Office365

Office365 enables you to fetch and analyze logs from Office 365 Management via APIs.

Release Details

Version: 6.0.1

Release date: 10th April, 2025

Supported On: Logpoint v7.5.0, Director Fabric v2.6.0, Director Console v2.6.0

Documentation:

Office365 for Logpoint
Office365 for Director Console UI
Office365 for Director Console API

SHA 256: 8e2f10cbd3ee589d8602650518740ab88cd97aace62d67459d568bf8b33ec311

Download

Package Details

Office365 Components:

1. Fetcher
  - Office365Fetcher
2. Compiled Normalizer
  - Office365CompiledNormalizer
3. Normalization package
  - LP_O365 Exchange MT
4. Log Source Template
  - Microsoft365
5. Search template
  - LP_Office365
6. KB list
  - Executables
7. Reports
  - LP_Office365 OneDrive Overview
  - LP_Office365 SharePoint Overview
  - LP_Office365 Exchange Overview
  - LP_Office365 Overview
  - LP_Office365 OneDrive Anonymous Link Activities
  - LP_Office365 Azure AD Login Activities
  - LP_Office365 Azure AD User Account Management
  - LP_Office365 OneDrive File Activities
  - LP_Office365 OneDrive Folder Activities
  - LP_Office365 Operations by File Category
  - LP_Office365 SharePoint File Activities
  - LP_Office365 SharePoint Folder Activities
8. Dashboards
  - LP_Office365 Security and Compliance Alerts
  - LP_Office365 Azure AD Login Activities
  - LP_Office365 Azure AD User Account Management
  - LP_Office365 Exchange Overview
  - LP_Office365 OneDrive Anonymous Link Activities
  - LP_Office365 OneDrive File Activities
  - LP_Office365 OneDrive Folder Activities
  - LP_Office365 OneDrive Overview
  - LP_Office365 Operations by File Category
  - LP_Office365 Overview
  - LP_Office365 SharePoint File Activities
  - LP_Office365 SharePoint Folder Activities
  - LP_Office365 SharePoint Overview
9. Alerts
  - LP_Office365 Global Administrator Role Assigned to User
  - LP_Office365 MailItemAccessed Logging Disabled
  - LP_Office365 Security and Compliance Alert related to Access Governance
  - LP_Office365 Security and Compliance Alert related to Data Governance
  - LP_Office365 Security and Compliance Alert related to Data Loss Prevention
  - LP_Office365 Security and Compliance Alert related to Mail Flow
  - LP_Office365 Security and Compliance Alert related to Other Category
  - LP_Office365 Security and Compliance Alert related to Threat Management

Enhancements

Description	Issue ID	Reference ID
If the Log Collection Policy on localhost was updated, the Office365 UI only displayed the details of the first account, even when users clicked on other listed accounts.	PLUG-11684	82518
The fetcher became unresponsive due to missing timeout values, causing log collection to stop.	PLUG-11714	82661, 83745, 85200, 89670
The values for the field target_user were not normalized.	PLUG-16289	89024

Past Releases

Office365 v6.0.0

Version: 6.0.0

Release date: 30th October, 2024

Supported On: Logpoint v7.5.0, Director Fabric v2.6.0, Director Console v2.6.0

Documentation:

Office365 for Logpoint
Office365 for Director Console UI
Office365 for Director Console API

SHA 256: 0066bd14dae87092869b71eba455e1592321ad5b884334187a8ba9120655b7a4

Download

Enhancements

Description

Issue ID

Reference ID

You can now configure Office365 from Log Sources, which provides a centralized user interface for all log collection configurations.

Compatibility is available with Director v2.6.0, currently available as Priority Access. Contact Support for its access.

PLUG-10846

Office365 v5.3.1

Version:5.3.1

Release date: August 07, 2023

Supported On: Logpoint 7.1.1 or later

Documentation: Office365 guide

SHA 256: 5295c2a9a2b681cbf94e08f6396c9c76b5fc9713683eef9e5adcffa8dfe3e53c

Download

Enhancements

Description

Issue ID

Reference ID

Updated Office365CompiledNormalizer to correctly normalize the Target field.

