Searching Events
Use the following search tokens to search in the Events tab under Monitor.
Use quotes or backticks within values to help you find all events that have the specified name.
Search for events by specifying the name. Choose values from: UserLoggedIn, Update application, Set domain authentication, Set federation settings on domain, Update application - Certificates and secrets management, Update service Principal, Add service principal credentials, Add app role assignment grant to user, Add app role assignment to service principal, Consent to application, UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed, FileAccessed, FileAccessedExtended
Example
Show events that have the name UserLoggedIn
name:"UserLoggedIn"
Search for connectors by specifying the connector type. Choose value from: OFFICE365, GOOGLE WORKSPACE, SALESFORCE, DROPBOX, ZOOM, SLACK
Example
Show all connectors of the type OFFICE365
connector.type:OFFICE365
Use a text value to search for all events that have the specified connector name.
Example
Show results with the connector name O365Connector1
connector.name:O365Connector1
Search for events based on the event category. Choose value from: Domain, Application, ServicePrincipal, SAMLToken, User, Powershell, Mailbox, WinRM, File
Example
Show all events of the category ServicePrincipal
category:"ServicePrincipal"
Search for events based on the type of the service. Choose value from: AzureActiveDirectory, ExchangeOnline, OneDrive
Example
Show all events of the service type AzureActiveDirectory
serviceType:"AzureActiveDirectory"
actionDetail.result
Search for events based on the actionDetail.result. Choose value from: Success, Fail
Example
Show all events with the result Success
actionDetail.result:"Success"
Search for events that have a specific actor ID.
Example
Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f
actor.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"
Search for events by specifying the actor's email address.
Example
Show all events for the user with email address john_white@abc.com
actor.email:"john_white@abc.com"
Search for events based on the type of actor. Choose value from: User, ServicePrincipal, Application
Example
Show all events of the actor type User
actor.type:"User"
Search for events that have a specific origin IP.
Example
Show all events that have origin IP 40.79.154.194
origin.ip:"40.79.154.194"
origin.userAgent
Search for events that have a specific origin user agent.
Example
Show all events that have the origin user agent EvoSTS
origin.userAgent:"EvoSTS"
actionDetail.modifiedResources.resourceId
Search for events that have a specific resource ID.
Example
Show all events that have the resource ID 05e394a6-3d79-483b-abf2-5f39c5787196
actionDetail.modifiedResources.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"
actionDetail.modifiedResources.resourceName
Search for events that have a specific resource name.
Example
Show all events that have the resource name Microsoft Graph
actionDetail.modifiedResources.resourceName:"Microsoft Graph"
Filter the connectors by selecting a sub-category. Choose value from: User/Group, Application, Global, File/Link Operation
Example
Show all connectors of the sub-category Application
subCategory:Application
Filter the connectors by selecting a severity. Choose value from: High, Low, Medium
Example
Show all connectors of severity High
severity:High