
Microsoft Policy And Compliance (Audit Log)

This integration is part of the Office 365 and Azure (Audit Log) Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the integration to get logs from the O365 service.

Configure Microsoft Policy And Compliance (Audit Log) in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Exchange Online URL | | True |
| Certificate | A pfx certificate encoded in Base64. | True |
| Password | | True |
| The organization used in app-only authentication. | | True |
| The application ID from the Azure portal | | True |

Required Permissions To Search Audit Logs

  • The minimum required Exchange permissions are Audit Logs or View-Only Audit Logs.
  • Go to The Microsoft Admin Portal.
  • Click Show All --> Roles --> Roles Assignments --> Exchange section.
  • Click Add role group --> Choose the name and description --> Select the Audit Logs or View-Only Audit Logs roles --> Select the members to apply the role(s) to --> Click Add role group.
  • For more information, see How to assign permissions to search the audit log.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

o365-auditlog-search

Use the o365-auditlog-search command to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services. You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the action, the user who performed the action, or the target object.

Base Command

o365-auditlog-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_date | The start date of the date range, or a relative range (3 days, 1 year, etc.). Entries are stored in the unified audit log in Coordinated Universal Time (UTC). If you specify a date/time value without a time zone, the value is in UTC. Default is 24 hours. | Optional |
| end_date | The end date of the date range. Entries are stored in the unified audit log in Coordinated Universal Time (UTC). If you specify a date/time value without a time zone, the value is in UTC. If empty, the current time is used. | Optional |
| free_text | The text string by which to filter the log entries. If the value contains spaces, enclose the value in quotation marks (for example: "Invalid logon"). | Optional |
| record_type | The record type by which to filter the log entries. Available record types: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype. | Optional |
| ip_addresses | A comma-separated list of IP addresses by which to filter the log entries. | Optional |
| operations | The operations by which to filter the log entries. The available values for this parameter depend on the record_type value. Refer to https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities. | Optional |
| user_ids | A comma-separated list of IDs of the users who performed the action by which to filter the log entries. The list of user IDs can be acquired by running the ews-users-list command. | Optional |
| result_size | The maximum number of results to return. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| O365AuditLog.Actor.ID | String | The ID of the actor. |
| O365AuditLog.Actor.Type | Number | The type of the actor. |
| O365AuditLog.ActorContextId | String | The GUID of the organization that the actor belongs to. |
| O365AuditLog.ActorIpAddress | String | The actor's IP address in IPv4 or IPv6 address format. |
| O365AuditLog.ApplicationId | String | The GUID that represents the application that is requesting the login. The display name can be looked up using the Azure Active Directory Graph API. |
| O365AuditLog.AzureActiveDirectoryEventType | Number | The type of Azure Active Directory event. |
| O365AuditLog.ClientIP | String | The IP address of the device that was used when the activity was logged. The IP address is displayed in IPv4 or IPv6 address format. |
| O365AuditLog.CreationTime | Date | The date and time in Coordinated Universal Time (UTC) when the user performed the activity. |
| O365AuditLog.ExtendedProperties.Name | String | Name of the extended property. |
| O365AuditLog.ExtendedProperties.Value | String | Value of the extended property. |
| O365AuditLog.ModifiedProperties.Name | String | Name of the modified property. |
| O365AuditLog.ModifiedProperties.NewValue | String | The updated value of the property. |
| O365AuditLog.ModifiedProperties.OldValue | String | The previous value of the property. |
| O365AuditLog.Id | String | The unique ID of the log entry. |
| O365AuditLog.InterSystemsId | String | The GUID that tracks the actions across components within the Office 365 service. |
| O365AuditLog.IntraSystemId | String | The GUID generated by Azure Active Directory to track the action. |
| O365AuditLog.LogonError | String | For failed logins, a user-readable description of the reason for the failure. |
| O365AuditLog.ObjectId | String | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. |
| O365AuditLog.Operation | String | The operation recorded in the log entry. |
| O365AuditLog.OrganizationId | String | The GUID for your organization's Office 365 tenant. This value is always the same for your organization, regardless of the Office 365 service in which the activity occurs. |
| O365AuditLog.RecordType | Number | The type of operation indicated by the record. See the AuditLogRecordType table (https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype) for details on the types of audit log records. |
| O365AuditLog.ResultStatus | String | Whether the action (specified in the Operation property) was successful. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False. |
| O365AuditLog.SupportTicketId | String | The customer support ticket ID for the action in "act-on-behalf-of" situations. |
| O365AuditLog.Target.ID | String | The ID of the user on whom the action (identified by the Operation property) was performed. |
| O365AuditLog.Target.Type | Number | The type of the user on whom the action (identified by the Operation property) was performed. |
| O365AuditLog.TargetContextId | String | The GUID of the organization that the targeted user belongs to. |
| O365AuditLog.UserId | String | Identifier (for example, email address) for the user who clicked on the URL. |
| O365AuditLog.UserKey | String | An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. |
| O365AuditLog.UserType | Number | The type of user who performed the operation. |
| O365AuditLog.Version | Number | The version of the log entry. |
| O365AuditLog.Workload | String | The Office 365 service where the activity occurred. |

Command Example

```
!o365-auditlog-search start_date="01/01/21" end_date="01/02/21" result_size=1
```

Context Example

```json
{
    "O365AuditLog": {
        "Actor": [
            {
                "ID": "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2",
                "Type": 0
            },
            {
                "ID": "user@example.com",
                "Type": 5
            }
        ],
        "ActorContextId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "ActorIpAddress": "ClientIP",
        "ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
        "AzureActiveDirectoryEventType": 1,
        "ClientIP": "ClientIP",
        "CreationTime": "2021-01-01T23:59:56",
        "ExtendedProperties": [
            {
                "Name": "UserAgent",
                "Value": "python-requests/2.18.4"
            },
            {
                "Name": "UserAuthenticationMethod",
                "Value": "1"
            },
            {
                "Name": "RequestType",
                "Value": "OAuth2:Token"
            },
            {
                "Name": "ResultStatusDetail",
                "Value": "UserError"
            },
            {
                "Name": "KeepMeSignedIn",
                "Value": "false"
            }
        ],
        "Id": "8133912e-b888-4849-b8fb-070710b35400",
        "InterSystemsId": "4bf55773-4137-4d68-b7f8-ef8ef9c0235f",
        "IntraSystemId": "8133912e-b888-4849-b8fb-070710b35400",
        "LogonError": "InvalidUserNameOrPassword",
        "ModifiedProperties": [],
        "ObjectId": "00000002-0000-0ff1-ce00-000000000000",
        "Operation": "UserLoginFailed",
        "OrganizationId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "RecordType": 15,
        "ResultStatus": "Failed",
        "SupportTicketId": "",
        "Target": [
            {
                "ID": "00000002-0000-0ff1-ce00-000000000000",
                "Type": 0
            }
        ],
        "TargetContextId": "ebac1a16-81bf-449b-8d43-5732c3c1d999",
        "UserId": "user@example.com",
        "UserKey": "user@example.com",
        "UserType": 0,
        "Version": 1,
        "Workload": "AzureActiveDirectory"
    }
}
```
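The context example above is a single UserLoginFailed record in the O365AuditLog schema documented under Context Output. As an added example that is not part of the integration's own code, the following Python shows how an automation could post-process a list of such records (for instance the output of a broader o365-auditlog-search run): it groups failed logins by UserId, collects the client IPs, user agents (from ExtendedProperties) and LogonError values seen, and returns the users whose failure count reached a threshold. The sample records are constructed to match the documented shape; the IP values are documentation-range placeholders, not real tenant data.

```python
from collections import defaultdict
from typing import Any, Optional

# Constructed sample records in the shape of the O365AuditLog context output
# documented above; values are illustrative and not taken from a real tenant.
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"Id": "rec-1", "CreationTime": "2021-01-01T23:59:56", "Operation": "UserLoginFailed",
     "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword", "RecordType": 15,
     "UserId": "user@example.com", "ClientIP": "203.0.113.10",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "python-requests/2.18.4"},
                            {"Name": "RequestType", "Value": "OAuth2:Token"}]},
    {"Id": "rec-2", "CreationTime": "2021-01-02T00:01:10", "Operation": "UserLoginFailed",
     "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword", "RecordType": 15,
     "UserId": "user@example.com", "ClientIP": "198.51.100.7",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "python-requests/2.18.4"}]},
    {"Id": "rec-3", "CreationTime": "2021-01-02T00:02:00", "Operation": "UserLoginFailed",
     "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword", "RecordType": 15,
     "UserId": "other@example.com", "ClientIP": "203.0.113.10", "ExtendedProperties": []},
    {"Id": "rec-4", "CreationTime": "2021-01-02T00:05:00", "Operation": "UserLoggedIn",
     "ResultStatus": "Succeeded", "RecordType": 15, "UserId": "user@example.com",
     "ClientIP": "192.0.2.44", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0"}]},
]


def extended_property(record: dict[str, Any], name: str) -> Optional[str]:
    """Return the Value of the ExtendedProperties entry whose Name is `name`, or None."""
    for prop in record.get("ExtendedProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def summarize_failed_logins(records: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Group UserLoginFailed records by UserId, keeping the IPs, agents and errors seen."""
    summary: dict[str, dict[str, Any]] = defaultdict(
        lambda: {"count": 0, "client_ips": set(), "user_agents": set(), "errors": set()})
    for rec in records:
        if rec.get("Operation") != "UserLoginFailed":
            continue  # successful logins and non-logon operations are not counted
        entry = summary[rec.get("UserId") or "<unknown>"]
        entry["count"] += 1
        entry["client_ips"].add(rec.get("ClientIP"))
        entry["errors"].add(rec.get("LogonError"))
        agent = extended_property(rec, "UserAgent")
        if agent:
            entry["user_agents"].add(agent)
    return dict(summary)


def users_over_threshold(summary: dict[str, dict[str, Any]], threshold: int = 3) -> list[str]:
    """UserIds whose failed-login count reached `threshold`, sorted for stable playbook output."""
    return sorted(user for user, stats in summary.items() if stats["count"] >= threshold)
```

In a playbook, the returned summary is what you would attach to the incident or feed to a follow-up task (for example a second o365-auditlog-search scoped with user_ids or ip_addresses), rather than re-querying the raw log.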

Human Readable Output

Audit log from 01/01/2021 00:00:00 to 01/02/2021 00:00:00

| Field | Value |
| --- | --- |
| Actor | [{"ID":"ID","Type":0},{"ID":"user@example.com","Type":5}] |
| ActorContextId | "ebac1a16-81bf-449b-8d43-5732c3c1d999" |
| ActorIpAddress | "ClientIP" |
| ApplicationId | "00000002-0000-0ff1-ce00-000000000000" |
| AzureActiveDirectoryEventType | 1 |
| ClientIP | "ClientIP" |
| CreationTime | {"value":"2021-01-01T23:59:56","DateTime":"Friday, January 1, 2021 11:59:56 PM"} |
| ExtendedProperties | [{"Name":"UserAgent","Value":"python-requests/2.18.4"},{"Name":"UserAuthenticationMethod","Value":"1"},{"Name":"RequestType","Value":"OAuth2:Token"},{"Name":"ResultStatusDetail","Value":"UserError"},{"Name":"KeepMeSignedIn","Value":"false"}] |
| Id | "8133912e-b888-4849-b8fb-070710b35400" |
| InterSystemsId | "4bf55773-4137-4d68-b7f8-ef8ef9c0235f" |
| IntraSystemId | "8133912e-b888-4849-b8fb-070710b35400" |
| LogonError | "InvalidUserNameOrPassword" |
| ModifiedProperties | |
| ObjectId | "00000002-0000-0ff1-ce00-000000000000" |
| Operation | "UserLoginFailed" |
| OrganizationId | "ebac1a16-81bf-449b-8d43-5732c3c1d999" |
| RecordType | 15 |
| ResultStatus | "Failed" |
| SupportTicketId | "" |
| Target | {"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0} |
| TargetContextId | "ebac1a16-81bf-449b-8d43-5732c3c1d999" |
| UserId | "user@example.com" |
| UserKey | "user@example.com" |
| UserType | 0 |
| Version | 1 |
| Workload | "AzureActiveDirectory" |