Microsoft Office 365¶
About¶
Microsoft 365 is a suite of apps that help you stay connected and get things done
Product Details¶
Vendor URL: Microsoft Office 365
Product Type: Productivity Tools (SAAS)
Product Tier: Tier II
Integration Method: API
Integration URL: Microsoft Office 365 - Cyderes Documentation
Log Guide: Office 365 Log Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 98-100%
Data Label: OFFICE_365
Error Handling: If log is not valid, metadata event type is set to GENERIC_EVENT and metadata description is set with: "parsing error: not_valid_log: %{message}". In other parts of the parser, if things fail, the same error will be set with a more description additional error description, such as "parsing error: invalid_date: %{message}".
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AadAppId | src.resource.product_object_id |
| Action | metadata.description |
| Activity | target.resource.resource_subtype |
| ActivityId | target.resource.product_object_id |
| ActorContextId | src.resource.product_object_id |
| actorDescription | metadata.description |
| actorDescription deviceName | metadata.description |
| ActorYammerUserId | target.user.userid |
| ad | metadata.description |
| additional_clientapplication | additional.fields |
| additional_EffectiveOrganization | additional.fields |
| additional_name | additional.fields |
| additional_userkey | additional.fields |
| AddOnGuid | target.resource.product_object_id |
| AddOnName | target.resource.name |
| AddOnType | target.resource.type |
| AdminActionDetail | security_result.summary |
| AffectedItems.0.Id | target.resource.id |
| ahost | principal.hostname |
| alert_severity | security_result.severity |
| AlertId | metadata.product_log_id |
| AppDistributionMode | target.resource.parent |
| Application | principal.process.file.full_path |
| Application | security_result.about.application |
| ApplicationDisplayName | target.resource.name |
| ApplicationDisplayName | target.resource.resource_subtype |
| ApplicationId | target.resource.id |
| AppName | principal.asset_id |
| auditScore | security_result.confidence_details |
| azureTenantId | principal.group.product_object_id |
| Case | metadata.description |
| caseMember | target.user.userid |
| Category | security_result_category_details |
| CEF CS Fields Found | security_result.summary |
| ChatThreadId | target.asset.product_object_id |
| ClientApplication | network.http.user_agent |
| ClientInfoString | network.http.user_agent |
| ClientIP | principal.asset.ip |
| ClientIP | principal.ip |
| clientPort | principal.port |
| ClientProcessName | principal.process.file.full_path |
| ClientRequestId | principal.process.pid |
| CmdletVersion | metadata.product_version |
| CMSI | extensions.auth.auth_details |
| Common.ApplicationId | target.resource.product_object_id |
| Common.ApplicationName | target.resource.name |
| Common.ProcessName | target.resource.resource_subtype |
| Common.ProductVersion | target.platform_version |
| CommunicationType | principal.resource.resource_subtype |
| CommunicationType | target.asset.category |
| companyName | target.resource.name |
| ConsumptionMethod | target.asset.category |
| CorrelationId | src.asset.product_object_id |
| CrmOrganizationUniqueName | principal.resource.name |
| cs1_field | security_result.detection_fields |
| cs2_field | security_result.detection_fields |
| cs3_field | security_result.detection_fields |
| cs4 | target.application |
| cs4_field | security_result.detection_fields |
| cs5_field | security_result.detection_fields |
| DashboardId | target.asset.product_object_id |
| DatasetId | target.resource.product_object_id |
| DatasetName | target.resource.name |
| DataType | metadata.description |
| DataType | security_result.summary |
| DeepLinkUrl | target.url |
| deleteMessage | security_result.detection_fields |
