Overview

Microsoft 365, formerly Office 365, is a line of subscription services offered by Microsoft that includes and extends the Microsoft Office product line.

Supported data types

  • Office365 Audit

An example:

{
    "user_agent": {
        "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/237.12 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/237.12"
    },
    "network": {
        "type": "ipv4"
    },
    "ecs": {
        "version": "1.9.0"
    },
    "tags": [
        "jenkins"
        
    ],
    "file": {
        "extension": "jpg",
        "name": "String.jpg",
        "directory": "String"
    },
    "o365": {
        "audit": {
            "UserType": 0,
            "ObjectId": "String",
            "RecordType": 6,
            "SourceRelativeUrl": "String",
            "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/237.12 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/237.12",
            "WebId": "3jabd5-43fh-2853-1e79f-128e80ba",
            "AppAccessContext": {
                "AADSessionId": "33891-2796a8d-274-12076-1207ba99d",
                "CorrelationId": "98732ab2-4785-2703-20af-2379-127ad986f"
            },
            "Site": "2917290-18ad-124f-122ba-2179690b08d2",
            "ItemType": "File",
            "CreationTime": "2021-12-19T13:39:46",
            "SourceFileExtension": "jpg",
            "Workload": "String",
            "Id": "2176ad-1f2f-167d8-adba-1297d08f0h",
            "SourceFileName": "String.jpg",
            "DoNotDistributeEvent": true,
            "ClientIP": "1.1.1.1",
            "SiteUrl": "String",
            "OrganizationId": "79612ad3-27da-1680-2f67-852ad971ff",
            "Operation": "FileAccessed",
            "CorrelationId": "157-157d-8753-578a097d-25780da07f",
            "CustomUniqueId": false,
            "UserKey": "String",
            "UserId": "String",
            "ListId": "23960-127d-268ad-378fd-12759fd877a",
            "ListItemUniqueId": "6789df-3689a-468-3681-360afb9d2",
            "EventSource": "String",
            "Version": 1
        }
    },
    "related": {
        "ip": "1.1.1.2",
        "user": "David"
    },
    "client": {
        "address": "1.1.1.2",
        "ip": "1.1.1.2"
    },
    "fileset": {
        "name": "audit"
    },
    "@version": "1",
    "user": {
        "email": "David@mail.com",
        "domain": "String",
        "id": "String",
        "name": "David"
    },
    "cloud": {
        "region": "String",
        "machine": {
            "type": "Standard_F16s"
        },
        "account": {},
        "service": {
            "name": "Virtual Machines"
        },
        "instance": {
            "id": "6789df-28022-468-376890-360afb9d2",
            "name": "FDG489GH"
        },
        "provider": "azure"
    },
    "url": {
        "original": "String"
    },
    "agent": {
        "name": "FDG489GH",
        "ephemeral_id": "23960-236790-268ad-378fd-25790af839",
        "id": "c23960-127d-365792-378fd-2679fad452",
        "version": "9.10.2",
        "hostname": "SHFK4683GH",
        "type": "filebeat"
    },
    "service": {
        "type": "o365"
    },
    "input": {
        "type": "o365audit"
    },
    "organization": {
        "id": "236757698-4683-268ad-378fd-3578efb389",
        "name": "23615647-4792-268ad-378fd-358fad37"
    },
    "event": {
        "category": "file",
        "code": "String",
        "kind": "event",
        "id": "46209-2593-369032-378fd-52ad73f",
        "outcome": "success",
        "action": "FileAccessed",
        "dataset": "o365.audit",
        "provider": "String",
        "module": "o365",
        "type": "access"
    },
    "@timestamp": "2021-12-19T13:39:46.000Z",
    "source": {
        "ip": "1.1.1.2"
    },
    "host": {
        "id": "e46209-46754-68ad674-35784-52ad73f",
        "name": "String"
    },
    "message": "Blob"
}

Sending Data to Hunters

For Hunters to integrate with your Office365 Audit logs, the log files should be collected into a storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters. Log files can be placed under a single prefix in the storage, or separated into different prefixes per data type.