Office365 

Office365 enables you to fetch and analyze logs from Office 365 Management via APIs.

 

 

 

Release Details
Version: 6.0.1
Release date: 10th April, 2025
Supported On: Logpoint v7.5.0, Director Fabric v2.6.0, Director Console v2.6.0
Documentation: 
Office365 for Logpoint
Office365 for Director Console UI
Office365 for Director Console API
SHA 256: 8e2f10cbd3ee589d8602650518740ab88cd97aace62d67459d568bf8b33ec311
Download

Package Details

Office365 Components:
    1. Fetcher
      • Office365Fetcher
    2. Compiled Normalizer
      • Office365CompiledNormalizer
    3. Normalization package
      • LP_O365 Exchange MT
    4. Log Source Template
      • Microsoft365
    5. Search template
      • LP_Office365
    6. KB list
      • Executables
    7.  Reports
      • LP_Office365 OneDrive Overview 
      • LP_Office365 SharePoint Overview
      • LP_Office365 Exchange Overview
      • LP_Office365 Overview
      • LP_Office365 OneDrive Anonymous Link Activities
      • LP_Office365 Azure AD Login Activities
      • LP_Office365 Azure AD User Account Management
      • LP_Office365 OneDrive File Activities
      • LP_Office365 OneDrive Folder Activities
      • LP_Office365 Operations by File Category
      • LP_Office365 SharePoint File Activities
      • LP_Office365 SharePoint Folder Activities 
    8.  Dashboards
      • LP_Office365 Security and Compliance Alerts
      • LP_Office365 Azure AD Login Activities
      • LP_Office365 Azure AD User Account Management
      • LP_Office365 Exchange Overview
      • LP_Office365 OneDrive Anonymous Link Activities
      • LP_Office365 OneDrive File Activities
      • LP_Office365 OneDrive Folder Activities
      • LP_Office365 OneDrive Overview
      • LP_Office365 Operations by File Category
      • LP_Office365 Overview
      • LP_Office365 SharePoint File Activities
      • LP_Office365 SharePoint Folder Activities
      • LP_Office365 SharePoint Overview 
    9.  Alerts
      • LP_Office365 Global Administrator Role Assigned to User
      • LP_Office365 MailItemAccessed Logging Disabled
      • LP_Office365 Security and Compliance Alert related to Access Governance
      • LP_Office365 Security and Compliance Alert related to Data Governance
      • LP_Office365 Security and Compliance Alert related to Data Loss Prevention
      • LP_Office365 Security and Compliance Alert related to Mail Flow
      • LP_Office365 Security and Compliance Alert related to Other Category
      • LP_Office365 Security and Compliance Alert related to Threat Management
Enhancements
If the Log Collection Policy on localhost was updated, the Office365 UI only displayed the details of the first account, even when users clicked on other listed accounts.
Issue ID: PLUG-11684
Reference ID: 82518

The fetcher became unresponsive due to missing timeout values, causing log collection to stop.
Issue ID: PLUG-11714
Reference ID: 82661, 83745, 85200, 89670

The values for the field target_user were not normalized.
Issue ID: PLUG-16289
Reference ID: 89024

 

Past Releases

Office365 v6.0.0

Version: 6.0.0
Release date: 30th October, 2024
Supported On: Logpoint v7.5.0, Director Fabric v2.6.0, Director Console v2.6.0

Documentation: 
Office365 for Logpoint
Office365 for Director Console UI
Office365 for Director Console API

SHA 256: 0066bd14dae87092869b71eba455e1592321ad5b884334187a8ba9120655b7a4

Download

 

Enhancements

You can now configure Office365 from Log Sources, which provides a centralized user interface for all log collection configurations.

Compatibility is available with Director v2.6.0, currently available as Priority Access. Contact Support for access.
Issue ID: PLUG-10846
Reference ID: -

 

 

Office365 v5.3.1

Version: 5.3.1
Release date: August 07, 2023
Supported On: Logpoint 7.1.1 or later
Documentation: Office365 guide
SHA 256: 5295c2a9a2b681cbf94e08f6396c9c76b5fc9713683eef9e5adcffa8dfe3e53c

Download

 

Enhancements

Updated Office365CompiledNormalizer to correctly normalize the Target field.
Issue ID: KB-21664
Reference ID: 76346, 76470

Renamed the following fields in Office365CompiledNormalizer:

Former Field Name | Updated Field Name
P1Sender | return_path
P2Sender | sender
ClientIPs | client_address
client_user_agent | user_agent
scenario_name | scenario
app_access_context_client_app_id | application_id
app_access_context_api_id | api_id

Issue ID: KB-20461, KB-21315, KB-21794
Reference ID: 75006

Removed the following alerts that are no longer relevant:

  • LP_Office365 Multiple Successful Login from Different Country by Single User
  • LP_Office365 User License Change
  • LP_Office365 Multiple Successful Login From Different Host by Single User
  • LP_Office365 Multiple Failed Login from Different Host by Single User
  • LP_Office365 Multiple Failed Login from Same Host
  • LP_Office365 Malware Detected in OneDrive or SharePoint
  • LP_Office365 User Deleted from Azure AD
  • LP_Office365 User Added to Azure AD
  • LP_Office365 User Added to Multiple Groups
Issue ID: KB-21564
Reference ID: -

Added a new search template LP_Office365 and removed the LP_Office365 Azure AD Sign-ins search template. 

Bug Fixes

The following issues are fixed:

The ID inside DeviceProperties field was not properly normalized by Office365CompiledNormalizer.
Issue ID: KB-21282
Reference ID: 69065, 75375

Office365CompiledNormalizer did not properly normalize the Office365 MT logs.
Issue ID: KB-19351
Reference ID: 71405

 

Office365 v5.3.0

Release Date: October 14, 2022

Download: Office365_5.3.0.zip

SHA256: ae3c91133d7a93979dab005303e620472ecf5faae4eef7455981ca388ee162bb

Enhancements

Added the Office 365 Azure AD Sign-ins search template to investigate suspicious user Sign-in events.
Issue ID: KB-18146
Reference ID: -

Added Delete label for the action File Recycled.
Issue ID: KB-17426
Reference ID: 67528

Parsed the DeviceProperties field to extract values for OS and browser_type.
Issue ID: KB-15893
Reference ID: -

Renamed the following fields in Office365CompiledNormalizer to maintain consistency:

Former Field Name | Renamed Field Name
ForwardingAddress | forwarding_address
trc | receiver
tsd | sender

Issue ID: KB-17640
Reference ID: -

Added new alerts to detect Office365 events:

  • LP_Office365 MailItem Accessed Logging Disabled
  • LP_Office365 Malware Detected in OneDrive or SharePoint
  • LP_Office365 Global Administrator Role Assigned to User
Issue ID: KB-18027
Reference ID: -

Removed the following alerts that are no longer relevant:

  • LP_Office365 File Rename OneDrive
  • LP_Office365 File Rename SharePoint
  • LP_Office365 File Download OneDrive
  • LP_Office365 File Download SharePoint
  • LP_Office365 File or Folder Modified SharePoint
  • LP_Office365 File or Folder Modified OneDrive
  • LP_Office365 Valid Login IPs
  • LP_Office365 Executables Stored in SharePoint
  • LP_Office365 Executables Stored in OneDrive
  • LP_Office365 Password Resets
  • LP_Office365 File Shared with External User OneDrive
  • LP_Office365 Configuration Changes by External Access in Exchange
  • LP_Office365 File Shared with External User OneDrive

Renamed the following alerts:

Former Alerts | Renamed Alerts
LP_Office365 User Deleted from AD | LP_Office365 User Deleted from Azure AD
LP_Office365 User Added to AD | LP_Office365 User Added to Azure AD
LP_Office365 User Added to Group | LP_Office365 User Added to Multiple Groups

Bug Fixes

The following issues are fixed:

The value of policy_name was captured by the user field.
Issue ID: KB-17136
Reference ID: -

Office365CompiledNormalizer did not properly normalize the receiver field in Office365 logs.
Issue ID: KB-16067
Reference ID: 64064

 

Office365 v5.1.1

Release Date: April 21, 2021

Supported On: Logpoint v6.7.0 and later

Download: Office365_5.1.1.zip

SHA256: ee8dac6f17439fff2914564ac9e88b8eb837fcef4ae43783a27e1d1b92bc9c4a

Bug Fix

An issue in the compiled normalizer Office365CompiledNormalizer where the fields subject and attachment data for the Exchange logs were not parsed correctly has now been resolved.

