Descriptions are from the Office MS site when a definition existed.
GMT String of the time
The ID of the report entry. The ID uniquely identifies the report entry.
The name of the user or admin activity. The value of this property corresponds to the value that was selected in the Activities drop down list. If Show results for all activities was selected, the report will included entries for all user and admin activities for all services. For a description of the operations/activities that are logged in the Office 365 audit log, see the Audited activities tab in Search the audit log in the Office 365 Security & Compliance Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run.
The GUID for your Office 365 organization.
The type of operation indicated by the record. The following values indicate the record type.
An alternative ID for the user identified in the UserIDproperty. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint. This property also might specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
Indicates the version number of the activity (identified by the Operation property) that’s logged.
The Office 365 service where the activity occurred. The possible values for this property are: SharePoint OneDrive Exchange AzureActiveDirectory DataCenterSecurity Compliance Sway SecurityComplianceCenter PowerBI MicrosoftTeams ThreatIntelligence
The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
SharePoints version of ClientIP
For Exchange admin audit logging, the name of the object that was modified by the cmdlet. For SharePoint activity, the full URL path name of the file or folder accessed by a user. For Azure AD activity, the name of the user account that was modified.
The user who performed the action (specified in the Operation property) that resulted in the record being logged. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included in the audit log.
Identity information about the tenant organization of the user (actor) who performed the action.
Unlisted Attribute. The attribute appears to relate a request with its response. Appears in Sharepoint logs when a search is followed by an FileUploaded.
Identifies that an event occurred in SharePoint. Possible values are SharePoint and ObjectModel. (Sharepoint)
For Exchange admin activity, specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. For Exchange mailbox activity, specifies whether a mailbox was accessed by a user outside your organization. (Exchange)
The type of object that was accessed or modified. Possible values include File, Folder, Web, Site, Tenant, and DocumentLibrary. (SharePoint)
The GUID of the site where the file or folder accessed by the user is located. (Sharepoint)
Information about the user’s browser. This information is provided by the browser. (Sharepoint)
Unlisted Attribute. Web Hash Identifier
The MS DOS file extension used for application mapping
The URL used to connect to this resource
The filename by itself with extension
The relative directory. This plus site, plus filename is the complete URL
Indicates a record from the Exchange admin audit log.
Indicates a record from the Exchange mailbox audit log for an operation performed on a singled mailbox item.
Also indicates a record from the Exchange mailbox audit log. This record type indicates the operation was performed on multiple items in the source mailbox (such as moving multiple items to the Deleted Items folder or permanently deleting multiple items).
Indicates a site admin operation in SharePoint, such as an administrator or user assigning permissions to a site.
Indicates a file or folder-related operation in SharePoint, such as a user viewing or modifying a file.
Indicates an admin operation performed in Azure Active Directory.
Indicates OrgId logon events in Azure Active Directory. This record type is being deprecated.
Indicates security cmdlet events that were performed by Microsoft personnel in the data center.
Indicates Data loss protection (DLP) events in SharePoint.
Indicates Sway events.
Indicates sharing events in SharePoint.
Indicates Secure Token Service (STS) logon events in Azure Active Directory.
Indicates Security & Compliance Center events.
Indicates Power BI events.
Indicates Yammer events.
Indicates eDiscovery events. This record type indicates activities that were performed by running content searches and managing eDiscovery cases in the Security & Compliance Center. For more information, see Search for eDiscovery activities in the Office 365 audit log. 25, 26, or 27 - Indicates Microsoft Teams events.