Office365
Office365 fetches and analyzes logs from Office 365 Management APIs.
Package Details
Office365 Components:
- Fetcher
  - Office365Fetcher
- Compiled Normalizer
  - Office365CompiledNormalizer
- Normalization package
  - LP_O365 Exchange MT
- Log Source Template
  - Microsoft365
- Search template
  - LP_Office365
- KB list
- Executables
- Reports
  - LP_Office365 OneDrive Overview
  - LP_Office365 SharePoint Overview
  - LP_Office365 Exchange Overview
  - LP_Office365 Overview
  - LP_Office365 OneDrive Anonymous Link Activities
  - LP_Office365 Azure AD Login Activities
  - LP_Office365 Azure AD User Account Management
  - LP_Office365 OneDrive File Activities
  - LP_Office365 OneDrive Folder Activities
  - LP_Office365 Operations by File Category
  - LP_Office365 SharePoint File Activities
  - LP_Office365 SharePoint Folder Activities
- Dashboards
  - LP_Office365 Security and Compliance Alerts
  - LP_Office365 Azure AD Login Activities
  - LP_Office365 Azure AD User Account Management
  - LP_Office365 Exchange Overview
  - LP_Office365 OneDrive Anonymous Link Activities
  - LP_Office365 OneDrive File Activities
  - LP_Office365 OneDrive Folder Activities
  - LP_Office365 OneDrive Overview
  - LP_Office365 Operations by File Category
  - LP_Office365 Overview
  - LP_Office365 SharePoint File Activities
  - LP_Office365 SharePoint Folder Activities
  - LP_Office365 SharePoint Overview
- Alerts
  - LP_Office365 Global Administrator Role Assigned to User
  - LP_Office365 MailItemAccessed Logging Disabled
  - LP_Office365 Security and Compliance Alert related to Access Governance
  - LP_Office365 Security and Compliance Alert related to Data Governance
  - LP_Office365 Security and Compliance Alert related to Data Loss Prevention
  - LP_Office365 Security and Compliance Alert related to Mail Flow
  - LP_Office365 Security and Compliance Alert related to Other Category
  - LP_Office365 Security and Compliance Alert related to Threat Management
Fetcher

Description | Issue ID | Reference ID
---|---|---
You can now configure Office365 from Log Sources, which provides a centralized user interface for all log collection configurations. Compatibility is available with Director v2.6.0, currently available as Priority Access. Contact Support for its access. | PLUG-10846 | -
Past Releases
Office365 v5.3.1
Version: 5.3.1
Enhancements

Description | Issue ID | Reference ID
---|---|---
Updated Office365CompiledNormalizer to correctly normalize the Target field. | KB-21664 | 76346, 76470
Renamed the following fields in Office365CompiledNormalizer: | KB-20461, KB-21315, KB-21794 | 75006
Removed the following alerts that are no longer relevant: | KB-21564 | -
Added a new search template LP_Office365 and removed the LP_Office365 Azure AD Sign-ins search template. | |

Bug Fixes
The following issues are fixed:

Description | Issue ID | Reference ID
---|---|---
The ID inside the DeviceProperties field was not properly normalized by Office365CompiledNormalizer. | KB-21282 | 69065, 75375
Office365CompiledNormalizer did not properly normalize the Office365 MT logs. | KB-19351 | 71405
Office365 v5.3.0
Release Date: October 14, 2022
Download: Office365_5.3.0.zip
SHA256: ae3c91133d7a93979dab005303e620472ecf5faae4eef7455981ca388ee162bb
Enhancements

Description | Issue ID | Reference ID
---|---|---
Added the Office 365 Azure AD Sign-ins search template to investigate suspicious user sign-in events. | KB-18146 | -
Added the Delete label for the action File Recycled. | KB-17426 | 67528
Parsed the DeviceProperties field to extract values for OS and browser_type. | KB-15893 | -
Renamed the following fields in Office365CompiledNormalizer to maintain consistency: | KB-17640 | -
Added new alerts to detect Office365 events: | KB-18027 | -
Removed the following alerts that are no longer relevant: | |
Renamed the following alerts: | |

Bug Fixes
The following issues are fixed:

