cloud.office365.exchange

Introduction

The tag beginning with cloud.office365.exchange identifies events with workload generated by Microsoft Office 365 (hosted on Azure). The types of events supported are:

AirInvestigation
AzureActiveDirectory
Compliance
Endpoint
Exchange
MCAS
MicrosoftFlow

MicrosoftForms
MicrosoftStream
MicrosoftTeams
MyAnalytics
OneDrive
PowerApps
PowerBI

Quarantine
SecurityComplianceCenter
SharePoint
SkypeForBusiness
ThreatIntelligence
Yammer

How is the data sent to Devo?

You can forward logs generated by Microsoft Office 365 using any Syslog drain (for example, Syslog-ng).

Log samples

The following are sample logs sent to the cloud.office365.exchange tag. Also, find how the information will be parsed in your data table under the sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

2021-05-11 09:09:43.244 localhost=127.0.0.1 cloud.office365.exchange: {"CreationTime": "2021-03-17T19:04:36", "Id": "7973f043-b78d-4fcb-985b-3dbfae0bc000","Operation": "UserLoginFailed","OrganizationId": "5d3e2773-e07f-4432-a630-1a0f68a28a05","RecordType": 15,"ResultStatus": "Success","UserKey": "00000000-0000-0000-0000-000000000000","UserType": 0,"Version": 1,"Workload": "AzureActiveDirectory","ClientIP": "165.225.221.72","ObjectId": "00000002-0000-0000-c000-000000000000","UserId": "201423@cognizant.com","AzureActiveDirectoryEventType": 1,"ExtendedProperties": [{"Name": "ResultStatusDetail","Value": "Success"},{"Name": "UserAgent","Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"},{"Name": "RequestType","Value": "Saml2:processrequest"}],"ModifiedProperties": [],"Actor": [{"ID": "201423@cognizant.com","Type": 5}],"ActorContextId": "de08c407-19b9-427d-9fe8-edf254300ca7","ActorIpAddress": "165.225.221.72","InterSystemsId": "7c8a6fcc-c176-440d-a07c-5e78c3fc26a2","IntraSystemId": "7973f043-b78d-4fcb-985b-3dbfae0bc000","SupportTicketId": "","Target": [ {"ID": "00000002-0000-0000-c000-000000000000","Type": 0 }],"TargetContextId": "5d3e2773-e07f-4432-a630-1a0f68a28a05","ApplicationId": "ec187d92-7742-477c-8985-3af753c6719d","ErrorNumber": "16000","LogonError": "SelectUserAccount"}

And this is how the log would be parsed

Field	Value	Type	Extra fields
eventdate	`2021-05-11 09:09:43.244`	`timestamp`
CreationTime	`2021-03-17T19:04:36`	`str`
Id	`7973f043-b78d-4fcb-985b-3dbfae0bc000`	`str`
Operation	`UserLoginFailed`	`str`
OrganizationId	`5d3e2773-e07f-4432-a630-1a0f68a28a05`	`str`
RecordType	`15`	`int`
ResultStatus	`Success`	`str`
UserKey	`00000000-0000-0000-0000-000000000000`	`str`
UserType	`0`	`int`
Version	`1`	`int`
Workload	`AzureActiveDirectory`	`str`
ClientIP	`165.225.221.72`	`str`
ObjectId	`00000002-0000-0000-c000-000000000000`	`str`
UserId	`201423@cognizant.com`	`str`
ClientIPAddress	`null`	`str`
ClientInfoString	`null`	`str`
ClientProcessName	`null`	`str`
ClientVersion	`null`	`str`
ExternalAccess	`null`	`bool`
InternalLogonType	`null`	`int`
LogonType	`null`	`int`
LogonUserSid	`null`	`str`
MailboxGuid	`null`	`str`
MailboxOwnerSid	`null`	`str`
MailboxOwnerUPN	`null`	`str`
OrganizationName	`null`	`str`
OriginatingServer	`null`	`str`
SessionId	`null`	`str`
AzureActiveDirectoryEventType	`1`	`int`
ExtendedProperties_Name_str	`ResultStatusDetail,UserAgent,RequestType`	`str`
ExtendedProperties_Value_str	`Success,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36,Saml2:processrequest`	`str`
Actor_ID_str	`201423@cognizant.com`	`str`
Actor_Type_str	`5`	`str`
ActorContextId	`de08c407-19b9-427d-9fe8-edf254300ca7`	`str`
ActorIpAddress	`165.225.221.72`	`ip`
InterSystemsId	`7c8a6fcc-c176-440d-a07c-5e78c3fc26a2`	`str`
IntraSystemId	`7973f043-b78d-4fcb-985b-3dbfae0bc000`	`str`
SupportTicketId		`str`
Target_ID_str	`00000002-0000-0000-c000-000000000000`	`str`
Target_Type_str	`0`	`str`
TargetContextId	`5d3e2773-e07f-4432-a630-1a0f68a28a05`	`str`
ApplicationId	`ec187d92-7742-477c-8985-3af753c6719d`	`str`
AffectedItems_Attachments_str	`null`	`str`
AffectedItems_Id_str	`null`	`str`
AffectedItems_InternetMessageId_str	`null`	`str`
AffectedItems_ParentFolder_str	`null`	`str`
AffectedItems_Subject_str	`null`	`str`
CrossMailboxOperation	`null`	`bool`
Folder_Id	`null`	`str`
Folder_Path	`null`	`str`
hostchain	`localhost=127.0.0.1`	`str`	✓
tag	`cloud.office365.exchange`	`str`	✓
rawMessage	{"CreationTime": "2021-03-17T19:04:36", "Id": "7973f043-b78d-4fcb-985b-3dbfae0bc000","Operation": "UserLoginFailed","OrganizationId": "5d3e2773-e07f-4432-a630-1a0f68a28a05","RecordType": 15,"ResultStatus": "Success","UserKey": "00000000-0000-0000-0000-000000000000","UserType": 0,"Version": 1,"Workload": "AzureActiveDirectory","ClientIP": "165.225.221.72","ObjectId": "00000002-0000-0000-c000-000000000000","UserId": "201423@cognizant.com","AzureActiveDirectoryEventType": 1,"ExtendedProperties": [{"Name": "ResultStatusDetail","Value": "Success"},{"Name": "UserAgent","Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36"},{"Name": "RequestType","Value": "Saml2:processrequest"}],"ModifiedProperties": [],"Actor": [{"ID": "201423@cognizant.com","Type": 5}],"ActorContextId": "de08c407-19b9-427d-9fe8-edf254300ca7","ActorIpAddress": "165.225.221.72","InterSystemsId": "7c8a6fcc-c176-440d-a07c-5e78c3fc26a2","IntraSystemId": "7973f043-b78d-4fcb-985b-3dbfae0bc000","SupportTicketId": "","Target": [ {"ID": "00000002-0000-0000-c000-000000000000","Type": 0 }],"TargetContextId": "5d3e2773-e07f-4432-a630-1a0f68a28a05","ApplicationId": "ec187d92-7742-477c-8985-3af753c6719d","ErrorNumber": "16000","LogonError": "SelectUserAccount"}	`str`	✓