Introduction
Tags beginning with cloud.office365.management identify events generated by the Microsoft Office 365 workloads (hosted on Azure). The types of events supported are:
How is the data sent to Devo?
To send logs to this table, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Office 365 collector.
Log samples
The following are three sample events sent to the cloud.office365.management table, one raw line per event. After them you can see how the information is parsed into the columns of your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
2021-05-05 13:40:40.582 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:14:39", "Id": "2151f1c6-be90-397c-b747-531ba11a2c63", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "bb1ce88f-7f02-4811-8093-08d90fbea9ad3206597056826205911", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=bb1ce88f-7f02-4811-8093-08d90fbea9ad,bb1ce88f-7f02-4811-8093-08d90fbea9ad-320659705682620591-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<efe4cce87cd843f0898ea02bff80522f_CAErQ_N5GjBS4ehvQ6xds7DJqNf2_Wnyrj43QSXGvJDk1=HGnCw@mail.gmail.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:13:00", "NetworkMessageId": "bb1ce88f-7f02-4811-8093-08d90fbea9ad", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "bounces+16125188-3a3a-hrblockanswers=hrblock.com@em6484.tourscheduling.com", "P2Sender": "rdigiovanni@tourscheduling.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["hrblockanswers@hrblock.com"], "SenderIp": "167.89.51.149", "Subject": "Re: Google Street View Inside H&R Block", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Advanced filter]"], "Verdict": "Phish"}

2021-05-05 13:40:40.589 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:15:23", "Id": "5befd4ad-ec9f-4c02-9112-4d2ca7e113f4", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "78cfc607-3d29-46fd-ae5e-08d90fbee04946513991775614248221", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=78cfc607-3d29-46fd-ae5e-08d90fbee049,78cfc607-3d29-46fd-ae5e-08d90fbee049-4651399177561424822-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<E1leGMe-6WyVWA-Me@ucs101-ucs-11.msgpanel.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:13:58", "NetworkMessageId": "78cfc607-3d29-46fd-ae5e-08d90fbee049", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "olivia.w@tccwebinars.com", "P2Sender": "olivia.w@tccwebinars.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["gsrivastava@hrblock.com"], "SenderIp": "87.246.187.118", "Subject": "Next Week- MS Excel Pivot Tables, Charts & Graphs- Analyze, Modify and Present Data With Faster & Better Results", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Domain reputation]"], "Verdict": "Phish"}

2021-05-05 13:40:40.531 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:16:05", "Id": "02c29d28-8639-4f0a-59e0-d6fb2bd38204", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "58cb05b7-60ed-47f7-61fd-08d90fbf43a4181802769096114774741", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=58cb05b7-60ed-47f7-61fd-08d90fbf43a4,58cb05b7-60ed-47f7-61fd-08d90fbf43a4-18180276909611477474-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<20210504094241.1FEE17E057527C96@gmail.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:14:02", "NetworkMessageId": "58cb05b7-60ed-47f7-61fd-08d90fbf43a4", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "elysethompson1994@gmail.com", "P2Sender": "elysethompson1994@gmail.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["eltham@hrblock.com.au"], "SenderIp": "192.187.111.171", "Subject": "Mobile First Designs", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Advanced filter]"], "Verdict": "Phish"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate | | | |
Id | | | |
Workload | | | |
StatusTime | | | |
FeatureStatus | | | |
Status | | | |
StatusDisplayName | | | |
IncidentIds | | | |
WorkloadDisplayName | | | |
UserType | | | |
timestamp | | | |
Operation | | | |
Version | | | |
LogonType | | | |
MailboxOwnerSid | | | |
ExternalAccess | | | |
OrganizationName | | | |
SessionId | | | |
ClientAddress | | | |
ClientIPAddress | | | |
ClientProcessName | | | |
ResultStatus | | | |
UserId | | | |
LogonUserSid | | | |
InternalLogonType | | | |
OriginatingServer | | | |
UserKey | | | |
MailboxGuid | | | |
OrganizationId | | | |
RecordType | | | |
ClientInfoString | | | |
MailboxOwnerUPN | | | |
CrossMailboxOperation | | | |
AffectedItems | | | |
Folder_Id | | | |
Folder_Path | | | |
Item_Subject | | | |
Item_Attachments | | | |
Item_ParentFolder_Id | | | |
Item_ParentFolder_Path | | | |
ModifiedProperties | | | |
SendOnBehalfOfUserSmtp | | | |
SendAsUserSmtp | | | |
PolicyDetails | | | |
PolicyDetails_PolicyName_str | | | |
PolicyDetails_PolicyId_str | | | |
PolicyDetails_location_str | | | |
PolicyDetails_RuleMode_str | | | |
PolicyDetails_RuleName_str | | | |
PolicyDetails_RuleId_str | | | |
PolicyDetails_Severity_str | | | |
PolicyDetails_ManagementRuleId_str | | | |
Unique_PolicyDetails_location_str | | | |
PolicyDetails_confidence_str | | | |
PolicyDetails_count_str | | | |
PolicyDetails_sensitiveType_str | | | |
PolicyDetails_uniqueCount_str | | | |
PolicyDetails_ConditionsMatched_Name_str | | | |
PolicyDetails_ConditionsMatched_Value_str | | | |
PolicyDetails_ConditionMatchedInNewScheme_str | | | |
ExchangeMetaData_BCC | | | |
ExchangeMetaData_MessageID | | | |
ExchangeMetaData_From | | | |
ExchangeMetaData_CC | | | |
ExchangeMetaData_Sent | | | |
ExchangeMetaData_Subject | | | |
ExchangeMetaData_RecipientCount | | | |
ExchangeMetaData_To | | | |
InterSystemsId | | | |
TargetUserId | | | |
Actor_ID_str | | | |
Actor_Type_str | | | |
ActorContextId | | | |
YammerNetworkId | | | |
ActorUserId | | | |
ActorIpAddress | | | |
Client | | | |
ClientIP | | | |
LogonError | | | |
ApplicationId | | | |
Target_ID_str | | | |
Target_Type_str | | | |
IntraSystemId | | | |
ExtendedProperties_Name_str | | | |
ExtendedProperties_Value_str | | | |
ActorYammerUserId | | | |
FileName | | | |
TargetContextId | | | |
AzureActiveDirectoryEventType | | | |
VersionId | | | |
FileId | | | |
PostIncidentDocumentUrl | | | |
Severity | | | |
Title | | | |
Comments | | | |
AffectedWorkloadDisplayNames | | | |
AlertEntityId | | | |
Messages_MessageText_str | | | |
Messages_PublishedTime_str | | | |
ChannelGuid | | | |
LogonUserDisplayName | | | |
RecipientUPN | | | |
ApplicationDisplayName | | | |
MessageType | | | |
EventSource | | | |
DestinationRelativeUrl | | | |
MachineId | | | |
WebId | | | |
SendOnBehalfOfUserMailboxGuid | | | |
ExtraProperties_Key_str | | | |
ExtraProperties_Value_str | | | |
SharingPermission | | | |
ObjectName | | | |
SharingType | | | |
DataflowRefreshScheduleType | | | |
TenantName | | | |
CustomUniqueId | | | |
DatasetId | | | |
SiteUrl | | | |
Parameters_Name_str | | | |
Parameters_Value_str | | | |
ImportType | | | |
ImportId | | | |
PolicyId | | | |
ItemName | | | |
Datasets_DatasetId_str | | | |
Datasets_DatasetName_str | | | |
ImplicitShare | | | |
ImportDisplayName | | | |
ItemType | | | |
WorkSpaceName | | | |
DestFolder_Path | | | |
DestFolder_Id | | | |
UniqueSharingId | | | |
TargetUserOrGroupName | | | |
FlowConnectorNames | | | |
FileSyncBytesCommitted | | | |
CorrelationId | | | |
Members_DisplayName_str | | | |
Members_UPN_str | | | |
Members_Role_str | | | |
AddOnGuid | | | |
DashboardName | | | |
IsSuccess | | | |
AlertId | | | |
ListTitle | | | |
ReportType | | | |
AffectedWorkloadNames | | | |
FlowDetailsUrl | | | |
TargetYammerUserId | | | |
ImpactDescription | | | |
BrowserName | | | |
OperationProperties_Value_str | | | |
OperationProperties_Name_str | | | |
ReportId | | | |
DestMailboxOwnerSid | | | |
AffectedUserCount | | | |
Category | | | |
MachineDomainInfo | | | |
ListBaseType | | | |
DestMailboxId | | | |
TabType | | | |
Activity | | | |
DestinationFileExtension | | | |
UserUPN | | | |
ListId | | | |
SourceRelativeUrl | | | |
UserTypeInitiated | | | |
EndTime | | | |
SendAsUserMailboxGuid | | | |
ActionType | | | |
SourceFileExtension | | | |
DashboardId | | | |
ClientApplicationId | | | |
DestMailboxOwnerUPN | | | |
MailboxOwnerMasterAccountSid | | | |
SensitiveInfoDetectionIsIncluded | | | |
Schedules_RefreshFrequency | | | |
Schedules_Days_str | | | |
Schedules_Time_str | | | |
Schedules_TimeZone | | | |
TeamName | | | |
WorkspaceId | | | |
DataflowType | | | |
SourceFileName | | | |
FeatureDisplayName | | | |
EntityPath | | | |
TeamGuid | | | |
ResourceTitle | | | |
Classification | | | |
ListBaseTemplateType | | | |
DestinationFileName | | | |
AffectedTenantCount | | | |
DatasetName | | | |
LicenseDisplayName | | | |
Feature | | | |
StartTime | | | |
TargetUserOrGroupType | | | |
DataConnectivityMode | | | |
LastUpdatedTime | | | |
ReportName | | | |
EntityType | | | |
OperationDetails | | | |
UserAgent | | | |
AlertType | | | |
Name | | | |
CmdletVersion | | | |
ImportSource | | | |
SkypeForBusinessEventType | | | |
AddOnType | | | |
DoNotDistributeEvent | | | |
ChannelName | | | |
ListItemUniqueId | | | |
ObjectId | | | |
AttachmentData | | | |
DeliveryAction | | | |
DetectionMethod | | | |
DetectionType | | | |
Directionality | | | |
EventDeepLink | | | |
InternetMessageId | | | |
LatestDeliveryLocation | | | |
MessageTime | | | |
NetworkMessageId | | | |
OriginalDeliveryLocation | | | |
P1Sender | | | |
P2Sender | | | |
Policy | | | |
PolicyAction | | | |
Recipients | | | |
SenderIp | | | |
Subject | | | |
ThreatsAndDetectionTech | | | |
Verdict | | | |
SourceLocationType | | | |
Platform | | | |
Application | | | |
FileExtension | | | |
DeviceName | | | |
MDATPDeviceId | | | |
FileSize | | | |
FileType | | | |
Hidden | | | |
message | | | |
hostchain | | | ✓ |
tag | | | ✓ |
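To make the mapping from a raw line to the columns above concrete, here is an added example (written for this page, not code from Devo or the Office 365 collector). It parses lines in the layout shown in the samples above into the eventdate, hostchain, tag and message columns, flattens the JSON body into table-style column names, and runs a small triage over the TIMailData events: a Phish verdict whose LatestDeliveryLocation is not Quarantine, an envelope sender (P1Sender) whose domain differs from the header From (P2Sender), and a location that changed after delivery. The flattening rules (nested keys joined with an underscore, a _str suffix for values lifted out of a list of objects) are an assumption inferred from the field names in the table, not Devo's documented parser. The first input line is a trimmed copy of the first sample on this page; the second is constructed on example.com and example.net domains.

```python
"""Parse raw cloud.office365.management lines and triage the TIMailData events.

Added example for this page, not code from Devo or the Office 365 collector.
The raw-line layout "<eventdate> <hostchain> <tag>: <JSON>" is read off the samples
above; the column-naming rules in flatten() are an ASSUMPTION inferred from the
field names in the table, not Devo's documented parser behaviour.
"""
import json
import re

LINE_RE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<tag>cloud\.office365\.management): (?P<message>\{.*\})\s*$"
)

# Constructed input: [0] is the first sample above minus a few long fields
# (ObjectId, EventDeepLink, InternetMessageId); [1] is made up, on example.com
# and example.net domains, to exercise the "phish reached the mailbox" path.
SAMPLE_LINES = [
    '2021-05-05 13:40:40.582 ip-10-36-0-8=54.234.232.241 cloud.office365.management: '
    '{"CreationTime": "2021-05-05T12:14:39", "Id": "2151f1c6-be90-397c-b747-531ba11a2c63", '
    '"Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", '
    '"RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, '
    '"Workload": "ThreatIntelligence", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", '
    '"DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", '
    '"LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:13:00", '
    '"NetworkMessageId": "bb1ce88f-7f02-4811-8093-08d90fbea9ad", "OriginalDeliveryLocation": "Quarantine", '
    '"P1Sender": "bounces+16125188-3a3a-hrblockanswers=hrblock.com@em6484.tourscheduling.com", '
    '"P2Sender": "rdigiovanni@tourscheduling.com", "Policy": "Spoof", "PolicyAction": "Quarantine", '
    '"Recipients": ["hrblockanswers@hrblock.com"], "SenderIp": "167.89.51.149", '
    '"Subject": "Re: Google Street View Inside H&R Block", '
    '"ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Advanced filter]"], '
    '"Verdict": "Phish"}',
    '2021-05-05 13:41:02.117 ip-10-36-0-8=54.234.232.241 cloud.office365.management: '
    '{"CreationTime": "2021-05-05T12:20:11", "Id": "00000000-0000-4000-8000-000000000001", '
    '"Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", '
    '"RecordType": 28, "Workload": "ThreatIntelligence", "DeliveryAction": "Delivered", '
    '"LatestDeliveryLocation": "Inbox/folder", "OriginalDeliveryLocation": "Inbox/folder", '
    '"NetworkMessageId": "00000000-0000-4000-8000-000000000002", "Policy": "Spoof", '
    '"P1Sender": "billing@mail.example.net", "P2Sender": "ceo@example.com", '
    '"Recipients": ["finance@example.com"], "SenderIp": "203.0.113.10", '
    '"Subject": "Urgent wire transfer", "Verdict": "Phish"}',
]

def flatten(obj, prefix=""):
    """Flatten nested JSON into table column names (assumed rules, see module docstring)."""
    cols = {}
    if isinstance(obj, dict):  # nesting joined with "_", e.g. Folder_Id
        for key, val in obj.items():
            cols.update(flatten(val, f"{prefix}_{key}" if prefix else key))
    elif isinstance(obj, list) and obj and all(isinstance(i, dict) for i in obj):
        # List of objects: one "<prefix>_<key>_str" column per key, values joined
        # with commas, e.g. PolicyDetails_PolicyName_str.
        for key in dict.fromkeys(k for item in obj for k in item):
            cols[f"{prefix}_{key}_str"] = ",".join(str(i.get(key, "")) for i in obj)
    else:
        cols[prefix] = obj  # scalars and lists of scalars (Recipients) kept as-is
    return cols

def parse_line(line):
    """Split a raw line into eventdate/hostchain/tag/message, then add the JSON fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a cloud.office365.management line")
    row = m.groupdict()
    row.update(flatten(json.loads(row["message"])))
    return row

def _domain(addr):
    """Lower-cased domain part of an SMTP address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_mail(row):
    """Findings for one parsed TIMailData (RecordType 28) row; None for other events."""
    if row.get("Operation") != "TIMailData" or row.get("RecordType") != 28:
        return None
    findings = []
    # Phish verdict whose latest known location is not Quarantine: the message is
    # (or was) reachable by the user, which is the case worth paging on.
    if row.get("Verdict") == "Phish" and row.get("LatestDeliveryLocation") != "Quarantine":
        findings.append("phish_delivered")
    # Envelope sender (P1) and header From (P2) in different domains is the raw
    # signal behind "Spoof external domain". Compared strictly, so a bulk sender
    # bouncing through a sub-domain (as in sample [0]) trips it too.
    if _domain(row.get("P1Sender", "")) != _domain(row.get("P2Sender", "")):
        findings.append("p1_p2_domain_mismatch")
    # Location changed after delivery: zero-hour auto purge or an admin action.
    if row.get("OriginalDeliveryLocation") != row.get("LatestDeliveryLocation"):
        findings.append("post_delivery_move")
    return {"eventdate": row["eventdate"], "network_message_id": row.get("NetworkMessageId"),
            "recipients": row.get("Recipients", []), "sender_ip": row.get("SenderIp"),
            "verdict": row.get("Verdict"), "findings": findings}

def triage_lines(lines):
    """Parse every raw line and keep the triage results of the mail events."""
    return [r for r in (triage_mail(parse_line(line)) for line in lines) if r is not None]

if __name__ == "__main__":
    for r in triage_lines(SAMPLE_LINES):
        print(r["eventdate"], r["network_message_id"], r["findings"])
```

Run as-is it prints one line per mail event. In practice you would feed it the raw lines of a query on this table and alert on phish_delivered; none of the three samples on this page trigger that finding because all three were quarantined, while the first one does trip the strict P1/P2 domain comparison (bounces from em6484.tourscheduling.com, From at tourscheduling.com), which is the kind of noise you tune out by comparing registrable domains instead.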