
Microsoft Policy And Compliance (Audit Log)

This integration is part of the Office 365 and Azure (Audit Log) Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use this integration to retrieve unified audit log entries from the Office 365 (O365) service.

Configure MicrosoftPolicyAndComplianceAuditLog on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for MicrosoftPolicyAndComplianceAuditLog.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Exchange Online URL | True |
    | Email (Password for basic authentication only) | False |
    | Trust any certificate (not secure) | False |
  4. Click Test to validate the URLs, token, and connection.

Authentication

  • Basic authentication - fill in the Email and Password parameters.
  • OAuth2.0 (for MFA-enabled accounts) -
    1. Enter a value for the UPN parameter in the integration configuration.
    2. Run the o365-auditlog-auth-start command and follow the instructions.
    3. Run the o365-auditlog-auth-test command to verify that the authorization process was implemented correctly.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

o365-auditlog-auth-start

Starts the OAuth2.0 authorization process.

o365-auditlog-auth-complete

Completes the OAuth2.0 authorization process.

o365-auditlog-auth-test

Tests the OAuth2.0 authorization process.

o365-auditlog-search

Use the o365-auditlog-search command to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services. You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the user who performed the action, the action itself, or the target object.

Base Command

o365-auditlog-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_date | The start date of the date range, or a relative range (3 days, 1 year, etc.). Entries are stored in the unified audit log in Coordinated Universal Time (UTC). If you specify a date/time value without a time zone, the value is in UTC. Default is 24 hours. | Optional |
| end_date | The end date of the date range. Entries are stored in the unified audit log in Coordinated Universal Time (UTC). If you specify a date/time value without a time zone, the value is in UTC. If empty, the current time is used. | Optional |
| free_text | The text string by which to filter the log entries. If the value contains spaces, enclose the value in quotation marks (for example: "Invalid logon"). | Optional |
| record_type | The record type by which to filter the log entries. Available record types: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype. | Optional |
| ip_addresses | A comma-separated list of IP addresses by which to filter the log entries. | Optional |
| operations | The operations by which to filter the log entries. The available values for this parameter depend on the record_type value. Refer to https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities. | Optional |
| user_ids | A comma-separated list of IDs of the users who performed the action, by which to filter the log entries. The list of user IDs can be acquired by running the ews-users-list command. | Optional |
| result_size | The maximum number of results to return. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| O365AuditLog.Actor.ID | String | The ID of the actor. |
| O365AuditLog.Actor.Type | Number | The type of the actor. |
| O365AuditLog.ActorContextId | String | The GUID of the organization that the actor belongs to. |
| O365AuditLog.ActorIpAddress | String | The actor's IP address in IPv4 or IPv6 address format. |
| O365AuditLog.ApplicationId | String | The GUID that represents the application that is requesting the login. The display name can be looked up using the Azure Active Directory Graph API. |
| O365AuditLog.AzureActiveDirectoryEventType | Number | The type of Azure Active Directory event. |
| O365AuditLog.ClientIP | String | The IP address of the device that was used when the activity was logged. The IP address is displayed in IPv4 or IPv6 address format. |
| O365AuditLog.CreationTime | Date | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. |
| O365AuditLog.ExtendedProperties.Name | String | Name of the extended property. |
| O365AuditLog.ExtendedProperties.Value | String | Value of the extended property. |
| O365AuditLog.Id | String | The unique ID of the log entry. |
| O365AuditLog.InterSystemsId | String | The GUID that tracks the action across components within the Office 365 service. |
| O365AuditLog.IntraSystemId | String | The GUID that's generated by Azure Active Directory to track the action. |
| O365AuditLog.LogonError | String | For failed logins, a user-readable description of the reason for the failure. |
| O365AuditLog.ObjectId | String | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. |
| O365AuditLog.Operation | String | The operation recorded in the log entry. |
| O365AuditLog.OrganizationId | String | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs. |
| O365AuditLog.RecordType | Number | The type of operation indicated by the record. See the AuditLogRecordType table (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype) for details on the types of audit log records. |
| O365AuditLog.ResultStatus | String | Whether the action (specified in the Operation property) was successful. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. |
| O365AuditLog.SupportTicketId | String | The customer support ticket ID for the action in "act-on-behalf-of" situations. |
| O365AuditLog.Target.ID | String | The ID of the user on whom the action (identified by the Operation property) was performed. |
| O365AuditLog.Target.Type | Number | The type of the user on whom the action (identified by the Operation property) was performed. |
| O365AuditLog.TargetContextId | String | The GUID of the organization that the targeted user belongs to. |
| O365AuditLog.UserId | String | Identifier (for example, email address) for the user who clicked on the URL. |
| O365AuditLog.UserKey | String | An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. |
| O365AuditLog.UserType | Number | The type of user who performed the operation. |
| O365AuditLog.Version | Number | The version of the log entry. |
| O365AuditLog.Workload | String | The Office 365 service where the activity occurred. |
| O365AuditLog.ModifiedProperties.Name | String | Name of the modified property. |
| O365AuditLog.ModifiedProperties.NewValue | String | The updated value of the property. |
| O365AuditLog.ModifiedProperties.OldValue | String | The previous value of the property. |

Command Example

!o365-auditlog-search start_date="01/01/21" end_date="01/02/21" result_size=1

Context Example

{
    "O365AuditLog": {
        "Actor": [
            {
                "ID": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
                "Type": 0
            },
            {
                "ID": "user@example.com",
                "Type": 5
            }
        ],
        "ActorContextId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "ActorIpAddress": "ClientIP",
        "ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
        "AzureActiveDirectoryEventType": 1,
        "ClientIP": "ClientIP",
        "CreationTime": "2021-01-01T23:59:56",
        "ExtendedProperties": [
            {
                "Name": "UserAgent",
                "Value": "python-requests/2.18.4"
            },
            {
                "Name": "UserAuthenticationMethod",
                "Value": "1"
            },
            {
                "Name": "RequestType",
                "Value": "OAuth2:Token"
            },
            {
                "Name": "ResultStatusDetail",
                "Value": "UserError"
            },
            {
                "Name": "KeepMeSignedIn",
                "Value": "false"
            }
        ],
        "Id": "8133912e-b888-4849-b8fb-070710b35400",
        "InterSystemsId": "4bf55773-4137-4d68-b7f8-ef8ef9c0235f",
        "IntraSystemId": "8133912e-b888-4849-b8fb-070710b35400",
        "LogonError": "InvalidUserNameOrPassword",
        "ModifiedProperties": [],
        "ObjectId": "00000002-0000-0ff1-ce00-000000000000",
        "Operation": "UserLoginFailed",
        "OrganizationId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "RecordType": 15,
        "ResultStatus": "Failed",
        "SupportTicketId": "",
        "Target": [
            {
                "ID": "00000002-0000-0ff1-ce00-000000000000",
                "Type": 0
            }
        ],
        "TargetContextId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "UserId": "user@example.com",
        "UserKey": "user@example.com",
        "UserType": 0,
        "Version": 1,
        "Workload": "AzureActiveDirectory"
    }
}
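As an added example (not part of the integration's own code), the following Python post-processes O365AuditLog records in the shape shown above, grouping failed sign-ins by source address so that one address failing against many accounts stands out. The records are constructed for this example; an XSOAR automation would instead read them from the O365AuditLog context key after running o365-auditlog-search.

```python
from collections import defaultdict

# Constructed sample records in the O365AuditLog context shape documented above.
SAMPLE_RECORDS = [
    {"Operation": "UserLoginFailed", "ResultStatus": "Failed", "RecordType": 15,
     "UserId": "user@example.com", "ClientIP": "203.0.113.10",
     "LogonError": "InvalidUserNameOrPassword",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "python-requests/2.18.4"},
                            {"Name": "RequestType", "Value": "OAuth2:Token"}]},
    {"Operation": "UserLoginFailed", "ResultStatus": "Failed", "RecordType": 15,
     "UserId": "other@example.com", "ClientIP": "203.0.113.10",
     "LogonError": "InvalidUserNameOrPassword",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "python-requests/2.18.4"}]},
    {"Operation": "UserLoginFailed", "ResultStatus": "Failed", "RecordType": 15,
     "UserId": "user@example.com", "ClientIP": "198.51.100.7",
     "LogonError": "InvalidUserNameOrPassword", "ExtendedProperties": []},
    {"Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "RecordType": 15,
     "UserId": "admin@example.com", "ClientIP": "198.51.100.7", "ExtendedProperties": []},
]


def extended_props(record):
    """Flatten the ExtendedProperties list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("ExtendedProperties", [])}


def failed_logins_by_ip(records):
    """Group failed sign-ins (Operation=UserLoginFailed, ResultStatus=Failed) by
    ClientIP, collecting the distinct users, LogonError values and user agents."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "errors": set(), "agents": set()})
    for r in records:
        if r.get("Operation") != "UserLoginFailed" or r.get("ResultStatus") != "Failed":
            continue
        # ClientIP is the documented source address; ActorIpAddress is the fallback.
        entry = by_ip[r.get("ClientIP") or r.get("ActorIpAddress") or "unknown"]
        entry["count"] += 1
        entry["users"].add(r.get("UserId", ""))
        entry["errors"].add(r.get("LogonError", ""))
        entry["agents"].add(extended_props(r).get("UserAgent", ""))
    # Sort the sets into lists so the summary is deterministic and JSON-serialisable.
    return {ip: {k: sorted(v) if isinstance(v, set) else v for k, v in e.items()}
            for ip, e in by_ip.items()}


def spray_candidates(summary, min_users=2):
    """Source addresses whose failures span at least min_users distinct accounts:
    the one-source, many-accounts pattern worth escalating from a search result."""
    return sorted(ip for ip, e in summary.items() if len(e["users"]) >= min_users)
```

The UserAgent extended property is carried through because a scripted client string on a failed OAuth2:Token request, as in the context example above, is often the detail that separates automation from a user mistyping a password.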

Human Readable Output

Audit log from 01/01/2021 00:00:00 to 01/02/2021 00:00:00

| Field | Value |
| --- | --- |
| Actor | [{"ID":"ID","Type":0},{"ID":"user@example.com","Type":5}] |
| ActorContextId | ebac1a16-81bf-449b-8d43-5732c3c1d999 |
| ActorIpAddress | ClientIP |
| ApplicationId | 00000002-0000-0ff1-ce00-000000000000 |
| AzureActiveDirectoryEventType | 1 |
| ClientIP | ClientIP |
| CreationTime | {"value":"2021-01-01T23:59:56","DateTime":"Friday, January 1, 2021 11:59:56 PM"} |
| ExtendedProperties | [{"Name":"UserAgent","Value":"python-requests/2.18.4"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OAuth2:Token"},{"Name":"ResultStatusDetail","Value":"UserError"},{"Name":"KeepMeSignedIn","Value":"false"}] |
| Id | 8133912e-b888-4849-b8fb-070710b35400 |
| InterSystemsId | 4bf55773-4137-4d68-b7f8-ef8ef9c0235f |
| IntraSystemId | 8133912e-b888-4849-b8fb-070710b35400 |
| LogonError | InvalidUserNameOrPassword |
| ModifiedProperties | |
| ObjectId | 00000002-0000-0ff1-ce00-000000000000 |
| Operation | UserLoginFailed |
| OrganizationId | ebac1a16-81bf-449b-8d43-5732c3c1d999 |
| RecordType | 15 |
| ResultStatus | Failed |
| SupportTicketId | "" |
| Target | {"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0} |
| TargetContextId | ebac1a16-81bf-449b-8d43-5732c3c1d999 |
| UserId | user@example.com |
| UserKey | user@example.com |
| UserType | 0 |
| Version | 1 |
| Workload | AzureActiveDirectory |