About Microsoft 365 Audit logs
Table name: o365_audit_logs
Audit event logs for various actions across your Office 365 environment. These include general logs, DLP-related logs, and logs from specific applications: SharePoint, Exchange, and AzureActiveDirectory.
Learn more here.
Important Note Regarding Setting up Audit-Logs ingestion
This integration requires its own Client Secret when registering the app (a different one from the one used for message-trace).
In the Hunters Data Types section:
Enable Microsoft Audit Logs
Disable O365 Message Trace
To configure this, go to:
Data Sources → Connect Data Sources → More Integrations under Office 365.
Sending Data To Hunters
📘 Note
To complete the steps below you’ll need an Azure admin user.
To set up ingestion from Microsoft 365, perform the following steps:
STEP 1: Register application - Register a new application on Azure with appropriate permissions, create client secrets and gather information in your notepad for the next steps.
STEP 2: Retrieve authorization code - Use the information gathered in step 1 to retrieve an authorization code, required to complete the next step.
STEP 3: Get a refresh token - Generate a refresh token using the information gathered in step 1 and the authorization code retrieved in step 2.
STEP 4: Enable auditing - Make sure Azure is keeping the logs.
STEP 5: Start subscriptions - Start subscriptions to receive logs from Office 365 Management Activity API.
STEP 6: Deliver keys to Hunters - Set up the connection in the Hunters platform.
Sample Data
{"CreationTime": "2022-05-11T13:34:07", "Id": "123456", "Operation": "UserLoggedIn", "OrganizationId": "1111", "RecordType": 15, "ResultStatus": "Success", "UserKey": "12345", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.1.1.1", "ObjectId": "000000", "UserId": "john@doe", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "12345", "Type": 0}, {"ID": "john@doe", "Type": 5}], "ActorContextId": "12345", "ActorIpAddress": "1.1.1.1", "InterSystemsId": "12345", "IntraSystemId": "6789", "SupportTicketId": "", "Target": [{"ID": "0000", "Type": 0}], "TargetContextId": "12345", "ApplicationId": "12345", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "123"}], "ErrorNumber": "0"}
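The sample record stores device and request details as arrays of Name/Value pairs, which are awkward to filter on directly. The following is an added example, not part of the Hunters documentation: it flattens those arrays and flags successful Azure AD sign-ins from devices not reported as compliant and managed. The function names and the rule itself are assumptions for illustration, and the input is a trimmed copy of the sample above.

```python
import json

# Constructed input: a trimmed copy of the page's Sample Data record.
SAMPLE = json.dumps({
    "CreationTime": "2022-05-11T13:34:07", "Id": "123456",
    "Operation": "UserLoggedIn", "ResultStatus": "Success",
    "Workload": "AzureActiveDirectory", "ClientIP": "1.1.1.1",
    "UserId": "john@doe",
    "ExtendedProperties": [
        {"Name": "ResultStatusDetail", "Value": "Redirect"},
        {"Name": "RequestType", "Value": "OAuth2:Authorize"}],
    "DeviceProperties": [
        {"Name": "OS", "Value": "MacOs"},
        {"Name": "BrowserType", "Value": "Chrome"},
        {"Name": "IsCompliantAndManaged", "Value": "False"}],
})


def props(record, key):
    """Flatten a [{"Name":..., "Value":...}] list; null or bad entries are skipped."""
    out = {}
    for item in record.get(key) or []:
        if isinstance(item, dict) and "Name" in item:
            out[item["Name"]] = item.get("Value")
    return out


def normalize(line):
    """Parse one audit record (JSON text) into a flat row for triage."""
    rec = json.loads(line)
    dev, ext = props(rec, "DeviceProperties"), props(rec, "ExtendedProperties")
    return {
        "time": rec.get("CreationTime"),
        "user": rec.get("UserId"),
        "ip": rec.get("ClientIP"),
        "workload": rec.get("Workload"),
        "operation": rec.get("Operation"),
        "status": rec.get("ResultStatus"),
        "request_type": ext.get("RequestType"),
        # The flag arrives as the string "True"/"False"; absent counts as unmanaged.
        "managed": str(dev.get("IsCompliantAndManaged", "")).lower() == "true",
    }


def unmanaged_signin(row):
    """Successful Azure AD sign-in from a device not reported as managed."""
    key = (row["workload"], row["operation"], row["status"])
    expected = ("AzureActiveDirectory", "UserLoggedIn", "Success")
    return key == expected and not row["managed"]
```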