Compliance Center). DLP events based on Exchange Transport Rules are not supported.

DLP (Data Loss Prevention) events will always have UserKey="DlpAgent" in the common schema. There are three types of DlpEvents that are stored as the value of the Operation property of the common schema:

  • DlpRuleMatch - This indicates a rule was matched. These events exist in Exchange as well as in SharePoint Online and OneDrive for Business. For Exchange it includes false positive and override information. For SharePoint Online and OneDrive for Business, false positives and overrides generate separate events.

  • DlpRuleUndo - These only exist in SharePoint Online and OneDrive for Business, and indicate that a previously applied policy action has been "undone", either because of a false positive/override designation by the user, or because the document is no longer subject to the policy (due to a policy change or a change to the content of the document).

  • DlpInfo - These only exist in SharePoint Online and OneDrive for Business, and indicate a false positive designation where no action was "undone".

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| SharePointMetaData | Self.SharePointMetadata | No | Describes metadata about the document in SharePoint or OneDrive for Business that contained the sensitive information. |
| ExchangeMetaData | Self.ExchangeMetadata | No | Describes metadata about the email message that contained the sensitive information. |
| ExceptionInfo | Edm.String | No | Identifies reasons why a policy no longer applies and/or any information about a false positive and/or override noted by the end user. |
| PolicyDetails | Collection(Self.PolicyDetails) | Yes | Information about one or more policies that triggered the DLP event. |
| SensitiveInfoDetectionIsIncluded | Boolean | Yes | Indicates whether the event contains the value of the sensitive data type and surrounding context from the source content. Accessing sensitive data requires the "Read DLP policy events including sensitive details" permission in Azure Active Directory. |

SharePointMetadata complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| From | Edm.String | Yes | The user who triggered the event. This will be either the FileOwner, LastModifier, or LastSharer. |
| itemCreationTime | Edm.Date | Yes | Datetime stamp in UTC of when the event was logged. |
| SiteCollectionGuid | Edm.Guid | Yes | The GUID of the site collection. |
| SiteCollectionUrl | Edm.String | Yes | Name of the SharePoint site. |
| FileName | Edm.String | Yes | Name of the path. |
| FileOwner | Edm.String | Yes | The document owner. |
| FilePathUrl | Edm.String | Yes | The URL of the document. |
| DocumentLastModifier | Edm.String | Yes | The user who last modified the document. |
| DocumentSharer | Edm.String | Yes | The user who last modified sharing of the document. |
| UniqueId | Edm.String | Yes | A GUID that identifies the file. |
| LastModifiedTime | Edm.DateTime | Yes | Timestamp in UTC of when the document was last modified. |

ExchangeMetadata complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| MessageID | Edm.String | Yes | The message ID of the email that triggered the event. |
| From | Edm.String | Yes | The user who sent the email. |
| To | Collection(Edm.String) | No | A collection of email addresses that were on the To line of the message. |
| CC | Collection(Edm.String) | No | A collection of email addresses that were on the CC line of the message. |
| BCC | Collection(Edm.String) | No | A collection of email addresses that were on the BCC line of the message. |
| Subject | Edm.String | Yes | Subject of the email message. |
| Sent | Edm.DateTime | Yes | The time in UTC when the email was sent. |
| RecipientCount | Edm.Int32 | Yes | The total number of all recipients on the To, CC, and BCC lines of the message. |

PolicyDetails complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| PolicyId | Edm.Guid | Yes | The GUID of the DLP policy for this event. |
| PolicyName | Edm.String | Yes | The friendly name of the DLP policy for this event. |
| Rules | Collection(Self.Rules) | Yes | Information about the rules within the policy that were matched for this event. |

Rules complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| RuleId | Edm.Guid | Yes | The GUID of the DLP rule for this event. |
| RuleName | Edm.String | Yes | The friendly name of the DLP rule for this event. |
| Actions | Collection(Edm.String) | No | A list of actions taken as a result of a DlpRuleMatch event. |
| OverriddenActions | Collection(Edm.String) | No | A list of actions previously taken that were now undone as a result of a DlpRuleUndo event. |
| Severity | Edm.String | No | The severity (Low, Medium, or High) of the rule match. |
| RuleMode | Edm.String | Yes | Indicates whether the DLP rule was set to Enforce, Audit with Notify, or Audit only. |
| ConditionsMatched | Self.ConditionsMatched | No | Details about which conditions of the rule were matched for this event. |

ConditionsMatched complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| SensitiveInformation | Collection(Self.SensitiveInformation) | No | Information about the type of sensitive information detected. |
| DocumentProperties | Collection(NameValuePair) | No | Information about document properties that triggered a rule match. |
| OtherConditions | Collection(NameValuePair) | No | A list of key-value pairs describing any other conditions that were matched. |

SensitiveInformation complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Confidence | Edm.Int | Yes | The confidence of the pattern that matched the detection. |
| Count | Edm.Int | Yes | The number of sensitive instances detected. |
| SensitiveType | Edm.Guid | Yes | A GUID that identifies the type of sensitive data detected. |
| SensitiveInformationDetections | Self.SensitiveInformationDetections | No | An array of objects that contain sensitive information data with the following details: the matched value and the context of the matched value. |

SensitiveInformationDetections complex type

DLP sensitive data is only available in the activity feed API to users that have been granted "Read DLP sensitive data" permissions.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Detections | Collection(Self.Detections) | Yes | An array of sensitive information that was detected. The information contains key-value pairs with Value = the matched value (for example, the value of a credit card number or SSN) and Context = an excerpt from the source content that contains the matched value. |
| ResultsTruncated | Edm.Boolean | Yes | Indicates if the logs were truncated due to a large number of results. |

ExceptionInfo complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Reason | Edm.String | No | For a DlpRuleUndo event, this indicates why the rule no longer applies, which can be one of three reasons: Override, Document Change, or Policy Change. |
| FalsePositive | Edm.Boolean | No | Indicates whether the user designated this event as a false positive. |
| Justification | Edm.String | No | If the user chose to override the policy, any user-specified justification is captured here. |
| Rules | Collection(Edm.Guid) | No | A collection of GUIDs for each rule that was designated as a false positive or override, or for which an action was undone. |
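As an added example (not code from the page or from Microsoft), the following Python works through the DLP schema described above: it recognizes the three DlpEvents operations by UserKey and Operation, summarizes PolicyDetails, Rules, ConditionsMatched and ExceptionInfo for an analyst, and lists Enforce-mode matches that no later DlpRuleUndo has reversed. The records, GUIDs, policy, rule and action names are constructed samples, and ExceptionInfo is accepted both as the Edm.String the DLP schema table declares and as the parsed complex type.

```python
"""Triage DLP records from the Office 365 Management Activity API.
Added example, not code from the page or from Microsoft. The records at the bottom
are constructed samples; every GUID, policy, rule and action name in them is made up."""
import json

DLP_OPERATIONS = ("DlpRuleMatch", "DlpRuleUndo", "DlpInfo")
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def is_dlp_record(record: dict) -> bool:
    """DLP events always carry UserKey="DlpAgent" and one of the three DlpEvents operations."""
    return record.get("UserKey") == "DlpAgent" and record.get("Operation") in DLP_OPERATIONS


def exception_info(record: dict) -> dict:
    """ExceptionInfo is typed Edm.String in the table, so accept the ExceptionInfo complex
    type either as a JSON string or as an already-parsed object."""
    raw = record.get("ExceptionInfo") or {}
    if isinstance(raw, str):
        try:
            return json.loads(raw)
        except ValueError:  # a bare reason such as "Policy Change" rather than JSON
            return {"Reason": raw}
    return raw


def target_key(record: dict) -> str:
    """Identity of the item the event is about: MessageID for Exchange, the document
    UniqueId for SharePoint Online and OneDrive for Business."""
    if "ExchangeMetaData" in record:
        return "msg:" + record["ExchangeMetaData"]["MessageID"]
    return "doc:" + record["SharePointMetaData"]["UniqueId"]


def summarize(record: dict) -> dict:
    """Reduce one DLP record to what an analyst needs. Detections are counted, but the
    matched values (Detections[].Value) are deliberately not copied into the summary."""
    op = record["Operation"]
    rules = []
    for policy in record.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            sensitive = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
            found = [s.get("SensitiveInformationDetections") or {} for s in sensitive]
            rules.append({
                "policy": policy["PolicyName"], "rule": rule["RuleName"], "rule_id": rule["RuleId"],
                "mode": rule.get("RuleMode"), "severity": rule.get("Severity"),
                # Actions belong to a DlpRuleMatch; OverriddenActions to a DlpRuleUndo.
                "actions": rule.get("Actions" if op == "DlpRuleMatch" else "OverriddenActions", []),
                "sensitive_types": [(s["SensitiveType"], s["Count"], s["Confidence"]) for s in sensitive],
                # Detection payloads exist only when the caller held the sensitive-details permission.
                "detections": (sum(len(f.get("Detections", [])) for f in found)
                               if record.get("SensitiveInfoDetectionIsIncluded") else None),
                "truncated": any(f.get("ResultsTruncated") for f in found),
            })
    exc = exception_info(record)
    return {
        "operation": op, "target": target_key(record), "rules": rules,
        "max_severity": max((SEVERITY_RANK.get(r["severity"], 0) for r in rules), default=0),
        "reason": exc.get("Reason"),  # Override, Document Change or Policy Change
        "false_positive": bool(exc.get("FalsePositive")),
        "justification": exc.get("Justification"),
        # Only a DlpRuleMatch on an Enforce-mode rule actually changed anything.
        "enforced": op == "DlpRuleMatch" and any(r["mode"] == "Enforce" for r in rules),
    }


def open_enforcements(records: list) -> list:
    """(target, RuleId) pairs whose Enforce-mode match was not reversed by a later
    DlpRuleUndo that names the rule in ExceptionInfo.Rules for the same item."""
    undone = {(target_key(r), rule_id) for r in records
              if is_dlp_record(r) and r["Operation"] == "DlpRuleUndo"
              for rule_id in exception_info(r).get("Rules", [])}
    return [(target_key(r), rule["rule_id"]) for r in records
            if is_dlp_record(r) and r["Operation"] == "DlpRuleMatch"
            for rule in summarize(r)["rules"]
            if rule["mode"] == "Enforce" and (target_key(r), rule["rule_id"]) not in undone]


# Constructed sample records (not real API output).
_DOC = {"From": "alice@contoso.example", "UniqueId": "doc-0001", "FileOwner": "alice@contoso.example",
        "FilePathUrl": "https://contoso.example/sites/hr/payroll.xlsx"}
_SSN_RULE = {"RuleId": "rule-guid-1", "RuleName": "Block external sharing of SSNs", "RuleMode": "Enforce",
             "Severity": "High", "Actions": ["BlockAccess"], "OverriddenActions": ["BlockAccess"],
             "ConditionsMatched": {"SensitiveInformation": [{"SensitiveType": "type-guid-ssn", "Count": 3, "Confidence": 85}]}}
_CCN_RULE = {"RuleId": "rule-guid-2", "RuleName": "Encrypt card numbers", "RuleMode": "Enforce",
             "Severity": "Medium", "Actions": ["ApplyEncryption"],
             "ConditionsMatched": {"SensitiveInformation": [
                 {"SensitiveType": "type-guid-ccn", "Count": 2, "Confidence": 75,
                  "SensitiveInformationDetections": {"ResultsTruncated": False, "Detections": [
                      {"Value": "4111-XXXX-XXXX-1111", "Context": "card 4111-XXXX-XXXX-1111"},
                      {"Value": "5500-XXXX-XXXX-0004", "Context": "backup card 5500-XXXX-XXXX-0004"}]}}]}}
SAMPLE_RECORDS = [
    {"Operation": "DlpRuleMatch", "UserKey": "DlpAgent", "SensitiveInfoDetectionIsIncluded": False,
     "SharePointMetaData": _DOC,
     "PolicyDetails": [{"PolicyId": "policy-guid-1", "PolicyName": "US PII", "Rules": [_SSN_RULE]}]},
    {"Operation": "DlpRuleUndo", "UserKey": "DlpAgent", "SensitiveInfoDetectionIsIncluded": False,
     "SharePointMetaData": _DOC,
     "PolicyDetails": [{"PolicyId": "policy-guid-1", "PolicyName": "US PII", "Rules": [_SSN_RULE]}],
     "ExceptionInfo": json.dumps({"Reason": "Override", "FalsePositive": False,
                                  "Justification": "Approved payroll transfer", "Rules": ["rule-guid-1"]})},
    {"Operation": "DlpRuleMatch", "UserKey": "DlpAgent", "SensitiveInfoDetectionIsIncluded": True,
     "ExchangeMetaData": {"MessageID": "<msg-0001@contoso.example>", "From": "bob@contoso.example", "RecipientCount": 1},
     "PolicyDetails": [{"PolicyId": "policy-guid-2", "PolicyName": "Financial data", "Rules": [_CCN_RULE]}]},
]
```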

Security and Compliance Center schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| StartTime | Edm.Date | No | The date and time at which the cmdlet was executed. |
| ClientRequestId | Edm.String | No | A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support. |
| CmdletVersion | Edm.String | No | The build version of the cmdlet when it was executed. |
| EffectiveOrganization | Edm.String | No | The GUID for the organization impacted by the cmdlet. (Deprecated: This parameter will stop appearing in the future.) |
| UserServicePlan | Edm.String | No | The Exchange Online Protection service plan assigned to the user that executed the cmdlet. |
| ClientApplication | Edm.String | No | If the cmdlet was executed by an application, as opposed to remote PowerShell, this field contains that application's name. |
| Parameters | Edm.String | No | The name and value for parameters that were used with the cmdlet that do not include Personally Identifiable Information. |
| NonPiiParameters | Edm.String | No | The name and value for parameters that were used with the cmdlet that include Personally Identifiable Information. (Deprecated: This field will stop appearing in the future and its content will be merged with the Parameters field.) |

Security and Compliance Alerts schema

Alert signals include:

The UserId and UserKey of these events are always SecurityComplianceAlerts. There are three types of alert events, stored as the value of the Operation property of the Common schema:

  • AlertTriggered - A new alert is generated due to a policy match.

  • AlertEntityGenerated - A new entity is added to an alert. This event is only applicable to alerts generated based on alert policies in the Security & Compliance Center. Each generated alert can be associated with one or multiple of these events. For example, an alert policy is defined to trigger an alert if any user deletes more than 100 files in 5 minutes. If two users exceed the threshold around the same time, there will be two AlertEntityGenerated events but only one AlertTriggered event.

  • AlertUpdated - An update was made to the metadata of an alert. This event is logged when the status of an alert is changed (for example, from "Active" to "Resolved") and when someone adds a comment to the alert.

Parameters | Type | Mandatory | Description
AlertId | Edm.Guid | Yes | The GUID of the alert.
AlertType | Self.String | Yes | Type of the alert. Alert types include:
  • System
  • Custom
Name | Edm.String | Yes | Name of the alert.
PolicyId | Edm.Guid | No | The GUID of the policy that triggered the alert.
Status | Edm.String | No | Status of the alert. Statuses include:
  • Active
  • Investigating
  • Resolved
  • Dismissed
Severity | Edm.String | No | Severity of the alert. Severity levels include:
  • Low
  • Medium
  • High
Category | Edm.String | No | Category of the alert. Categories include:
  • AccessGovernance
  • DataGovernance
  • DataLossPrevention
  • InsiderRiskManagement
  • MailFlow
  • ThreatManagement
  • Other
Source | Edm.String | No | Source of the alert. Sources include:
  • Office 365 Security & Compliance
  • Cloud App Security
Comments | Edm.String | No | Comments left by the users who have viewed the alert. By default, it is "New alert".
Data | Edm.String | No | The detailed data blob of the alert or alert entity.
AlertEntityId | Edm.String | No | The identifier for the alert entity. This parameter is only applicable to AlertEntityGenerated events.
EntityType | Edm.String | No | Type of the alert or alert entity. Entity types include:
  • User
  • Recipients
  • Sender
  • MalwareFamily
This parameter is only applicable to AlertEntityGenerated events.

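Worked example, added here and not part of the Microsoft documentation: Python that folds the three alert operations into one summary per AlertId, using the scenario described above (two users tripping the same deletion policy, giving one AlertTriggered and two AlertEntityGenerated events, later resolved by an AlertUpdated). It assumes the records have already been fetched from the API's content blobs and parsed into dicts keyed by the schema's property names; every sample record, GUID and address below is constructed.

```python
"""Correlate Security and Compliance Alerts schema events by AlertId.

Added example; not code from Microsoft or the Management Activity API docs.
Assumes records are dicts keyed by the schema property names. Sample data,
GUIDs and addresses are constructed placeholders.
"""

# The three Operation values the schema documents for alert events.
ALERT_OPERATIONS = {"AlertTriggered", "AlertEntityGenerated", "AlertUpdated"}
ALERT_ACTOR = "SecurityComplianceAlerts"   # UserId/UserKey on every alert event
CLOSED_STATUSES = {"Resolved", "Dismissed"}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

ALERT_A = "11111111-1111-1111-1111-111111111111"  # placeholder GUID
ALERT_B = "22222222-2222-2222-2222-222222222222"  # placeholder GUID

# Constructed sample: the page's own scenario (policy: >100 deletions in
# 5 minutes) hit by two users at once -> one AlertTriggered, two
# AlertEntityGenerated; an analyst later resolves it (AlertUpdated).
# A second, still-open High alert and one ordinary audit record are included.
SAMPLE_RECORDS = [
    {"Operation": "AlertTriggered", "UserId": ALERT_ACTOR, "CreationTime": "2024-01-10T08:00:05",
     "AlertId": ALERT_A, "AlertType": "Custom", "Name": "Mass file deletion",
     "PolicyId": "33333333-3333-3333-3333-333333333333", "Status": "Active", "Severity": "Medium",
     "Category": "DataGovernance", "Source": "Office 365 Security & Compliance", "Comments": "New alert"},
    {"Operation": "AlertEntityGenerated", "UserId": ALERT_ACTOR, "CreationTime": "2024-01-10T08:00:06",
     "AlertId": ALERT_A, "AlertEntityId": "alice@example.com", "EntityType": "User", "Data": "{}"},
    {"Operation": "AlertEntityGenerated", "UserId": ALERT_ACTOR, "CreationTime": "2024-01-10T08:00:07",
     "AlertId": ALERT_A, "AlertEntityId": "bob@example.com", "EntityType": "User", "Data": "{}"},
    {"Operation": "AlertUpdated", "UserId": ALERT_ACTOR, "CreationTime": "2024-01-10T09:30:00",
     "AlertId": ALERT_A, "Status": "Resolved", "Comments": "Confirmed migration clean-up"},
    {"Operation": "AlertTriggered", "UserId": ALERT_ACTOR, "CreationTime": "2024-01-10T08:10:00",
     "AlertId": ALERT_B, "AlertType": "System", "Name": "Malware campaign detected",
     "Status": "Active", "Severity": "High", "Category": "ThreatManagement",
     "Source": "Office 365 Security & Compliance", "Comments": "New alert"},
    {"Operation": "FileDeleted", "UserId": "alice@example.com", "CreationTime": "2024-01-10T07:59:00",
     "Workload": "SharePoint"},   # ordinary audit record, not an alert event
]


def is_alert_event(rec):
    """Alert events carry the fixed UserId plus one of the three operations."""
    return rec.get("UserId") == ALERT_ACTOR and rec.get("Operation") in ALERT_OPERATIONS


def correlate_alerts(records):
    """Fold alert events into one summary per AlertId, in CreationTime order.

    Returns {AlertId: {"name", "severity", "status", "policy_id", "entities", "updates"}}.
    """
    summaries = {}
    for rec in sorted(filter(is_alert_event, records), key=lambda r: r["CreationTime"]):
        summary = summaries.setdefault(rec["AlertId"], {
            "name": None, "severity": None, "status": None, "policy_id": None,
            "entities": [], "updates": 0,
        })
        op = rec["Operation"]
        if op == "AlertTriggered":
            summary.update(name=rec.get("Name"), severity=rec.get("Severity"),
                           status=rec.get("Status"), policy_id=rec.get("PolicyId"))
        elif op == "AlertEntityGenerated":
            # Only this operation carries AlertEntityId/EntityType.
            summary["entities"].append((rec.get("EntityType"), rec.get("AlertEntityId")))
        else:  # AlertUpdated: a status change or a new comment
            summary["updates"] += 1
            if rec.get("Status"):
                summary["status"] = rec["Status"]
    return summaries


def open_alerts(records):
    """AlertIds that are not Resolved or Dismissed, most severe first."""
    summaries = correlate_alerts(records)
    open_ids = [aid for aid, s in summaries.items() if s["status"] not in CLOSED_STATUSES]
    return sorted(open_ids, key=lambda aid: SEVERITY_RANK.get(summaries[aid]["severity"], 99))


if __name__ == "__main__":
    for alert_id, s in correlate_alerts(SAMPLE_RECORDS).items():
        print(alert_id, s["name"], s["status"], len(s["entities"]), "entities")
    print("open:", open_alerts(SAMPLE_RECORDS))
```

Sorting by CreationTime before folding matters: the content blobs are not guaranteed to arrive in event order, and the final Status of an alert is whatever its latest AlertUpdated says.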
Yammer schema

The Yammer events listed in Search the audit log in the Security & Compliance Center use this schema.

Parameters | Type | Mandatory | Description
ActorUserId | Edm.String | No | Email of the user that performed the operation.
ActorYammerUserId | Edm.Int64 | No | ID of the user that performed the operation.
DataExportType | Edm.String | No | Returns "data" if the data export includes messages, notes, files, topics, users and groups; returns "user" if the data export includes users only.
FileId | Edm.Int64 | No | ID of the file in the operation.
FileName | Edm.String | No | Name of the file in the operation. Will appear blank if not relevant to the operation.
GroupName | Edm.String | No | Name of the group in the operation. Will appear blank if not relevant to the operation.
IsSoftDelete | Edm.Boolean | No | Returns "true" if the network's data retention policy is set to Soft Delete; returns "false" if it is set to Hard Delete.
MessageId | Edm.Int64 | No | ID of the message in the operation.
YammerNetworkId | Edm.Int64 | No | Network ID of the user that performed the operation.
TargetUserId | Edm.String | No | Email of the target user in the operation. Will appear blank if not relevant to the operation.
TargetYammerUserId | Edm.Int64 | No | ID of the target user in the operation.
VersionId | Edm.Int64 | No | Version ID of the file in the operation.

Data Center Security Base schema

Parameters | Type | Mandatory? | Description
DataCenterSecurityEventType | Self.DataCenterSecurityEventType | Yes | The type of cmdlet event in lock box.

Enum: DataCenterSecurityEventType - Type: Edm.Int32

DataCenterSecurityEventType

Member name | Description
DataCenterSecurityCmdletAuditEvent | This is the enum value for a cmdlet audit type event.

Data Center Security Cmdlet schema

Parameters | Type | Mandatory? | Description
StartTime | Edm.Date | Yes | The start time of the cmdlet execution.
EffectiveOrganization | Edm.String | Yes | The name of the tenant that the elevation/cmdlet was targeted at.
ElevationTime | Edm.Date | Yes | The start time of the elevation.
ElevationApprover | Edm.String | Yes | The name of a Microsoft manager.
ElevationApprovedTime | Edm.Date | No | The timestamp for when the elevation was approved.
ElevationRequestId | Edm.Guid | Yes | A unique identifier for the elevation request.
ElevationRole | Edm.String | No | The role the elevation was requested for.
ElevationDuration | Edm.Int32 | Yes | The duration for which the elevation was active.
GenericInfo | Edm.String | No | Used for comments and other generic information.

Microsoft Teams schema

Parameters | Type | Mandatory? | Description
MessageId | Edm.String | No | An identifier for a chat or channel message.
Members | Collection(Self.MicrosoftTeamsMember) | No | A list of users within a team.
TeamName | Edm.String | No | The name of the team being audited.
TeamGuid | Edm.Guid | No | A unique identifier for the team being audited.
ChannelType | Edm.String | No | The type of channel being audited (Standard/Private).
ChannelName | Edm.String | No | The name of the channel being audited.
ChannelGuid | Edm.Guid | No | A unique identifier for the channel being audited.
ExtraProperties | Collection(Self.KeyValuePair) | No | A list of extra properties.
AddOnType | Self.AddOnType | No | The type of add-on that generated this event.
AddonName | Edm.String | No | The name of the add-on that generated the event.
AddOnGuid | Edm.Guid | No | A unique identifier for the add-on that generated the event.
TabType | Edm.String | No | Only present for tab events. The type of tab that generated the event.
Name | Edm.String | No | Only present for settings events. Name of the setting that changed.
OldValue | Edm.String | No | Only present for settings events. Old value of the setting.
NewValue | Edm.String | No | Only present for settings events. New value of the setting.

MicrosoftTeamsMember complex type

Parameters | Type | Mandatory? | Description
UPN | Edm.String | No | The user principal name of the user.
Role | Self.MemberRoleType | No | The role of the user within the team.
DisplayName | Edm.String | No | The display name of the user.

Enum: MemberRoleType - Type: Edm.Int32

MemberRoleType

Value | Member name | Description
0 | Member | A user who is a member of the team.
1 | Owner | A user who is the owner of the team.
2 | Guest | A user who is not a member of the team.

KeyValuePair complex type

Parameters | Type | Mandatory? | Description
Key | Edm.String | No | The key of the key-value pair.
Value | Edm.String | No | The value of the key-value pair.

Enum: AddOnType - Type: Edm.Int32

AddOnType

Value | Member name | Description
1 | Bot | A Microsoft Teams bot.
2 | Connector | A Microsoft Teams connector.
3 | Tab | A Microsoft Teams tab.

Microsoft Defender for Office 365 and Threat Investigation and Response schema

Microsoft Defender for Office 365 and Threat Investigation and Response events are available for Office 365 customers who have a Defender for Office 365 Plan 1, Defender for Office 365 Plan 2, or an E5 subscription. Each event in the Defender for Office 365 feed corresponds to the following that were determined to contain a threat:

Note

Microsoft Defender for Office 365 and Office 365 Threat Investigation and Response (formerly known as Office 365 Threat Intelligence) capabilities are now part of Defender for Office 365 Plan 2, with additional threat protection capabilities. To learn more, see Microsoft Defender for Office 365 plans and pricing and the Defender for Office 365 Service Description.

Email message events

Parameters | Type | Mandatory? | Description
AttachmentData | Collection(Self.AttachmentData) | No | Data about attachments in the email message that triggered the event.
DetectionType | Edm.String | Yes | The type of detection (for example, Inline - detected at delivery time; Delayed - detected after delivery; ZAP - messages removed by Zero-hour auto purge). Events with the ZAP detection type will typically be preceded by a message with the Delayed detection type.
DetectionMethod | Edm.String | Yes | The method or technology used by Defender for Office 365 for the detection.
InternetMessageId | Edm.String | Yes | The Internet Message ID.
NetworkMessageId | Edm.String | Yes | The Exchange Online Network Message ID.
P1Sender | Edm.String | Yes | The return path of the sender of the email message.
P2Sender | Edm.String | Yes | The From sender of the email message.
Policy | Self.Policy | Yes | The type of filtering policy (for example, Anti-spam or Anti-phish) and related action type (such as High Confidence Spam, Spam, or Phish) relevant to the email message.
Policy | Self.PolicyAction | Yes | The action configured in the filtering policy (for example, Move to Junk Mail folder or Quarantine) relevant to the email message.
P2Sender | Edm.String | Yes | The From: sender of the email message.
Recipients | Collection(Edm.String) | Yes | An array of recipients of the email message.
SenderIp | Edm.String | Yes | The IP address that submitted the email to Office 365. The IP address is displayed in either IPv4 or IPv6 address format.
Subject | Edm.String | Yes | The subject line of the message.
Verdict | Edm.String | Yes | The message verdict.
MessageTime | Edm.Date | Yes | Date and time in Coordinated Universal Time (UTC) the email message was received or sent.
EventDeepLink | Edm.String | Yes | Deep link to the email event in Explorer or Real-time reports in the Office 365 Security & Compliance Center.

AttachmentData complex type

AttachmentData

Parameters | Type | Mandatory? | Description
FileName | Edm.String | Yes | The file name of the attachment.
FileType | Edm.String | Yes | The file type of the attachment.
FileVerdict | Self.FileVerdict | Yes | The file malware verdict.
MalwareFamily | Edm.String | No | The file malware family.
SHA256 | Edm.String | Yes | The file SHA256 hash.

Enum: FileVerdict - Type: Edm.Int32

FileVerdict

Value | Member name | Description
0 | Good | No threats detected.
1 | Bad | Malware found in attachment.
-1 | Error | Scan/analysis error.
-2 | Timeout | Scan/analysis timeout.
-3 | Pending | Scan/analysis not complete.

Enum: Policy - Type: Edm.Int32

Policy type and action type

Value | Member name | Description
1 | Anti-spam, HSPM | High Confidence Spam (HSPM) action in the Anti-spam policy.
2 | Anti-spam, SPM | Spam (SPM) action in the Anti-spam policy.
3 | Anti-spam, Bulk | Bulk action in the Anti-spam policy.
4 | Anti-spam, PHSH | Phish (PHSH) action in the Anti-spam policy.
5 | Anti-phish, DIMP | Domain Impersonation (DIMP) action in the Anti-phish policy.
6 | Anti-phish, UIMP | User Impersonation (UIMP) action in the Anti-phish policy.
7 | Anti-phish, SPOOF | Spoof action in the Anti-phish policy.
8 | Anti-phish, GIMP | Mailbox intelligence action in the Anti-phish policy.
9 | Anti-malware, AMP | Malware policy action in the Anti-malware policy.
10 | Safe attachment, SAP | Policy action in the Safe Attachments in Defender for Office 365 policy.
11 | Exchange transport rule, ETR | Policy action in the Exchange transport rule.
12 | Anti-malware, ZAPM | Malware policy action in the Anti-malware policy applied to Zero-hour auto purge (ZAP).
13 | Anti-phish, ZAPP | Phish policy action in the Anti-phish policy applied to ZAP.
14 | Anti-phish, ZAPS | Spam policy action in the Anti-spam policy applied to ZAP.
15 | Anti-spam, High confidence phish email (HPHISH) | High confidence phish policy action in the Anti-spam policy.
17 | Anti-spam, Outbound spam policy (OSPM) | Policy action in the outbound spam filter policy in Anti-spam.

Enum: PolicyAction - Type: Edm.Int32

Policy action

Value | Member name | Description
0 | MoveToJMF | Policy action is to move to the Junk Mail folder.
1 | AddXHeader | Policy action is to add an X-header to the email message.
2 | ModifySubject | Policy action is to modify the subject in the email message with information specified by the filtering policy.
3 | Redirect | Policy action is to redirect the email message to the email address specified by the filtering policy.
4 | Delete | Policy action is to delete (drop) the email message.
5 | Quarantine | Policy action is to quarantine the email message.
6 | NoAction | Policy is configured to take no action on the email message.
7 | BccMessage | Policy action is to Bcc the email message to the email address specified by the filtering policy.
8 | ReplaceAttachment | Policy action is to replace the attachment in the email message as specified by the filtering policy.

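Added example (not Microsoft's code) that serves the email message events table and the FileVerdict, Policy and PolicyAction enums above: it decodes the integer enums to their member names, collects the SHA256 values of attachments with a Bad verdict so they can be searched for in other telemetry, and checks, per NetworkMessageId, the note that a ZAP detection is normally preceded by a Delayed one. It assumes events are dicts keyed by the property names above with the enums delivered as integers, that the filtering-policy action arrives under a key named PolicyAction (an assumption; the table lists that row under Policy), and that CreationTime from the Common schema is present. All sample events, addresses, hashes and the malware family name are constructed.

```python
"""Normalise Defender for Office 365 email message events.

Added example, not code from Microsoft or this API's documentation. Assumes
events are dicts keyed by the schema property names, enums as integers, the
policy action under a "PolicyAction" key (assumption) and CreationTime from
the Common schema. Sample events, addresses, hashes and the malware family
name are all constructed.
"""
from collections import defaultdict

FILE_VERDICT = {0: "Good", 1: "Bad", -1: "Error", -2: "Timeout", -3: "Pending"}

POLICY = {
    1: "Anti-spam, HSPM", 2: "Anti-spam, SPM", 3: "Anti-spam, Bulk", 4: "Anti-spam, PHSH",
    5: "Anti-phish, DIMP", 6: "Anti-phish, UIMP", 7: "Anti-phish, SPOOF", 8: "Anti-phish, GIMP",
    9: "Anti-malware, AMP", 10: "Safe attachment, SAP", 11: "Exchange transport rule, ETR",
    12: "Anti-malware, ZAPM", 13: "Anti-phish, ZAPP", 14: "Anti-phish, ZAPS",
    15: "Anti-spam, High confidence phish email (HPHISH)",
    17: "Anti-spam, Outbound spam policy (OSPM)",
}

POLICY_ACTION = {
    0: "MoveToJMF", 1: "AddXHeader", 2: "ModifySubject", 3: "Redirect", 4: "Delete",
    5: "Quarantine", 6: "NoAction", 7: "BccMessage", 8: "ReplaceAttachment",
}

PLACEHOLDER_SHA256 = "a" * 64   # constructed; not a real file hash
BAD_ATTACHMENT = {"FileName": "invoice.docm", "FileType": "docm", "FileVerdict": 1,
                  "MalwareFamily": "ConstructedFamily.A", "SHA256": PLACEHOLDER_SHA256}

SAMPLE_EVENTS = [
    # Message 1: detected after delivery (Delayed), then removed by ZAP.
    {"NetworkMessageId": "nmid-0001", "CreationTime": "2024-01-10T08:05:00", "DetectionType": "Delayed",
     "DetectionMethod": "File detonation", "Policy": 9, "PolicyAction": 5, "P2Sender": "accounts@example.net",
     "Recipients": ["alice@example.com"], "SenderIp": "203.0.113.10", "Subject": "Invoice",
     "Verdict": "Malware", "MessageTime": "2024-01-10T08:00:00", "AttachmentData": [BAD_ATTACHMENT]},
    {"NetworkMessageId": "nmid-0001", "CreationTime": "2024-01-10T08:07:00", "DetectionType": "ZAP",
     "DetectionMethod": "File detonation", "Policy": 12, "PolicyAction": 4, "P2Sender": "accounts@example.net",
     "Recipients": ["alice@example.com"], "SenderIp": "203.0.113.10", "Subject": "Invoice",
     "Verdict": "Malware", "MessageTime": "2024-01-10T08:00:00", "AttachmentData": [BAD_ATTACHMENT]},
    # Message 2: caught inline as spam; the attachment scan is still pending.
    {"NetworkMessageId": "nmid-0002", "CreationTime": "2024-01-10T08:01:00", "DetectionType": "Inline",
     "DetectionMethod": "Spam filter", "Policy": 2, "PolicyAction": 0, "P2Sender": "news@example.org",
     "Recipients": ["bob@example.com", "carol@example.com"], "SenderIp": "2001:db8::5", "Subject": "Sale",
     "Verdict": "Spam", "MessageTime": "2024-01-10T08:01:00",
     "AttachmentData": [{"FileName": "flyer.pdf", "FileType": "pdf", "FileVerdict": -3, "SHA256": "b" * 64}]},
    # Message 3: a ZAP event with no Delayed event for the same message in what was ingested.
    {"NetworkMessageId": "nmid-0003", "CreationTime": "2024-01-10T08:09:00", "DetectionType": "ZAP",
     "DetectionMethod": "URL reputation", "Policy": 13, "PolicyAction": 5, "P2Sender": "ceo@example.com",
     "Recipients": ["dave@example.com"], "SenderIp": "198.51.100.7", "Subject": "Urgent",
     "Verdict": "Phish", "MessageTime": "2024-01-10T08:03:00", "AttachmentData": []},
]


def decode_event(rec):
    """Resolve the integer enums to member names and summarise the attachments."""
    return {
        "network_message_id": rec["NetworkMessageId"],
        "detection_type": rec["DetectionType"],
        "policy": POLICY.get(rec.get("Policy"), "Unknown(%r)" % rec.get("Policy")),
        "policy_action": POLICY_ACTION.get(rec.get("PolicyAction"), "Unknown(%r)" % rec.get("PolicyAction")),
        "recipient_count": len(rec.get("Recipients", [])),
        "attachments": [(a["FileName"], FILE_VERDICT.get(a["FileVerdict"], "Unknown"), a["SHA256"])
                        for a in rec.get("AttachmentData", [])],
    }


def bad_attachment_hashes(events):
    """SHA256 values of attachments with the Bad verdict (FileVerdict == 1)."""
    return {a["SHA256"] for rec in events for a in rec.get("AttachmentData", [])
            if a.get("FileVerdict") == 1}


def zap_chains(events):
    """For each message with a ZAP event, whether a Delayed detection preceded it.

    The schema notes a ZAP event is typically preceded by a Delayed one; a ZAP
    without it is worth checking against the other content blobs of that day.
    """
    by_message = defaultdict(list)
    for rec in sorted(events, key=lambda r: r["CreationTime"]):
        by_message[rec["NetworkMessageId"]].append(rec["DetectionType"])
    return {nmid: "Delayed" in types[:types.index("ZAP")]
            for nmid, types in by_message.items() if "ZAP" in types}
```

Unknown enum values are rendered as `Unknown(<value>)` rather than raising, so that a new member added to the feed does not stop the pipeline; the pending (-3) verdict is kept distinct from Good because the file may still turn out to be Bad in a later event.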
URL time-of-click events

Parameters | Type | Mandatory? | Description
UserId | Edm.String | Yes | Identifier (for example, email address) for the user who clicked on the URL.
AppName | Edm.String | Yes | Office 365 service from which the URL was clicked (for example, Mail).
URLClickAction | Self.URLClickAction | Yes | Click action for the URL based on the organization's policies for Safe Links in Defender for Office 365.
SourceId | Edm.String | Yes | Identifier for the Office 365 service from which the URL was clicked (for example, for mail this is the Exchange Online Network Message ID).
TimeOfClick | Edm.Date | Yes | The date and time in Coordinated Universal Time (UTC) when the user clicked the URL.
URL | Edm.String | Yes | URL clicked by the user.
UserIp | Edm.String | Yes | The IP address of the user who clicked the URL. The IP address is displayed in either IPv4 or IPv6 address format.

Enum: URLClickAction - Type: Edm.Int32

URLClickAction

Value | Member name | Description
2 | Blockpage | User blocked from navigating to the URL by Safe Links in Defender for Office 365.
3 | PendingDetonationPage | User presented with the detonation pending page by Safe Links in Defender for Office 365.
4 | BlockPageOverride | User blocked from navigating to the URL by Safe Links in Defender for Office 365; however, the user overrode the block to navigate to the URL.
5 | PendingDetonationPageOverride | User presented with the detonation pending page by Safe Links in Defender for Office 365; however, the user overrode it to navigate to the URL.

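Added example, not from the page or Microsoft: triage of Safe Links overrides over URL time-of-click events. BlockPageOverride (4) and PendingDetonationPageOverride (5) are the two actions where the user continued past the warning; the code reports overrides per user and per destination host so that repeat overriders and the hosts involved can be reviewed. It assumes the events are dicts keyed by the schema's property names with URLClickAction delivered as an integer; the sample clicks, users and URLs are constructed (example.net and example.com are reserved names).

```python
"""Report Safe Links overrides from URL time-of-click events.

Added example, not code from Microsoft or this API's documentation. Assumes
events are dicts keyed by the schema property names with URLClickAction as
an integer. The sample clicks, users and URLs below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

URL_CLICK_ACTION = {
    2: "Blockpage", 3: "PendingDetonationPage",
    4: "BlockPageOverride", 5: "PendingDetonationPageOverride",
}
OVERRIDE_ACTIONS = {4, 5}   # the user chose to continue past the Safe Links page

SAMPLE_CLICKS = [
    {"UserId": "alice@example.com", "AppName": "Mail", "URLClickAction": 2, "SourceId": "nmid-0101",
     "TimeOfClick": "2024-01-10T09:00:00", "URL": "https://bad.example.net/login", "UserIp": "203.0.113.20"},
    {"UserId": "alice@example.com", "AppName": "Mail", "URLClickAction": 4, "SourceId": "nmid-0101",
     "TimeOfClick": "2024-01-10T09:00:20", "URL": "https://bad.example.net/login", "UserIp": "203.0.113.20"},
    {"UserId": "bob@example.com", "AppName": "Teams", "URLClickAction": 3, "SourceId": "msg-0202",
     "TimeOfClick": "2024-01-10T09:05:00", "URL": "https://files.example.net/doc.zip", "UserIp": "2001:db8::9"},
    {"UserId": "bob@example.com", "AppName": "Teams", "URLClickAction": 5, "SourceId": "msg-0202",
     "TimeOfClick": "2024-01-10T09:05:30", "URL": "https://files.example.net/doc.zip", "UserIp": "2001:db8::9"},
    {"UserId": "bob@example.com", "AppName": "Mail", "URLClickAction": 4, "SourceId": "nmid-0303",
     "TimeOfClick": "2024-01-10T10:00:00", "URL": "https://bad.example.net/invoice", "UserIp": "2001:db8::9"},
    {"UserId": "carol@example.com", "AppName": "Mail", "URLClickAction": 2, "SourceId": "nmid-0404",
     "TimeOfClick": "2024-01-10T10:30:00", "URL": "https://bad.example.net/login", "UserIp": "203.0.113.21"},
]


def override_report(events):
    """Per user: Safe Links clicks seen, overrides, and the hosts/apps involved."""
    report = defaultdict(lambda: {"clicks": 0, "overrides": 0, "hosts": set(), "apps": set()})
    for rec in events:
        entry = report[rec["UserId"]]
        entry["clicks"] += 1
        if rec["URLClickAction"] in OVERRIDE_ACTIONS:
            entry["overrides"] += 1
            entry["hosts"].add(urlsplit(rec["URL"]).hostname)
            entry["apps"].add(rec["AppName"])
    return dict(report)


def users_over_threshold(events, max_overrides=1):
    """Users whose override count exceeds the threshold, most overrides first."""
    report = override_report(events)
    flagged = [u for u, e in report.items() if e["overrides"] > max_overrides]
    return sorted(flagged, key=lambda u: -report[u]["overrides"])


def overridden_hosts(events):
    """Hosts any user continued to past a Safe Links page, with who did so."""
    hosts = defaultdict(set)
    for rec in events:
        if rec["URLClickAction"] in OVERRIDE_ACTIONS:
            hosts[urlsplit(rec["URL"]).hostname].add(rec["UserId"])
    return {h: sorted(users) for h, users in hosts.items()}


def describe(rec):
    """Human-readable line for one click event."""
    action = URL_CLICK_ACTION.get(rec["URLClickAction"], "Unknown(%r)" % rec["URLClickAction"])
    return "%s %s %s via %s from %s" % (rec["TimeOfClick"], rec["UserId"], action, rec["AppName"], rec["UserIp"])


if __name__ == "__main__":
    for click in SAMPLE_CLICKS:
        print(describe(click))
    print("repeat overriders:", users_over_threshold(SAMPLE_CLICKS))
    print("overridden hosts:", overridden_hosts(SAMPLE_CLICKS))
```

A block page followed seconds later by an override for the same SourceId is the expected pair; counting overrides per user rather than per click keeps one user's repeated attempts on one link from looking like several incidents.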
File events

Parameters | Type | Mandatory? | Description
FileData | Self.FileData | Yes | Data about the file that triggered the event.
SourceWorkload | Self.SourceWorkload | Yes | Workload or service where the file was found (for example, SharePoint Online, OneDrive for Business, or Microsoft Teams).
DetectionMethod | Edm.String | Yes | The method or technology used by Microsoft Defender for Office 365 for the detection.
LastModifiedDate | Edm.Date | Yes | The date and time in Coordinated Universal Time (UTC) when the file was created or last modified.
LastModifiedBy | Edm.String | Yes | Identifier (for example, an email address) for the user who created or last modified the file.
EventDeepLink | Edm.String | Yes | Deep link to the file event in Explorer or Real-time reports in the Security & Compliance Center.

FileData complex type

FileData

Parameters | Type | Mandatory? | Description
DocumentId | Edm.String | Yes | Unique identifier for the file in SharePoint, OneDrive, or Microsoft Teams.
FileName | Edm.String | Yes | Name of the file that triggered the event.
FilePath | Edm.String | Yes | Path (location) of the file in SharePoint, OneDrive, or Microsoft Teams.
FileVerdict | Self.FileVerdict | Yes | The file malware verdict.
MalwareFamily | Edm.String | No | The file malware family.
SHA256 | Edm.String | Yes | The file SHA256 hash.
FileSize | Edm.String | Yes | Size of the file in bytes.

Enum: SourceWorkload - Type: Edm.Int32

SourceWorkload

Value | Member name
0 | SharePoint Online
1 | OneDrive for Business
2 | Microsoft Teams

Automated investigation and response events in Office 365

Office 365 automated investigation and response (AIR) events are available for Office 365 customers who have a subscription that includes Microsoft Defender for Office 365 Plan 2 or Office 365 E5. Investigation events are logged based on a change in investigation status. For example, when an administrator takes an action that changes the status of an investigation from Pending Actions to Completed, an event is logged.

Currently, only automated investigations are logged. (Events for manually generated investigations are coming soon.) The following status values are logged:

  • Investigation Started
  • No threats found
  • Terminated by System
  • Pending Action
  • Threats Found
  • Remediated
  • Failed
  • Terminated by throttling
  • Terminated By User
  • Running

Main investigation schema

Name | Type | Description
InvestigationId | Edm.String | Investigation ID/GUID
InvestigationName | Edm.String | Name of the investigation
InvestigationType | Edm.String | Type of the investigation. Can take one of the following values:
- User-Reported Messages
- Zapped Malware
- Zapped Phish
- Url Verdict Change

(Manual investigations are currently not available and are coming soon.)

LastUpdateTimeUtc | Edm.Date | UTC time of the last update for an investigation
StartTimeUtc | Edm.Date | Start time for an investigation
Status | Edm.String | State of the investigation: Running, Pending Actions, etc.
DeeplinkURL | Edm.String | Deep link URL to an investigation in the Office 365 Security & Compliance Center
Actions | Collection(Edm.String) | Collection of actions recommended by an investigation
Data | Edm.String | Data string which contains more details about investigation entities, and information about alerts related to the investigation. Entities are available in a separate node within the data blob.

Actions

Field | Type | Description
ID | Edm.String | Action ID
ActionType | Edm.String | The type of the action, such as email remediation
ActionStatus | Edm.String | Values include:
- Pending
- Running
- Waiting on resource
- Completed
- Failed
ApprovedBy | Edm.String | Null if auto approved; otherwise, the username/ID (this is coming soon)
TimestampUtc | Edm.DateTime | The timestamp of the action status change
ActionId | Edm.String | Unique identifier for the action
InvestigationId | Edm.String | Unique identifier for the investigation
RelatedAlertIds | Collection(Edm.String) | Alerts related to an investigation
StartTimeUtc | Edm.DateTime | Timestamp of action creation
EndTimeUtc | Edm.DateTime | Timestamp of the action's final status update
Resource Identifiers | Edm.String | Consists of the Azure Active Directory tenant ID.
Entities | Collection(Edm.String) | List of one or more entities affected by the action
Related Alert IDs | Edm.String | Alert related to an investigation

Entities

MailMessage (email)

Field | Type | Description
Type | Edm.String | "mail-message"
Files | Collection(Self.File) | Details about the files of this message's attachments
Recipient | Edm.String | The recipient of this mail message
Urls | Collection(Self.URL) | The URLs contained in this mail message
Sender | Edm.String | The sender's email address
SenderIP | Edm.String | The sender's IP address
ReceivedDate | Edm.DateTime | The received date of this message
NetworkMessageId | Edm.Guid | The network message ID of this mail message
InternetMessageId | Edm.String | The Internet message ID of this mail message
Subject | Edm.String | The subject of this mail message

IP

Field | Type | Description
Type | Edm.String | "ip"
Address | Edm.String | The IP address as a string, such as 127.0.0.1

URL

Field | Type | Description
Type | Edm.String | "url"
Url | Edm.String | The full URL to which an entity points

Mailbox (also equivalent to the user)

Field | Type | Description
Type | Edm.String | "mailbox"
MailboxPrimaryAddress | Edm.String | The mailbox's primary address
DisplayName | Edm.String | The mailbox's display name
Upn | Edm.String | The mailbox's UPN

File

Field | Type | Description
Type | Edm.String | "file"
Name | Edm.String | The file name without path
FileHashes | Collection(Edm.String) | The file hashes associated with the file

FileHash

Field | Type | Description
Type | Edm.String | "filehash"
Algorithm | Edm.String | The hash algorithm type, which can be one of these values:
- Unknown
- MD5
- SHA1
- SHA256
- SHA256AC
Value | Edm.String | The hash value

MailCluster

Field | Type | Description
Type | Edm.String | "MailCluster". Determines the type of entity being discussed
NetworkMessageIds | Collection(Edm.String) | List of the mail message IDs that are part of the mail cluster
CountByDeliveryStatus | Collection(Edm.String) | Count of mail messages by DeliveryStatus string representation
CountByThreatType | Collection(Edm.String) | Count of mail messages by ThreatType string representation
Threats | Collection(Edm.String) | The threats of mail messages that are part of the mail cluster. Threats include values like Phish and Malware.
Query | Edm.String | The query that was used to identify the messages of the mail cluster
QueryTime | Edm.DateTime | The query time
MailCount | Edm.Int | The number of mail messages that are part of the mail cluster
Source | String | The source of the mail cluster; the value of the cluster source.

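Added example, not code from Microsoft or this API's documentation, covering the main investigation schema, the Actions table and the entity types above: it parses one AIR record, walks the entities in its Data blob (dispatching on each entity's Type field, including the Files, Urls and FileHashes nested under a mail message), and pulls out the message IDs, sender IPs, URLs, file hashes by algorithm, cluster threats and any actions still Pending approval. It assumes Data is a JSON string holding an "Entities" list and an "Actions" list shaped like the tables above; that layout is an assumption, since the page only says entities sit in a separate node within the blob. The record, GUIDs, hashes, addresses and deep link are constructed placeholders.

```python
"""Summarise an Office 365 AIR investigation record and its Data blob.

Added example, not code from Microsoft or this API's documentation. Assumes
the record is a dict keyed by the main investigation schema names and that
Data is JSON with "Entities" (items carrying the Type values documented,
with Files/Urls/FileHashes nested as objects) and "Actions" lists; that
layout is an assumption. All values below are constructed placeholders.
"""
import json

OPEN_STATUSES = {"Investigation Started", "Running", "Pending Action"}
PLACEHOLDER_SHA256 = "c" * 64   # constructed; not a real file hash
NMID = "44444444-4444-4444-4444-444444444444"   # placeholder NetworkMessageId

DATA_BLOB = json.dumps({
    "Entities": [
        {"Type": "mail-message", "Sender": "ceo@example.net", "SenderIP": "198.51.100.7",
         "Recipient": "dave@example.com", "Subject": "Urgent wire", "ReceivedDate": "2024-01-10T08:03:00",
         "NetworkMessageId": NMID, "InternetMessageId": "<m3@example.com>",
         "Urls": [{"Type": "url", "Url": "https://bad.example.net/invoice"}],
         "Files": [{"Type": "file", "Name": "invoice.docm", "FileHashes": [
             {"Type": "filehash", "Algorithm": "SHA256", "Value": PLACEHOLDER_SHA256},
             {"Type": "filehash", "Algorithm": "MD5", "Value": "d" * 32}]}]},
        {"Type": "ip", "Address": "198.51.100.7"},
        {"Type": "mailbox", "MailboxPrimaryAddress": "dave@example.com", "DisplayName": "Dave",
         "Upn": "dave@example.com"},
        {"Type": "MailCluster", "NetworkMessageIds": [NMID], "Threats": ["Phish"], "MailCount": 1,
         "Query": "constructed", "QueryTime": "2024-01-10T08:16:00", "Source": "constructed"},
    ],
    "Actions": [
        {"ID": "act-1", "ActionType": "email remediation", "ActionStatus": "Pending", "ApprovedBy": None,
         "TimestampUtc": "2024-01-10T08:20:00", "Entities": [NMID]},
        {"ID": "act-2", "ActionType": "url block", "ActionStatus": "Completed", "ApprovedBy": None,
         "TimestampUtc": "2024-01-10T08:18:00", "Entities": ["https://bad.example.net/invoice"]},
    ],
})

SAMPLE_RECORD = {
    "InvestigationId": "55555555-5555-5555-5555-555555555555",
    "InvestigationName": "Zapped Phish (constructed)", "InvestigationType": "Zapped Phish",
    "StartTimeUtc": "2024-01-10T08:15:00", "LastUpdateTimeUtc": "2024-01-10T08:20:00",
    "Status": "Pending Action", "DeeplinkURL": "https://example.com/air/placeholder",
    "Actions": ["Soft delete email"], "Data": DATA_BLOB,
}


def walk_entities(entities):
    """Yield every entity, descending into nested Files, Urls and FileHashes."""
    for ent in entities:
        yield ent
        for child_key in ("Files", "Urls", "FileHashes"):
            yield from walk_entities(ent.get(child_key, []))


def summarize_investigation(rec):
    """Flatten one investigation record into the items an analyst acts on."""
    data = json.loads(rec["Data"])
    entities = list(walk_entities(data.get("Entities", [])))
    hashes = {}
    for ent in entities:
        if ent.get("Type") == "filehash":
            hashes.setdefault(ent["Algorithm"], set()).add(ent["Value"])
    return {
        "id": rec["InvestigationId"],
        "type": rec["InvestigationType"],
        "needs_attention": rec["Status"] in OPEN_STATUSES,   # still running or waiting on approval
        "messages": sorted({e["NetworkMessageId"] for e in entities if e.get("Type") == "mail-message"}),
        "sender_ips": sorted({e["Address"] for e in entities if e.get("Type") == "ip"}),
        "urls": sorted({e["Url"] for e in entities if e.get("Type") == "url"}),
        "hashes": {alg: sorted(vals) for alg, vals in hashes.items()},
        "threats": sorted({t for e in entities if e.get("Type") == "MailCluster"
                           for t in e.get("Threats", [])}),
        "pending_actions": [a["ID"] for a in data.get("Actions", []) if a.get("ActionStatus") == "Pending"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize_investigation(SAMPLE_RECORD), indent=2))
```

Because events are emitted on every status change, the same InvestigationId will appear several times; keying on it and keeping the record with the latest LastUpdateTimeUtc avoids acting twice on the same Pending action.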
Hygiene events schema

Hygiene events are related to outbound spam protection. These events are related to users who are restricted from sending email. For more information, see:

Parameters | Type | Mandatory? | Description
Audit | Edm.String | No | System information related to the hygiene event.
Event | Edm.String | No | The type of hygiene event. The values for this parameter are Listed or Delisted.
EventId | Edm.Int64 | No | The ID of the hygiene event type.
EventValue | Edm.String | No | The user who was impacted.
Reason | Edm.String | No | Details about the hygiene event.

Power BI schema

The Power BI events listed in Search the audit log in the Office 365 Protection Center use this schema.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| AppName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the app where the event occurred. |
| DashboardName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the dashboard where the event occurred. |
| DataClassification | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The data classification, if any, of the dashboard where the event occurred. |
| DatasetName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the dataset where the event occurred. |
| MembershipInformation | Collection(MembershipInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Membership information about the group. |
| OrgAppPermission | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Permissions list for an organizational app (entire organization, specific users, or specific groups). |
| ReportName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the report where the event occurred. |
| SharingInformation | Collection(SharingInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Information about the person to whom a sharing invitation is sent. |
| SwitchState | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Information about the state of various tenant-level switches. |
| WorkSpaceName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the workspace where the event occurred. |

MembershipInformationType complex type

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| MemberEmail | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The email address of the group. |
| Status | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | Not currently populated. |

SharingInformationType complex type

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| RecipientEmail | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The email address of the recipient of a sharing invitation. |
| RecipientName | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The name of the recipient of a sharing invitation. |
| ResharePermission | Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" | No | The permission being granted to the recipient. |

Dynamics 365 schema

Audit records for events related to model-driven apps in Dynamics 365 use both a base schema and an entity operation schema. For more information, see Enable and use Activity Logging.

Dynamics 365 base schema

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| CrmOrganizationUniqueName | Edm.String | Yes | The unique name of the organization. |
| InstanceUrl | Edm.String | Yes | The URL of the instance. |
| ItemUrl | Edm.String | No | The URL of the record emitting the log. |
| ItemType | Edm.String | No | The name of the entity. |
| UserAgent | Edm.String | No | The unique identifier of the user GUID in the organization. |
| Fields | Collection(Common.NameValuePair) | No | A JSON object that contains the property key-value pairs that were created or updated. |

Dynamics 365 entity operation schema

Entity events from model-driven apps in Dynamics 365 use this schema, which builds on the Dynamics 365 base schema. It includes information about the entity operation that triggered the audited event.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| EntityId | Edm.Guid | No | The unique identifier of the entity. |
| EntityName | Edm.String | Yes | The name of the entity in the organization. Examples of entities include contact and authentication. |
| Message | Edm.String | Yes | The operation that was performed on the entity. For example, if a new contact was created, the value of the Message property is Create and the corresponding value of the EntityName property is contact. |
| Query | Edm.String | No | The parameters of the filter query that was used while executing the FetchXML operation. |
| PrimaryFieldValue | Edm.String | No | The value of the attribute that is the primary field for the entity. |

Workplace Analytics schema

The Workplace Analytics events listed in Search the audit log in the Office 365 Security & Compliance Center use this schema.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| WpaUserRole | Edm.String | No | The Workplace Analytics role of the user who performed the action. |
| ModifiedProperties | Collection(Common.ModifiedProperty) | No | This property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property. |
| OperationDetails | Collection(Common.NameValuePair) | No | A list of extended properties for the setting that was changed. Each property has a Name and a Value. |

Quarantine schema

The quarantine events listed in Search the audit log in the Office 365 Security & Compliance Center use this schema. For more information about quarantine, see Quarantine email messages in Office 365.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| RequestType | Self.RequestType | No | The type of quarantine request performed by a user. |
| RequestSource | Self.RequestSource | No | The source of a quarantine request: the Security & Compliance Center (SCC), a cmdlet, or a URL link. |
| NetworkMessageId | Edm.String | No | The network message ID of the quarantined email message. |
| ReleaseTo | Edm.String | No | The recipient of the email message. |

Enum: RequestType - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| 0 | Preview | A request from a user to preview an email message that is deemed to be harmful. |
| 1 | Delete | A request from a user to delete an email message that is deemed to be harmful. |
| 2 | Release | A request from a user to release an email message that is deemed to be harmful. |
| 3 | Export | A request from a user to export an email message that is deemed to be harmful. |
| 4 | ViewHeader | A request from a user to view the header of an email message that is deemed to be harmful. |

Enum: RequestSource - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| 0 | SCC | The Security & Compliance Center (SCC) is the source from which a user's request to preview, delete, release, export, or view the header of a potentially harmful email message originated. |
| 1 | Cmdlet | A cmdlet is the source from which a user's request to preview, delete, release, export, or view the header of a potentially harmful email message originated. |
| 2 | URLlink | A URL link is the source from which a user's request to preview, delete, release, export, or view the header of a potentially harmful email message originated. |
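Both enums above arrive in audit records as Edm.Int32 values, so a consumer has to decode them before it can tell a Release (a message that filtering judged harmful being handed to a mailbox) from a harmless Preview. The following is an added example, not Microsoft's code: it decodes the two enums, keeps unknown values visible instead of dropping them, and lists Release requests with the user and interface that issued them. The records are constructed samples, and the "UserId" key is an assumed common-schema field used only for attribution.

```python
"""Decode and triage Quarantine schema records (added example, not Microsoft's
code). Records are constructed samples shaped like the schema above; "UserId"
is an assumed common-schema field used only to attribute the request."""

# Enum: RequestType - Type: Edm.Int32
REQUEST_TYPE = {0: "Preview", 1: "Delete", 2: "Release", 3: "Export", 4: "ViewHeader"}
# Enum: RequestSource - Type: Edm.Int32
REQUEST_SOURCE = {0: "SCC", 1: "Cmdlet", 2: "URLlink"}


def decode_enum(table, value):
    """Map an integer enum to its member name; unknown values stay visible."""
    return table.get(value, f"Unknown({value!r})")


def decode_quarantine(record):
    """Return a copy of the record with both enum fields replaced by names."""
    out = dict(record)
    out["RequestType"] = decode_enum(REQUEST_TYPE, record.get("RequestType"))
    out["RequestSource"] = decode_enum(REQUEST_SOURCE, record.get("RequestSource"))
    return out


def release_requests(records):
    """Return (user, source, NetworkMessageId, ReleaseTo) for each Release.

    A Release hands a message that filtering judged harmful to a mailbox, so
    it is the quarantine action a reviewer most wants attributed to the user
    and to the interface (SCC, cmdlet, URL link) that issued it.
    """
    rows = []
    for rec in map(decode_quarantine, records):
        if rec["RequestType"] == "Release":
            rows.append((rec.get("UserId"), rec["RequestSource"],
                         rec.get("NetworkMessageId"), rec.get("ReleaseTo")))
    return rows


# Constructed sample records; identifiers are placeholders, not real values.
SAMPLE_RECORDS = [
    {"UserId": "admin@contoso.example", "RequestType": 0, "RequestSource": 0,
     "NetworkMessageId": "msg-0001"},
    {"UserId": "admin@contoso.example", "RequestType": 2, "RequestSource": 1,
     "NetworkMessageId": "msg-0001", "ReleaseTo": "alice@contoso.example"},
    {"UserId": "bob@contoso.example", "RequestType": 2, "RequestSource": 2,
     "NetworkMessageId": "msg-0002", "ReleaseTo": "bob@contoso.example"},
    {"UserId": "bob@contoso.example", "RequestType": 7, "RequestSource": 0,
     "NetworkMessageId": "msg-0003"},
]

if __name__ == "__main__":
    for row in release_requests(SAMPLE_RECORDS):
        print("Release:", row)
```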

Microsoft Forms schema

The Microsoft Forms events listed in Search the audit log in the Office 365 Security & Compliance Center use this schema.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| FormsUserTypes | Collection(Self.FormsUserTypes) | Yes | The role of the user who performed the action. The values for this parameter are Admin, Owner, Responder, or Coauthor. |
| SourceApp | Edm.String | Yes | Indicates whether the action came from the Forms website or from another app. |
| FormName | Edm.String | No | The name of the current form. |
| FormId | Edm.String | No | The ID of the target form. |
| FormTypes | Collection(Self.FormTypes) | No | Indicates whether this is a Form, Quiz, or Survey. |
| ActivityParameters | Edm.String | No | JSON string containing activity parameters. See Search the audit log in the Office 365 Security & Compliance Center for more details. |

Enum: FormsUserTypes - Type: Edm.Int32

| Value | Form User Type | Description |
|---|---|---|
| 0 | Admin | An administrator who has access to the form. |
| 1 | Owner | A user who is the owner of the form. |
| 2 | Responder | A user who has submitted a response to a form. |
| 3 | Coauthor | A user who has used a collaboration link provided by the form owner to log in and edit a form. |

Enum: FormTypes - Type: Edm.Int32

| Value | Form Types | Description |
|---|---|---|
| 0 | Form | Forms that are created with the New Form option. |
| 1 | Quiz | Quizzes that are created with the New Quiz option. A quiz is a special type of form that includes additional features such as point values, auto and manual grading, and commenting. |
| 2 | Survey | Surveys that are created with the New Survey option. A survey is a special type of form that includes additional features such as CMS integration and support for Flow rules. |

MIP label schema

Events in the Microsoft Information Protection (MIP) label schema are triggered when Microsoft 365 detects an email message, processed by agents in the transport pipeline, that has a sensitivity label applied to it. The sensitivity label may have been applied manually or automatically, and it may have been applied within or outside the transport pipeline. Sensitivity labels can be applied to email messages automatically by auto-apply label policies.

The intent of this audit schema is to represent the sum of all email activity that involves sensitivity labels. In other words, there should be a recorded audit activity for each email message sent to or from users in the organization that has a sensitivity label applied to it, regardless of when or how the sensitivity label was applied. For more information about sensitivity labels, see:

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| Sender | Edm.String | No | The email address in the From field of the email message. |
| Receivers | Collection(Edm.String) | No | All email addresses in the To, Cc, and Bcc fields of the email message. |
| ItemName | Edm.String | No | The string in the Subject field of the email message. |
| LabelId | Edm.Guid | No | The GUID of the sensitivity label applied to the email message. |
| LabelName | Edm.String | No | The name of the sensitivity label applied to the email message. |
| LabelAction | Edm.String | No | The actions specified by the sensitivity label that were applied to the email message before the message entered the mail transport pipeline. |
| LabelAppliedDateTime | Edm.Date | No | The date the sensitivity label was applied to the email message. |
| ApplicationMode | Edm.String | No | Specifies how the sensitivity label was applied to the email message. The Privileged value indicates the label was applied manually by a user. The Standard value indicates the label was auto-applied by a client-side or service-side labeling process. |
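Because the schema records every labeled message sent to or from the organization, together with how the label was applied, the records can be rolled up to show which labels leave the organization and whether a person or a policy applied them. The following is an added example, not Microsoft's code: it uses only the Sender, Receivers, LabelName and ApplicationMode fields from the table above; the records are constructed samples and the set of internal domains is an assumption supplied by the caller.

```python
"""Summarize MIP label schema records (added example, not Microsoft's code).
Records are constructed samples using the schema fields above (Sender,
Receivers, LabelName, ApplicationMode). The set of internal domains is an
assumption supplied by the caller, not a schema field."""
from collections import defaultdict

# ApplicationMode values from the schema: Privileged = applied manually by a
# user, Standard = auto-applied by a client- or service-side labeling process.
APPLICATION_MODES = {"Privileged", "Standard"}


def domain_of(address):
    """Return the lower-cased domain part of an SMTP address ('' if malformed)."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def external_receivers(record, internal_domains):
    """Receivers (To, Cc, Bcc) whose domain is not one of the organization's."""
    internal = {d.lower() for d in internal_domains}
    return [r for r in record.get("Receivers", []) if domain_of(r) not in internal]


def label_outflow(records, internal_domains):
    """Count labeled messages with at least one external receiver, keyed by
    (LabelName, ApplicationMode). An unexpected ApplicationMode is reported
    as 'Unknown' rather than silently merged into one of the two known modes."""
    counts = defaultdict(int)
    for rec in records:
        if not external_receivers(rec, internal_domains):
            continue
        mode = rec.get("ApplicationMode")
        if mode not in APPLICATION_MODES:
            mode = "Unknown"
        counts[(rec.get("LabelName"), mode)] += 1
    return dict(counts)


# Constructed sample records; names and addresses are placeholders.
SAMPLE_RECORDS = [
    {"Sender": "alice@contoso.example", "Receivers": ["bob@contoso.example"],
     "LabelName": "Confidential", "ApplicationMode": "Privileged"},
    {"Sender": "alice@contoso.example",
     "Receivers": ["bob@contoso.example", "partner@fabrikam.example"],
     "LabelName": "Confidential", "ApplicationMode": "Privileged"},
    {"Sender": "carol@contoso.example", "Receivers": ["vendor@fabrikam.example"],
     "LabelName": "Confidential", "ApplicationMode": "Standard"},
    {"Sender": "carol@contoso.example", "Receivers": ["vendor@fabrikam.example"],
     "LabelName": "General", "ApplicationMode": "unexpected"},
]

if __name__ == "__main__":
    print(label_outflow(SAMPLE_RECORDS, {"contoso.example"}))
```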

Communication compliance Exchange schema

The communication compliance events listed in the Office 365 audit log use this schema. This includes audit records for the SupervisoryReviewOLAudit operation, which is generated when email message content contains offensive language identified by anti-spam models with a match accuracy of >= 99.5%.

| Parameters | Type | Mandatory? | Description |
|---|---|---|---|
| ExchangeDetails | ExchangeDetails | No | Properties of the email message that triggered the SupervisoryReviewOLAudit event. |

Enum: ExchangeDetails - Type: ExchangeDetails

| Member name | Type | Description |
|---|---|---|
| NetworkMessageId | Edm.Guid | The network message ID of the email message. |
| InternetMessageId | Edm.String | The internet message ID of the email message. |
| AttachmentData | Collection(AttachmentDetails) | Information about files attached to the email message. |
| Recipients | Collection(Edm.String) | The email addresses in the To, Cc, and Bcc fields of the email message. |
| Subject | Edm.String | The text in the Subject field of the email message. |
| MessageTime | Edm.Date | The date and time the email message was sent. |
| From | Edm.String | The email address in the From field of the email message. |
| Directionality | Edm.String | The origination status of the email message. |

Enum: AttachmentDetails - Type: Edm.Int32

| Member name | Type | Description |
|---|---|---|
| FileName | Edm.String | The name of the file attached to the email message. |
| FileType | Edm.String | The file extension of the file attached to the email message. |
| SHA256 | Edm.String | The SHA-256 hash of the file attached to the email message. |