Intune

Audit Log Properties

PropertyProperty descriptionValues

ActivityType

The action that the admin takes.

Create, Delete, Patch, Action, SetReference, RemoveReference, Get, Search

ActorType

Person taking the action.

Unknown = 0, ItPro, IW, System, Partner, Application, GuestUser

Category

The pane where the action took place.

Other = 0, Enrollment = 1, Compliance = 2, DeviceConfiguration = 3, Device = 4, Application = 5, EBookManagement = 6, ConditionalAccess= 7, OnPremiseAccess= 8, Role = 9, SoftwareUpdates =10, DeviceSetupConfiguration = 11, DeviceIntent = 12, DeviceIntentSetting = 13, DeviceSecurity = 14, GroupPolicyAnalytics = 15, AssignmentFilter = 16, RemoteHelp = 17, OrganizationalMessage = 18, EndpointPrivilegeMgmt = 19, DeviceInventory = 20

ActivityResult

Whether the action is successful or not

Success = 1

Permissions to access logs:

Table nameDescription

Microsoft Entra interactive and non-interactive sign-ins

Microsoft Entra service principal and managed identity sign-ins

Files, IP addresses, URLs, users, or devices associated with alerts

Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization

Behavior data types in Microsoft Defender for Cloud Apps

Alerts from Microsoft Defender for Cloud Apps

Events involving accounts and objects in Office 365 and other cloud apps and services

Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection

Certificate information of signed files obtained from certificate verification events on endpoints

File creation, modification, and other file system events

DLL loading events

Machine information, including OS information

Sign-ins and other authentication events on devices

Network connection and related events

Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains

Process creation and related events

Creation and modification of registry entries

Hardware and firmware information of devices as checked by Defender Vulnerability Management

Defender Vulnerability Management assessment events including configuration and attack surface area states

Metadata for assessment events collected in the DeviceTvmInfogathering table

Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices

Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks

Evidence info about where a specific software was detected on a device

Inventory of software installed on devices, including their version information and end-of-support status

Software vulnerabilities found on devices and the list of available security updates that address each vulnerability

Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available

Information about files attached to emails

Microsoft 365 email events, including email delivery and blocking events

Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox

Information about URLs on emails

Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph

Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties

Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.

Account information from various sources, including Microsoft Entra ID

Authentication events on Active Directory and Microsoft online services

Queries for Active Directory objects, such as users, groups, devices, and domains

Safe Links clicks from email messages, Teams, and Office 365 apps

Last updated