| description | metadata.description |
| DestFolder.Id | target.resource.id |
| DestFolder.Path | target.resource.name |
| DestinationFileName | target.resource.name |
| DestinationRelativeUrl}/%{DestinationFileName | target.file.full_path |
| destinationServiceName | target.application |
| DEVICE | target.resource.resource_type |
| deviceAddress | observer.ip |
| deviceCustomString1 | metadata.url_back_to_product |
| deviceEventClassId | metadata.product_event_type |
| deviceId | target.resource.id |
| deviceIds | security_result.description |
| DeviceName | principal.asset.hostname |
| DeviceName | principal.hostname |
| DeviceName | target.resource.name |
| deviceOptions | security_result.summary |
| deviceProduct | observer.application |
| dlprulematch.ExchangeMetaData.BCC | network.email.bcc |
| dlprulematch.ExchangeMetaData.CC | network.email.cc |
| dlprulematch.ExchangeMetaData.FileSize | target.file.size |
| DoNotDistributeEvent_field | security_result.detection_fields |
| dvc | target.ip |
| dvchost | target.hostname |
| EffectiveOrganization | target.administrative_domain |
| email.subject | network.email.subject |
| emailAddress | target.group.email_addresses |
| EndpointMetaData.Application | principal.application |
| EndpointMetaData.DeviceName | principal.hostname |
| EndpointMetaData.EndpointOperation | security_result.category_details |
| EndpointMetaData.OriginatingDomain | src.domain.name |
| EndpointMetaData.TargetPrinterName | target.asset.hostname |
| Entity | metadata.product_name |
| EntityPath | metadata.url_back_to_product |
| EventData | target.group.product_object_id |
| EventDeepLink | metadata.url_back_to_product |
| eventId | metadata.product_log_id |
| EventSource | principal.hostname |
| EventSource | src.application |
| ExchangeDetails.From | network.email.from |
| ExchangeMetaData.From | network.email.from |
| ExchangeMetaData.Subject | network.email.subject |
| executionResult | security_result.description |
| ExternalAccess_field | security_result.detection_fields |
| externalId | metadata.product_log_id |
| f3u | principal.user.userid |
| f3u | target.user.userid |
| FileExtension | target.file.mime_type |
| FileName | target.file.full_path |
| FileSize | target.file.size |
| FileSizeBytes | target.file.size |
| FileSyncBytesCommitted | src.file.size |
| FileSyncBytesCommitted | target.file.size |
| flexString1 | src.application |
| flexString1_field | security_result.detection_fields |
| FlowConnectorNames | metadata.description |
| FlowConnectorNames | target.resource.name |
| FlowConnectorNames | target.resource.type |
| FlowDetailsUrl | metadata.url_back_to_product |
| FlowDetailsUrl | target.url |
| Folder | target.resource.type |
| Folder.Id | src.resource.id |
| Folder.Path | src.resource.name |
| Form | target.resource.type |
| FormId | target.resource.id |
| FormName | target.resource.name |
| fromAddress | security_result.detection_fields |
| full_path | target.file.full_path |
| groupId | target.group.product_object_id |
| groupMembers | security_result.description |
| groupName | target.group.group_display_name |
| host | principal.hostname |
| Id | metadata.product_log_id |
| Id | target.resource.id |
| Id | target.resource.parent |
| Id | target.resource.product_object_id |
| Id | target.user.employee_id |
| ImportSource | target.resource.resource_subtype |
| ImportType | target.resource.type |
| InstanceUrl | principal.process.file.full_path |
| InstanceUrl | target.url |
| intermediary | intermediary |
| InternetMessageId | metadata.url_back_to_product |
| IntraSystemId | principal.resource.product_object_id |
| Item.Id | network.email.mail_id |
| Item.Id | target.resource.id |
| Item.ParentFolder.Id | target.resource.id |
| Item.ParentFolder.MemberRights | security_result.description |