 

Office365 v3.7.0

Release Date: December 05, 2019

Supported On: Logpoint v6.6.5 or later

Download: Office365_3.7.0.zip

SHA256: 894078d72bcedbc88af56b6ae0b552250448317bff05b2c5fafb8d38ad411b9f

Office365 has been upgraded to support Logpoint v7.1.1.

Enhancements

  • The following labels are added for Office365:

    Application | Action | Labels
    Azure Active Directory | Add owner to application | Add, User, Application, Management
    Azure Active Directory | Add application | Add, Application, Management
    Azure Active Directory | Update company | Update, Company
    Microsoft Teams | Connector Added | Connector, Add
  • The following Azure fields are mapped to the Logpoint taxonomy: 

    Vendor Fields | Logpoint Fields
    actorObjectClass | actor_object_class
    actorObjectId | actor_object_id
    additionalDetails | additional_information
    auditEventCategory | audit_event_category
    correlationId | correlation_id
    env_appId | application_id
    env_appVer | application_version
    env_cloud_deploymentUnit | cloud_deployment_unit
    env_cloud_environment | could_environment
    evn_cloud_name | cloud
    env_cloud_role | cloud_role
    env_cloud_roleInstance | cloud_role_instance
    evn_could_roleVer | cloud_role_version
    env_flags | flag
    env_osVer | os_version
    env_os | os
    env_popSample | pop_sample
    env_seqNum | sequence_number
    env_time | env_ts
    env_ver | env_version
    extendedAuditEventcategory | extended_audit_event_category
    ModifiedProperties | event_properties
    resultType | result_type
    targetIncludedUpdatedProperties | target_included_updated_properties
    targetObjectId | target_object_id
    targetPUID | target_puid
    targetUPN | target_upn
    teamName | team
    FileSyncBytesCommitted | file_sync_bytes_committed
    MachineId | machine_id
    OperationDetails | operation_details
    ClientApplicationId | client_application_id
    EntityPath | path
    alert_name | alert
    AlertLinks | alert_link
    EventData | event_data
    ClientType | client_type
    ApplicationDisplayName | application_display_name
    ListBaseType | list_base_type
    ListTitle | list_title
    ListBaseTemplateType | list_base_template_type
    OperationDetails | details
    ResourceTitle | title
    ResourceUrl | url
    object_name | object
    TeamGuid | team_guid
    ChannelName | channel
    ChannelGuid | channel_guid
    ExtraProperties | description
    TabType | tab_type
    TeamGuid | team_guid
    ClientInfoString | client_information
    ExternalAccess | external_access
    ItemId | ItemId
    ItemIsRecord | ItemIsRecord
    MailboxOwnerMasterAccountSid | MailboxOwnerMasterAccountSid
    ItemInternetMessageDd | ItemInternetMessageDd
    copyRoleAssignments | copyRoleAssignments
    UniqueSharingId | UniqueSharingId
    ImplicitShare | ImplicitShare
    ClassificationInfo | ClassificationInfo
    actorAppId | actorAppId
    actorContextId | actorContextId
    actorUPN | actorUPN

Support

If you have any questions or require assistance, create a support ticket.

Comments

  • Manjul Bhattarai
    June 17, 2019 08:57

    Office365 v3.5.0 has been publicly released.

  • Daniel Hainich
    August 01, 2019 09:03

    It seems there is a problem with the fetcher.

    127.0.0.1
    AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 060389f5-9662-4e29-b59b-eeb5d9981100 Correlation ID: 0e03bd28-f2c6-4386-a209-15473bd4fa52 Timestamp: 2019-08-01 09:03:24Z

  • Jouni Peltonen
    September 18, 2019 07:25

    Same here.

  • Janne Nyman
    September 18, 2019 11:01

    Hi Daniel, did you raise a ticket for this? Did you get it resolved?

    Best regards,
    Janne

  • Phung Nguyen
    September 19, 2019 11:08

    Which privileges does the service account in O365 need? Reading permission to the audit logs?

  • Nils Krumrey
    September 19, 2019 11:18

    In addition to the permissions of the O365 Management API, I think the user just needs to be able to log in to Office 365 - so a standard domain user account should work?