KB-21664

76346, 76470

Renamed the following fields in Office365CompiledNormalizer:

Former Field Name	Updated Field Name
P1Sender	return_path
P2Sender	sender
ClientIPs	client_address
client_user_agent	user_agent
scenario_name	scenario
app_access_context_client_app_id	application_id
app_access_context_api_id	api_id

KB-20461, KB-21315, KB-21794

75006

Removed the following alerts that are no longer relevant:

LP_Office365 Multiple Successful Login from Different Country by Single User
LP_Office365 User License Change
LP_Office365 Multiple Successful Login From Different Host by Single User
LP_Office365 Multiple Failed Login from Different Host by Single User
LP_Office365 Multiple Failed Login from Same Host
LP_Office365 Malware Detected in OneDrive or SharePoint
LP_Office365 User Deleted from Azure AD
LP_Office365 User Added to Azure AD
LP_Office365 User Added to Multiple Groups

KB-21564

Added a new search template LP_Office365 and removed the LP_Office365 Azure AD Sign-ins search template.

Bug Fixes

The following issues are fixed:

Description	Issue ID	Reference ID
The ID inside DeviceProperties field was not properly normalized by Office365CompiledNormalizer.	KB-21282	69065, 75375
Office365CompiledNormalizer did not properly normalize the Office365 MT logs.	KB-19351	71405

Office365 v5.3.0

Release Date: October 14, 2022

Download: Office365_5.3.0.zip

SHA256: ae3c91133d7a93979dab005303e620472ecf5faae4eef7455981ca388ee162bb

Enhancements

Description

Issue ID

Reference ID

Added the Office 365 Azure AD Sign-inssearch template to investigate suspicious user Sign-inevents.

KB-18146

AddedDelete label for the actionFile Recycled.

KB-17426

67528

Parsed the DeviceProperties field extract values for OS and browser_type.

KB-15893

Renamed the following fields in Office365CompiledNormalizer to maintain consistency:

Former Field Name	Renamed Field Name
ForwardingAddress	forwarding_address
trc	receiver
tsd	sender

KB-17640

Added new alerts to detect Office365 events:

LP_Office365 MailItem Accessed Logging Disabled
LP_Office365 Malware Detected in OneDrive or SharePoint
LP_Office365 Global Administrator Role Assigned to User

KB-18027

Removed the following alerts that are no longer relevant:

LP_Office365 File Rename OneDrive
LP_Office365 File Rename SharePoint
LP_Office365 File Download OneDrive
LP_Office365 File Download SharePoint
LP_Office365 File or Folder Modified SharePoint
LP_Office365 File or Folder Modified OneDrive
LP_Office365 Valid Login IPs
LP_Office365 Executables Stored in SharePoint
LP_Office365 Executables Stored in OneDrive
LP_Office365 Password Resets
LP_Office365 File Shared with External User OneDrive
LP_Office365 Configuration Changes by External Access in Exchange
LP_Office365 File Shared with External User OneDrive

Renamed the following alerts:

Former Alerts	Renamed alerts
LP_Office365 User Deleted from AD	LP_Office365 User Deleted from Azure AD
LP_Office365 User Added to AD	LP_Office365 User Added to Azure AD
LP_Office365 User Added to Group	LP_Office365 User Added to Multiple Groups

Bug Fixes

The following issues are fixed:

Description	Issue ID	Reference ID
The value of policy_name was captured by the user field.	KB-17136	-
Office365CompiledNormalizer did not properly normalize the receiver field in Office365 logs.	KB-16067	64064

Office365 v5.1.1

Release Date: April 21, 2021

Supported On: Logpoint v6.7.0 and later

Download: Office365_5.1.1.zip

SHA256: ee8dac6f17439fff2914564ac9e88b8eb837fcef4ae43783a27e1d1b92bc9c4a

Bug Fix

An issue in the compiled normalizer Office365CompiledNormalizer where the fields subject and attachment data for the Exchange logs were not parsed correctly has now been resolved.