| Item.ParentFolder.MemberUpn | target.user.userid |
| Item.ParentFolder.Name | target.resource.name |
| Item.ParentFolder.Path | target.file.full_path |
| Item.ParentFolder.Path | target.resource.name |
| Item.SizeInBytes | src.file.size |
| ItemAttachments_field | security_result.detection_fields |
| ItemName | target.resource.name |
| ItemType | target.application |
| ItemType | target.resource.type |
| ItemUrl | target.url |
| jmails.email_addresses | target.user.email_addresses |
| json_data.Intent json_data.AlertDisplayName | metadata.description |
| json_data.MachineName | principal.hostname |
| ListItemUniqueId | principal.asset_id |
| ListItemUniqueId | target.resource.product_object_id |
| location.region_latitude | float |
| location.region_longitude | float |
| LogonError | security_result.description |
| LogonType | extensions.auth.auth_details |
| LogonUserSid | principal.user.windows_sid |
| MachineId | principal.asset.product_object_id |
| MailboxItem | target.resource.type |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerUPN | target.user.email_addresses |
| MailboxOwnerUPN | target.user.userid |
| mailKey | network.email.mail_id |
| MDATPDeviceId | target.resource.id |
| mechanism | extensions.auth.mechanism |
| Members.0.DisplayName | target.user.user_display_name |
| Message | metadata.description |
| message | security_result.description |
| MessageURLs.0 | target.url |
| msg | metadata.product_event_type |
| msg_json_log.additional.0.value | principal.hostname |
| msg_json_log.metadata.description | metadata.description |
| msg_json_log.metadata.product_name | metadata.product_name |
| msg_json_log.metadata.product_version | metadata.product_version |
| msg_json_log.metadata.vendor_name | metadata.vendor_name |
| name | metadata.description |
| Name | security_result.description |
| Name | security_result.summary |
| ObjectId | metadata.product_log_id |
| ObjectId | src.file.full_path |
| ObjectId | target.file.full_path |
| ObjectId | target.group.group_display_name |
| ObjectId | target.group.product_object_id |
| ObjectId | target.process.file.full_path |
| ObjectId | target.process.pid |
| ObjectId | target.resource.id |
| ObjectId | target.resource.product_object_id |
| ObjectId | target.url |
| ObjectId | target.user.product_object_id |
| ObjectId | target.user.user_display_name |
| ObjectId | target.user.userid |
| ObjectType | security_result.summary |
| Operation | metadata.product_event_type |
| Operation | security_result_category_details |
| Operation UserAgent | metadata.description |
| OperationDetails | metadata.description |
| Organization Id | principal.resource.name |
| OrganizationId | principal.resource.id |
| OrganizationName | principal.resource.name |
| OrganizationName | target.administrative_domain |
| originatingHost | src.hostname |
| OriginatingServer | src.hostname |
| osName | target.platform |
| osVersion | target.platform_version |
| P1Sender_mail | network.email.from |
| P2Sender_mail | network.email.bounce_address |
| Parameters | target.process.command_line |
| paramName paramValue | metadata.description |
| ParentFolder | src.resource.name |
| ParentFolder | src.resource.parent |
| ParentFolder Path | src.resource.name |
| ParentFolder_Id_exists | src.resource.product_object_id |
| ParentFolder_Name_exists | src.resource.name |
| ParentFolder_Name_exists | src.resource.parent |
| ParentFolder_Path_exists | src.resource.parent |
| path | target.file.full_path |
| Policy | security_result.rule_name |
| PolicyAction | security_result.action_details |
| principalUser | principal.user.email_addresses |
| principalUser | principal.user.userid |
| principalUser targetUser | metadata.description |
| processValue processArgs | principal.process.command_line |
| product_version | metadata.product_version |
| protocol | network.application_protocol |
| Query | security_result.description |
| record_type_field | security_result.detection_fields |
| reid | target.resource.id |
| RelativeUrl | target.url |
| relayhost | observer.hostname |
| Report | target.resource.type |
| ReportId | target.resource.id |
| ReportName | target.resource.name |
| ReportType | target.resource.type |
| requestClientApplication | principal.application |
| resource.name | target.resource.name |
| resource.type | target.resource.type |
| ResourceTitle | target.resource.name |
| ResourceUrl | network.http.referral_url |
| ResultStatus | security_result.action_details |
| ResultStatus | security_result.summary |
| role | principal.user.attribute.roles |
| roles | target.user.attribute.roles |
| securityDescription | security_result.description |
| securityRuleId | security_result.rule_id |
| securityRuleName | security_result.rule_name |
| securitySeverity | security_result.severity |
| securitySummary | security_result.summary |
| Sender | network.email.from |
| SenderIp | src.ip |
| SendOnBehalfOfUserSmtp | target.user.userid |
| ServiceName | src.application |
| ServiceName Operation Message | metadata.description |
| Severity | security_result.severity |
| severity | security_result.severity_details |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SharingType | metadata.description |
| sip | principal.ip |
| SiteUrl | network.http.referral_url |
| SiteUrl | principal.url |
| SiteUrl | src.url |
| SiteUrl | target.url |
| Source | security_result.description |
| sourceDnsDomain | network.dns_domain |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | src.file.full_path |
| SourceFileName | target.file.full_path |
| SourceFileName | target.resource.name |
| SourceRelativeUrl | src.url |
| SourceRelativeUrl | target.resource.parent |
| SourceRelativeUrl SourceFileName | src.file.full_path |
| sourceUserName | principal.user.email_addresses |
| sourceUserName | principal.user.userid |
| src | principal.ip |
| src_geoip.city_name | principal.location.city |
| src_geoip.country_name | principal.location.country_or_region |
| src_geoip.latitude | principal.location.region_latitude |
| src_geoip.longitude | principal.location.region_longitude |
| src_geoip.region_code | principal.location.state |
| src_ip | principal.ip |
| srcUserUID | src.user.product_object_id |
| STORAGE_OBJECT | target.resource.resource_type |
| Subject | network.email.subject |
| TableName | target.resource.parent |
| targetApp | target.application |
| targetEmail | target.user.email_addresses |
| TargetFilePath | target.file.full_path |
| targetGroupId | target.group.product_object_id |
| targetGroupName | target.group.group_display_name |
| targetId | target.application |
| targetService | target.resource.id |
| targetUser | target.user.email_addresses |
| targetUser | target.user.userid |
| targetUserId | target.user.user_display_name |
| TargetUserOrGroupName | target.user.group_identifiers |
| TargetUserOrGroupType | target.user.group_identifiers |
| TASK | target.resource.resource_type |
| TeamGuid | target.group.product_object_id |
| TeamGuid | target.resource.id |
| TeamGuid | target.user.group_identifiers |
| TeamName | principal.group.group_display_name |
| TeamName | target.group.group_display_name |
| TeamName | target.resource.name |
| temp_actor_id | principal.user.product_object_id |
| temp_deviceProperties.Value | principal.asset.hostname |
| temp_deviceProperties.Value | principal.asset.product_object_id |
| temp_object_id | target.resource.product_object_id |
| temp_target_id | target.group.product_object_id |
| temp_target_id | target.user.product_object_id |
| tempActorName.ID | src.user.userid |
| tempDevicePropertiesOS | principal.asset.platform_software.platform_version |
| tempIdentity | target.group.group_display_name |
| tempMembers | target.user.userid |
| tempModifiedProperties.NewValue | target.asset.product_object_id |
| tempObject.NewValue | metadata.description |
| tempPermission | target.user.attribute.permissions |
| tempReceivers | network.email.to |
| tempRecordType | principal.resource.attribute.roles |
| tempRole | principal.user.attribute.roles |
| temprole | target.user.attribute.roles |
| temptargetName.ID | target.user.user_display_name |
| tempUserType | principal.user.attribute.roles |
| tenantId | principal.group.product_object_id |
| tenantValue identity identityValue | metadata.description |
| ThreadID | target.resource.id |
| timaildata.Recipients | network.email.to |
| trc | target.user.userid |
| ttr | security_result.summary |
| url | target.url |
| user_agent | network.http.user_agent |
| UserAgent | network.http.user_agent |
| UserClaims | security_result.description |
| userdomain | principal.administrative_domain |
| userid | principal.user.userid |
| UserId | target.user.product_object_id |
| UserId | target.user.userid |
| UserType_field | security_result.detection_fields |
| Version | metadata.product_version |
| VirusInfo | target.resource.resource_subtype |
| WINDOWS | principal.asset.platform_software.platform |
| Workload | metadata.description |
| Workload | src.application |
| Workload | target.application |
| Workload Operation targetId | metadata.description |
| WorkSpaceName | target.resource.parent |
| WorkSpaceName | target.resource.parent |
| WorkSpaceName | target.resource.resource_subtype |
| YammerNetworkId | target.resource.parent |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| not_valid_log, invalid_date, AlertUpdated, AlertTriggered, SearchQueryPerformed, AlertUpdated or AlertTriggered or AlertEntityGenerated, Get-CaseHoldPolicy or Get-ComplianceCase or Get-ComplianceSearchAction or Get-ComplianceSearch or New-ComplianceCase, ProjectCheckedOut, ValidaterbacAccessCheck, Update StsRefreshTokenValidFrom Timestamp, CrmDefaultActivity, CrmDefaultActivity | GENERIC_EVENT |
| SupervisoryReviewOLAudit, DlpRuleMatch, TIMailData | EMAIL_TRANSACTION |
| MailboxLogin, MipLabel, HardDelete or SoftDelete, MailItemsAccessed, SendOnBehalf or SendAs or Send or Update, Set-CASMailbox or Set-Mailbox, Set-Contact or Set-MailContact or Set-MailUser | EMAIL_UNCATEGORIZED |
| FileCreated | FILE_CREATION |
| Add group | GROUP_CREATION |
| Delete group, Remove-UnifiedGroup | GROUP_DELETION |
| Add member to group, Remove member from group, AddedToGroup, Set-DistributionGroup or Update-DistributionGroupMember, Update group | GROUP_MODIFICATION |
| Create, FolderCreated or SiteCollectionCreated, SubmitResponse, TeamCreated, Add device, CaseAdded | RESOURCE_CREATION |
| SoftDelete, Delete device, DeleteFlow, SiteDeleted | RESOURCE_DELETION |
| Update device | RESOURCE_PERMISSIONS_CHANGE |
| CrmDefaultActivity | SERVICE_UNSPECIFIED |
| Set-InboxRule,New-InboxRule | SETTING_CREATION |
| Set-CalendarProcessing | SETTING_MODIFICATION |
| HeartBeat | STATUS_HEARTBEAT |
| Reset user password or Change user password or Delete application password for user, | USER_CHANGE_PASSWORD |
| Add app role assignment grant to user, Add owner to group, MemberRoleChanged, MemberAdded or MemberRemoved, Add OAuth2PermissionGrant, GenerateEmbedToken, SiteCollectionAdminAdded, TeamsAdminAction, AddFolderPermissions or ModifyFolderPermissions or RemoveFolderPermissions, Add-MailboxPermission, Set-User, Consent to application | USER_CHANGE_PERMISSIONS |
| TeamsSessionStarted, StreamCreateVideoComment or StreamCreateVideo or StreamEditUserSettings or StreamEditVideoPermissions or StreamEditVideo or StreamInvokeVideoSetLink or StreamInvokeVideoUpload or StreamInvokeVideoView, Get-CsTeamsUpgradeOverridePolicy | USER_COMMUNICATION |
| Add user | USER_CREATION |
| Delete user | USER_DELETION |
