Office 365 (O365) allows customers to host their Office solution in the Microsoft cloud. With the proper credentials and configuration, the LogRhythm System Monitor can collect O365 management events from the following applications through the Office 365 Management Activity API:

  • SharePoint
  • OneDrive
  • Exchange
  • Azure Active Directory (Azure AD)
  • DLP
  • General

Device Details

Vendor: Microsoft
Device Type: Cloud Subscription Services
Supported Model Name/Number: N/A
Supported Software Version(s): Cloud
Collection Method: API
Configurable Log Output?: No
Log Source Type: API - Office 365 Management Activity
Log Processing Policy: LogRhythm Default
Exceptions: N/A

Additional Information

Microsoft changes its portal layout from time to time, so some section names in the Azure Admin Portal may differ slightly. The event schema is documented at:

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Supported Log Messages

(List of LR Tags used to parse the log information for each message type)

Type | Product Version | Supported Schema Fields
Add Member to Group Messages | N/A | <session>, <command>, <objecttype>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <vmid>, <account>, <group>, <objectname>, <useragent>, <status>
Azure Active Directory Messages | N/A | <session>, <command>, <objecttype>, <subject>, <process>, <result>, <tag1>, <account>, <login>, <domainorigin>, <sip>, <vmid>, <group>, <objectname>, <useragent>, <object>, <tag5>, <status>, <policy>
Catch All : Level 1 | N/A | <command>, <objecttype>, <process>, <vendorinfo>, <useragent>
Data Loss Prevention | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sender>, <recipient>, <subject>, <policy>, <objectname>, <severity>
Exchange Email Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <account>, <domainimpacted>, <sessiontype>, <sender>, <group>, <useragent>, <sipv4>, <sipv6>, <sip>, <sport>, <version>, <subject>, <objectname>
MailBox Search | N/A | <session>, <command>, <tag1>, <tag2>, <sender>, <process>, <vendorinfo>, <result>, <object>, <login>, <sip>, <sport>, <sessiontype>, <sname>, <domain>
Microsoft Apps Activity Messages | N/A | <session>, <command>, <objecttype>, <tag1>, <process>, <vendorinfo>, <result>, <object>, <login>, <domainorigin>, <sip>, <sport>, <version>, <url>, <useragent>, <objectname>
Microsoft Teams Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <group>, <sname>, <tag1>, <objecttype>, <objectname>, <action>
OneDrive Messages | N/A | <command>, <session>, <process>, <vendorinfo>, <tag1>, <object>, <login>, <domain>, <sip>, <objectname>, <subject>, <useragent>, <account>
Power BI Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <action>, <objectname>, <useragent>
Security and Compliance Center Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <tag1>, <result>, <object>, <login>, <domain>, <sip>, <version>, <parentprocessname>, <objecttype>, <sender>, <subject>, <account>, <severity>
Sharepoint File Messages | N/A | <session>, <command>, <tag1>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <useragent>, <objectname>, <account>, <group>, <sessiontype>, <action>
Sway Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <object>, <login>, <domain>, <sip>, <version>, <useragent>, <url>
Threat Intelligence Messages | N/A | <session>, <command>, <vendorinfo>, <login>, <domain>, <sip>, <hash>, <reason>, <url>, <sender>, <result>, <policy>, <tag2>, <action>, <tag3>, <recipient>, <subject>, <threatname>, <tag1>
Yammer Messages | N/A | <session>, <command>, <process>, <vendorinfo>, <result>, <object>, <login>, <domain>, <sip>, <version>, <account>, <group>

Revision History

KB Version | Log Type | Change Type | Details
7.1.588.0 | API - Office 365 Management Activity | Parsing Enhancement | Parse extra fields
7.1.598.0 | API - Office 365 Management Activity | Parsing Enhancement |