
cloud.office365.management

Introduction

This union table collects information from a set of tables from Office 365.

Source tables

The information displayed is extracted from the following tables:

  • cloud.office365.management.aip

  • cloud.office365.management.airinvestigation

  • cloud.office365.management.azureactivedirectory

  • cloud.office365.management.cca

  • cloud.office365.management.compliance

  • cloud.office365.management.compliancemanager

  • cloud.office365.management.corereporting

  • cloud.office365.management.crm

  • cloud.office365.management.dlpsensitiveinformationtype

  • cloud.office365.management.endpoint

  • cloud.office365.management.exchange

  • cloud.office365.management.mcas

  • cloud.office365.management.microsoftflow

  • cloud.office365.management.microsoftforms

  • cloud.office365.management.microsoftstream

  • cloud.office365.management.microsoftteams

  • cloud.office365.management.mip

  • cloud.office365.management.myanalytics

  • cloud.office365.management.officeapps

  • cloud.office365.management.onedrive

  • cloud.office365.management.onedriveforbusiness

  • cloud.office365.management.powerapps

  • cloud.office365.management.powerbi

  • cloud.office365.management.powerplatformadmin

  • cloud.office365.management.project

  • cloud.office365.management.publicendpoint

  • cloud.office365.management.quarantine

  • cloud.office365.management.rdl

  • cloud.office365.management.se

  • cloud.office365.management.securitycompliancecenter

  • cloud.office365.management.sharepoint

  • cloud.office365.management.skypeforbusiness

  • cloud.office365.management.threatintelligence

  • cloud.office365.management.workplaceanalytics

  • cloud.office365.management.yammer

  • cloud.office365.oldmanagement

Table structure

These are the columns displayed by this union table, collected from the columns present in all source tables:

