cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unified Audit Logs - UserAgents field

Andre-86
Copper Contributor

‎Jun 14 2023 02:30 AM

‎Jun 14 2023 02:30 AM

Unified Audit Logs - UserAgents field

Hi,

 

I'm investigating access logs pulled from Unified Audit Logs for OneDrive online, specifically. The UserAgent field value is populeted with multiple values all starting with 'onenotemodernsync...' and the Operations column is populated with either 'FileAccessed' OR 'FileModified'.

 

I am trying to understand what the user is doing or when this value would occur, if anyone can provide some insight that would be much appreciated.

 

Regards

Andre

Labels:
460 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Jun 14 2023 08:22 AM

‎Jun 14 2023 08:22 AM

Re: Unified Audit Logs - UserAgents field

Looks like activities corresponding to the background sync process when you have a OneNote opened in the desktop app and make changes to it. Check the ClientAppId/ClientAppName value to confirm.
0 Likes
Reply
Andre-86

‎Jun 14 2023 06:54 PM

‎Jun 14 2023 06:54 PM

Re: Unified Audit Logs - UserAgents field

Appreciate the response.

The ClientAppName is just random numbers - not very insightful. Is there any way to desipher the random numbers?

"ClientAppName":"2d4d3d8e-2be3-4bef-9f87-XXXXXXXX"
0 Likes
Reply
Vasil Michev

‎Jun 15 2023 07:37 AM

‎Jun 15 2023 07:37 AM

Re: Unified Audit Logs - UserAgents field

If you paste the value in your favorite search engine, it will come up with the following: https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-i...
To me, it looks like the regular OneNote sync processes, as mentioned above, so you can safely ignore such entries.
0 Likes
Reply