Searching Events
Use the following search tokens to search in the Events tab under Monitor.
Use quotes or backticks within values to help you find all events that have the specified name.
Search for events by specifying the name. Choose values from: UserLoggedIn, Update application, Set domain authentication, Set federation settings on domain, Update application - Certificates and secrets management, Update service Prinicpal, Add service principal credentials, Add app role assignment grant to user, Add app role assignment to service principal, Consent to application, UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed, FileAccessed, FileAccessedExtended
Example
Show events that have event.name as UserLoggedIn
event.name:"UserLoggedIn"
Search for connectors by specifying the connector type. Choose value from: OFFICE365, GOOGLE WORKSPACE, SALESFORCE, DROPBOX, ZOOM, SLACK
Example
Show all connectors of the type OFFICE365
connector.type:OFFICE365
Use a text value ##### to search all events having the specified connector name.
Example
Show results with connector name O365Connector1
connector.name:O365Connector1
Search for events based on the event category. Choose value from: Domain, Application, ServicePrincipal, SAMLToken, User, Powershell, Mailbox, WinRM, File
Example
Show all events of the category ServicePrincipal
event.category:"ServicePrincipal"
event.serviceType
Search for events based on the type of the service. Choose value from: AzureActiveDirectory, ExchangeOnline, OneDrive
Example
Show all events of the service type AzureActiveDirectory
event.serviceType:"AzureActiveDirectory"
Search for events based on the actionDetail.result. Choose value from: Success, Fail
Example
Show all events of the results Success
event.result:"Success"
Search for events that have a specific user ID.
Example
Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f
user.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"
Search for events by specifying the user's email addresses.
Example
Show all events attended by the user with email address [email protected]
user.email:"[email protected]"
Search for events based on the type of user. Choose value from: User, ServicePrincipal, Application
Example
Show all events of the actor type User
user.type:"User"
event.source.ip
Search for events that have a specific source IP.
Example
Show all events that have source IP 40.79.154.194
event.source.ip:"40.79.154.194"
event.source.userAgent
Search for events that have a specific origin user agent.
Example
Show all events that have the origin user agent EvoSTS
event.source.userAgent:"EvoSTS"
event.modifiedResource.resourceId
Search for events that have a specific resource ID.
Example
Show all events that have resource ID as 05e394a6-3d79-483b-abf2-5f39c5787196
event.modifiedResource.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"
event.modifiedResource.resourceName
Search for events that have a specific resource name.
Example
Show all events that have resource name as Microsoft Graph
event.modifiedResource.resourceName:"Microsoft Graph"
event.subCategory
Filter the connectors by selecting a sub-category. Choose value from: User/Group, Application, Global, File/Link Operation
Example
Show all connectors of the sub-category Application
event.subCategory:Application
Filter the connectors by selecting a severity. Choose value from: High, Low, Medium
Example
Show all connectors of severity High
event.severity:High