
API - Office 365 Management Activity (Microsoft)

Office 365 (O365) allows customers to host their Office solution in the Microsoft cloud. With the proper credentials and configuration, the LogRhythm System Monitor can collect O365 management events from the following applications through the Office 365 Management Activity API:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory (Azure AD)
  • DLP
  • General

Device Details



| Field | Value |
|---|---|
| Device Type | Cloud Subscription Services |
| Supported Model Name/Number | |
| Supported Software Version(s) | |
| Collection Method | |
| Configurable Log Output? | |
| Log Source Type | API - Office 365 Management Activity |
| Log Processing Policy | LogRhythm Default |



Additional Information

Microsoft may change their setup from time to time. Some section names of the Azure Admin Portal may be slightly different.

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)


| Message Type | Product Version | Supported Schema Fields |
|---|---|---|
| Add Member to Group Messages | N/A | <session>, <command>, <objecttype>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <vmid>, <account>, <group>, <objectname>, <useragent>, <status> |
| Azure Active Directory Messages | N/A | <session>, <command>, <objecttype>, <subject>, <process>, <result>, <tag1>, <account>, <login>, <domainorigin>, <sip>, <vmid>, <group>, <objectname>, <useragent>, <object>, <tag5>, <status>, <policy> |
| Catch All : Level 1 2 | N/A | <command>, <objecttype>, <process>, <vendorinfo>, <useragent> |
| Data Loss Prevention 1 | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sender>, <object>, <recipient>, <subject>, <policy>, <objectname>, <severity> |
| Exchange Email Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <account>, <domainimpacted>, <sessiontype>, <sender>, <group>, <useragent>, <sipv4>, <sipv6>, <sip>, <sport>, <version>, <subject>, <objectname> |
| MailBox Search | N/A | <session>, <command>, <tag1>, <tag2>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sport>, <sessiontype>, <sname>, <domain> |
| Microsoft Apps Activity Messages | N/A | <session>, <command>, <objecttype>, <tag1>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <sip>, <sport>, <version>, <url>, <useragent>, <objectname> |
| Microsoft Teams Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <group>, <sname>, <tag1>, <objecttype>, <objectname>, <action> |
| OneDrive Messages | N/A | <command>, <session>, <process>, <vendorinfo>, <tag1>, <object>, <login>, <domain>, <sip>, <objectname>, <subject>, <useragent>, <account> |
| Power BI Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <action>, <objectname>, <useragent> |
| Security and Compliance Center Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <tag1>, <result>, <object>, <login>, <domain>, <sip>, <version>, <parentprocessname>, <objecttype>, <sender>, <subject>, <account>, <severity> |
| Sharepoint File Messages | N/A | <session>, <command>, <tag1>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <useragent>, <objectname>, <account>, <group>, <sessiontype>, <action> |
| Sway Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <version>, <useragent>, <url> |
| Threat Intelligence Messages | N/A | <session>, <command>, <vendorinfo>, <login>, <domain>, <sip>, <hash>, <reason>, <url>, <sender>, <result>, <policy>, <tag2>, <action>, <tag3>, <recipient>, <subject>, <threatname>, <tag1> |
| Yammer Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <account>, <group> |

Revision History

| KB Version | Log Type | Change Type | |
|---|---|---|---|
| 7.1.588.0 | API - Office 365 Management Activity | Parsing Enhancement | Parse extra fields |
| 7.1.598.0 | API - Office 365 Management Activity | Parsing Enhancement | |
| 7.1.598.0 | API - Office 365 Management Activity | Parsing Enhancement | |