Alert Conditions for Cloud Detect

22 min. read | Last update: 04.18.2025

Using Cloud Detect, you can create policies to detect and respond to threats within your Office 365 environment. A policy is built from alert conditions, and many of the most commonly used conditions are available in the select menu within the policy window. If the condition you need is not listed, you can enter a custom condition by typing it into the text box at the top of the dropdown.


The sections below describe the conditions available for each log source.

Microsoft Graph - Directory Audit

activityDateTime Indicates the date and time the activity was performed. This is in UTC and ISO 8601 format, e.g. 2014-01-01T00:00:00Z.
activityDisplayName Indicates the activity name or the operation name (examples: "Create User" and "Add member to group"). For a list of activities logged, refer to Microsoft Entra audit log categories and activities
additionalDetails.@odata.type Indicates additional details on the activity.
category Indicates which resource category that’s targeted by the activity. For a list of activities logged, refer to Microsoft Entra audit log categories and activities.
correlationId Indicates a unique ID that helps correlate activities that span across various services. Can be used to trace logs across services.
id Indicates the unique ID for the activity.
initiatedBy
initiatedBy.App.AppId The application ID (client ID) of the app that initiated the activity. This helps you identify which registered app was responsible.
initiatedBy.App.DisplayName The name of the application that initiated the activity, providing a user-friendly identifier.
initiatedBy.App.ServicePrincipalId The service principal ID associated with the app. Each app in Azure AD has a service principal representing its identity within the directory.
initiatedBy.App.ServicePrincipalName The service principal name (often the unique app name) linked to the app that initiated the activity.
initiatedBy.User.DisplayName The display name of the user who initiated the activity. 
initiatedBy.User.Id The unique user ID in Azure AD, useful for tracking the specific user involved.
initiatedBy.User.IpAddress The IP address from which the activity originated, useful for identifying the source location or device.
initiatedBy.User.UserPrincipalName The user principal name (UPN), often the user's login (like an email address), which provides a direct way to identify the user. 
loggedByService Indicates information about the user or app that initiated the activity.
operationType Indicates the type of operation that was performed, like Add, Assign, Update, Unassign, and Delete.
result Indicates the result of the activity, like success, failure, timeout, and unknownFutureValue.
resultReason Indicates the reason for failure if the result was a failure or timeout.
targetResources
targetResources.DisplayName The display name of the target resource impacted by the activity. This helps you identify the resource more easily by name.
targetResources.GroupType If the target is a group, this specifies the type of group (e.g., Security or Microsoft 365), giving more context about the group’s function.
targetResources.Id The unique identifier (ID) of the target resource, allowing precise tracking of the affected object in Azure AD.
targetResources.ModifiedProperties.DisplayName The name or display label of a property on the target resource that was modified. This field is useful for understanding what specific attribute or setting was changed.
targetResources.ModifiedProperties.NewValue The new value of the modified property after the activity, which records the outcome of the change.
targetResources.ModifiedProperties.OldValue The original value of the modified property before the change, helping with comparisons and tracking modifications.
targetResources.Type The type of the target resource (e.g., User, Group, Device), indicating the kind of Azure AD object involved in the activity.
targetResources.UserPrincipalName For target resources that are user accounts, this field provides the user principal name (UPN), usually an email address, to identify the specific user.


Microsoft Graph - Risk Detection

activity Describes the activity detected (e.g., sign-in, account activity), giving context about what triggered the risk detection. 
activityDateTime The exact date and time when the risky activity occurred, recorded in UTC.
additionalInfo Extra details related to the risk detection. This might contain JSON data or key-value pairs providing context, such as user-agent or specific conditions that contributed to the risk score.
correlationId A unique identifier linking multiple risk events related to the same activity or session, useful for tracing related detections.
detectedDateTime The timestamp in UTC when the risk was initially detected by the system.
detectionTimingType Specifies whether the detection is real-time (detected instantly) or offline (processed later).
id The unique identifier for this risk detection instance, which allows for tracking and management of the specific risk event.
ipAddress The IP address from which the activity originated, useful for identifying suspicious access locations.
lastUpdatedDateTime The most recent time in UTC when this detection event was updated, often useful for tracking ongoing incidents.
location.City The city associated with the IP address where the activity was detected, if available.
location.CountryOrRegion The country or region associated with the IP address where the activity was detected.
location.GeoCoordinates.Altitude The altitude associated with the geographical coordinates (if provided) for the location of the activity.
location.GeoCoordinates.Latitude Latitude of the location associated with the IP address.
location.GeoCoordinates.Longitude Longitude of the location associated with the IP address.
location.State The state or region within the country associated with the IP address of the activity.
requestId Unique identifier for the request associated with the risk detection, helpful for auditing and tracking purposes.
riskDetail Provides more granular information about the nature of the risk, detailing specific risk factors or outcomes (e.g., user reported the activity, admin confirmed compromise).
riskEventType The type of risk event (e.g., unfamiliarLocation, malwareInfectedUser, leakedCredentials). This categorizes the nature of the detected risk.
riskLevel The level of risk assessed (e.g., low, medium, high), indicating the severity or priority of the detection.
riskState Current state of the risk (e.g., atRisk, confirmedSafe, dismissed), showing whether the detection is active, resolved, or otherwise addressed.
source Identifies where the risk detection originated, such as Azure AD Identity Protection, which can help determine the credibility and context of the risk detection. 
tokenIssuerType Specifies the type of token issuer (e.g., AzureAD, ADFS), providing context about the authentication source.
userDisplayName The display name of the user associated with the risk detection.
userId The unique identifier for the user in Azure AD, allowing tracking of detections specific to that user.
userPrincipalName The user principal name (often the user’s email address) for identifying the user directly.

Note: Most Risk Detection alerts require a P2/E5 Entra license. See the article below for which types of policies require it:

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn

Some Risk Detection alerts may be hard to simulate, because Microsoft runs its own machine-learning algorithms to decide whether a detection is a false positive; see this article:

Simulating risk detections in Microsoft Entra ID Protection - Microsoft Entra ID Protection | Microsoft Learn

Microsoft Graph - Security Alert

actorDisplayName The adversary or activity group associated with this alert.
additionalData A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here.
alertPolicyId The ID of the policy that generated the alert, populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.
alertWebUrl URL for the Microsoft 365 Defender portal alert page.
assignedTo Owner of the alert, or null if no owner is assigned.
category The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.
classification Specifies whether the alert represents a true threat.
comments Array of comments created by the Security Operations (SecOps) team during the alert management process.
createdDateTime Time when Microsoft 365 Defender created the alert.
description String value describing each alert. 
detectionSource Detection technology or sensor that identified the notable component or activity.
detectorId The ID of the detector that triggered the alert.
determination Specifies the result of the investigation, whether the alert represents a true attack, and if so, the nature of the attack.
evidence Collection of evidence related to the alert.
firstActivityDateTime The earliest activity associated with the alert.
id Unique identifier to represent the alert resource.
incidentId Unique identifier to represent the incident this alert resource is associated with.
incidentWebUrl URL for the incident page in the Microsoft 365 Defender portal.
lastActivityDateTime The oldest activity associated with the alert. 
lastUpdateDateTime Time when the alert was last updated at Microsoft 365 Defender.
mitreTechniques The attack techniques, as aligned with the MITRE ATT&CK framework. 
productName The name of the product which published this alert.
providerAlertId The ID of the alert as it appears in the security provider product that generated the alert.
recommendedActions Recommended response and remediation actions to take in the event this alert was generated.
resolvedDateTime Time when the alert was resolved.
serviceSource The service or product that created this alert.
severity Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically, higher severity items require the most immediate attention.
status The status of the alert.
tenantId The Microsoft Entra tenant the alert was created in.
threatDisplayName The threat associated with this alert.
threatFamilyName Threat family associated with this alert.
title Brief identifying string value describing the alert.


Office 365 Management Activity - Audit - Exchange

AppId The ID of the application involved in the operation, useful for identifying the app responsible for specific actions.
ClientAppId The unique identifier for the object (e.g., user, group, or resource) impacted by the action.
ClientInfoString Contains information about the client application, such as its version, platform, and other details. Useful for understanding the client environment.
ClientIP/ClientIPAddress The IP address from which the client accessed the service, helping in tracking the source location of activities. 
ClientRequestId The unique ID associated with the client’s request. This is useful for tracing individual requests across services.
CreationTime The date and time when the event or activity was recorded, providing a timestamp in UTC.
ExternalAccess Indicates whether the access or operation originated from an external network or organization.
Id A unique identifier for the audit event, allowing precise reference to a specific log entry.
InternalLogonType Specifies the type of logon for internal access, categorizing the session (e.g., application or admin access).
Item.Attachments Contains information on any attachments associated with an email item, if applicable.
Item.Id The identifier for a specific item (e.g., email or calendar item) within the mailbox.
Item.InternetMessageId The unique Internet message ID for an email, used to track specific messages across email systems.
Item.IsRecord Indicates whether the item is a “record” as per retention policies.
Item.ParentFolder.Id The identifier for the parent folder containing the item, useful for organizing and locating items within the mailbox structure. 
Item.ParentFolder.Path The full path of the parent folder for the item, providing hierarchical context for where the item is stored.
Item.SizeInBytes The size of the item (in bytes), useful for monitoring storage usage and identifying large items.
Item.Subject The subject line of the item, such as an email’s subject or a calendar item’s title.
LogonType Describes the type of logon event, indicating whether it was user-driven, programmatic, or administrative.
LogonUserSid The Security Identifier (SID) for the user logging in, useful for mapping users in a security context.
MailboxGuid The unique identifier for the mailbox involved in the operation, useful for tracking mailbox-specific activities.
MailboxOwnerSid The SID of the mailbox owner, linking back to the user account owning the mailbox.
MailboxOwnerUPN The User Principal Name (UPN) of the mailbox owner, often resembling an email address.
ModifiedProperties Details of any properties modified in this event, useful for tracking changes to settings or attributes.
Operation The specific action or operation performed (e.g., Send, Move, Delete). This is crucial for identifying what was done in the audit event.
OrganizationId The unique identifier for the organization in Microsoft 365.
OrganizationName The name of the organization, providing a readable identifier for multi-tenant setups.
OriginatingServer The server on which the operation originated, often useful in troubleshooting and understanding backend flow.
RecordType A numeric or named value indicating the type of record or event in the log (e.g., ExchangeAdmin, ExchangeItem, etc.).
ResultStatus Indicates the outcome of the operation, typically values like Success, Failure, or Partial. 
UserId The identifier of the user who initiated or was involved in the activity, useful for tracking individual actions.
UserKey Often the same as UserId, used as an alternative identifier in certain contexts.
UserType Specifies the type of user (e.g., Member, Guest, Admin), providing more context on the user’s role or permission level.
Version The version of the log schema used for this record, which can help interpret schema changes or updates over time.
Workload Specifies the Office 365 service involved in the activity (e.g., Exchange, SharePoint, Teams), helping to categorize events based on the service or workload involved.


Office 365 Management - Audit - General

Actor.ID The unique identifier for the actor (e.g., user, application, or system) who performed the action. This helps in tracking who or what initiated the event.
Actor.Type The type of actor initiating the action (e.g., User, Application). This helps in distinguishing between user-initiated and application-based actions.
ActorContextId The context ID for the actor, typically used to group related actions or sessions together for a single entity.
ActorIpAddress The IP address from which the actor initiated the action, useful for identifying the origin of the request. 
Target.Id The unique identifier for the target (e.g., user, group, or resource) affected by the action.
Target.Type The type of target impacted by the action (e.g., User, Device, Group), helping identify the nature of the affected resource.
TargetContextId The context ID associated with the target, which can link related actions or sessions for a specific target. 
ApplicationId The unique identifier for the application involved in the event, often called the Client ID. This helps track application-based activities.
AzureActiveDirectoryEventType Specifies the type of Azure AD event (e.g., UserLogin, PasswordReset). This categorizes the nature of the Azure AD action. 
ClientIP The client’s IP address that accessed the Azure AD service, helpful for tracing client locations and identifying access patterns.
CreationTime The date and time in UTC when the audit record was created, providing a timestamp for the event.
Operation The specific operation performed (e.g., AddUser, UpdateGroup, DeleteDevice), indicating the action that was taken in Azure AD or Microsoft 365.
OrganizationId The unique identifier for the Microsoft 365 organization or Azure AD tenant involved in the event.
Workload Specifies the service or workload where the action occurred (e.g., AzureAD, SharePoint, Teams). This helps categorize actions based on the service.
DeviceProperties.Name The name of a device property associated with the event, providing specific details about the device.
DeviceProperties.Value The value of the specified device property, which can include details like the device model, operating system, or other metadata. 
ExtendedProperties.Name The name of an extended property associated with the event, often providing additional context specific to the event.
ExtendedProperties.Value The value of the specified extended property, containing extra details that may not fit into predefined fields.
Id A unique identifier for the audit record, allowing for precise reference to the specific log entry.
InterSystemsId Identifies a system-level ID that links events across systems or platforms, often used in complex multi-system environments.
IntraSystemsId An identifier for events within a single system, helping to correlate and trace intra-system activities.
ObjectId The ID of the specific object associated with the event (e.g., a user account, application, or resource), useful for identifying affected entities. 
RecordType A value that specifies the type of audit record, categorizing the record into groups like AzureAD, AuditLog, or other event types.
ResultStatus The outcome of the operation (e.g., Success, Failure), providing immediate insight into whether the action was completed as expected.
ErrorNumber A code representing any error that occurred during the action, useful for troubleshooting failed actions or requests.
SupportTicketId The ID of a related support ticket if the operation is associated with a Microsoft support incident, aiding in connecting audit logs with support cases.
UserId The unique identifier for the user involved in the event, allowing tracking of individual user actions.
UserKey Often the same as UserId, serving as an alternative unique identifier for the user.
UserType Specifies the type of user (e.g., Member, Guest, Admin), providing context on the user’s role or permissions in the organization.
Version The version of the log schema, indicating the specific structure in use, which is important for interpreting log data consistently. 


Office 365 Management - Audit - Microsoft Entra ID

Actor.ID The unique identifier for the entity (e.g., user or application) that performed the action.
Actor.Type Specifies the type of actor initiating the action (e.g., User, Application), helping distinguish between actions by users and apps. 
ActorContextId The context identifier for the actor, grouping related actions or sessions tied to the actor.
ActorIpAddress The IP address from which the actor initiated the action, useful for tracking location or investigating suspicious activities.
Target.ID The unique identifier for the object (e.g., user, group, or resource) impacted by the action.
Target.Type The type of target affected by the action (e.g., User, Device, Group), categorizing the nature of the impacted resource.
TargetContextId Contextual ID associated with the target, linking related actions or sessions for a specific entity.
ApplicationId The application’s unique identifier (often called the Client ID) involved in the event.
AzureActiveDirectoryEventType Specifies the type of Entra ID event (e.g., UserLogin, PasswordReset), categorizing the event type.
ClientIP The IP address of the client accessing the service, helpful for tracing client locations and identifying access sources.
CreationTime The date and time in UTC when the event was created.
Operation Specifies the action or operation performed (e.g., AddUser, DeleteGroup), detailing what happened during the event.
OrganizationId The identifier for the Microsoft Entra ID tenant (organization) where the action occurred, useful for multi-tenant environments.
Workload Specifies the service or workload involved in the event (e.g., AzureAD, Exchange, Teams), categorizing the activity based on the service.
DeviceProperties.Name The name of a device property associated with the event, providing details about the device involved in the action.
DeviceProperties.Value The value of the specified device property, such as device model or operating system.
ExtendedProperties.Name The name of any extended properties associated with the event, adding extra context beyond standard fields.
ExtendedProperties.Value The value of the specified extended property, containing additional event-specific information.
Id A unique identifier for the event record, allowing for precise reference.
InterSystemsId An identifier that links events across systems, used to correlate activities across different environments.
IntraSystemsId An identifier for events within a single system, useful for tracking related events.
ModifiedProperties Details of any properties that were modified during the event, providing before-and-after information.
ObjectId The identifier of the primary object involved (e.g., user account or resource), helpful for identifying the main entity in an operation.
RecordType A value specifying the type of event (e.g., AuditLog, SignInLog), used to categorize the log entry.
ResultStatus The result of the operation (e.g., Success, Failure), indicating the outcome.
ErrorNumber A code representing an error that occurred during the operation, useful for troubleshooting failures.
SupportTicketId An identifier for any related support ticket, connecting events to customer support cases if applicable.
UserId The unique identifier for the user involved in the event, providing a reference to the user account.
UserKey Often the same as UserId, serving as an alternative unique identifier for the user.
UserType Specifies the user’s type (e.g., Member, Guest, Admin), providing context on the user's role or permissions.
Version The version of the log schema used, helping ensure consistency when interpreting logs.


Office 365 Management - Audit - SharePoint

Actor.ID The unique identifier of the entity (user, app, or system) that performed the action in O365 or SharePoint.
Actor.Type The type of entity initiating the action, such as User, System, or Application, which helps distinguish between human and automated actions. 
ActorContextId Contextual ID for grouping events or sessions associated with the actor, useful for tracking related activities across sessions.
ActorIpAddress The IP address from which the actor initiated the action, helping identify the origin of the event and monitor suspicious access.
Target.ID The unique identifier for the object affected by the action, such as a document, folder, or list item.
Target.Type Specifies the type of target, which can be a File, Folder, List, Document Library, or Site. This helps categorize the impacted resource.
TargetContextId A contextual ID associated with the target for grouping related activities, aiding in session and access tracking within O365 or SharePoint. 
ApplicationId The unique identifier of the application involved in the event. In O365, this might represent applications interacting with SharePoint, like Teams or OneDrive.
AzureActiveDirectoryEventType Specifies the type of Azure AD event (e.g., UserLogin or FileAccess). This field classifies the event type in Entra ID or O365.
ClientIP The IP address of the client used to access the service, which can indicate the location or source of access.
CreationTime The timestamp when the log entry was created (in UTC), which is essential for tracking event chronology.
Operation The action taken (e.g., ViewedFile, DeletedFile, CreatedSite), providing specifics on what activity took place. 
OrganizationId A unique identifier for the Office 365 tenant or organization involved in the event, helpful for multi-tenant or multi-org environments.
Workload Specifies the O365 service where the action took place, such as SharePoint, OneDrive, or Exchange, categorizing the log by workload.
DeviceProperties.Name The name of a device property, like the operating system or browser type, related to the activity.
DeviceProperties.Value The value of the device property, giving details such as OS version or device model.
ExtendedProperties.Name Name of an additional property associated with the event, which can contain contextual information specific to O365 or SharePoint.
ExtendedProperties.Value The value of the extended property, containing more information beyond the standard fields.
Id The unique identifier for the audit record itself, allowing precise reference to the log entry.
InterSystemsId An identifier that correlates actions across systems, particularly useful in complex multi-system O365 setups.
IntraSystemsId Identifier for tracking related actions within the same system, useful in large, integrated SharePoint environments.
ObjectId ID of the main object involved in the event (e.g., a specific file or site), which helps identify the primary entity impacted by the operation.
RecordType A code or value indicating the log type (e.g., Audit.SharePoint, Audit.OneDrive), categorizing the entry by service.
ResultStatus The outcome of the action, such as Success or Failure, providing insight into whether the operation was completed.
ErrorNumber A code representing any error encountered during the action, useful for diagnosing failures or issues.
SupportTicketId A unique identifier for a Microsoft support ticket related to the action, if applicable, linking the event to a customer support case.
UserId The identifier of the user involved in the activity, tracking user-specific actions.
UserKey Often the same as UserId, acting as an alternative unique identifier for the user.
UserType Specifies the user’s type (e.g., Member, Guest, Admin), adding context on the user’s permissions.
Version The schema version of the log entry, helpful for consistency in interpreting log fields.


Office 365 Management - DLP - All

Actor.ID The unique identifier for the user, application, or service that performed the action (e.g., a user attempting to access or share sensitive data).
Actor.Type Specifies the type of actor initiating the action, such as User, Application, or System, helping to differentiate between human actions and automated processes.
ActorContextId A contextual identifier for grouping related activities by the same actor, helpful for tracking session-based or context-based events.
ActorIpAddress The IP address from which the actor performed the action, often used to pinpoint the location or identify unusual access patterns in DLP scenarios.
Target.ID The unique identifier for the data or object impacted by the DLP action, such as a document or email containing sensitive data. 
Target.Type Specifies the type of resource affected (e.g., File, Email, Document Library), providing insight into what kind of content was involved.
TargetContextId Contextual ID linked to the target, grouping related events affecting the same resource.
ApplicationId The application’s unique identifier involved in the event, often useful for tracking the app that might have triggered a DLP policy (e.g., Exchange Online, OneDrive).
AzureActiveDirectoryEventType Specifies the type of event in Entra ID (formerly Azure AD), such as a user’s login that could initiate a DLP scan or action.
ClientIP The IP address of the client accessing the service, potentially useful in DLP scenarios for tracking access to sensitive data.
CreationTime The UTC timestamp when the log record was created, providing timing details for compliance and event correlation.
Operation The specific action taken (e.g., AccessedSensitiveData, BlockedShare, PolicyViolationDetected). This gives information on the DLP action applied, such as blocking access or triggering a warning.
OrganizationId The unique identifier for the O365 organization or tenant involved, relevant in multi-tenant environments for event isolation.
Workload Specifies the service where the DLP action took place (e.g., SharePoint, OneDrive, Exchange), helping categorize the action by workload for DLP events.
DeviceProperties.Name The name of the device property, such as DeviceType or OperatingSystem, providing metadata about the device used in the event. 
DeviceProperties.Value The specific value of the device property, offering details like the device model, OS version, or browser used to access sensitive data.
ExtendedProperties.Name The name of additional event-related properties, often containing extra information specific to the DLP policy or detection type. 
ExtendedProperties.Value The value of the extended property, adding context or details beyond standard fields, such as specific content types or keywords flagged by DLP.
Id A unique identifier for the audit event, allowing for easy referencing and troubleshooting.
InterSystemsId An identifier used to correlate actions across multiple systems, potentially useful in integrated DLP scenarios with cross-system data movement.
IntraSystemsId Identifier for correlating related actions within the same system, often helpful for tracking activity within a single DLP workload.
ObjectId The primary object impacted by the DLP action (e.g., a sensitive file or email), giving direct reference to the item involved.
RecordType Specifies the type of audit log record (e.g., DLPPolicyMatch, DLPPolicyAction), classifying the entry by record type for organization and filtering.
ResultStatus The outcome of the action (e.g., Success, Failure), indicating whether the DLP action was completed as expected.
ErrorNumber A code that represents any error encountered, useful for troubleshooting failed DLP actions.
SupportTicketId An ID for a related Microsoft support ticket if the DLP action or policy incident is associated with a customer support case.
UserId The unique identifier for the user involved in the event, often used in DLP to track who attempted to access or share sensitive data.
UserKey An alternative identifier for the user, sometimes identical to UserId. 
UserType Specifies the user’s type (e.g., Member, Guest, External), useful for understanding the actor’s permissions or role within the organization, especially relevant in DLP scenarios.
Version The schema version of the log entry, ensuring consistency in log structure interpretation.
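The Office 365 Management Activity sections above (Exchange, General, Microsoft Entra ID, SharePoint and DLP) name fields with dotted paths such as Actor.ID or ExtendedProperties.Value. As an added example (not Cloud Detect's own code or condition syntax), the following Python resolves those paths against a constructed audit record, in which Actor and ExtendedProperties are arrays, and evaluates a few alert conditions over it, including the pitfall of matching a Name and a Value on different entries; the operators, the bracket selector and all sample values are assumptions of this example.

```python
"""Resolve the dotted field paths listed on this page against an Office 365
Management Activity audit record and evaluate alert conditions over them.
The operators and the Name[...] selector are this example's own conventions,
not Cloud Detect's condition syntax."""
import ipaddress
import re
from typing import Any, Iterator
# Constructed sample record (no real tenant data).  Actor and ExtendedProperties
# are arrays in the Management Activity schema, so "Actor.ID" can yield several values.
SAMPLE_RECORD = {
    "Id": "11111111-2222-3333-4444-555555555555", "CreationTime": "2025-04-16T12:00:00",
    "RecordType": 8, "Operation": "AddUser", "ResultStatus": "Success", "UserType": 2,
    "Workload": "AzureActiveDirectory", "UserId": "admin@example.com",
    "ClientIP": "203.0.113.10:443",            # some workloads append a port
    "Actor": [{"ID": "admin@example.com", "Type": 5}, {"ID": "10032001A1B2C3D4", "Type": 3}],
    "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (constructed)"},
                           {"Name": "ResultStatusDetail", "Value": "Success"}],
    "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "true", "OldValue": ""}],
}
_SELECTOR = re.compile(r"^(\w+)\[(.+)\]$")    # e.g. ExtendedProperties[UserAgent]


def resolve(node: Any, path: str) -> Iterator[Any]:
    """Yield every value at a dotted path.  Arrays fan out ("Actor.ID" yields each
    Actor's ID); "ExtendedProperties[UserAgent]" selects the entry whose Name matches
    and continues with its Value (or the rest of the path, e.g. "...[X].NewValue")."""
    if isinstance(node, list):
        for item in node:
            yield from resolve(item, path)
        return
    if not isinstance(node, dict):
        return
    head, _, rest = path.partition(".")
    if m := _SELECTOR.match(head):
        key, name = m.groups()
        for pair in node.get(key) or []:
            if isinstance(pair, dict) and pair.get("Name") == name:
                yield from resolve(pair, rest or "Value")
        return
    if head not in node:
        return
    value = node[head]
    if rest:
        yield from resolve(value, rest)
    elif isinstance(value, list):
        yield from value
    else:
        yield value


def outside_networks(value: Any, nets: list) -> bool:
    """True unless the address lies inside one of nets.  Strips the port some
    workloads append to ClientIP ("203.0.113.10:443", "[2001:db8::1]:443")."""
    text = str(value).strip()
    if text.startswith("["):
        text = text[1:].split("]", 1)[0]
    elif text.count(":") == 1:
        text = text.split(":", 1)[0]
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True                # an unparsable address is not a trusted one
    return not any(ip in n for n in nets)


def compare(values: list, op: str, operand: Any) -> bool:
    """True when ANY resolved value satisfies the operator; a missing field never matches."""
    if op == "equals":
        return any(v == operand for v in values)
    if op == "contains":
        return any(isinstance(v, str) and operand in v for v in values)
    if op == "outside_networks":
        nets = [ipaddress.ip_network(n) for n in operand]
        return any(outside_networks(v, nets) for v in values)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(record: dict, policy: list) -> bool:
    """A policy is a list of (field, operator, operand) conditions; all must hold."""
    return all(compare(list(resolve(record, f)), op, arg) for f, op, arg in policy)


# AddUser by an admin-type user from outside the trusted ranges (ranges constructed).
NEW_USER_FROM_UNTRUSTED_IP = [("Workload", "equals", "AzureActiveDirectory"),
    ("Operation", "equals", "AddUser"), ("UserType", "equals", 2),
    ("ClientIP", "outside_networks", ["10.0.0.0/8", "192.168.0.0/16"])]
# Two separate conditions match Name and Value on DIFFERENT entries (a false
# positive here); the selector form evaluates both against the same entry.
NAIVE_PAIR = [("ExtendedProperties.Name", "equals", "ResultStatusDetail"),
              ("ExtendedProperties.Value", "contains", "Mozilla")]
STRICT_PAIR = [("ExtendedProperties[ResultStatusDetail]", "contains", "Mozilla")]

if __name__ == "__main__":
    print([evaluate(SAMPLE_RECORD, p) for p in (NEW_USER_FROM_UNTRUSTED_IP, NAIVE_PAIR, STRICT_PAIR)])
```

Running the block prints `[True, True, False]`: the untrusted-IP policy fires, the naive Name/Value pair fires on mismatched entries, and the selector form correctly does not.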


Works Cited

“Alert Resource Type - Microsoft Graph V1.0.” Microsoft.com, Microsoft, 16 Aug. 2024, learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0. Accessed 16 Apr. 2025.

“DirectoryAudit Resource Type - Microsoft Graph V1.0.” Microsoft.com, Microsoft, 23 May 2024, learn.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-1.0. Accessed 16 Apr. 2025.

“Office 365 Management Activity API Schema.” Microsoft.com, Microsoft, 20 Mar. 2024, learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema. Accessed 16 Apr. 2025.

“RiskDetection Resource Type - Microsoft Graph V1.0.” Microsoft.com, Microsoft, 23 May 2024, learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0. Accessed 16 Apr. 2025.
