Unified Audit Logs - UserAgents field

Copper Contributor



I'm investigating access logs pulled from Unified Audit Logs for OneDrive online, specifically. The UserAgent field value is populeted with multiple values all starting with 'onenotemodernsync...' and the Operations column is populated with either 'FileAccessed' OR 'FileModified'.


I am trying to understand what the user is doing or when this value would occur, if anyone can provide some insight that would be much appreciated.




3 Replies
Looks like activities corresponding to the background sync process when you have a OneNote opened in the desktop app and make changes to it. Check the ClientAppId/ClientAppName value to confirm.
Appreciate the response.

The ClientAppName is just random numbers - not very insightful. Is there any way to desipher the random numbers?

If you paste the value in your favorite search engine, it will come up with the following: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-i...
To me, it looks like the regular OneNote sync processes, as mentioned above, so you can safely ignore such entries.