Office365 v3.7.0

Release Date: December 05, 2019

Supported On: Logpoint v6.6.5 or later

Download: Office365_3.7.0.zip

SHA256: 894078d72bcedbc88af56b6ae0b552250448317bff05b2c5fafb8d38ad411b9f

Office365 has been upgraded to support Logpoint v7.1.1.

Enhancements

The following labels are added for Office365:

Application	Action	Labels
Azure Active Directory	Add owner to application	Add, User, Application, Management
	Add application	Add, Application, Management
	Update company	Update, Company
Microsoft Teams	Connector Added	Connector, Add

The following Azure fields are mapped to the Logpoint taxonomy:

Vendor Fields	Logpoint Fields
actorObjectClass	actor_object_class
actorObjectId	actor_object_id
additionalDetails	additional_information
auditEventCategory	audit_event_category
correlationId	correlation_id
env_appId	application_id
env_appVer	application_version
env_cloud_deploymentUnit	cloud_deployment_unit
env_cloud_environment	could_environment
evn_cloud_name	cloud
env_cloud_role	cloud_role
env_cloud_roleInstance	cloud_role_instance
evn_could_roleVer	cloud_role_version
env_flags	flag
env_osVer	os_version
env_os	os
env_popSample	pop_sample
env_seqNum	sequence_number
env_time	env_ts
env_ver	env_version
extendedAuditEventcategory	extended_audit_event_category
ModifiedProperties	event_properties
resultType	result_type
targetIncludedUpdatedProperties	target_included_updated_properties
targetObjectId	target_object_id
targetPUID	target_puid
targetUPN	target_upn
teamName	team
FileSyncBytesCommitted	file_sync_bytes_committed
MachineId	machine_id
OperationDetails	operation_details
ClientApplicationId	client_application_id
EntityPath	path
alert_name	alert
AlertLinks	alert_link
EventData	event_data
ClientType	client_type
ApplicationDisplayName	application_display_name
ListBaseType	list_base_type
ListTitle	list_title
ListBaseTemplateType	list_base_template_type
OperationDetails	details
ResourceTitle	title
ResourceUrl	url
object_name	object
TeamGuid	team_guid
ChannelName	channel
ChannelGuid	channel_guid
ExtraProperties	description
TabType	tab_type
TeamGuid	team_guid
ClientInfoString	client_information
ExternalAccess	external_access
ItemId	ItemId
ItemIsRecord	ItemIsRecord
MailboxOwnerMasterAccountSid	MailboxOwnerMasterAccountSid
ItemInternetMessageDd	ItemInternetMessageDd
copyRoleAssignments	copyRoleAssignments
UniqueSharingId	UniqueSharingId
ImplicitShare	ImplicitShare
ClassificationInfo	ClassificationInfo
actorAppId	actorAppId
actorContextId	actorContextId
actorUPN	actorUPN

Support

If you have any questions or require assistance, create a support ticket.

Comments

Manjul Bhattarai
June 17, 2019 08:57

Office365 v3.5.0 has been publicly released.

Comment actions Permalink
Daniel Hainich
August 01, 2019 09:03

It seems there is an Problem with the fetcher.

127.0.0.1
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 060389f5-9662-4e29-b59b-eeb5d9981100 Correlation ID: 0e03bd28-f2c6-4386-a209-15473bd4fa52 Timestamp: 2019-08-01 09:03:24Z

Comment actions Permalink
Jouni Peltonen
September 18, 2019 07:25

Same here.

Comment actions Permalink
Janne Nyman
September 18, 2019 11:01

Hi Daniel, did you raise a ticket for this? Did you get it resolved?

Best regards,
Janne

Comment actions Permalink
Phung Nguyen
September 19, 2019 11:08

Which privileges does the service account in O365 need? Reading permission to the auditlogs?

Comment actions Permalink
Nils Krumrey
September 19, 2019 11:18

In addition to the permissions of the O365 Management API, I think the user just needs to be able to log in to Office 365 - so a standard domain user account should work?

Comment actions Permalink