Log Types: Microsoft 365

Overview

Microsoft 365 includes a range of office automation tools, such as spreadsheets, calendars, email clients, and documentation generation tools.

These tools generate audit logs, and an application such as Snare Central can retrieve those audit logs through the Office 365 Management API.


Collection

Snare Central can be configured to collect audit logs from the Office 365 Management API, as described in the user guide on the Microsoft 365 Logs Collection page.

About Microsoft 365 audit log

Microsoft 365 audit log: Supported types

Currently, these are the supported content types under Microsoft 365 audit logs:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

In order to retrieve these content blobs, a tenant must first subscribe to the desired content type(s); once the subscription succeeds, the tenant can fetch the audit logs associated with those content type(s).
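
The subscribe-then-fetch flow described above, as an added example that is not Snare Central's or Microsoft's own code. It is written against the endpoint paths in Microsoft's Management Activity API reference (subscriptions/start, subscriptions/content with NextPageUri paging, then each blob's contentUri). HTTP access goes through an injectable transport callable so the flow can be run offline; demo_transport, the tenant id, the token and the returned records are constructed placeholders, not real tenant data.

```python
"""Added example (not Snare Central's or Microsoft's code): the subscribe-then-fetch
flow of the Office 365 Management Activity API against the endpoint paths in
Microsoft's API reference.  HTTP goes through an injectable `transport` callable
so the flow runs offline; `demo_transport` serves constructed responses and the
tenant id, token and records are placeholders, not real data."""
import json
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://manage.office.com/api/v1.0"  # documented API root

# transport(method, url, headers) -> (status, response_headers, body_text)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def _auth(token: str) -> Dict[str, str]:
    # Bearer token from an Entra ID client-credentials grant (acquisition not shown)
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def start_subscription(transport: Transport, tenant: str, token: str, content_type: str) -> dict:
    """Enable the tenant's subscription for one content type, e.g. Audit.Exchange."""
    url = f"{BASE_URL}/{tenant}/activity/feed/subscriptions/start?contentType={content_type}"
    status, _, body = transport("POST", url, _auth(token))
    if status != 200:
        raise RuntimeError(f"subscription start failed: HTTP {status}: {body}")
    return json.loads(body)


def list_content(transport: Transport, tenant: str, token: str, content_type: str,
                 start_time: str, end_time: str) -> List[dict]:
    """List the content blobs available for a time window, following NextPageUri."""
    url = (f"{BASE_URL}/{tenant}/activity/feed/subscriptions/content"
           f"?contentType={content_type}&startTime={start_time}&endTime={end_time}")
    blobs: List[dict] = []
    while url:
        status, headers, body = transport("GET", url, _auth(token))
        if status != 200:
            raise RuntimeError(f"content listing failed: HTTP {status}: {body}")
        blobs.extend(json.loads(body))
        url = headers.get("NextPageUri")  # header is absent on the last page
    return blobs


def fetch_records(transport: Transport, token: str, blobs: List[dict]) -> List[dict]:
    """Download every blob's contentUri; each blob body is a JSON array of audit records."""
    records: List[dict] = []
    for blob in blobs:
        status, _, body = transport("GET", blob["contentUri"], _auth(token))
        if status != 200:
            raise RuntimeError(f"blob {blob.get('contentId')} failed: HTTP {status}")
        records.extend(json.loads(body))
    return records


def collect(transport: Transport, tenant: str, token: str, content_type: str,
            start_time: str, end_time: str) -> List[dict]:
    """Subscribe, list the blobs for the window, then fetch their records."""
    start_subscription(transport, tenant, token, content_type)
    blobs = list_content(transport, tenant, token, content_type, start_time, end_time)
    return fetch_records(transport, token, blobs)


# ---- constructed offline responses; shapes follow the API reference ----
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
_CONTENT = f"{BASE_URL}/{TENANT}/activity/feed/subscriptions/content"


def _blob(n: int) -> dict:
    return {"contentType": "Audit.Exchange", "contentId": f"blob-{n}",
            "contentUri": f"{BASE_URL}/{TENANT}/activity/feed/audit/blob-{n}",
            "contentCreated": "2022-03-15T00:50:00.000Z",
            "contentExpiration": "2022-03-22T00:50:00.000Z"}


def demo_transport(method: str, url: str, headers: Dict[str, str]):
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {}, "missing bearer token"
    if method == "POST" and "/subscriptions/start" in url:
        return 200, {}, json.dumps({"contentType": "Audit.Exchange", "status": "enabled"})
    if url.startswith(_CONTENT) and "page=2" not in url:       # first listing page
        return 200, {"NextPageUri": _CONTENT + "?page=2"}, json.dumps([_blob(1)])
    if url.startswith(_CONTENT):                               # last listing page
        return 200, {}, json.dumps([_blob(2)])
    if url.endswith("/audit/blob-1"):                          # constructed records
        return 200, {}, json.dumps([{"Id": "c0ffee01", "RecordType": 1,
                                     "Operation": "Set-Mailbox", "Workload": "Exchange"}])
    if url.endswith("/audit/blob-2"):
        return 200, {}, json.dumps([{"Id": "c0ffee02", "RecordType": 2,
                                     "Operation": "Create", "Workload": "Exchange"}])
    return 404, {}, "not found"


if __name__ == "__main__":
    for rec in collect(demo_transport, TENANT, "DEMO-TOKEN", "Audit.Exchange",
                       "2022-03-15T00:00:00", "2022-03-15T23:59:59"):
        print(rec["RecordType"], rec["Operation"])
```

To run it against a real tenant, replace demo_transport with a function that issues the HTTP request (for example with urllib or requests) and returns the status, headers and body; the paging and blob-download logic does not change. Blobs are only listed for the retention window the API exposes, so a collector that stops polling for longer than that window will miss records.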


Microsoft 365 audit log: Log Structure

Below is a sample Microsoft 365 audit log record as returned by the Office 365 Management API.

[
  {
    "CreationTime": "2022-03-15T00:45:18",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "ValidaterbacAccessCheck",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 52,
    "UserKey": "admin@contoso.onmicrosoft.com",
    "UserType": 5,
    "Version": 1,
    "Workload": "SecurityComplianceCenter",
    "UserId": "admin@contoso.onmicrosoft.com",
    "AadAppId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "DataType": "rbacAccessCheck",
    "RelativeUrl": "/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck?tenantid=41463f53-8812-40f4-890f-865bf6e35190",
    "ResultCount": "0"
  }
]

Microsoft 365 audit log: Log Schema

The Microsoft 365 Management API schema is provided as a data service in two layers:

  • Common schema
    The common schema consists of the fields shared by all Microsoft 365 audit logs.
    See Microsoft's documentation (linked in the Notes section) for more details about the common schema.

  • Service-specific schema
    Fields that depend on the service type; for example, SharePoint has its own set of schemas, as do Exchange and the DLP-related services.
    See Microsoft's documentation (linked in the Notes section) for more details about the service-specific schemas.

Note: Depending on the Microsoft 365 audit log type (identified via RecordType; see Microsoft 365 Audit Log Identification below), Snare Central parses the record and selects the schema used to define the fields of each table.

Integrating Microsoft 365 audit log with Snare Central

The Microsoft 365 audit logs fetched by Snare Central will be parsed and restructured using Snare’s own formatting, and these logs or events can be routed to one or more destinations, depending on the user’s configuration and intention.


Microsoft 365 Audit Log Identification

To distinguish one audit log from another, Snare Central uses the RecordType field.

The value of RecordType indicates the type of Microsoft 365 audit log and the operation performed by the record. Using this field, Snare Central maps and parses the fields associated with it.

For example, the value "1" indicates that an audit log is an ExchangeAdmin log, while "4" indicates a SharePoint log.

Snare Central currently parses the following RecordType values (see the table below); all other RecordType values are classified as Office365AuditLog.

Supported RecordType(s)

Value  Audit Log Type                    Description
1      ExchangeAdmin                     Events from the Exchange admin audit log.
2      ExchangeItem                      Events from an Exchange mailbox audit log for actions that are performed on a
                                         single item, such as creating or receiving an email message.
3      ExchangeItemGroup                 Events from an Exchange mailbox audit log for actions that can be performed on
                                         multiple items, such as moving or deleting one or more email messages.
4      SharePoint                        SharePoint events.
6      SharePointFileOperation           SharePoint file operation events.
8      AzureActiveDirectory              Microsoft Entra events.
9      AzureActiveDirectoryAccountLogon  Microsoft Entra OrgId logon events (deprecated).
15     AzureActiveDirectoryStsLogon      Secure Token Service (STS) logon events in Microsoft Entra ID.
36     SharePointListOperation           SharePoint List events.
50     ExchangeItemAggregated            Events related to the MailItemsAccessed mailbox auditing action.

Note: For the other RecordType values of the Microsoft 365 audit log, see Microsoft's documentation (linked in the Notes section).

Microsoft 365 Audit Log Fields

The fields below are the common fields for all Office365* logs, including the generic or Office365AuditLog log type.

Field               Description
DATE                Event date, in the format YYYY-MM-DD.
TIME                Event time, in the format HH:MM:SS.
DATETIME            The timestamp of the event log in RFC3339Nano format.
COLLECTIONDATETIME  Snare Central's local date and time of the actual log collection from the Office 365
                    Management API, in RFC3339Nano format.
SYSTEM              The source system. Takes its value from CLIENTIP if that is not empty; otherwise the domain
                    value defined in the configuration is used.
TABLE               For supported RecordType(s) (see the table above), the value is Office365 + <sub-type>.
                    All other, unsupported sub-types are classified as Office365AuditLog.
CRITICALITY         -
AUDITID             Based on Id, this field contains the unique identifier of an audit record or log.
RECORDTYPE          Based on RecordType, this field indicates the operation performed by the record.
                    For available RecordType values, see Microsoft's documentation (linked in the Notes section).
CREATIONTIME        Based on CreationTime, this field contains the date and time in Coordinated Universal Time
                    (UTC) when the user performed the activity.
OPERATION           Based on Operation, this field contains the name of the user or admin activity.
ORGID               Based on OrganizationId, this field contains the GUID uniquely assigned to a tenant.
USERTYPE            Based on UserType, this field contains the type of user that performed the operation.
                    For available UserType values, see Microsoft's documentation (linked in the Notes section).
USERKEY             Based on UserKey, this field contains the alternative ID for the user identified in the
                    UserId property.
WORKLOAD            Based on Workload, this field contains the Microsoft 365 service where the activity occurred.
USERID              Based on UserId, this field contains the UPN (User Principal Name) of the user who performed
                    the action that resulted in the record being logged.
RESULTSTATUS        Based on UserKey, this field contains the detail indicating whether the action was
                    successful or not.
                    Note: Different workloads may overwrite the value of this field.
OBJECTID            Based on ObjectId, this field may contain different details depending on the Workload.
                    Note: Different workloads may contain a different set of values for this field.
CLIENTIP            Based on ClientIp, this field contains the IP address of the device that was used when the
                    activity was logged. The IP address is displayed in either IPv4 or IPv6 format.
                    Note: For Microsoft Entra related events, the IP address isn't logged and the value of the
                    ClientIP property is null or empty.
SCOPE               Based on Scope, this field indicates whether the event was created by a hosted Microsoft 365
                    service or by an on-premises server. Possible values are online and onprem.
VERSION             Based on Version, this field contains the version number of the activity that's logged.
SNAREDATAMAP        All unclassified fields parsed from the Microsoft 365 log are pushed into SNAREDATAMAP.
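
The following is an added example, not Snare Central's own parser, showing how a raw record is mapped onto the fields documented above and onto the RecordType identification described in the Microsoft 365 Audit Log Identification section. The RecordType-to-table map is the supported list from this page and the sample record is the one shown earlier; the exact RFC3339Nano rendering, the fallback SYSTEM value, the treatment of CreationTime as UTC and the fixed collection timestamp are this example's own assumptions.

```python
"""Added example (not Snare Central's code): normalise one raw Microsoft 365 audit
record into the field set documented on this page.  The RecordType-to-table map is
the supported list above; the RFC3339Nano rendering, the fallback SYSTEM value and
the collection timestamp are this example's own assumptions."""
from datetime import datetime, timezone
from typing import Any, Dict

# RecordType values Snare Central parses; everything else becomes Office365AuditLog
SUPPORTED_RECORD_TYPES = {
    1: "ExchangeAdmin", 2: "ExchangeItem", 3: "ExchangeItemGroup", 4: "SharePoint",
    6: "SharePointFileOperation", 8: "AzureActiveDirectory",
    9: "AzureActiveDirectoryAccountLogon", 15: "AzureActiveDirectoryStsLogon",
    36: "SharePointListOperation", 50: "ExchangeItemAggregated",
}

# raw API property -> normalised field name from the field table
COMMON_FIELDS = {
    "Id": "AUDITID", "RecordType": "RECORDTYPE", "CreationTime": "CREATIONTIME",
    "Operation": "OPERATION", "OrganizationId": "ORGID", "UserType": "USERTYPE",
    "UserKey": "USERKEY", "Workload": "WORKLOAD", "UserId": "USERID",
    "ResultStatus": "RESULTSTATUS", "ObjectId": "OBJECTID",
    "ClientIP": "CLIENTIP", "ClientIp": "CLIENTIP",  # page writes ClientIp, API reference ClientIP
    "Scope": "SCOPE", "Version": "VERSION",
}

# the sample record shown earlier on this page
SAMPLE_RECORD = {
    "CreationTime": "2022-03-15T00:45:18",
    "Id": "80c76bd2-9d81-4c57-a97a-accfc3443dca",
    "Operation": "ValidaterbacAccessCheck",
    "OrganizationId": "41463f53-8812-40f4-890f-865bf6e35190",
    "RecordType": 52, "UserKey": "admin@contoso.onmicrosoft.com", "UserType": 5,
    "Version": 1, "Workload": "SecurityComplianceCenter",
    "UserId": "admin@contoso.onmicrosoft.com",
    "AadAppId": "9a8cf76d-d754-3e2e-b10d-9bb87654f3b2",
    "DataType": "rbacAccessCheck",
    "RelativeUrl": "/DataInsights/DataInsightsService.svc/validate/rbacAccessCheck"
                   "?tenantid=41463f53-8812-40f4-890f-865bf6e35190",
    "ResultCount": "0",
}


def rfc3339nano(ts: datetime) -> str:
    """RFC 3339 in UTC with the fractional part trimmed of trailing zeros (Go's RFC3339Nano layout)."""
    ts = ts.astimezone(timezone.utc)
    frac = f".{ts.microsecond:06d}".rstrip("0") if ts.microsecond else ""
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + frac + "Z"


def table_for(record_type: Any) -> str:
    """TABLE = Office365 + sub-type for supported values, else the generic table."""
    try:
        return "Office365" + SUPPORTED_RECORD_TYPES[int(record_type)]
    except (KeyError, TypeError, ValueError):
        return "Office365AuditLog"


def normalise(raw: Dict[str, Any], configured_domain: str, collected_at: datetime) -> Dict[str, Any]:
    # CreationTime carries no offset but is documented as UTC, so attach UTC explicitly
    created = datetime.fromisoformat(raw["CreationTime"]).replace(tzinfo=timezone.utc)
    event: Dict[str, Any] = {
        "DATE": created.strftime("%Y-%m-%d"),
        "TIME": created.strftime("%H:%M:%S"),
        "DATETIME": rfc3339nano(created),
        "COLLECTIONDATETIME": rfc3339nano(collected_at),
        "TABLE": table_for(raw.get("RecordType")),
        "CRITICALITY": "-",
    }
    unclassified: Dict[str, Any] = {}
    for key, value in raw.items():
        target = COMMON_FIELDS.get(key)
        if target:
            event[target] = value
        else:
            unclassified[key] = value          # anything outside the common field set
    # SYSTEM: client IP when present; Entra events carry none, so fall back to the domain
    event["SYSTEM"] = event.get("CLIENTIP") or configured_domain
    event["SNAREDATAMAP"] = unclassified
    return event


def demo_event() -> Dict[str, Any]:
    """Normalise the page's sample record with a fixed, constructed collection time."""
    return normalise(SAMPLE_RECORD, "contoso.onmicrosoft.com",
                     datetime(2022, 3, 15, 1, 0, 0, 123000, tzinfo=timezone.utc))


if __name__ == "__main__":
    for field, value in demo_event().items():
        print(f"{field:<20}{value}")
```

Running the block on the sample record lands it in the generic Office365AuditLog table (RecordType 52 is not in the supported list), sets SYSTEM from the configured domain because the record carries no ClientIP, and leaves AadAppId, DataType, RelativeUrl and ResultCount in SNAREDATAMAP. The same leftover map is where workload-specific fields end up, so a detection rule that needs one of them should read it from SNAREDATAMAP rather than expecting a dedicated column.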


Notes

https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference

https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema