Microsoft Office 365

About

Microsoft 365 is a suite of apps that help you stay connected and get things done

Product Details

Vendor URL: Microsoft Office 365

Product Type: Productivity Tools (SAAS)

Product Tier: Tier II

Integration Method: API

Integration URL: Microsoft Office 365 - Cyderes Documentation

Log Guide: Office 365 Log Guide

Parser Details

Log Format: JSON

Expected Normalization Rate: 98-100%

Data Label: OFFICE_365

Error Handling: If the log is not valid, metadata.event_type is set to GENERIC_EVENT and metadata.description is set to "parsing error: not_valid_log: %{message}". If a later stage of the parser fails, the same event type is set with a more specific description that names the failing step, such as "parsing error: invalid_date: %{message}".

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field | UDM Event Type |
|---|---|---|
| Operation = AlertTriggered | is_alert | is_alert |
| Operation = AlertTriggered | is_significant | is_significant |
| ModifiedProperties.Name, ModifiedProperties.NewValue, UserKey | additional.fields | additional |
| Hard-Coded: mechanism | extensions.auth.mechanism | extensions |
| Hard-Coded: MACHINE | extensions.auth.type | extensions |
| Workload | intermediary.application | intermediary |
| Varies | metadata.description | metadata |
| Varies | metadata.event_type | metadata |
| Operation | metadata.product_event_type | metadata |
| Id, AlertId, ObjectId | metadata.product_log_id | metadata |
| Hard-Coded: Office 365, Entity | metadata.product_name | metadata |
| ClientVersion, CmdletVersion | metadata.product_version | metadata |
| FlowDetailsUrl, EntityPath, EventDeepLink | metadata.url_back_to_product | metadata |
| Hard-Coded: Microsoft | metadata.vendor_name | metadata |
| protocol | network.application_protocol | network |
| dlprulematch.ExchangeMetaData.BCC | network.email.bcc | network |
| dlprulematch.ExchangeMetaData.CC | network.email.cc | network |
| Sender, ExchangeDetails.From, P2Sender | network.email.from | network |
| Item.Id, mailKey | network.email.mail_id | network |
| email.subject, emailSubject, ExchangeMetaData.Subject, Subject | network.email.subject | network |
| dlprulematch.ExchangeMetaData.To | network.email.to | network |
| ResourceUrl | network.http.referral_url | network |
| ClientInfoString, UserAgent, ClientApplication | network.http.user_agent | network |
| Workload | principal.application | principal |
| ClientIP, ip, sip | principal.ip | principal |
| clientPort | principal.port | principal |
| processValue+processArgs | principal.process.command_line | principal |
| ClientProcessName, InstanceUrl | principal.process.file.full_path | principal |
| OrganizationId | principal.resource.id | principal |
| Hard-Coded: Organization Id | principal.resource.name | principal |
| IntraSystemId | principal.resource.product_object_id | principal |
| role | principal.user.attribute.roles | principal |
| principalUser | principal.user.email_addresses | principal |
| temp_actor_id | principal.user.product_object_id | principal |
| UserId, principalUser | principal.user.userid | principal |
| LogonUserSid | principal.user.windows_sid | principal |
| result | security_result | security_result |
| Name | security_result.description | security_result |
| EventSource, ServiceName | src.application | src |
| SourceRelativeUrl/SourceFileName, ObjectId | src.file.full_path | src |
| FileSyncBytesCommitted | src.file.size | src |
| OriginatingServer, originatingHost | src.hostname | src |
| SenderIp | src.ip | src |
| Folder.Id | src.resource.id | src |
| Folder.Path | src.resource.name | src |
| ActorContextId | src.resource.product_object_id | src |
| srcUserUID | src.user.product_object_id | src |
| Actor.ID | src.user.userid | src |
| OrganizationName, EffectiveOrganization | target.administrative_domain | target |
| targetApp, Workload, targetId, ItemType | target.application | target |
| ObjectId, Item.ParentFolder.Path, DestinationRelativeUrl/DestinationFileName | target.file.full_path | target |
| FileSyncBytesCommitted | target.file.size | target |
| emailAddress | target.group.email_addresses | target |
| TeamName, groupName, ObjectId, targetGroupName | target.group.group_display_name | target |
| TeamGuid, groupId, EventData, Target.ID, ObjectId, targetGroupId | target.group.product_object_id | target |
| osName | target.platform | target |
| osVersion, Common.ProductVersion | target.platform_version | target |
| Parameters | target.process.command_line | target |
| ObjectId | target.process.file.full_path | target |
| AffectedItems.0.Id, Item.Id, ObjectId, ReportId, FormId, TeamGuid, deviceId, DestFolder.Id, Item.ParentFolder.Id, targetService, Id | target.resource.id | target |
| ReportName, FormName, Item.ParentFolder.Path, TeamName, deviceName, DestFolder.Path, companyName, Item.ParentFolder.Name, Common.ApplicationName, ResourceTitle, FlowConnectorNames | target.resource.name | target |
| IntraSystemId, ActorContextId, Target.ID, Common.ApplicationId | target.resource.product_object_id | target |
| Common.ProcessName | target.resource.resource_subtype | target |
| Hard-Coded: STORAGE_OBJECT, Hard-Coded: DEVICE | target.resource.resource_type | target |
| Hard-Coded: [Report, MailboxItem, Form, Folder, SETTING], ItemType | target.resource.type | target |
| ObjectId, RelativeUrl, ItemUrl | target.url | target |
| targetEmail, MailboxOwnerUPN, emailAddresses, targetUser | target.user.email_addresses | target |
| Id | target.user.employee_id | target |
| TeamGuid, TargetUserOrGroupName, TargetUserOrGroupType | target.user.group_identifiers | target |
| Target.ID | target.user.product_object_id | target |
| Members.0.DisplayName, ObjectId, targetUserId | target.user.user_display_name | target |
| trc, ObjectId, Item.ParentFolder.MemberUpn, UserId, MailboxOwnerUPN, SendOnBehalfOfUserSmtp, caseMember, targetUser, target.user.email_addresses | target.user.userid | target |

Product Event Types

| Description | metadata.event_type |
|---|---|
| not_valid_log, invalid_date, AlertUpdated, AlertTriggered, SearchQueryPerformed, AlertUpdated or AlertTriggered or AlertEntityGenerated, Get-CaseHoldPolicy or Get-ComplianceCase or Get-ComplianceSearchAction or Get-ComplianceSearch or New-ComplianceCase, ProjectCheckedOut, ValidaterbacAccessCheck, Update StsRefreshTokenValidFrom Timestamp, CrmDefaultActivity | GENERIC_EVENT |
| SupervisoryReviewOLAudit, DlpRuleMatch, TIMailData | EMAIL_TRANSACTION |
| MailboxLogin, MipLabel, HardDelete or SoftDelete, MailItemsAccessed, SendOnBehalf or SendAs or Send or Update, Set-CASMailbox or Set-Mailbox, Set-Contact or Set-MailContact or Set-MailUser | EMAIL_UNCATEGORIZED |
| FileCreated | FILE_CREATION |
| Add group | GROUP_CREATION |
| Delete group, Remove-UnifiedGroup | GROUP_DELETION |
| Add member to group, Remove member from group, AddedToGroup, Set-DistributionGroup or Update-DistributionGroupMember, Update group | GROUP_MODIFICATION |
| Create, FolderCreated or SiteCollectionCreated, SubmitResponse, TeamCreated, Add device, CaseAdded | RESOURCE_CREATION |
| SoftDelete, Delete device, DeleteFlow, SiteDeleted | RESOURCE_DELETION |
| Update device | RESOURCE_PERMISSIONS_CHANGE |
| CrmDefaultActivity | SERVICE_UNSPECIFIED |
| Set-InboxRule, New-InboxRule | SETTING_CREATION |
| Set-CalendarProcessing | SETTING_MODIFICATION |
| HeartBeat | STATUS_HEARTBEAT |
| Reset user password or Change user password or Delete application password for user | USER_CHANGE_PASSWORD |
| Add app role assignment grant to user, Add owner to group, MemberRoleChanged, MemberAdded or MemberRemoved, Add OAuth2PermissionGrant, GenerateEmbedToken, SiteCollectionAdminAdded, TeamsAdminAction, AddFolderPermissions or ModifyFolderPermissions or RemoveFolderPermissions, Add-MailboxPermission, Set-User, Consent to application | USER_CHANGE_PERMISSIONS |
| TeamsSessionStarted, StreamCreateVideoComment or StreamCreateVideo or StreamEditUserSettings or StreamEditVideoPermissions or StreamEditVideo or StreamInvokeVideoSetLink or StreamInvokeVideoUpload or StreamInvokeVideoView, Get-CsTeamsUpgradeOverridePolicy | USER_COMMUNICATION |
| Add user | USER_CREATION |
| Delete user | USER_DELETION |
| UserLoggedIn or UserLoginFailed | USER_LOGIN |
| Access, FileAccessed or FileAccessedExtended or FileCheckedOut or FilePreviewed or SecureLinkUsed, ProjectAccessed, ViewedSearchExported or SearchExportDownloaded or SearchStarted or SearchUpdated or SearchViewed, FolderBind, ListViewed, ManagedSyncClientAllowed | USER_RESOURCE_ACCESS |
| Create, FolderCreated or SiteCollectionCreated, TeamCreated | USER_RESOURCE_CREATION |
| SoftDelete, Disable account, DeleteFlow | USER_RESOURCE_DELETION |
| Update, ViewReport, ClientViewSignaled or PagePrefetched or PageViewed or PageViewedExtended, CreateResponse or EditForm, FileCheckedIn or FileModified or FileModifiedExtended, ListColumnUpdated or ListContentTypeUpdated or SiteContentTypeUpdated, FileMoved, FileSyncUploadedFull, FolderModified, ListColumnCreated or ListItemCreated or ListItemDeleted or ListUpdated, FileDownloaded, FileSyncDownloadedFull, Add registered owner to device or Add registered users to device, MoveToDeletedItems or Move, Set Company Information, UpdateInboxRules, Update service principal | USER_RESOURCE_UPDATE_CONTENT |
| SharingRevoked | USER_RESOURCE_UPDATE_PERMISSIONS |
| Change user license, Update user, Add contact | USER_UNCATEGORIZED |

Log Sample

{"Actor":[{"ID":"8a684ab2-99db-4bb3-b63a-e4df50f9a0c6","Type":0},{"ID":"john.doe@domain.com","Type":5}],"ActorContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","ActorIpAddress":"127.0.0.1","ApplicationId":"ad9a4fbf-ccf6-4173-91af-ebd18698f1ab","AzureActiveDirectoryEventType":1,"ClientIP":"10.1.1.1","CreationTime":"2021-09-23T00:05:50","DeviceProperties":[{"Name":"Id","Value":"432cd0bc-f4ef-4bb4-a744-a008a4e97c32"},{"Name":"DisplayName","Value":"USER-PC01"},{"Name":"OS","Value":"Windows"},{"Name":"BrowserType","Value":"Other"},{"Name":"IsCompliant","Value":"True"},{"Name":"IsCompliantAndManaged","Value":"True"},{"Name":"TrustType","Value":"2"},{"Name":"SessionId","Value":"ed8545b1-5461-4023-bf2e-faba31e5494d"}],"ErrorNumber":"0","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Windows-AzureAD-Authentication-Provider/1.0"},{"Name":"UserAuthenticationMethod","Value":"8"},{"Name":"RequestType","Value":"OAuth2:Token"}],"Id":"689f70d1-a3f4-4697-9b67-726444c85165","InterSystemsId":"0febb8ab-5d7e-4248-a174-9b536f6c61b6","IntraSystemId":"6502aca4-e991-4bec-aba4-e1528325db0e","ModifiedProperties":[],"ObjectId":"00000002-0000-0000-c000-000000000000","Operation":"UserLoggedIn","OrganizationId":"e87d1b53-abbc-4959-9da0-222596aae7e1","RecordType":15,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"e87d1b53-abbc-4959-9da0-222596aae7e1","UserId":"JSmith@domain.com","UserKey":"d606a355-e74b-497c-a8e6-d2645fdfe009","UserType":0,"Version":1,"Workload":"AzureActiveDirectory"}

Sample Parsing

metadata.product_log_id: "689f70d1-a3f4-4697-9b67-726444c85165"
metadata.event_timestamp.seconds: 1632355550
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Microsoft"
metadata.product_name: "Office 365"
metadata.product_event_type: "UserLoggedIn"
metadata.description: "User Login - AzureActiveDirectory"
additional.fields.key: "UserKey"
additional.fields.value.string_value: "d606a355-e74b-497c-a8e6-d2645fdfe009"
principal.user.userid: "john.doe@domain.com"
principal.user.email_addresses: "john.doe@domain.com"
principal.ip: "10.1.1.1"
principal.application: "AzureActiveDirectory"
principal.resource.id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
principal.name: "Organization Id"
principal.product_object_id: "6502aca4-e991-4bec-aba4-e1528325db0e"
src.resource.product_object_id: "e87d1b53-abbc-4959-9da0-222596aae7e1"
security_result.summary: "User login successful"
security_result.action: ALLOW
network.http.user_agent: "Windows-AzureAD-Authentication-Provider/1.0"
extensions.auth.type: MACHINE
extensions.mechanism: REMOTE

Parser Alerting

if [Operation] == "AlertTriggered"
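As an added illustration of the behaviour this page describes (the error handling, a slice of the UDM field mapping, the Operation-to-event-type table, and the AlertTriggered condition above), the following Python is an editor-written sketch, not the Cyderes parser itself and not Microsoft code. The input is the page's own Log Sample trimmed to the fields the sketch reads, plus a constructed alert record with placeholder ids. The event-type map is a subset of the page's table; the precedence of the Actor Type 5 entry over UserId, the BLOCK action on a failed login, and the default description for non-login events are assumptions chosen to reproduce the page's Sample Parsing output.

```python
import json
from datetime import datetime, timezone

# Subset of the page's Operation -> metadata.event_type table. Assumption: an
# Operation not listed here falls back to GENERIC_EVENT, like the table's first row.
EVENT_TYPE = {
    "UserLoggedIn": "USER_LOGIN",
    "UserLoginFailed": "USER_LOGIN",
    "Add user": "USER_CREATION",
    "Delete user": "USER_DELETION",
    "FileCreated": "FILE_CREATION",
    "HeartBeat": "STATUS_HEARTBEAT",
    "AlertTriggered": "GENERIC_EVENT",
}

# Constructed input: the page's Log Sample, trimmed to the fields read below.
SAMPLE_LOGIN = json.dumps({
    "Actor": [{"ID": "8a684ab2-99db-4bb3-b63a-e4df50f9a0c6", "Type": 0},
              {"ID": "john.doe@domain.com", "Type": 5}],
    "ClientIP": "10.1.1.1",
    "CreationTime": "2021-09-23T00:05:50",
    "ExtendedProperties": [{"Name": "UserAgent",
                            "Value": "Windows-AzureAD-Authentication-Provider/1.0"}],
    "Id": "689f70d1-a3f4-4697-9b67-726444c85165",
    "Operation": "UserLoggedIn",
    "OrganizationId": "e87d1b53-abbc-4959-9da0-222596aae7e1",
    "ResultStatus": "Success",
    "UserId": "JSmith@domain.com",
    "UserKey": "d606a355-e74b-497c-a8e6-d2645fdfe009",
    "Workload": "AzureActiveDirectory",
})

# Constructed alert record (placeholder id) to exercise the Parser Alerting condition.
SAMPLE_ALERT = json.dumps({
    "Operation": "AlertTriggered",
    "CreationTime": "2021-09-23T01:00:00",
    "Id": "PLACEHOLDER-ALERT-ID",
    "Workload": "SecurityComplianceCenter",
})


def generic_error(udm, reason, exc):
    """The page's error-handling contract: GENERIC_EVENT plus a tagged description."""
    udm["metadata.event_type"] = "GENERIC_EVENT"
    udm["metadata.description"] = f"parsing error: {reason}: {exc}"
    return udm


def normalize(raw):
    """Map one raw Office 365 audit record (a JSON string) to flat UDM keys."""
    udm = {"metadata.vendor_name": "Microsoft", "metadata.product_name": "Office 365"}
    try:
        event = json.loads(raw)
        if not isinstance(event, dict) or "Operation" not in event:
            raise ValueError("missing Operation field")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return generic_error(udm, "not_valid_log", exc)
    try:
        ts = datetime.strptime(event["CreationTime"], "%Y-%m-%dT%H:%M:%S")
        udm["metadata.event_timestamp.seconds"] = int(ts.replace(tzinfo=timezone.utc).timestamp())
    except (KeyError, TypeError, ValueError) as exc:
        return generic_error(udm, "invalid_date", exc)

    op = event["Operation"]
    workload = event.get("Workload", "")
    udm["metadata.product_event_type"] = op
    udm["metadata.product_log_id"] = event.get("Id", "")
    udm["metadata.event_type"] = EVENT_TYPE.get(op, "GENERIC_EVENT")
    udm["metadata.description"] = op  # assumption: default description for non-login events
    udm["principal.application"] = workload
    udm["intermediary.application"] = workload
    if "ClientIP" in event:
        udm["principal.ip"] = event["ClientIP"]
    if "OrganizationId" in event:
        udm["principal.resource.id"] = event["OrganizationId"]
        udm["principal.resource.name"] = "Organization Id"  # hard-coded per the table
    if "UserKey" in event:
        udm["additional.fields"] = [{"key": "UserKey", "value": {"string_value": event["UserKey"]}}]
    for prop in event.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            udm["network.http.user_agent"] = prop.get("Value")
    # Assumption: the Actor entry with Type 5 (the UPN) wins over UserId; this is what
    # reproduces the page's Sample Parsing output.
    user = next((a.get("ID") for a in event.get("Actor", []) if a.get("Type") == 5),
                event.get("UserId"))
    if user:
        udm["principal.user.userid"] = user
        udm["principal.user.email_addresses"] = [user]
    if udm["metadata.event_type"] == "USER_LOGIN":
        ok = op == "UserLoggedIn" and event.get("ResultStatus") == "Success"
        udm["security_result.action"] = "ALLOW" if ok else "BLOCK"  # BLOCK is an assumption
        udm["security_result.summary"] = "User login successful" if ok else "User login failed"
        udm["metadata.description"] = f"User Login - {workload}"
        udm["extensions.auth.type"] = "MACHINE"
        udm["extensions.auth.mechanism"] = "REMOTE"
    if op == "AlertTriggered":  # the page's Parser Alerting condition
        udm["is_alert"] = True
        udm["is_significant"] = True
    return udm


if __name__ == "__main__":
    for raw in (SAMPLE_LOGIN, SAMPLE_ALERT, "not json",
                '{"Operation":"UserLoggedIn","CreationTime":"n/a"}'):
        print(json.dumps(normalize(raw), indent=1))
```

The two error branches return early, so a record with an unparseable CreationTime never reaches the field mapping; that is why a GENERIC_EVENT with a "parsing error:" description in the normalized output is the signal to check the raw record rather than a detection rule.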

Rules

Coming soon