cloud.office365.management

Introduction

The tag beginning cloud.office365.management identifies events with workload generated by Microsoft Office 365 (hosted on Azure). The types of events supported are:

AirInvestigation
AzureActiveDirectory
Compliance
Endpoint
Exchange
MCAS
MicrosoftFlow

MicrosoftForms
MicrosoftStream
MicrosoftTeams
MyAnalytics
OneDrive
PowerApps
PowerBI

Quarantine
SecurityComplianceCenter
SharePoint
SkypeForBusiness
ThreatIntelligence
Yammer

How is the data sent to Devo?

To send logs to this table, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Office 365 collector.

Log samples

The following is a sample log sent to the cloud.office365.management table. Also, find how the information will be parsed in your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

2021-05-05 13:40:40.582 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:14:39", "Id": "2151f1c6-be90-397c-b747-531ba11a2c63", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "bb1ce88f-7f02-4811-8093-08d90fbea9ad3206597056826205911", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=bb1ce88f-7f02-4811-8093-08d90fbea9ad,bb1ce88f-7f02-4811-8093-08d90fbea9ad-320659705682620591-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<efe4cce87cd843f0898ea02bff80522f_CAErQ_N5GjBS4ehvQ6xds7DJqNf2_Wnyrj43QSXGvJDk1=HGnCw@mail.gmail.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:13:00", "NetworkMessageId": "bb1ce88f-7f02-4811-8093-08d90fbea9ad", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "bounces+16125188-3a3a-hrblockanswers=hrblock.com@em6484.tourscheduling.com", "P2Sender": "rdigiovanni@tourscheduling.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["hrblockanswers@hrblock.com"], "SenderIp": "167.89.51.149", "Subject": "Re: Google Street View Inside H&R Block", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Advanced filter]"], "Verdict": "Phish"}
2021-05-05 13:40:40.589 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:15:23", "Id": "5befd4ad-ec9f-4c02-9112-4d2ca7e113f4", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "78cfc607-3d29-46fd-ae5e-08d90fbee04946513991775614248221", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=78cfc607-3d29-46fd-ae5e-08d90fbee049,78cfc607-3d29-46fd-ae5e-08d90fbee049-4651399177561424822-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<E1leGMe-6WyVWA-Me@ucs101-ucs-11.msgpanel.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:13:58", "NetworkMessageId": "78cfc607-3d29-46fd-ae5e-08d90fbee049", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "olivia.w@tccwebinars.com", "P2Sender": "olivia.w@tccwebinars.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["gsrivastava@hrblock.com"], "SenderIp": "87.246.187.118", "Subject": "Next Week- MS Excel Pivot Tables, Charts & Graphs- Analyze, Modify and Present Data With Faster & Better Results", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Domain reputation]"], "Verdict": "Phish"}
