TargetUserOrGroupType and TargetUserOrGroupName missing in OfficeActivity Schema

%3CLINGO-SUB%20id%3D%22lingo-sub-1047614%22%20slang%3D%22en-US%22%3ETargetUserOrGroupType%20and%20TargetUserOrGroupName%20missing%20in%20OfficeActivity%20Schema%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1047614%22%20slang%3D%22en-US%22%3E%3CP%3EI%20noticed%20that%20the%20following%20are%20missing%20from%20the%20schema%20in%20OfficeActivity%20logs%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3E%3CSTRONG%3ETargetUserOrGroupType%3A%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIdentifies%20whether%20the%20target%20user%20or%20group%20is%20a%20Member%2C%20Guest%2C%20SharePointGroup%2C%20SecurityGroup%2C%20or%20Partner.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3E%3CSTRONG%3ETargetUserOrGroupName%3A%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EStores%20the%20UPN%20or%20name%20of%20the%20target%20user%20or%20group%20that%20a%20resource%20was%20shared%20with%20(User%20B%20in%20the%20previous%20example).%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CSPAN%3EThis%20is%20key%20information%20to%20determine%20whether%20information%20was%20shared%20with%20a%20Guest%20identity%20or%20a%20Member%20identity.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20only%20thing%20I%20found%20regarding%20this%20issue%20was%20a%20feedback%20post%20from%20September%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%2Fsuggestions%2F38501344-add-targetuser-and-targetgroup-from-the-sharepoint%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ffeedback.azure.com%2Fforums%2F920458-azure-sentinel%2Fsuggestions%2F38501344-add-targetuser-and-targetgroup-from-the-sharepoint%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20this%20going%20to%20be%20added%20in%20the%20near%20future%3F%20Or%20is%20there%20a%20possible%20work%20around%20to%20get%20this%20information%20into%20a%20query%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ETh%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1063732%22%20slang%3D%22en-US%22%3ERe%3A%20TargetUserOrGroupType%20and%20TargetUserOrGroupName%20missing%20in%20OfficeActivity%20Schema%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1063732%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F418279%22%20target%3D%22_blank%22%3E%40leoszalkowski%3C%2FA%3E%26nbsp%3B%3A%20thanks%20for%20the%20input%2C%20we%20will%20look%20into%20that.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E~%20Ofer%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1065849%22%20slang%3D%22en-US%22%3ERe%3A%20TargetUserOrGroupType%20and%20TargetUserOrGroupName%20missing%20in%20OfficeActivity%20Schema%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1065849%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3BGreat!%20Thank%20you.%20Please%20let%20me%20know%20if%2Fwhen%20there%20will%20be%20a%20solution%20for%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

I noticed that the following are missing from the schema in OfficeActivity logs:

  • TargetUserOrGroupType: Identifies whether the target user or group is a Member, Guest, SharePointGroup, SecurityGroup, or Partner.

  • TargetUserOrGroupName: Stores the UPN or name of the target user or group that a resource was shared with (User B in the previous example).

This is key information to determine whether information was shared with a Guest identity or a Member identity. 

 

The only thing I found regarding this issue was a feedback post from September: https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/38501344-add-targetuser-and-targ...

 

Is this going to be added in the near future? Or is there a possible work around to get this information into a query?

 

Th

2 Replies
Highlighted

@leoszalkowski : thanks for the input, we will look into that.

 

~ Ofer

Highlighted

@Ofer_Shezaf Great! Thank you. Please let me know if/when there will be a solution for this.