API - Office 365 Management Activity (Microsoft)

Office 365 (O365) allows customers to host their Office solution in the Microsoft cloud. With the proper credentials and configuration, the LogRhythm System Monitor can collect O365 management events from the following applications through the Office 365 Management Activity API:

  • SharePoint

  • OneDrive

  • Exchange

  • Azure Active Directory (Azure AD)

  • DLP

  • General

Device Details

Vendor: Microsoft
Device Type: Cloud Subscription Services
Supported Model Name/Number: N/A
Supported Software Version(s): Cloud
Collection Method: API
Configurable Log Output?: No
Log Source Type: API - Office 365 Management Activity
Log Processing Policy: LogRhythm Default
Exceptions: N/A

Additional Information

Microsoft may change their setup from time to time, so some section names in the Azure Admin Portal may differ slightly from those referenced here. The activity schema is documented by Microsoft at:

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Supported Log Messages

(List of LR Tags used to parse the log information for each message type. The Product Version is N/A for every message type below.)

Add Member to Group Messages (Product Version: N/A)
  <session>, <command>, <objecttype>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <vmid>, <account>, <group>, <objectname>, <useragent>, <status>

Azure Active Directory Messages (Product Version: N/A)
  <session>, <command>, <objecttype>, <subject>, <process>, <result>, <tag1>, <account>, <login>, <domainorigin>, <sip>, <vmid>, <group>, <objectname>, <useragent>, <object>, <tag5>, <status>, <policy>

Catch All : Level 1 2 (Product Version: N/A)
  <command>, <objecttype>, <process>, <vendorinfo>, <useragent>

Data Loss Prevention 1 (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sender>, <recipient>, <subject>, <policy>, <objectname>, <severity>

Exchange Email Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <account>, <domainimpacted>, <sessiontype>, <sender>, <group>, <useragent>, <sipv4>, <sipv6>, <sip>, <sport>, <version>, <subject>, <objectname>

MailBox Search (Product Version: N/A)
  <session>, <command>, <tag1>, <tag2>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sport>, <sessiontype>, <sname>, <domain>

Microsoft Apps Activity Messages (Product Version: N/A)
  <session>, <command>, <objecttype>, <tag1>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <sip>, <sport>, <version>, <url>, <useragent>, <objectname>

Microsoft Teams Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <group>, <sname>, <tag1>, <objecttype>, <objectname>, <action>

OneDrive Messages (Product Version: N/A)
  <command>, <session>, <process>, <vendorinfo>, <tag1>, <object>, <login>, <domain>, <sip>, <objectname>, <subject>, <useragent>, <account>

Power BI Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <action>, <objectname>, <useragent>

Security and Compliance Center Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <tag1>, <result>, <object>, <login>, <domain>, <sip>, <version>, <parentprocessname>, <objecttype>, <sender>, <subject>, <account>, <severity>

Sharepoint File Messages (Product Version: N/A)
  <session>, <command>, <tag1>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <useragent>, <objectname>, <account>, <group>, <sessiontype>, <action>

Sway Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <version>, <useragent>, <url>

Threat Intelligence Messages (Product Version: N/A)
  <session>, <command>, <vendorinfo>, <login>, <domain>, <sip>, <hash>, <reason>, <url>, <sender>, <result>, <policy>, <tag2>, <action>, <tag3>, <recipient>, <subject>, <threatname>, <tag1>

Yammer Messages (Product Version: N/A)
  <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <account>, <group>

Revision History

KB Version: 7.1.588.0
Log Type: API - Office 365 Management Activity
Change Type: Parsing Enhancement
Details: Parse extra fields

KB Version: 7.1.598.0
Log Type: API - Office 365 Management Activity
Change Type: Parsing Enhancement
Details: (none given)

KB Version: 7.1.598.0
Log Type: API - Office 365 Management Activity
Change Type: Parsing Enhancement
Details: (none given)