2021-05-05 13:40:40.531 ip-10-36-0-8=54.234.232.241 cloud.office365.management: {"CreationTime": "2021-05-05T12:16:05", "Id": "02c29d28-8639-4f0a-59e0-d6fb2bd38204", "Operation": "TIMailData", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 28, "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence", "ObjectId": "58cb05b7-60ed-47f7-61fd-08d90fbf43a4181802769096114774741", "UserId": "ThreatIntel", "DeliveryAction": "Blocked", "DetectionMethod": "Spoof external domain", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://protection.office.com/?hash=/threatexplorer?messageParams=58cb05b7-60ed-47f7-61fd-08d90fbf43a4,58cb05b7-60ed-47f7-61fd-08d90fbf43a4-18180276909611477474-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish", "InternetMessageId": "<20210504094241.1FEE17E057527C96@gmail.com>", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2021-05-05T12:14:02", "NetworkMessageId": "58cb05b7-60ed-47f7-61fd-08d90fbf43a4", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "elysethompson1994@gmail.com", "P2Sender": "elysethompson1994@gmail.com", "Policy": "Spoof", "PolicyAction": "Quarantine", "Recipients": ["eltham@hrblock.com.au"], "SenderIp": "192.187.111.171", "Subject": "Mobile First Designs", "ThreatsAndDetectionTech": ["Phish: [Spoof external domain]", "Spam: [Advanced filter]"], "Verdict": "Phish"}
2021-07-28 11:31:46.055 localhost=127.0.0.1 cloud.office365.management: {"CreationTime": "2021-07-27T07:00:07", "Id": "1f0d90aa-ea89-4198-ab8f-f623282cce76", "Operation": "MailItemsAccessed", "OrganizationId": "3ec4eda1-a5d1-433d-90da-8dc791283d95", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "1003000093CE36CB", "UserType": 0, "Version": 1, "Workload": "Exchange", "UserId": "rosemiller", "AppId": "a33b759f-4c83-4a0f-873b-267456f3d63e", "ClientIPAddress": "155.134.38.214", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "kristenlittle", "MailboxGuid": "5aa78e74-e91c-4909-80ac-dd2faf140c52", "MailboxOwnerSid": "kristenlittle", "MailboxOwnerUPN": "rosemiller", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "desktop-22.phillips.org", "OriginatingServer": "DM6PR11MB4219 (15.20.4200.000)\\r\\n", "SessionId": "def328a1-0d5a-4ec5-8e71-8de31ecbe0e8", "Folders": [{"FolderItems": [{"InternetMessageId": "<michaelwilliams@herrera.info>"}, {"InternetMessageId": "<troy27@hotmail.com>"}, {"InternetMessageId": "<ecameron@holmes.org>"}, {"InternetMessageId": "<gregorybarr@laptop-41.reese-king.info>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQDqoCqPs9WeQJ1+mxruey4WABdDYgAMAAAB", "Path": "\\\\Projects\\\\FOM"}, {"FolderItems": [{"InternetMessageId": "<200264$jessewilkins@may.org>"}, {"InternetMessageId": "<200264$melissa94@hale.net>"}, {"InternetMessageId": "<200264$fjackson@rodriguez.com>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQAQc4HwGZxJTZN/54pyOvszABY1NS+xAAAB", "Path": "\\\\Deleted Items"}, {"FolderItems": [{"InternetMessageId": "<hwright@laptop-41.reese-king.info>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQCX/pRPTWfdQ5JL9MBMffNqAAMqINwVAAAB", "Path": "\\\\Projects\\\\FIN\\\\Jobs\\\\Prod Batch Jobs"}], "OperationCount": 8, "@devo_fetch_start": "2021-07-27T07:02:44", "@devo_start_requests": "2021-07-27 07:05:14.285655", "@devo_received_response": "2021-07-27 07:05:17.865811", "@devo_fetch_end": "2021-07-27T07:04:59", "@devo_sending_time": "2021-07-27 07:05:17.914964"}