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

| Field | Data type | Extra Fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| type | str | |
| Id | str | |
| Workload | str | |
| StatusTime | str | |
| FeatureStatus | str | |
| Status | str | |
| StatusDisplayName | str | |
| IncidentIds | str | |
| WorkloadDisplayName | str | |
| UserType | int4 | |
| timestamp | timestamp | |
| Operation | str | |
| Version | int4 | |
| LogonType | int4 | |
| MailboxOwnerSid | str | |
| ExternalAccess | bool | |
| OrganizationName | str | |
| SessionId | str | |
| ClientAddress | str | |
| ClientIPAddress | str | |
| ClientProcessName | str | |
| ResultStatus | str | |
| UserId | str | |
| LogonUserSid | str | |
| InternalLogonType | int4 | |
| OriginatingServer | str | |
| UserKey | str | |
| MailboxGuid | str | |
| OrganizationId | str | |
| RecordType | int4 | |
| ClientInfoString | str | |
| MailboxOwnerUPN | str | |
| CrossMailboxOperation | bool | |
| AffectedItems | str | |
| Folder_Id | str | |
| Folder_Path | str | |
| FoldersItemsStr | str | |
| ForwardTo | str | |
| Parameters_Raw | str | |
| Item_Subject | str | |
| Item_Attachments | str | |
| Item_ParentFolder_Id | str | |
| Item_ParentFolder_Path | str | |
| ModifiedProperties | str | |
| SendOnBehalfOfUserSmtp | str | |
| SendAsUserSmtp | str | |
| PolicyDetails | str | |
| PolicyDetails_PolicyName_str | str | |
| PolicyDetails_PolicyId_str | str | |
| PolicyDetails_location_str | str | |
| PolicyDetails_RuleMode_str | str | |
| PolicyDetails_RuleName_str | str | |
| PolicyDetails_RuleId_str | str | |
| PolicyDetails_Severity_str | str | |
| PolicyDetails_ManagementRuleId_str | str | |
| Unique_PolicyDetails_location_str | str | |
| PolicyDetails_confidence_str | str | |
| PolicyDetails_count_str | str | |
| PolicyDetails_sensitiveType_str | str | |
| PolicyDetails_uniqueCount_str | str | |
| PolicyDetails_ConditionsMatched_Name_str | str | |
| PolicyDetails_ConditionsMatched_Value_str | str | |
| PolicyDetails_ConditionMatchedInNewScheme_str | str | |
| ExchangeMetaData_BCC | str | |
| ExchangeMetaData_MessageID | str | |
| ExchangeMetaData_From | str | |
| ExchangeMetaData_CC | str | |
| ExchangeMetaData_Sent | str | |
| ExchangeMetaData_Subject | str | |
| ExchangeMetaData_RecipientCount | int4 | |
| ExchangeMetaData_To | str | |
| InterSystemsId | str | |
| TargetUserId | str | |
| Actor_ID_str | str | |
| Actor_Type_str | str | |
| ActorContextId | str | |
| YammerNetworkId | int4 | |
| ActorUserId | str | |
| ActorIpAddress | str | |
| Client | str | |
| ClientIP | str | |
| LogonError | str | |
| ApplicationId | str | |
| Target_ID_str | str | |
| Target_Type_str | str | |
| IntraSystemId | str | |
| ExtendedProperties_Name_str | str | |
| ExtendedProperties_Value_str | str | |
| ActorYammerUserId | int8 | |
| FileName | str | |
| TargetContextId | str | |
| AzureActiveDirectoryEventType | int4 | |
| VersionId | int8 | |
| FileId | int8 | |
| PostIncidentDocumentUrl | str | |
| Severity | str | |
| Title | str | |
| Comments | str | |
| AffectedWorkloadDisplayNames | str | |
| AlertEntityId | str | |
| Messages_MessageText_str | str | |
| Messages_PublishedTime_str | str | |
| ChannelGuid | str | |
| LogonUserDisplayName | str | |
| RecipientUPN | str | |
| ApplicationDisplayName | str | |
| MessageType | str | |
| EventSource | str | |
| DestinationRelativeUrl | str | |
| MachineId | str | |
| WebId | str | |
| SendOnBehalfOfUserMailboxGuid | str | |
| ExtraProperties_Key_str | str | |
| ExtraProperties_Value_str | str | |
| SharingPermission | int4 | |
| ObjectName | str | |
| SharingType | str | |
| DataflowRefreshScheduleType | str | |
| TenantName | str | |
| CustomUniqueId | bool | |
| DatasetId | str | |
| SiteUrl | str | |
| Parameters_Name_str | str | |
| Parameters_Value_str | str | |
| ImportType | str | |
| ImportId | str | |
| PolicyId | str | |
| ItemName | str | |
| Datasets_DatasetId_str | str | |
| Datasets_DatasetName_str | str | |
| ImplicitShare | str | |
| ImportDisplayName | str | |
| ItemType | str | |
| WorkSpaceName | str | |
| DestFolder_Path | str | |
| DestFolder_Id | str | |
| UniqueSharingId | str | |
| TargetUserOrGroupName | str | |
| FlowConnectorNames | str | |
| FileSyncBytesCommitted | str | |
| CorrelationId | str | |
| Members_DisplayName_str | str | |
| Members_UPN_str | str | |
| Members_Role_str | str | |
| AddOnGuid | str | |
| DashboardName | str | |
| IsSuccess | bool | |
| AlertId | str | |
| ListTitle | str | |
| ReportType | str | |
| AffectedWorkloadNames | str | |
| FlowDetailsUrl | str | |
| TargetYammerUserId | int8 | |
| ImpactDescription | str | |
| BrowserName | str | |
| OperationProperties_Value_str | str | |
| OperationProperties_Name_str | str | |
| ReportId | str | |
| DestMailboxOwnerSid | str | |
| DestMailboxOwnerMasterAccountSid | str | |
| AffectedUserCount | int4 | |
| Category | str | |
| MachineDomainInfo | str | |
| ListBaseType | str | |
| DestMailboxId | str | |
| TabType | str | |
| Activity | str | |
| DestinationFileExtension | str | |
| UserUPN | str | |
| ListId | str | |
| SourceRelativeUrl | str | |
| UserTypeInitiated | int4 | |
| EndTime | str | |
| SendAsUserMailboxGuid | str | |
| ActionType | str | |
| SourceFileExtension | str | |
| DashboardId | str | |
| ClientApplicationId | str | |
| DestMailboxOwnerUPN | str | |
| MailboxOwnerMasterAccountSid | str | |
| SensitiveInfoDetectionIsIncluded | bool | |
| Schedules_RefreshFrequency | str | |
| Schedules_Days_str | str | |
| Schedules_Time_str | str | |
| Schedules_TimeZone | str | |
| TeamName | str | |
| WorkspaceId | str | |
| DataflowType | str | |
| SourceFileName | str | |
| FeatureDisplayName | str | |
| EntityPath | str | |
| TeamGuid | str | |
| ResourceTitle | str | |
| Classification | str | |
| ListBaseTemplateType | str | |
| DestinationFileName | str | |
| AffectedTenantCount | int8 | |
| DatasetName | str | |
| LicenseDisplayName | str | |
| Feature | str | |
| StartTime | str | |
| TargetUserOrGroupType | str | |
| DataConnectivityMode | str | |
| LastUpdatedTime | str | |
| ReportName | str | |
| EntityType | str | |
| OperationDetails | str | |
| UserAgent | str | |
| AlertType | str | |
| Name | str | |
| CmdletVersion | str | |
| ImportSource | str | |
| SkypeForBusinessEventType | int4 | |
| AddOnType | int4 | |
| DoNotDistributeEvent | bool | |
| ChannelName | str | |
| ListItemUniqueId | str | |
| ObjectId | str | |
| AttachmentData | json | |
| DeliveryAction | str | |
| DetectionMethod | str | |
| DetectionType | str | |
| Directionality | str | |
| EventDeepLink | str | |
| InternetMessageId | str | |
| LatestDeliveryLocation | str | |
| MessageTime | str | |
| NetworkMessageId | str | |
| OriginalDeliveryLocation | str | |
| P1Sender | str | |
| P2Sender | str | |
| Policy | str | |
| PolicyAction | str | |
| Recipients | str | |
| SenderIp | str | |
| Subject | str | |
| ThreatsAndDetectionTech | str | |
| Verdict | str | |
| SourceLocationType | int4 | |
| Platform | int4 | |
| Application | str | |
| FileExtension | str | |
| DeviceName | str | |
| MDATPDeviceId | str | |
| FileSize | int4 | |
| FileType | str | |
| Hidden | bool | |
| Actions | json | |
| AlertLinks | json | |
| Data | json | |
| DeepLinkUrl | str | |
| EndTimeUtc | timestamp | |
| InvestigationId | str | |
| InvestigationName | str | |
| InvestigationType | str | |
| LastUpdateTimeUtc | timestamp | |
| StartTimeUtc | timestamp | |
| Source | str | |
| message | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawTagged | str | |
| rawMessage | str | |

Field transformations

Although all source tables have several features in common, each has particularities that require a set of transformations to harmonize it for the union table. The most common transformations are changes in the data type and the application of rules when several columns in the source table feed a single column in the union table. The detailed list of transformations for each source table is given below.