| UserLoggedIn or UserLoginFailed | USER_LOGIN |
| Access, FileAccessed or FileAccessedExtended or FileCheckedOut or FilePreviewed or SecureLinkUsed, ProjectAccessed, ViewedSearchExported or SearchExportDownloaded or SearchStarted or SearchUpdated or SearchViewed, FolderBind, ListViewed, ManagedSyncClientAllowed | USER_RESOURCE_ACCESS |
| Create, FolderCreated or SiteCollectionCreated, FolderCreated or SiteCollectionCreated, TeamCreated | USER_RESOURCE_CREATION |
| SoftDelete, Disable account, DeleteFlow | USER_RESOURCE_DELETION |
| Update, ViewReport, ClientViewSignaled or PagePrefetched or PageViewed or PageViewedExtended, ClientViewSignaled or PagePrefetched or PageViewed or PageViewedExtended, CreateResponse or EditForm, FileCheckedIn or FileModified or FileModifiedExtended, ListColumnUpdated or ListContentTypeUpdated or SiteContentTypeUpdated, FileMoved, FileSyncUploadedFull, FolderModified, ListColumnCreated or ListItemCreated or ListItemDeleted or ListUpdated, FileDownloaded, FileSyncDownloadedFull, Add registered owner to device or Add registered users to device, MoveToDeletedItems or Move, Set Company Information, UpdateInboxRules, Update service principal | USER_RESOURCE_UPDATE_CONTENT |
| SharingRevoked | USER_RESOURCE_UPDATE_PERMISSIONS |
| Change user license, Update user, Add contact | USER_UNCATEGORIZED |
Log Sample¶
{"Actor":[{"ID":"8a684ab2-99db-4bb3-b63a-e4df50f9a0c6","Type":0},{"ID":"john.doe@domain.com","Type":5}],"ActorContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","ActorIpAddress":"127.0.0.1","ApplicationId":"ad9a4fbf-ccf6-4173-91af-ebd18698f1ab","AzureActiveDirectoryEventType":1,"ClientIP":"10.1.1.1","CreationTime":"2021-09-23T00:05:50","DeviceProperties":[{"Name":"Id","Value":"432cd0bc-f4ef-4bb4-a744-a008a4e97c32"},{"Name":"DisplayName","Value":"USER-PC01"},{"Name":"OS","Value":"Windows"},{"Name":"BrowserType","Value":"Other"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"2"},{"Name":"SessionId","Value":"ed8545b1-5461-4023-bf2e-faba31e5494d"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},{"Name":"UserAuthenticationMethod","Value":"8"},{"Name":"RequestType","Value":"OAuth2:Token"}],"Id":"689f70d1-a3f4-4697-9b67-726444c85165","InterSystemsId":"0febb8ab-5d7e-4248-a174-9b536f6c61b6","IntraSystemId":"6502aca4-e991-4bec-aba4-e1528325db0e","ModifiedProperties":[],"ObjectId":"00000002-0000-0000-c000-000000000000","Operation":"UserLoggedIn","OrganizationId":"e87d1b53-abbc-4959-9da0-222596aae7e1","RecordType":15,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","UserId":"JSmith@domain.com","UserKey":"d606a355-e74b-497c-a8e6-d2645fdfe009","UserType":0,"Version":1,"Workload":"AzureActiveDirectory"}
Sample Parsing¶
metadata.product_log_id: "689f70d1-a3f4-4697-9b67-726444c85165"
metadata.event_timestamp.seconds: 1632355550
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Microsoft"
metadata.product_name: "Office 365"
metadata.product_event_type: "UserLoggedIn"
metadata.description: "User Login - AzureActiveDirectory"
additional.fields.key: "UserKey"
additional.fields.value.string_value: "d606a355-e74b-497c-a8e6-d2645fdfe009"
principal.user.userid: "john.doe@domain.com"
principal.user.email_addresses: "john.doe@domain.com"
principal.ip: "10.1.1.1"
principal.application: "AzureActiveDirectory"
principal.resource.id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
principal.name: "Organization Id"
principal.product_object_id: "6502aca4-e991-4bec-aba4-e1528325db0e"
src.resource.product_object_id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
security_result.summary: "User login successful"
security_result.action: ALLOW
network.http.user_agent: "Windows-AzureAD-Authentication-Provider/1.0"
extensions.auth.type: MACHINE
extensions.mechanism: REMOTE
Parser Alerting¶
if [Operation] == "AlertTriggered"
Rules¶
Coming soon