And this is how the log would be parsed:

Field	Value	Type	Extra fields
eventdate	`2021-05-05 15:40:40.531`	`timestamp`
Id	`02c29d28-8639-4f0a-59e0-d6fb2bd38204`	`str`
Workload	`ThreatIntelligence`	`str`
StatusTime	`null`	`str`
FeatureStatus	`null`	`str`
Status	`null`	`str`
StatusDisplayName	`null`	`str`
IncidentIds	`null`	`str`
WorkloadDisplayName	`null`	`str`
UserType	`4`	`int`
timestamp	`2021-05-05 14:16:05.000`	`timestamp`
Operation	`TIMailData`	`str`
Version	`1`	`int`
LogonType	`null`	`int`
MailboxOwnerSid	`null`	`str`
ExternalAccess	`null`	`bool`
OrganizationName	`null`	`str`
SessionId	`null`	`str`
ClientAddress	`null`	`str`
ClientIPAddress	`null`	`str`
ClientProcessName	`null`	`str`
ResultStatus	`null`	`str`
UserId	`ThreatIntel`	`str`
LogonUserSid	`null`	`str`
InternalLogonType	`null`	`int`
OriginatingServer	`null`	`str`
UserKey	`ThreatIntel`	`str`
MailboxGuid	`null`	`str`
OrganizationId	`3ec4eda1-a5d1-433d-90da-8dc791283d95`	`str`
RecordType	`28`	`int`
ClientInfoString	`null`	`str`
MailboxOwnerUPN	`null`	`str`
CrossMailboxOperation	`null`	`bool`
AffectedItems	`null`	`str`
Folder_Id	`null`	`str`
Folder_Path	`null`	`str`
FoldersItemsStr	“[{"FolderItems": [{"InternetMessageId": "<michaelwilliams@herrera.info>"}, {"InternetMessageId": "<troy27@hotmail.com>"}, {"InternetMessageId": "<ecameron@holmes.org>"}, {"InternetMessageId": "<gregorybarr@laptop-41.reese-king.info>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQDqoCqPs9WeQJ1+mxruey4WABdDYgAMAAAB", "Path": "\\\\Projects\\\\FOM"}, {"FolderItems": [{"InternetMessageId": "<200264$jessewilkins@may.org>"}, {"InternetMessageId": "<200264$melissa94@hale.net>"}, {"InternetMessageId": "<200264$fjackson@rodriguez.com>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQAQc4HwGZxJTZN/54pyOvszABY1NS+xAAAB", "Path": "\\\\Deleted Items"}, {"FolderItems": [{"InternetMessageId": "<hwright@laptop-41.reese-king.info>"}], "Id": "LgAAAACHzhHkShFlQp9g+Wj4ghzOAQCX/pRPTWfdQ5JL9MBMffNqAAMqINwVAAAB", "Path": "\\\\Projects\\\\FIN\\\\Jobs\\\\Prod Batch Jobs"}]“	`str`
ForwardTo	`rita.perez@nomail.co;roberto.lopez@nomail.co`	`str`
Parameters_Raw	`[{"Name":"Identity","Value":"Charlie.Hillis@de.com"},{"Name": "ForwardTo", "Value": "rita.perez@nomail.co;roberto.lopez@nomail.co"},{"Name":"ActiveSyncAllowedDeviceIDs","Value":"+1QD8P4A5OH1OBFGTHKOO1CNT5K"}]`	`str`
Item_Subject	`null`	`str`
Item_Attachments	`null`	`str`
Item_ParentFolder_Id	`null`	`str`
Item_ParentFolder_Path	`null`	`str`
ModifiedProperties	`null`	`str`
SendOnBehalfOfUserSmtp	`null`	`str`
SendAsUserSmtp	`null`	`str`
PolicyDetails	`null`	`str`
PolicyDetails_PolicyName_str	`null`	`str`
PolicyDetails_PolicyId_str	`null`	`str`
PolicyDetails_location_str	`null`	`str`
PolicyDetails_RuleMode_str	`null`	`str`
PolicyDetails_RuleName_str	`null`	`str`
PolicyDetails_RuleId_str	`null`	`str`
PolicyDetails_Severity_str	`null`	`str`
PolicyDetails_ManagementRuleId_str	`null`	`str`
Unique_PolicyDetails_location_str	`null`	`str`
PolicyDetails_confidence_str	`null`	`str`
PolicyDetails_count_str	`null`	`str`
PolicyDetails_sensitiveType_str	`null`	`str`
PolicyDetails_uniqueCount_str	`null`	`str`
PolicyDetails_ConditionsMatched_Name_str	`null`	`str`
PolicyDetails_ConditionsMatched_Value_str	`null`	`str`
PolicyDetails_ConditionMatchedInNewScheme_str	`null`	`str`
ExchangeMetaData_BCC	`null`	`str`
ExchangeMetaData_MessageID	`null`	`str`
ExchangeMetaData_From	`null`	`str`
ExchangeMetaData_CC	`null`	`str`
ExchangeMetaData_Sent	`null`	`str`
