
Microsoft Office 365


About

Microsoft 365 is a suite of apps that help you stay connected and get things done

Product Details

Vendor URL: Microsoft Office 365

Product Type: Productivity Tools (SAAS)

Product Tier: Tier II

Integration Method: API

Integration URL: Microsoft Office 365 - Cyderes Documentation

Log Guide: Office 365 Log Guide

Parser Details

Log Format: JSON

Expected Normalization Rate: 98-100%

Data Label: OFFICE_365

Error Handling: If the log is not valid, metadata.event_type is set to GENERIC_EVENT and metadata.description is set to "parsing error: not_valid_log: %{message}". If a later stage of the parser fails, the same GENERIC_EVENT fallback is used with a more specific error description, such as "parsing error: invalid_date: %{message}".

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
AadAppId src.resource.product_object_id
Action metadata.description
Activity target.resource.resource_subtype
ActivityId target.resource.product_object_id
ActorContextId src.resource.product_object_id
actorDescription metadata.description
actorDescription deviceName metadata.description
ActorYammerUserId target.user.userid
ad metadata.description
additional_clientapplication additional.fields
additional_EffectiveOrganization additional.fields
additional_name additional.fields
additional_userkey additional.fields
AddOnGuid target.resource.product_object_id
AddOnName target.resource.name
AddOnType target.resource.type
AdminActionDetail security_result.summary
AffectedItems.0.Id target.resource.id
ahost principal.hostname
alert_severity security_result.severity
AlertId metadata.product_log_id
AppDistributionMode target.resource.parent
Application principal.process.file.full_path
Application security_result.about.application
ApplicationDisplayName target.resource.name
ApplicationDisplayName target.resource.resource_subtype
ApplicationId target.resource.id
AppName principal.asset_id
auditScore security_result.confidence_details
azureTenantId principal.group.product_object_id
Case metadata.description
caseMember target.user.userid
Category security_result.category_details
CEF CS Fields Found security_result.summary
ChatThreadId target.asset.product_object_id
ClientApplication network.http.user_agent
ClientInfoString network.http.user_agent
ClientIP principal.asset.ip
ClientIP principal.ip
clientPort principal.port
ClientProcessName principal.process.file.full_path
ClientRequestId principal.process.pid
CmdletVersion metadata.product_version
CMSI extensions.auth.auth_details
Common.ApplicationId target.resource.product_object_id
Common.ApplicationName target.resource.name
Common.ProcessName target.resource.resource_subtype
Common.ProductVersion target.platform_version
CommunicationType principal.resource.resource_subtype
CommunicationType target.asset.category
companyName target.resource.name
ConsumptionMethod target.asset.category
CorrelationId src.asset.product_object_id
CrmOrganizationUniqueName principal.resource.name
cs1_field security_result.detection_fields
cs2_field security_result.detection_fields
cs3_field security_result.detection_fields
cs4 target.application
cs4_field security_result.detection_fields
cs5_field security_result.detection_fields
DashboardId target.asset.product_object_id
DatasetId target.resource.product_object_id
DatasetName target.resource.name
DataType metadata.description
DataType security_result.summary
DeepLinkUrl target.url
deleteMessage security_result.detection_fields
description metadata.description
DestFolder.Id target.resource.id
DestFolder.Path target.resource.name
DestinationFileName target.resource.name
%{DestinationRelativeUrl}/%{DestinationFileName} target.file.full_path
destinationServiceName target.application
DEVICE target.resource.resource_type
deviceAddress observer.ip
deviceCustomString1 metadata.url_back_to_product
deviceEventClassId metadata.product_event_type
deviceId target.resource.id
deviceIds security_result.description
DeviceName principal.asset.hostname
DeviceName principal.hostname
DeviceName target.resource.name
deviceOptions security_result.summary
deviceProduct observer.application
dlprulematch.ExchangeMetaData.BCC network.email.bcc
dlprulematch.ExchangeMetaData.CC network.email.cc
dlprulematch.ExchangeMetaData.FileSize target.file.size
DoNotDistributeEvent_field security_result.detection_fields
dvc target.ip
dvchost target.hostname
EffectiveOrganization target.administrative_domain
email.subject network.email.subject
emailAddress target.group.email_addresses
EndpointMetaData.Application principal.application
EndpointMetaData.DeviceName principal.hostname
EndpointMetaData.EndpointOperation security_result.category_details
EndpointMetaData.OriginatingDomain src.domain.name
EndpointMetaData.TargetPrinterName target.asset.hostname
Entity metadata.product_name
EntityPath metadata.url_back_to_product
EventData target.group.product_object_id
EventDeepLink metadata.url_back_to_product
eventId metadata.product_log_id
EventSource principal.hostname
EventSource src.application
ExchangeDetails.From network.email.from
ExchangeMetaData.From network.email.from
ExchangeMetaData.Subject network.email.subject
executionResult security_result.description
ExternalAccess_field security_result.detection_fields
externalId metadata.product_log_id
f3u principal.user.userid
f3u target.user.userid
FileExtension target.file.mime_type
FileName target.file.full_path
FileSize target.file.size
FileSizeBytes target.file.size
FileSyncBytesCommitted src.file.size
FileSyncBytesCommitted target.file.size
flexString1 src.application
flexString1_field security_result.detection_fields
FlowConnectorNames metadata.description
FlowConnectorNames target.resource.name
FlowConnectorNames target.resource.type
FlowDetailsUrl metadata.url_back_to_product
FlowDetailsUrl target.url
Folder target.resource.type
Folder.Id src.resource.id
Folder.Path src.resource.name
Form target.resource.type
FormId target.resource.id
FormName target.resource.name
fromAddress security_result.detection_fields
full_path target.file.full_path
groupId target.group.product_object_id
groupMembers security_result.description
groupName target.group.group_display_name
host principal.hostname
Id metadata.product_log_id
Id target.resource.id
Id target.resource.parent
Id target.resource.product_object_id
Id target.user.employee_id
ImportSource target.resource.resource_subtype
ImportType target.resource.type
InstanceUrl principal.process.file.full_path
InstanceUrl target.url
intermediary intermediary
InternetMessageId metadata.url_back_to_product
IntraSystemId principal.resource.product_object_id
Item.Id network.email.mail_id
Item.Id target.resource.id
Item.ParentFolder.Id target.resource.id
Item.ParentFolder.MemberRights security_result.description
Item.ParentFolder.MemberUpn target.user.userid
Item.ParentFolder.Name target.resource.name
Item.ParentFolder.Path target.file.full_path
Item.ParentFolder.Path target.resource.name
Item.SizeInBytes src.file.size
ItemAttachments_field security_result.detection_fields
ItemName target.resource.name
ItemType target.application
ItemType target.resource.type
ItemUrl target.url
jmails.email_addresses target.user.email_addresses
json_data.Intent json_data.AlertDisplayName metadata.description
json_data.MachineName principal.hostname
ListItemUniqueId principal.asset_id
ListItemUniqueId target.resource.product_object_id
location.region_latitude float
location.region_longitude float
LogonError security_result.description
LogonType extensions.auth.auth_details
LogonUserSid principal.user.windows_sid
MachineId principal.asset.product_object_id
MailboxItem target.resource.type
MailboxOwnerSid target.user.windows_sid
MailboxOwnerUPN target.user.email_addresses
MailboxOwnerUPN target.user.userid
mailKey network.email.mail_id
MDATPDeviceId target.resource.id
mechanism extensions.auth.mechanism
Members.0.DisplayName target.user.user_display_name
Message metadata.description
message security_result.description
MessageURLs.0 target.url
msg metadata.product_event_type
msg_json_log.additional.0.value principal.hostname
msg_json_log.metadata.description metadata.description
msg_json_log.metadata.product_name metadata.product_name
msg_json_log.metadata.product_version metadata.product_version
msg_json_log.metadata.vendor_name metadata.vendor_name
name metadata.description
Name security_result.description
Name security_result.summary
ObjectId metadata.product_log_id
ObjectId src.file.full_path
ObjectId target.file.full_path
ObjectId target.group.group_display_name
ObjectId target.group.product_object_id
ObjectId target.process.file.full_path
ObjectId target.process.pid
ObjectId target.resource.id
ObjectId target.resource.product_object_id
ObjectId target.url
ObjectId target.user.product_object_id
ObjectId target.user.user_display_name
ObjectId target.user.userid
ObjectType security_result.summary
Operation metadata.product_event_type
Operation security_result.category_details
Operation UserAgent metadata.description
OperationDetails metadata.description
Organization Id principal.resource.name
OrganizationId principal.resource.id
OrganizationName principal.resource.name
OrganizationName target.administrative_domain
originatingHost src.hostname
OriginatingServer src.hostname
osName target.platform
osVersion target.platform_version
P1Sender_mail network.email.from
P2Sender_mail network.email.bounce_address
Parameters target.process.command_line
paramName paramValue metadata.description
ParentFolder src.resource.name
ParentFolder src.resource.parent
ParentFolder Path src.resource.name
ParentFolder_Id_exists src.resource.product_object_id
ParentFolder_Name_exists src.resource.name
ParentFolder_Name_exists src.resource.parent
ParentFolder_Path_exists src.resource.parent
path target.file.full_path
Policy security_result.rule_name
PolicyAction security_result.action_details
principalUser principal.user.email_addresses
principalUser principal.user.userid
principalUser targetUser metadata.description
processValue processArgs principal.process.command_line
product_version metadata.product_version
protocol network.application_protocol
Query security_result.description
record_type_field security_result.detection_fields
reid target.resource.id
RelativeUrl target.url
relayhost observer.hostname
Report target.resource.type
ReportId target.resource.id
ReportName target.resource.name
ReportType target.resource.type
requestClientApplication principal.application
resource.name target.resource.name
resource.type target.resource.type
ResourceTitle target.resource.name
ResourceUrl network.http.referral_url
ResultStatus security_result.action_details
ResultStatus security_result.summary
role principal.user.attribute.roles
roles target.user.attribute.roles
securityDescription security_result.description
securityRuleId security_result.rule_id
securityRuleName security_result.rule_name
securitySeverity security_result.severity
securitySummary security_result.summary
Sender network.email.from
SenderIp src.ip
SendOnBehalfOfUserSmtp target.user.userid
ServiceName src.application
ServiceName Operation Message metadata.description
Severity security_result.severity
severity security_result.severity_details
Sha1 target.file.sha1
Sha256 target.file.sha256
SharingType metadata.description
sip principal.ip
SiteUrl network.http.referral_url
SiteUrl principal.url
SiteUrl src.url
SiteUrl target.url
Source security_result.description
sourceDnsDomain network.dns_domain
SourceFileExtension target.file.mime_type
SourceFileName src.file.full_path
SourceFileName target.file.full_path
SourceFileName target.resource.name
SourceRelativeUrl src.url
SourceRelativeUrl target.resource.parent
SourceRelativeUrl SourceFileName src.file.full_path
sourceUserName principal.user.email_addresses
sourceUserName principal.user.userid
src principal.ip
src_geoip.city_name principal.location.city
src_geoip.country_name principal.location.country_or_region
src_geoip.latitude principal.location.region_latitude
src_geoip.longitude principal.location.region_longitude
src_geoip.region_code principal.location.state
src_ip principal.ip
srcUserUID src.user.product_object_id
STORAGE_OBJECT target.resource.resource_type
Subject network.email.subject
TableName target.resource.parent
targetApp target.application
targetEmail target.user.email_addresses
TargetFilePath target.file.full_path
targetGroupId target.group.product_object_id
targetGroupName target.group.group_display_name
targetId target.application
targetService target.resource.id
targetUser target.user.email_addresses
targetUser target.user.userid
targetUserId target.user.user_display_name
TargetUserOrGroupName target.user.group_identifiers
TargetUserOrGroupType target.user.group_identifiers
TASK target.resource.resource_type
TeamGuid target.group.product_object_id
TeamGuid target.resource.id
TeamGuid target.user.group_identifiers
TeamName principal.group.group_display_name
TeamName target.group.group_display_name
TeamName target.resource.name
temp_actor_id principal.user.product_object_id
temp_deviceProperties.Value principal.asset.hostname
temp_deviceProperties.Value principal.asset.product_object_id
temp_object_id target.resource.product_object_id
temp_target_id target.group.product_object_id
temp_target_id target.user.product_object_id
tempActorName.ID src.user.userid
tempDevicePropertiesOS principal.asset.platform_software.platform_version
tempIdentity target.group.group_display_name
tempMembers target.user.userid
tempModifiedProperties.NewValue target.asset.product_object_id
tempObject.NewValue metadata.description
tempPermission target.user.attribute.permissions
tempReceivers network.email.to
tempRecordType principal.resource.attribute.roles
tempRole principal.user.attribute.roles
temprole target.user.attribute.roles
temptargetName.ID target.user.user_display_name
tempUserType principal.user.attribute.roles
tenantId principal.group.product_object_id
tenantValue identity identityValue metadata.description
ThreadID target.resource.id
timaildata.Recipients network.email.to
trc target.user.userid
ttr security_result.summary
url target.url
user_agent network.http.user_agent
UserAgent network.http.user_agent
UserClaims security_result.description
userdomain principal.administrative_domain
userid principal.user.userid
UserId target.user.product_object_id
UserId target.user.userid
UserType_field security_result.detection_fields
Version metadata.product_version
VirusInfo target.resource.resource_subtype
WINDOWS principal.asset.platform_software.platform
Workload metadata.description
Workload src.application
Workload target.application
Workload Operation targetId metadata.description
WorkSpaceName target.resource.parent
WorkSpaceName target.resource.parent
WorkSpaceName target.resource.resource_subtype
YammerNetworkId target.resource.parent

Product Event Types

Description metadata.event_type
not_valid_log, invalid_date, AlertUpdated, AlertTriggered, SearchQueryPerformed, AlertUpdated or AlertTriggered or AlertEntityGenerated, Get-CaseHoldPolicy or Get-ComplianceCase or Get-ComplianceSearchAction or Get-ComplianceSearch or New-ComplianceCase, ProjectCheckedOut, ValidaterbacAccessCheck, Update StsRefreshTokenValidFrom Timestamp, CrmDefaultActivity, CrmDefaultActivity GENERIC_EVENT
SupervisoryReviewOLAudit, DlpRuleMatch, TIMailData EMAIL_TRANSACTION
MailboxLogin, MipLabel, HardDelete or SoftDelete, MailItemsAccessed, SendOnBehalf or SendAs or Send or Update, Set-CASMailbox or Set-Mailbox, Set-Contact or Set-MailContact or Set-MailUser EMAIL_UNCATEGORIZED
FileCreated FILE_CREATION
Add group GROUP_CREATION
Delete group, Remove-UnifiedGroup GROUP_DELETION
Add member to group, Remove member from group, AddedToGroup, Set-DistributionGroup or Update-DistributionGroupMember, Update group GROUP_MODIFICATION
Create, FolderCreated or SiteCollectionCreated, SubmitResponse, TeamCreated, Add device, CaseAdded RESOURCE_CREATION
SoftDelete, Delete device, DeleteFlow, SiteDeleted RESOURCE_DELETION
Update device RESOURCE_PERMISSIONS_CHANGE
CrmDefaultActivity SERVICE_UNSPECIFIED
Set-InboxRule, New-InboxRule SETTING_CREATION
Set-CalendarProcessing SETTING_MODIFICATION
HeartBeat STATUS_HEARTBEAT
Reset user password or Change user password or Delete application password for user USER_CHANGE_PASSWORD
Add app role assignment grant to user, Add owner to group, MemberRoleChanged, MemberAdded or MemberRemoved, Add OAuth2PermissionGrant, GenerateEmbedToken, SiteCollectionAdminAdded, TeamsAdminAction, AddFolderPermissions or ModifyFolderPermissions or RemoveFolderPermissions, Add-MailboxPermission, Set-User, Consent to application USER_CHANGE_PERMISSIONS
TeamsSessionStarted, StreamCreateVideoComment or StreamCreateVideo or StreamEditUserSettings or StreamEditVideoPermissions or StreamEditVideo or StreamInvokeVideoSetLink or StreamInvokeVideoUpload or StreamInvokeVideoView, Get-CsTeamsUpgradeOverridePolicy USER_COMMUNICATION
Add user USER_CREATION
Delete user USER_DELETION
UserLoggedIn or UserLoginFailed USER_LOGIN
Access, FileAccessed or FileAccessedExtended or FileCheckedOut or FilePreviewed or SecureLinkUsed, ProjectAccessed, ViewedSearchExported or SearchExportDownloaded or SearchStarted or SearchUpdated or SearchViewed, FolderBind, ListViewed, ManagedSyncClientAllowed USER_RESOURCE_ACCESS
Create, FolderCreated or SiteCollectionCreated, FolderCreated or SiteCollectionCreated, TeamCreated USER_RESOURCE_CREATION
SoftDelete, Disable account, DeleteFlow USER_RESOURCE_DELETION
Update, ViewReport, ClientViewSignaled or PagePrefetched or PageViewed or PageViewedExtended, ClientViewSignaled or PagePrefetched or PageViewed or PageViewedExtended, CreateResponse or EditForm, FileCheckedIn or FileModified or FileModifiedExtended, ListColumnUpdated or ListContentTypeUpdated or SiteContentTypeUpdated, FileMoved, FileSyncUploadedFull, FolderModified, ListColumnCreated or ListItemCreated or ListItemDeleted or ListUpdated, FileDownloaded, FileSyncDownloadedFull, Add registered owner to device or Add registered users to device, MoveToDeletedItems or Move, Set Company Information, UpdateInboxRules, Update service principal USER_RESOURCE_UPDATE_CONTENT
SharingRevoked USER_RESOURCE_UPDATE_PERMISSIONS
Change user license, Update user, Add contact USER_UNCATEGORIZED

Log Sample

{"Actor":[{"ID":"8a684ab2-99db-4bb3-b63a-e4df50f9a0c6","Type":0},{"ID":"john.doe@domain.com","Type":5}],"ActorContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","ActorIpAddress":"127.0.0.1","ApplicationId":"ad9a4fbf-ccf6-4173-91af-ebd18698f1ab","AzureActiveDirectoryEventType":1,"ClientIP":"10.1.1.1","CreationTime":"2021-09-23T00:05:50","DeviceProperties":[{"Name":"Id","Value":"432cd0bc-f4ef-4bb4-a744-a008a4e97c32"},{"Name":"DisplayName","Value":"USER-PC01"},{"Name":"OS","Value":"Windows"},{"Name":"BrowserType","Value":"Other"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"2"},{"Name":"SessionId","Value":"ed8545b1-5461-4023-bf2e-faba31e5494d"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},{"Name":"UserAuthenticationMethod","Value":"8"},{"Name":"RequestType","Value":"OAuth2:Token"}],"Id":"689f70d1-a3f4-4697-9b67-726444c85165","InterSystemsId":"0febb8ab-5d7e-4248-a174-9b536f6c61b6","IntraSystemId":"6502aca4-e991-4bec-aba4-e1528325db0e","ModifiedProperties":[],"ObjectId":"00000002-0000-0000-c000-000000000000","Operation":"UserLoggedIn","OrganizationId":"e87d1b53-abbc-4959-9da0-222596aae7e1","RecordType":15,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","UserId":"JSmith@domain.com","UserKey":"d606a355-e74b-497c-a8e6-d2645fdfe009","UserType":0,"Version":1,"Workload":"AzureActiveDirectory"}

Sample Parsing

metadata.product_log_id: "689f70d1-a3f4-4697-9b67-726444c85165"
metadata.event_timestamp.seconds: 1632355550
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Microsoft"
metadata.product_name: "Office 365"
metadata.product_event_type: "UserLoggedIn"
metadata.description: "User Login - AzureActiveDirectory"
additional.fields.key: "UserKey"
additional.fields.value.string_value: "d606a355-e74b-497c-a8e6-d2645fdfe009"
principal.user.userid: "john.doe@domain.com"
principal.user.email_addresses: "john.doe@domain.com"
principal.ip: "10.1.1.1"
principal.application: "AzureActiveDirectory"
principal.resource.id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
principal.name: "Organization Id"
principal.product_object_id: "6502aca4-e991-4bec-aba4-e1528325db0e"
src.resource.product_object_id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
security_result.summary: "User login successful"
security_result.action: ALLOW
network.http.user_agent: "Windows-AzureAD-Authentication-Provider/1.0"
extensions.auth.type: MACHINE
extensions.auth.mechanism: REMOTE

Parser Alerting

if [Operation] == "AlertTriggered"
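The following is an added example (not the Cyderes parser itself, which is not reproduced on this page) showing in Python how the pieces described above fit together: the Error Handling fallback to GENERIC_EVENT with a "parsing error: <reason>: <message>" description, the Operation to metadata.event_type lookup from the Product Event Types table (only a subset of the rows is included), and the field extraction that reproduces the Sample Parsing output for the Log Sample. The selection of the Type 5 Actor entry as the principal user, the BLOCK action for a failed login, and the ALERTING alert_state for the Parser Alerting condition are assumptions inferred from the sample, not documented parser behaviour; the SAMPLE record is trimmed from the page's Log Sample.

```python
import json
from datetime import datetime, timezone

# Subset of the "Product Event Types" table, keyed by the Operation field.
# Constructed from the page's listing; unknown operations fall back to GENERIC_EVENT.
EVENT_TYPES = {
    "UserLoggedIn": "USER_LOGIN",
    "UserLoginFailed": "USER_LOGIN",
    "FileCreated": "FILE_CREATION",
    "Add user": "USER_CREATION",
    "Delete user": "USER_DELETION",
    "Add group": "GROUP_CREATION",
    "Delete group": "GROUP_DELETION",
    "HeartBeat": "STATUS_HEARTBEAT",
    "DlpRuleMatch": "EMAIL_TRANSACTION",
    "MailboxLogin": "EMAIL_UNCATEGORIZED",
    "AlertTriggered": "GENERIC_EVENT",
}


def parsing_error(message, reason):
    """Fallback event from the Error Handling section: GENERIC_EVENT plus
    a description of the form "parsing error: <reason>: <message>"."""
    return {"metadata": {"event_type": "GENERIC_EVENT",
                         "description": f"parsing error: {reason}: {message}"}}


def _named_value(entries, name):
    """Return the Value of the {"Name": ..., "Value": ...} entry called `name`, or None."""
    for entry in entries or []:
        if isinstance(entry, dict) and entry.get("Name") == name:
            return entry.get("Value")
    return None


def normalize(raw):
    """Normalize one Office 365 audit record (JSON text) into a UDM-style dict."""
    try:
        log = json.loads(raw)
    except ValueError:                       # malformed JSON -> not_valid_log
        return parsing_error(raw, "not_valid_log")
    if not isinstance(log, dict) or "Operation" not in log:
        return parsing_error(raw, "not_valid_log")
    try:                                     # CreationTime is UTC without an offset
        ts = datetime.strptime(log["CreationTime"], "%Y-%m-%dT%H:%M:%S")
    except (KeyError, TypeError, ValueError):  # missing or unparsable -> invalid_date
        return parsing_error(raw, "invalid_date")
    seconds = int(ts.replace(tzinfo=timezone.utc).timestamp())

    operation, workload = log["Operation"], log.get("Workload", "")
    event = {
        "metadata": {"product_log_id": log.get("Id"),
                     "event_timestamp": {"seconds": seconds},
                     "event_type": EVENT_TYPES.get(operation, "GENERIC_EVENT"),
                     "vendor_name": "Microsoft", "product_name": "Office 365",
                     "product_event_type": operation},
        "additional": {"fields": []},
        "principal": {"ip": log.get("ClientIP"), "application": workload,
                      "resource": {"id": log.get("OrganizationId")}},
        "src": {"resource": {"product_object_id": log.get("ActorContextId")}},
        "security_result": {}, "network": {"http": {}}, "extensions": {"auth": {}},
    }
    if log.get("UserKey"):
        event["additional"]["fields"].append(
            {"key": "UserKey", "value": {"string_value": log["UserKey"]}})
    # Assumption inferred from the sample: the principal user is the Type 5 Actor
    # entry (a UPN), not the top-level UserId.
    for actor in log.get("Actor") or []:
        if isinstance(actor, dict) and actor.get("Type") == 5:
            event["principal"]["user"] = {"userid": actor["ID"], "email_addresses": [actor["ID"]]}
    user_agent = _named_value(log.get("ExtendedProperties"), "UserAgent")
    if user_agent:
        event["network"]["http"]["user_agent"] = user_agent
    if operation in ("UserLoggedIn", "UserLoginFailed"):
        event["metadata"]["description"] = f"User Login - {workload}"
        success = operation == "UserLoggedIn" and log.get("ResultStatus") == "Success"
        event["security_result"]["summary"] = "User login successful" if success else "User login failed"
        event["security_result"]["action"] = "ALLOW" if success else "BLOCK"  # BLOCK is an assumption
        event["extensions"]["auth"] = {"type": "MACHINE", "mechanism": "REMOTE"}
    # The page only shows the Parser Alerting condition; flagging the result as
    # ALERTING is this example's assumption about what follows it.
    if operation == "AlertTriggered":
        event["security_result"]["alert_state"] = "ALERTING"
    return event


# Trimmed from the page's Log Sample (constructed input for the example).
SAMPLE = json.dumps({
    "Actor": [{"ID": "8a684ab2-99db-4bb3-b63a-e4df50f9a0c6", "Type": 0},
              {"ID": "john.doe@domain.com", "Type": 5}],
    "ActorContextId": "e87d1b53-abbc-4959-9da0-222596aae7e1",
    "ClientIP": "10.1.1.1", "CreationTime": "2021-09-23T00:05:50",
    "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"},
                           {"Name": "UserAgent", "Value": "Windows-AzureAD-Authentication-Provider/1.0"}],
    "Id": "689f70d1-a3f4-4697-9b67-726444c85165", "Operation": "UserLoggedIn",
    "OrganizationId": "e87d1b53-abbc-4959-9da0-222596aae7e1", "ResultStatus": "Success",
    "UserId": "JSmith@domain.com", "UserKey": "d606a355-e74b-497c-a8e6-d2645fdfe009",
    "Workload": "AzureActiveDirectory",
})

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE), indent=2))
```

Running the block prints the normalized event for the sample; feeding it a non-JSON line or a record with a bad CreationTime returns the GENERIC_EVENT fallback, which is the behaviour a detection engineer should expect to see (and alert on, if it spikes) when the upstream log format changes.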