Description | Issue ID | Reference ID
---|---|---
The value of policy_name was captured by the user field. | KB-17136 | -
Office365CompiledNormalizer did not properly normalize the receiver field in Office365 logs. | KB-16067 | 64064
Office365 v5.1.1
Release Date: April 21, 2021
Supported On: Logpoint v6.7.0 and later
Download: Office365_5.1.1.zip
SHA256: ee8dac6f17439fff2914564ac9e88b8eb837fcef4ae43783a27e1d1b92bc9c4a
Bug Fix
An issue in the compiled normalizer Office365CompiledNormalizer where the fields subject and attachment data for the Exchange logs were not parsed correctly has now been resolved.
Office365 v3.7.0
Release Date: December 05, 2019
Supported On: Logpoint v6.6.5 or later
Download: Office365_3.7.0.zip
SHA256: 894078d72bcedbc88af56b6ae0b552250448317bff05b2c5fafb8d38ad411b9f
Office365 has been upgraded to support Logpoint v7.1.1.
Enhancements
- The following labels are added for Office365:

Application | Action | Labels
---|---|---
Azure Active Directory | Add owner to application | Add, User, Application, Management
Azure Active Directory | Add application | Add, Application, Management
Azure Active Directory | Update company | Update, Company
Microsoft Teams | Connector Added | Connector, Add

- The following Azure fields are mapped to the Logpoint taxonomy:

Vendor Fields | Logpoint Fields
---|---
actorObjectClass | actor_object_class
actorObjectId | actor_object_id
additionalDetails | additional_information
auditEventCategory | audit_event_category
correlationId | correlation_id
env_appId | application_id
env_appVer | application_version
env_cloud_deploymentUnit | cloud_deployment_unit
env_cloud_environment | could_environment
evn_cloud_name | cloud
env_cloud_role | cloud_role
env_cloud_roleInstance | cloud_role_instance
evn_could_roleVer | cloud_role_version
env_flags | flag
env_osVer | os_version
env_os | os
env_popSample | pop_sample
env_seqNum | sequence_number
env_time | env_ts
env_ver | env_version
extendedAuditEventcategory | extended_audit_event_category
ModifiedProperties | event_properties
resultType | result_type
targetIncludedUpdatedProperties | target_included_updated_properties
targetObjectId | target_object_id
targetPUID | target_puid
targetUPN | target_upn
teamName | team
FileSyncBytesCommitted | file_sync_bytes_committed
MachineId | machine_id
OperationDetails | operation_details
ClientApplicationId | client_application_id
EntityPath | path
alert_name | alert
AlertLinks | alert_link
EventData | event_data
ClientType | client_type
ApplicationDisplayName | application_display_name
ListBaseType | list_base_type
ListTitle | list_title
ListBaseTemplateType | list_base_template_type
OperationDetails | details
ResourceTitle | title
ResourceUrl | url
object_name | object
TeamGuid | team_guid
ChannelName | channel
ChannelGuid | channel_guid
ExtraProperties | description
TabType | tab_type
TeamGuid | team_guid
ClientInfoString | client_information
ExternalAccess | external_access
ItemId | ItemId
ItemIsRecord | ItemIsRecord
MailboxOwnerMasterAccountSid | MailboxOwnerMasterAccountSid
ItemInternetMessageDd | ItemInternetMessageDd
copyRoleAssignments | copyRoleAssignments
UniqueSharingId | UniqueSharingId
ImplicitShare | ImplicitShare
ClassificationInfo | ClassificationInfo
actorAppId | actorAppId
actorContextId | actorContextId
actorUPN | actorUPN
Support
If you have any questions or require assistance, create a support ticket.
Office365 v3.5.0 has been publicly released.
It seems there is a problem with the fetcher.
127.0.0.1
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: 060389f5-9662-4e29-b59b-eeb5d9981100 Correlation ID: 0e03bd28-f2c6-4386-a209-15473bd4fa52 Timestamp: 2019-08-01 09:03:24Z
Same here.
Hi Daniel, did you raise a ticket for this? Did you get it resolved?
Best regards,
Janne
Which privileges does the service account in O365 need? Read permission to the audit logs?
In addition to the permissions of the O365 Management API, I think the user just needs to be able to log in to Office 365 - so a standard domain user account should work?