ExchangeMetaData_Subject	`null`	`str`
ExchangeMetaData_RecipientCount	`null`	`int`
ExchangeMetaData_To	`null`	`str`
InterSystemsId	`null`	`str`
TargetUserId	`null`	`str`
Actor_ID_str	`null`	`str`
Actor_Type_str	`null`	`str`
ActorContextId	`null`	`str`
YammerNetworkId	`null`	`int`
ActorUserId	`null`	`str`
ActorIpAddress	`null`	`str`
Client	`null`	`str`
ClientIP	`null`	`str`
LogonError	`null`	`str`
ApplicationId	`null`	`str`
Target_ID_str	`null`	`str`
Target_Type_str	`null`	`str`
IntraSystemId	`null`	`str`
ExtendedProperties_Name_str	`null`	`str`
ExtendedProperties_Value_str	`null`	`str`
ActorYammerUserId	`null`	`int`
FileName	`null`	`str`
TargetContextId	`null`	`str`
AzureActiveDirectoryEventType	`null`	`int`
VersionId	`null`	`int`
FileId	`null`	`int`
PostIncidentDocumentUrl	`null`	`str`
Severity	`null`	`str`
Title	`null`	`str`
Comments	`null`	`str`
AffectedWorkloadDisplayNames	`null`	`str`
AlertEntityId	`null`	`str`
Messages_MessageText_str	`null`	`str`
Messages_PublishedTime_str	`null`	`str`
ChannelGuid	`null`	`str`
LogonUserDisplayName	`null`	`str`
RecipientUPN	`null`	`str`
ApplicationDisplayName	`null`	`str`
MessageType	`null`	`str`
EventSource	`null`	`str`
DestinationRelativeUrl	`null`	`str`
MachineId	`null`	`str`
WebId	`null`	`str`
SendOnBehalfOfUserMailboxGuid	`null`	`str`
ExtraProperties_Key_str	`null`	`str`
ExtraProperties_Value_str	`null`	`str`
SharingPermission	`null`	`int`
ObjectName	`null`	`str`
SharingType	`null`	`str`
DataflowRefreshScheduleType	`null`	`str`
TenantName	`null`	`str`
CustomUniqueId	`null`	`bool`
DatasetId	`null`	`str`
SiteUrl	`null`	`str`
Parameters_Name_str	`null`	`str`
Parameters_Value_str	`null`	`str`
ImportType	`null`	`str`
ImportId	`null`	`str`
PolicyId	`null`	`str`
ItemName	`null`	`str`
Datasets_DatasetId_str	`null`	`str`
Datasets_DatasetName_str	`null`	`str`
ImplicitShare	`null`	`str`
ImportDisplayName	`null`	`str`
ItemType	`null`	`str`
WorkSpaceName	`null`	`str`
DestFolder_Path	`null`	`str`
DestFolder_Id	`null`	`str`
UniqueSharingId	`null`	`str`
TargetUserOrGroupName	`null`	`str`
FlowConnectorNames	`null`	`str`
FileSyncBytesCommitted	`null`	`str`
CorrelationId	`null`	`str`
Members_DisplayName_str	`null`	`str`
Members_UPN_str	`null`	`str`
Members_Role_str	`null`	`str`
AddOnGuid	`null`	`str`
DashboardName	`null`	`str`
IsSuccess	`null`	`bool`
AlertId	`null`	`str`
ListTitle	`null`	`str`
ReportType	`null`	`str`
AffectedWorkloadNames	`null`	`str`
FlowDetailsUrl	`null`	`str`
TargetYammerUserId	`null`	`int`
ImpactDescription	`null`	`str`
BrowserName	`null`	`str`
OperationProperties_Value_str	`null`	`str`
OperationProperties_Name_str	`null`	`str`
ReportId	`null`	`str`
DestMailboxOwnerSid	`null`	`str`
AffectedUserCount	`null`	`int`
Category	`null`	`str`
MachineDomainInfo	`null`	`str`
ListBaseType	`null`	`str`
DestMailboxId	`null`	`str`
TabType	`null`	`str`
Activity	`null`	`str`
DestinationFileExtension	`null`	`str`
UserUPN	`null`	`str`
ListId	`null`	`str`
SourceRelativeUrl	`null`	`str`
UserTypeInitiated	`null`	`int`
EndTime	`null`	`str`
SendAsUserMailboxGuid	`null`	`str`
ActionType	`null`	`str`
SourceFileExtension	`null`	`str`
DashboardId	`null`	`str`
ClientApplicationId	`null`	`str`
DestMailboxOwnerUPN	`null`	`str`
MailboxOwnerMasterAccountSid	`null`	`str`
SensitiveInfoDetectionIsIncluded	`null`	`bool`
Schedules_RefreshFrequency	`null`	`str`
Schedules_Days_str	`null`	`str`
Schedules_Time_str	`null`	`str`
Schedules_TimeZone	`null`	`str`
TeamName	`null`	`str`
WorkspaceId	`null`	`str`
DataflowType	`null`	`str`
