Microsoft 365, Entra ID & Azure telemetry sources

Microsoft 365 Unified Audit Log

Each RecordType (a published AuditLogRecordType enum member, which has both a name and a numeric ID) is modeled as an M365-<RecordType> provider, grouped under its Workload. Each Operation within a RecordType is an event. The Operations column below counts the operations currently cataloged for that RecordType, not the operations the RecordType can emit.

RecordType | ID | Workload | Operations
--- | --- | --- | ---
Azure Active Directory / Entra ID events | 8 | AzureActiveDirectory | 12
Azure AD STS logon events | 15 | AzureActiveDirectory | 1
Azure AD Identity Protection risk detections | 294 | AzureActiveDirectory | 0
Exchange admin activity | 1 | Exchange | 24
Exchange mailbox activities (per-item) | 2 | Exchange | 7
DLP policy matches in Exchange | 13 | Exchange | 0
Defender for Office 365 threat intelligence events | 28 | Exchange | 1
User mail submission / reporting events | 29 | Exchange | 0
Defender for Office 365 URL threat intelligence | 41 | Exchange | 0
Defender for Office 365 ATP content threat intelligence | 47 | Exchange | 0
Exchange mailbox item operations (aggregated) | 50 | Exchange | 1
Exchange Online Protection hygiene events | 51 | Exchange | 1
Information worker protection events | 61 | Exchange | 0
Defender for Office 365 campaign events | 62 | Exchange | 0
Exchange Online Protection quarantine events | 65 | Exchange | 0
DLP Exchange classification events | 107 | Exchange | 0
Data lifecycle management events in Exchange | 285 | Exchange | 0
Skype for Business / Teams PowerShell cmdlet events | 23 | MicrosoftTeams | 2
Microsoft Teams activity | 25 | MicrosoftTeams | 4
Security & Compliance Center EOP cmdlet activity | 18 | SecurityComplianceCenter | 0
Defender for Office 365 campaign events | 34 | SecurityComplianceCenter | 0
Security & Compliance Center alert events | 40 | SecurityComplianceCenter | 3
Security & Compliance Center insights events | 42 | SecurityComplianceCenter | 0
HR connector signal events | 58 | SecurityComplianceCenter | 0
Endpoint DLP policy events | 63 | SecurityComplianceCenter | 0
Automated Investigation and Response (AIR) investigation events | 64 | SecurityComplianceCenter | 0
AIR manually triggered investigation events | 86 | SecurityComplianceCenter | 0
Security & Compliance Center RBAC events | 87 | SecurityComplianceCenter | 0
AIR admin remediation action events | 89 | SecurityComplianceCenter | 0
Microsoft Threat Intelligence Center events | 90 | SecurityComplianceCenter | 0
Physical badging signal events | 91 | SecurityComplianceCenter | 0
Microsoft Defender for Cloud Apps alert events | 98 | SecurityComplianceCenter | 10
Security & Compliance Center user change events | 106 | SecurityComplianceCenter | 0
Insider Risk Management scoped user insights | 292 | SecurityComplianceCenter | 0
Microsoft Purview Insider Risk cases | 306 | SecurityComplianceCenter | 0
Microsoft Purview Insider Risk alerts | 307 | SecurityComplianceCenter | 0
Insider Risk Management scoped user events | 308 | SecurityComplianceCenter | 0
SharePoint site and admin activity | 4 | SharePoint | 2
SharePoint file operations | 6 | SharePoint | 5
DLP policy matches in SharePoint | 11 | SharePoint | 0
SharePoint and OneDrive sharing operations | 14 | SharePoint | 3
DLP SharePoint classification events | 33 | SharePoint | 0
Data lifecycle management events in SharePoint | 286 | SharePoint | 0

Operations are corpus-demand-gated: an operation enters the catalog only when it is referenced by the Sigma product:m365, Elastic o365.audit, or Sentinel OfficeActivity rule sets, or by a curated high-value seed. This is why many RecordTypes above show zero operations even though they emit events. See the M365 coverage matrix for which rules cover which operations.

Microsoft Entra ID directory audit

Entra ID has no numeric event IDs. The audit log's per-record discriminator is OperationName (the same value as activityDisplayName in the Graph API). The single Microsoft Entra ID audit logs provider catalogs 87 operations, each modeled as an event. Sign-in telemetry has no per-operation discriminator (OperationName is always Sign-in activity), so it is covered by the coverage matrix rather than by event pages.

Entra rules share the azure platform facet with the Azure resource plane. See the Azure AD coverage matrix for the dual AuditLogs / SigninLogs rule view, and the Entra ID sign-in telemetry reference for the sign-in side (no per-operation event pages).

Azure resource-plane (Activity log)

The Azure Activity log records ARM control-plane operations. Each operationName embeds its resource-provider namespace as the first path segment (e.g. Microsoft.Compute/virtualMachines/write belongs to Microsoft.Compute), so the catalog models each namespace as an Azure-<namespace> provider and each ARM operationName as an event.

Resource provider | Namespace | Operations
--- | --- | ---
Azure AD Hybrid Health Service | Microsoft.ADHybridHealthService | 2
Azure Authorization | Microsoft.Authorization | 2
Azure Automation | Microsoft.Automation | 7
Azure Compute | Microsoft.Compute | 6
Azure Container Registry | Microsoft.ContainerRegistry | 2
Azure Event Hubs | Microsoft.EventHub | 2
Azure Monitor | Microsoft.Insights | 1
Azure Key Vault | Microsoft.KeyVault | 21
Azure Arc Kubernetes | Microsoft.Kubernetes | 28
Azure Machine Learning | Microsoft.MachineLearningServices | 0
Azure Network | Microsoft.Network | 47
Azure Portal | Microsoft.Portal | 1
Azure Resource Manager | Microsoft.Resources | 3
Microsoft Defender for Cloud | Microsoft.Security | 1
Azure Storage | Microsoft.Storage | 7
Azure Subscription | Microsoft.Subscription | 1

Operations are corpus-demand-gated against the Sigma azure.activitylogs and Sentinel AzureActivity rule sets. The catalog stores each operation in its standard ARM spelling (Microsoft.Compute/virtualMachines/write). Sentinel's AzureActivity table carries the same string in upper case in its OperationNameValue column (MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE); the two still match because the comparison is case-insensitive.

Why M365 and Entra ID stay separate

The M365 Unified Audit Log's AzureActiveDirectory RecordType and the Entra ID AuditLogs table both record directory activity, but they are distinct pipelines with different schemas and non-identical coverage: the UAL captures only the directory changes that affect M365 services, while Entra AuditLogs is the comprehensive record. A rule targets one pipeline or the other, so each pipeline attributes to its own provider. Even the operation literals can differ: the UAL writes Add member to role. (with a trailing period) where Entra writes Add member to role.
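The provider/event modeling described on this page (M365-<RecordType> keyed by RecordType and Operation, the single Entra audit provider keyed by OperationName, Azure-<namespace> keyed by the ARM operationName), the case-insensitive match against Sentinel's OperationNameValue, and the trailing-period difference between the UAL and Entra spellings of one directory operation can all be exercised in a few lines. The following is an added example written for this page, not the catalog's own code. RECORD_TYPES is a small excerpt of the published AuditLogRecordType enum and assumes the catalog's provider suffixes use those enum names; only the first ARM operation in ARM_OPERATIONS appears on this page, the others are assumed for illustration; the sign-in provider name and every sample record are constructed.

```python
"""Added example, not code from the catalog this page describes.

Routes a raw record from each pipeline on this page to the catalog's
(provider, event) key:

  M365 Unified Audit Log  ->  ("M365-<RecordType>", Operation)
  Entra ID AuditLogs      ->  ("Microsoft Entra ID audit logs", OperationName)
  Azure Activity log      ->  ("Azure-<namespace>", operationName)

RECORD_TYPES is an excerpt of the published AuditLogRecordType enum (assumed to
match the catalog's provider suffixes). ARM_OPERATIONS: only the first spelling
is from the page, the rest are assumed. Sample records at the bottom are
constructed.
"""
from typing import Optional

# Excerpt of AuditLogRecordType: numeric ID -> enum name (assumed to be the
# names the catalog uses as M365-<RecordType> suffixes).
RECORD_TYPES = {
    1: "ExchangeAdmin",
    2: "ExchangeItem",
    4: "SharePoint",
    6: "SharePointFileOperation",
    8: "AzureActiveDirectory",
    15: "AzureActiveDirectoryStsLogon",
    25: "MicrosoftTeams",
    40: "SecurityComplianceAlerts",
}
RECORD_TYPE_IDS = {name: rid for rid, name in RECORD_TYPES.items()}

# Standard ARM spellings the catalog stores. Keyed case-insensitively so that
# Sentinel's upper-case OperationNameValue resolves to the same entry.
ARM_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/write",            # from the page
    "Microsoft.KeyVault/vaults/accessPolicies/write",     # assumed
    "Microsoft.Authorization/roleAssignments/write",      # assumed
}
_ARM_BY_FOLD = {op.casefold(): op for op in ARM_OPERATIONS}

ENTRA_AUDIT_PROVIDER = "Microsoft Entra ID audit logs"
ENTRA_SIGNIN_PROVIDER = "Entra ID sign-in telemetry"   # assumed name
SIGN_IN = "Sign-in activity"


def ual_key(record: dict) -> tuple[str, str]:
    """The Management Activity API emits RecordType as an integer; Sentinel's
    OfficeActivity table emits the enum name. Accept either form."""
    rt = record["RecordType"]
    name = RECORD_TYPES[rt] if isinstance(rt, int) else str(rt)
    if name not in RECORD_TYPE_IDS:
        raise KeyError(f"unknown RecordType {rt!r}")
    return f"M365-{name}", record["Operation"]


def entra_key(record: dict) -> tuple[str, Optional[str]]:
    """AuditLogs rows key on OperationName. Sign-in rows all carry the same
    OperationName, so they resolve to a provider with no per-operation event."""
    op = record["OperationName"]
    if op == SIGN_IN:
        return ENTRA_SIGNIN_PROVIDER, None
    return ENTRA_AUDIT_PROVIDER, op


def arm_key(operation_name: str) -> tuple[str, str]:
    """The namespace is the first path segment of the ARM operationName.
    Sentinel upper-cases the operation (OperationNameValue), so the lookup is
    case-insensitive and returns the standard spelling when the operation is
    known; unknown operations pass through unchanged."""
    canonical = _ARM_BY_FOLD.get(operation_name.casefold(), operation_name)
    namespace = canonical.split("/", 1)[0]
    return f"Azure-{namespace}", canonical


def same_directory_operation(ual_operation: str, entra_operation: str) -> bool:
    """The UAL and Entra AuditLogs can spell one directory operation with and
    without a trailing period, so cross-pipeline comparison normalizes first."""
    def norm(s: str) -> str:
        return s.strip().rstrip(".").casefold()
    return norm(ual_operation) == norm(entra_operation)


def route(record: dict) -> tuple[str, Optional[str]]:
    """Pick the pipeline from the record's shape, then resolve its key."""
    if "RecordType" in record and "Operation" in record:
        return ual_key(record)
    if "OperationName" in record and "OperationNameValue" not in record:
        return entra_key(record)
    # Sentinel AzureActivity (OperationNameValue) or a raw Activity log export,
    # where operationName is a plain string or {"value": ..., "localizedValue": ...}.
    op = record.get("OperationNameValue") or record.get("operationName")
    if isinstance(op, dict):
        op = op.get("value")
    if not op:
        raise ValueError("record does not look like any supported pipeline")
    return arm_key(op)


if __name__ == "__main__":
    samples = [  # constructed, one or two per pipeline
        {"RecordType": 8, "Workload": "AzureActiveDirectory", "Operation": "Add member to role."},
        {"RecordType": "ExchangeAdmin", "Operation": "Set-Mailbox"},
        {"OperationName": "Add member to role", "Category": "RoleManagement"},
        {"OperationName": SIGN_IN},
        {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"},
        {"operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"}},
    ]
    for rec in samples:
        print(route(rec))
    print(same_directory_operation("Add member to role.", "Add member to role"))
```

The two normalizations are deliberately separate: arm_key only folds case, because ARM spellings differ from Sentinel's only in case, while same_directory_operation also strips the trailing period, which is exactly the literal difference between the UAL and Entra pipelines; applying the period strip to ARM operations would be harmless but would hide a real spelling error in a rule.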