Reference mapping for the Portable Audit eXporter (PAX) v1.11.2
Purview Audit Log Processor. Each row below shows how a specific nested JSON path in the raw audit record
(the AuditData blob, its CopilotEventData sub-object, and the surrounding CSV envelope)
is lifted into one column of the flat output consumed by the
AI-in-One Dashboard — Rollup Edition and any other downstream tool (Splunk, Fabric, ADX, etc.).
Tip: click any row to expand a description of what the field represents and the known set of possible values. Descriptions are sourced from the Microsoft 365 Management Activity API and Copilot audit schemas on Microsoft Learn; value lists are illustrative — Microsoft adds new workload operations and Copilot surfaces continuously.
Pick a scenario and a destination tool. Emits a starter query against the columns this scenario actually needs.
Pick a goal, see the 6–10 columns you actually need plus the recommended filter. Click any field chip to jump to its row in the full mapping below.
The most common invocations of PAX_Purview_Audit_Log_Processor_v1.11.2.ps1. PowerShell 7+ required.
The stuff that burns people. Read this before you write your first query.
Two real-shaped AuditData JSON examples and a note on how each becomes flat row(s).