SourceFileName	`null`	`str`
FeatureDisplayName	`null`	`str`
EntityPath	`null`	`str`
TeamGuid	`null`	`str`
ResourceTitle	`null`	`str`
Classification	`null`	`str`
ListBaseTemplateType	`null`	`str`
DestinationFileName	`null`	`str`
AffectedTenantCount	`null`	`int`
DatasetName	`null`	`str`
LicenseDisplayName	`null`	`str`
Feature	`null`	`str`
StartTime	`null`	`str`
TargetUserOrGroupType	`null`	`str`
DataConnectivityMode	`null`	`str`
LastUpdatedTime	`null`	`str`
ReportName	`null`	`str`
EntityType	`null`	`str`
OperationDetails	`null`	`str`
UserAgent	`null`	`str`
AlertType	`null`	`str`
Name	`null`	`str`
CmdletVersion	`null`	`str`
ImportSource	`null`	`str`
SkypeForBusinessEventType	`null`	`int`
AddOnType	`null`	`int`
DoNotDistributeEvent	`null`	`bool`
ChannelName	`null`	`str`
ListItemUniqueId	`null`	`str`
ObjectId	`58cb05b7-60ed-47f7-61fd-08d90fbf43a4181802769096114774741`	`str`
AttachmentData	`null`	`json`
DeliveryAction	`Blocked`	`str`
DetectionMethod	`Spoof external domain`	`str`
DetectionType	`Inline`	`str`
Directionality	`Inbound`	`str`
EventDeepLink	`https://protection.office.com/?hash=/threatexplorer?messageParams=58cb05b7-60ed-47f7-61fd-08d90fbf43a4,58cb05b7-60ed-47f7-61fd-08d90fbf43a4-18180276909611477474-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish`	`str`
InternetMessageId	`<20210504094241.1FEE17E057527C96@gmail.com>`	`str`
LatestDeliveryLocation	`Quarantine`	`str`
MessageTime	`2021-05-05T12:14:02`	`str`
NetworkMessageId	`58cb05b7-60ed-47f7-61fd-08d90fbf43a4`	`str`
OriginalDeliveryLocation	`Quarantine`	`str`
P1Sender	`elysethompson1994@gmail.com`	`str`
P2Sender	`elysethompson1994@gmail.com`	`str`
Policy	`Spoof`	`str`
PolicyAction	`Quarantine`	`str`
Recipients	`►(array)`	`str`
SenderIp	`192.187.111.171`	`str`
Subject	`Mobile First Designs`	`str`
ThreatsAndDetectionTech	`►(array)`	`str`
Verdict	`Phish`	`str`
SourceLocationType	`null`	`int`
Platform	`null`	`int`
Application	`null`	`str`
FileExtension	`null`	`str`
DeviceName	`null`	`str`
MDATPDeviceId	`null`	`str`
FileSize	`null`	`int`
FileType	`null`	`str`
Hidden	`null`	`bool`
message	`▼(object)` `CreationTime: 2021-05-05T12:16:05` `Id: 02c29d28-8639-4f0a-59e0-d6fb2bd38204` `Operation: TIMailData` `OrganizationId: 3ec4eda1-a5d1-433d-90da-8dc791283d95` `RecordType: 28` `UserKey: ThreatIntel` `UserType: 4` `Version: 1` `Workload: ThreatIntelligence` `ObjectId: 58cb05b7-60ed-47f7-61fd-08d90fbf43a4181802769096114774741` `UserId: ThreatIntel` `DeliveryAction: Blocked` `DetectionMethod: Spoof external domain` `DetectionType: Inline` `Directionality: Inbound` `EventDeepLink: https://protection.office.com/?hash=/threatexplorer?messageParams=58cb05b7-60ed-47f7-61fd-08d90fbf43a4,58cb05b7-60ed-47f7-61fd-08d90fbf43a4-18180276909611477474-1,2021-05-05T00:00:00,2021-05-05T23:59:59&view=Phish` `InternetMessageId: <20210504094241.1FEE17E057527C96@gmail.com>` `LatestDeliveryLocation: Quarantine` `MessageTime: 2021-05-05T12:14:02` `NetworkMessageId: 58cb05b7-60ed-47f7-61fd-08d90fbf43a4` `OriginalDeliveryLocation: Quarantine` `P1Sender: elysethompson1994@gmail.com` `P2Sender: elysethompson1994@gmail.com` `Policy: Spoof` `PolicyAction: Quarantine` `▼Recipients: (array)` `0: eltham@hrblock.com.au` `SenderIp: 192.187.111.171` `Subject: Mobile First Designs` `▼ThreatsAndDetectionTech: (array)` `0: Phish: [Spoof external domain]` `1: Spam: [Advanced filter]` `Verdict: Phish`	`str`
hostchain	`ip-10-36-0-8=54.234.232.241`	`str`	✓
tag	`cloud.office365.management`	`str`	✓