
cloud.office365

Introduction

Tags beginning with cloud.office365 identify events generated by the workloads of Microsoft 365 cloud products (formerly Office 365).

Valid tags and data tables

The full tag must have at least 3 levels. The first 2 are fixed as cloud.office365. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
| --- | --- | --- |
| Microsoft 365 Azure Active Directory | cloud.office365.aad | cloud.office365.aad |
| Microsoft 365 Data Loss Prevention | cloud.office365.dlp | cloud.office365.dlp |
| Microsoft 365 Exchange | cloud.office365.exchange | cloud.office365.exchange |
| Microsoft 365 Identity Alerts | cloud.office365.identity.alerts | cloud.office365.identity.alerts |
| Microsoft 365 management | cloud.office365.management | cloud.office365.management (union table) |
| | cloud.office365.management.aip | cloud.office365.management.aip |
| | cloud.office365.management.airinvestigation | cloud.office365.management.airinvestigation |
| | cloud.office365.management.azureactivedirectory | cloud.office365.management.azureactivedirectory |
| | cloud.office365.management.cca | cloud.office365.management.cca |
| | cloud.office365.management.compliance | cloud.office365.management.compliance |
| | cloud.office365.management.compliancemanager | cloud.office365.management.compliancemanager |
| | cloud.office365.management.corereporting | cloud.office365.management.corereporting |
| | cloud.office365.management.crm | cloud.office365.management.crm |
| | cloud.office365.management.dlpsensitiveinformationtype | cloud.office365.management.dlpsensitiveinformationtype |
| | cloud.office365.management.endpoint | cloud.office365.management.endpoint |
| | cloud.office365.management.exchange | cloud.office365.management.exchange |
| | cloud.office365.management.mcas | cloud.office365.management.mcas |
| | cloud.office365.management.microsoftflow | cloud.office365.management.microsoftflow |
| | cloud.office365.management.microsoftforms | cloud.office365.management.microsoftforms |
| | cloud.office365.management.microsoftstream | cloud.office365.management.microsoftstream |
| | cloud.office365.management.microsoftteams | cloud.office365.management.microsoftteams |
| | cloud.office365.management.mip | cloud.office365.management.mip |
| | cloud.office365.management.myanalytics | cloud.office365.management.myanalytics |
| | cloud.office365.management.officeapps | cloud.office365.management.officeapps |
| | cloud.office365.management.onedrive | cloud.office365.management.onedrive |
| | cloud.office365.management.onedriveforbusiness | cloud.office365.management.onedriveforbusiness |
| | cloud.office365.management.powerapps | cloud.office365.management.powerapps |
| | cloud.office365.management.powerbi | cloud.office365.management.powerbi |
| | cloud.office365.management.powerplatformadmin | cloud.office365.management.powerplatformadmin |
| | cloud.office365.management.project | cloud.office365.management.project |
| | cloud.office365.management.publicendpoint | cloud.office365.management.publicendpoint |
| | cloud.office365.management.quarantine | cloud.office365.management.quarantine |
| | cloud.office365.management.rdl | cloud.office365.management.rdl |
| | cloud.office365.management.se | cloud.office365.management.se |
| | cloud.office365.management.securitycompliancecenter | cloud.office365.management.securitycompliancecenter |
| | cloud.office365.management.sharepoint | cloud.office365.management.sharepoint |
| | cloud.office365.management.skypeforbusiness | cloud.office365.management.skypeforbusiness |
| | cloud.office365.management.threatintelligence | cloud.office365.management.threatintelligence |
| | cloud.office365.management.workplaceanalytics | cloud.office365.management.workplaceanalytics |
| | cloud.office365.management.yammer | cloud.office365.management.yammer |
| Microsoft 365 message tracing | cloud.office365.messagetracing | cloud.office365.messagetracing |
| Microsoft 365 OneDrive | cloud.office365.onedrive | cloud.office365.onedrive |
| - | cloud.office365.other | cloud.office365.other |
| Microsoft 365 reports | cloud.office365.reporting.atptraffic | cloud.office365.reporting.atpraffic |
| | cloud.office365.reporting.maildetailatp | cloud.office365.reporting.maildetailatp |
| | cloud.office365.reporting.mailtraffic | cloud.office365.reporting.mailtraffic |
| | cloud.office365.reporting.messagetrace | cloud.office365.reporting.messagetrace |
| | cloud.office365.reporting.safelinksdetail | cloud.office365.reporting.safelinksdetail |
| | cloud.office365.reporting.spoofmail | cloud.office365.reporting.spoofmail |
| Microsoft 365 security events | cloud.office365.security.scorecontrol | cloud.office365.security.scorecontrol |
| | cloud.office365.security.scores | cloud.office365.security.scores |
| Microsoft 365 Security & Compliance Center | cloud.office365.securitycompliancecenter | cloud.office365.securitycompliancecenter |
| Microsoft 365 SharePoint | cloud.office365.sharepoint | cloud.office365.sharepoint |
| Microsoft 365 SIEM agent | cloud.office365.siem_agent_alert | cloud.office365.siem_agent.alert |
| | cloud.office365.siem_agent_event | cloud.office365.siem_agent.event |
| Microsoft 365 Teams | cloud.office365.teams | cloud.office365.teams |

Union table: cloud.office365.management is a union table, which means it collects information from different related tables. See more information about this union table in this article.

For more information, read About Devo tags.

How is the data sent to Devo?

Table structure

These are the fields displayed in these tables: