About Microsoft 365 Audit logs
Table name: o365_audit_logs
Audit event logs for various actions across your Office 365 environment. These include general logs, DLP-related logs, and logs from specific applications: SharePoint, Exchange, and AzureActiveDirectory.
Learn more here.
Sending Data To Hunters
📘 Note
To complete the steps below you’ll need an Azure admin user.
To set up ingestion from Microsoft 365, perform the following steps:
STEP 1: Register application - Register a new application in Azure with the appropriate permissions, create a client secret, and note down the values you will need for the next steps.
STEP 2: Retrieve authorization code - Use the information gathered in step 1 to retrieve an authorization code, which is required to complete the next step.
STEP 3: Get a refresh token - Generate a refresh token using the information gathered in step 1 and the authorization code retrieved in step 2.
STEP 4: Enable auditing - Make sure auditing is turned on so that the logs are actually kept.
STEP 5: Start subscriptions - Start subscriptions to receive logs from the Office 365 Management Activity API.
STEP 6: Deliver keys to Hunters - Set up the connection in the Hunters platform.
Sample Data
{"CreationTime": "2022-05-11T13:34:07", "Id": "123456", "Operation": "UserLoggedIn", "OrganizationId": "1111", "RecordType": 15, "ResultStatus": "Success", "UserKey": "12345", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "1.1.1.1", "ObjectId": "000000", "UserId": "john@doe", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Redirect"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "12345", "Type": 0}, {"ID": "john@doe", "Type": 5}], "ActorContextId": "12345", "ActorIpAddress": "1.1.1.1", "InterSystemsId": "12345", "IntraSystemId": "6789", "SupportTicketId": "", "Target": [{"ID": "0000", "Type": 0}], "TargetContextId": "12345", "ApplicationId": "12345", "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}, {"Name": "SessionId", "Value": "123"}], "ErrorNumber": "0"}
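The record above carries its most useful sign-in context (user agent, request type, device compliance state) as Name/Value lists rather than top-level fields, so it has to be flattened before it is searchable. The following added example, which is not Hunters' or Microsoft's code, normalizes a constructed copy of that record (trimmed, same field names) and runs one assumed detection rule over it: a successful AzureActiveDirectory UserLoggedIn from a device reported as neither compliant nor managed.

```python
import json

# Constructed sample modelled on the record shown on this page (not real tenant data).
SAMPLE_RECORD = '''{"CreationTime": "2022-05-11T13:34:07", "Id": "123456",
 "Operation": "UserLoggedIn", "OrganizationId": "1111", "RecordType": 15,
 "ResultStatus": "Success", "UserKey": "12345", "UserType": 0, "Version": 1,
 "Workload": "AzureActiveDirectory", "ClientIP": "1.1.1.1", "ObjectId": "000000",
 "UserId": "john@doe", "AzureActiveDirectoryEventType": 1,
 "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Redirect"},
   {"Name": "UserAgent", "Value": "Mozilla/5.0 (Macintosh) Chrome/101.0"},
   {"Name": "RequestType", "Value": "OAuth2:Authorize"}],
 "ModifiedProperties": [],
 "Actor": [{"ID": "12345", "Type": 0}, {"ID": "john@doe", "Type": 5}],
 "ActorIpAddress": "1.1.1.1",
 "DeviceProperties": [{"Name": "OS", "Value": "MacOs"},
   {"Name": "BrowserType", "Value": "Chrome"},
   {"Name": "IsCompliantAndManaged", "Value": "False"},
   {"Name": "SessionId", "Value": "123"}],
 "ErrorNumber": "0"}'''


def _name_value_list_to_dict(items):
    """Flatten the [{"Name": ..., "Value": ...}] lists used by ExtendedProperties/DeviceProperties."""
    return {item["Name"]: item["Value"] for item in (items or [])}


def normalize_record(raw: str) -> dict:
    """Turn one raw o365 audit record into a flat event with the fields a hunt usually needs."""
    rec = json.loads(raw)
    ext = _name_value_list_to_dict(rec.get("ExtendedProperties"))
    dev = _name_value_list_to_dict(rec.get("DeviceProperties"))
    return {
        "time": rec["CreationTime"],
        "workload": rec.get("Workload"),
        "operation": rec.get("Operation"),
        "result": rec.get("ResultStatus"),
        "user": rec.get("UserId"),
        "client_ip": rec.get("ClientIP") or rec.get("ActorIpAddress"),
        "user_agent": ext.get("UserAgent"),
        "request_type": ext.get("RequestType"),
        "os": dev.get("OS"),
        "browser": dev.get("BrowserType"),
        # The value is the string "True"/"False", not a JSON boolean; normalize it here.
        "compliant_managed": dev.get("IsCompliantAndManaged", "").lower() == "true",
    }


def unmanaged_device_login(event: dict) -> bool:
    """Assumed detection rule: successful Azure AD sign-in from a non-compliant, unmanaged device."""
    return (event["workload"] == "AzureActiveDirectory"
            and event["operation"] == "UserLoggedIn"
            and event["result"] == "Success"
            and not event["compliant_managed"])
```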