Data Source: M365 Copilot Graph API

Description

Access logs recording sign-ins to M365 Copilot, retrieved via the Graph API.

Details

Property Value
Source AuditLogs.SignIns
Sourcetype o365:graph:api

Supported Apps

Event Fields

Fields

Note: `date_*`, `eventtype`, `host`, `index`, `linecount`, `punct`, `source`, `sourcetype`, `splunk_server`, `timeendpos` and `timestartpos` are fields Splunk adds at index or search time; the remaining fields are extracted from the sign-in record itself.

- appDisplayName
- appId
- clientAppUsed
- conditionalAccessStatus
- correlationId
- createdDateTime
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- deviceDetail.browser
- deviceDetail.deviceId
- deviceDetail.displayName
- deviceDetail.isCompliant
- deviceDetail.isManaged
- deviceDetail.operatingSystem
- deviceDetail.trustType
- eventtype
- host
- id
- index
- ipAddress
- isInteractive
- linecount
- location.city
- location.countryOrRegion
- location.geoCoordinates.altitude
- location.geoCoordinates.latitude
- location.geoCoordinates.longitude
- location.state
- punct
- resourceDisplayName
- resourceId
- riskDetail
- riskLevelAggregated
- riskLevelDuringSignIn
- riskState
- source
- sourcetype
- splunk_server
- status.additionalDetails
- status.errorCode
- status.failureReason
- timeendpos
- timestartpos
- userDisplayName
- userId
- userPrincipalName

Example Log

{"id": "7fbc0a97-7f78-4cc8-9377-dc94d2ad1e00", "createdDateTime": "2025-09-30T12:34:20Z", "userDisplayName": "Rod  Soto", "userPrincipalName": "rodsoto@rodsoto.onmicrosoft.com", "userId": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "appId": "9199bf20-a13f-4107-85dc-02114787ef48", "appDisplayName": "One Outlook Web", "ipAddress": "127.0.0.1", "clientAppUsed": "Browser", "correlationId": "8fe7aa9b-42c8-b52e-c6f2-8e4dfc07996b", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": "MFA requirement satisfied by claim in the token"}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 140.0.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "Florida", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 25.76286, "longitude": -80.31196}}, "appliedConditionalAccessPolicies": []}

Source: GitHub | Version: 1