If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
Office 365 provides a broad set of office applications, such as document management, web mail, presentation creation and more. Office 365 services are delivered as a cloud service.
For more information refer to: https://www.office.com/
Office 365 Audit Sources & Events Supported
For the full list of the minimal Office 365 subscription required per endpoint listed below, please refer to: Office 365 Minimal Subscription Requirement Per Endpoint
Service Covered | Event included | Endpoint/API | Notes | Minimal Subscription Required |
---|---|---|---|---|
Azure AD | Graph Directory Audit logs (same as deprecated sign-in events) | Graph Directory Audit logs | See https://docs.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-1.0 | |
Azure AD | Graph Sign-In logs (same as deprecated audit events) + Security alerts on suspicious sign-ins | Graph Sign-In logs | See https://docs.microsoft.com/en-us/graph/api/resources/signin?view=graph-rest-1.0 | |
Azure AD deprecated endpoints | Sign-in events (e.g. login success/failed) | Deprecated - signin-event | See https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta | AAD Premium P2 |
Azure AD deprecated endpoints | General audit events such as group/user management | Deprecated - audit-events | See https://docs.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-beta | None |
Azure AD Identity Protection | Risk and anomalies detection in Azure AD | graph-identity-protection | For more information on the Azure AD Identity Protection API please refer to: https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta | |
SharePoint | SharePoint administrative and file management operations | management-activity-api | | None |
Exchange | Exchange administrative operation | management-activity-api | Events from the Exchange admin audit log. Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages. | None |
Message Trace | | activity-report-api | Email send/receive trace | None |
DLP | ComplianceDLPSharePoint, ComplianceDLPExchange | management-activity-api | Data loss protection (DLP) events in SharePoint and OneDrive for Business. Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported. | None |
Microsoft Cloud App Security (MCAS) | Cloud services anomalies, suspicious activities and violations detected by the Microsoft CASB service | mcas-alerts | | E5 or purchased to other enterprise edition |
Advanced Threat Protection (ATP) *** | Spoof Mail | activity-report-api | View information about insider spoofing in your cloud-based organization. Insider spoofing is where the sender's email address in an inbound message appears to represent your organization, but the actual identity of the sender is different. | E3 |
Advanced Threat Protection (ATP) *** | DLP Policy | activity-report-api | Provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages. | E3 |
Advanced Threat Protection (ATP) *** | Malware report MailDetailMalware | activity-report-api | View the details of messages that contained malware. | E3 |
Advanced Threat Protection (ATP) *** | Spam report | activity-report-api | Provides details about the processing steps taken on email messages identified as containing spam while the message was being processed. | E3 |
Audit events | General audit events | audit-events | Office 365 audit events | None |
Yammer | Yammer schema | microsoft-graph-api | Yammer events | None |
Sway | Sway schema | microsoft-graph-api | Sway events | None |
Microsoft Teams | MicrosoftTeams, MicrosoftTeamsAddOns, MicrosoftTeamsSettingsOperation | microsoft-graph-api | Events from Microsoft Teams. | None |
Office 365 Threat Detection | Risky users, Risky sign-ins, Risk detections | risk detection graph API | | Azure AD Premium P1 or P2 |

*** Data availability delay of the audit source is approximately 24 hours from the moment that the event was triggered.
How to on-board Office 365 Connector to SkyFormation
Adding Office 365 Connector To SkyFormation Platform