
External Systems Configuration Guide


Microsoft Office 365 Audit

FortiSIEM Support added: 4.8.1

FortiSIEM last modification: 7.1.0

Vendor version tested: Not Provided

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/microsoft-365/business

Office 365 Management Activity API (manage.office.com)

The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, the following content types are supported:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

An extensive list of Office 365 services is audited via this method; the service names can be seen by inspecting the "AuditLogRecordType" enumeration at this link: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

What is Discovered and Monitored

The following Office 365 activity types are collected. All of them are available via the O365 Mgmt Activity API:

  • File and folder activities

  • Sharing and access request activities

  • Synchronization activities

  • Site administration activities

  • Exchange mailbox activities

  • User administration activities

  • Group administration activities

  • Application administration activities

  • Role administration activities

  • Directory administration activities


Rules and Reports

Rules

Navigate to Resources > Rules and search for "Office365:" in the main Search... field to see available rules.

The following rules are all generated from the Office365 Mgmt Activity API data source. Note that these are examples and the list is not exhaustive.

  • Office365: Abnormal Logon Detected

  • Office365: Brute Force Login Attempts - Same Source

  • Office365: Brute Force Login Attempts - Same User

  • Office365: Brute Force Logon Success

  • Office365: Identity Protection Detected a Risky User or SignIn Activity

  • Office365: Strong Authentication Disabled for a User

  • Office365: Suspicious File Type Uploaded

Reports

Navigate to Resources > Reports and search for "Office365:" in the main Search... field to see available reports.

The following reports are all generated from the Office365 Mgmt Activity API data source. Note that these are examples and the list is not exhaustive.

  • Office365: Top Entra ID Logons by Source

  • Office365: Top Entra ID Failed User Logon

  • Office365: Top Sharepoint Links Used

  • Office365: Top Sharepoint Secure Links Used by Source

  • Office365: Top Sharepoint Company Links Used by Source

  • Office365: Top Sharepoint Anonymous Links Used by Source

Office 365 Dashboard

The Office 365 Dashboard contains the following tabs:

Logon Audit

  • Data Source: Microsoft Office365 Management Activity API. Collects both Entra ID (formerly Azure AD) logon events and Exchange mailbox logons.

  • Widgets: Various mailbox and Entra ID logon success/failure activity reports.

  • Troubleshooting: Ensure that mailbox auditing is enabled for every mailbox in your organization.

Sharepoint Audit

  • Data Source: Microsoft Office365 Management Activity API

  • Widgets: These reports are based primarily on Sharepoint shared link activity; others may be added in the future. Other Sharepoint reports are available.

Sensitivity Label Audit

This is only populated if you are using Microsoft MIP for Exchange to assign sensitivity labels to emails.

  • Data Source: Microsoft Office365 Management Activity API

Reference Documents

https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-new-microsoft-information-protection-capabilities-to/ba-p/1999692

Enabling Mailbox Auditing

Note: The following is an excerpt of the article here.

Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically turned on when you create a new mailbox. You don't need to manually turn on mailbox auditing for new users.

  • You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each sign-in type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This result means you don't need to add new actions on mailboxes as they're released.

  • You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes).

Key Note:

By default, only mailbox audit events for users with licenses that include Microsoft Purview Audit (Premium) are available in audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API. These licenses are described here. For brevity, this article will collectively refer to licenses that include Audit (Premium) as E5/A5/G5 licenses.

To verify that mailbox auditing on by default is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-OrganizationConfig | Format-List AuditDisabled

The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes.

Supported Mailbox Types

Mailbox auditing on by default supports the following mailbox types:

  • User mailboxes

  • Shared mailboxes

  • Microsoft 365 Group mailboxes

  • Resource mailboxes

  • Public folder mailboxes

Sign-in Types Information

  • Owner: The mailbox owner (the account that's associated with the mailbox).

  • Delegate:

    • A user who's been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.

    • An admin who's been assigned the FullAccess permission to a user's mailbox.

  • Admin:

    • The mailbox is searched with one of the following Microsoft eDiscovery tools:

      • Content Search in the compliance portal.

      • eDiscovery or eDiscovery (Premium) in the compliance portal.

      • In-Place eDiscovery in Exchange Online.

    • The mailbox is accessed by using the Microsoft Exchange Server MAPI Editor.

Mailbox Actions

  • Create: An item was created in the Calendar, Contacts, Draft, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.

  • FolderBind: A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. (24 hour delay)

  • HardDelete: A message was purged from the Recoverable Items folder.

  • MailboxLogin: The user signed into their mailbox. (owner only login)

  • MailItemsAccessed: Occurs when mail data is accessed by mail protocols and clients. Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).

  • MessageBind: A message was viewed in the preview pane or opened by an admin. (admin only activity, not delegate or owner) Note: This value is available only for users without E5/A5/G5 licenses.

  • Move: A message was moved to another folder.

  • MoveToDeletedItems: A message was deleted and moved to the Deleted Items folder.

  • RecordDelete: An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).

  • SearchQueryInitiated: A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox. Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).

  • Send: The user sends an email message, replies to an email message, or forwards an email message. (Owner or Admin only, not delegate) Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).

  • SendAs: A message was sent using the SendAs permission. This permission allows another user to send the message as though it came from the mailbox owner. (Admin or Delegate, Owner n/a)

  • SendOnBehalf: A message was sent using the SendOnBehalf permission. This permission allows another user to send the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. (admin and delegate only)

  • SoftDelete: A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.

  • Update: A message or any of its properties was changed.

  • UpdateCalendarDelegation: A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.

  • UpdateComplianceTag: A retention label was updated.

  • UpdateFolderPermissions: A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.

  • UpdateInboxRules: An inbox rule was added, removed, or changed. Inbox rules process messages in the user's Inbox based on conditions. Actions specify what to do to messages that match the conditions of the rule. For example, move the message to a specified folder or delete the message.

Differences between SendAs and SendOnBehalf

SendAs - The recipient does not know who actually sent the message; it appears to come from the impersonated mailbox.

SendOnBehalf - The recipient sees both the mailbox the message was sent on behalf of and who actually sent the message.

Important:

If you customized the mailbox actions to audit before mailbox auditing on by default was turned on in your organization, the customized mailbox auditing settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the Restore the default mailbox actions section later in this article.

Setting up Mailbox Auditing Office 365

To set up mailbox auditing in Office 365, take the following steps.

  1. Log in to Exchange Online. (Note: Instructions differ slightly for GCC High and other government cloud organizations.)

  2. Run the following PowerShell command:

    Connect-ExchangeOnline -UserPrincipalName navin@contoso.onmicrosoft.com

  3. For each mailbox you'd like to turn on auditing for, run the following command:

    Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true

    • To bulk set for every mailbox, run:

      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Key Note:

As previously mentioned, although mailbox audit logging on by default is turned on for all organizations, only users with licenses that include Audit (Premium) (collectively referred to in this article as E5/A5/G5 licenses) return mailbox audit log events in audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API by default.

Mailbox operations that require premium licenses (available only for users with E5/A5/G5 licenses):

  • SearchQueryInitiated: A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.

  • MailItemsAccessed: Occurs when mail data is accessed by mail protocols and clients.

  • MessageBind: A message was viewed in the preview pane or opened by an admin.

  • Send: The user sends an email message, replies to an email message, or forwards an email message.

Note: Remember, an admin with Full Access permission to a mailbox is considered a delegate.

Mailbox audit operations that do not have auditing turned on by default:

  • Copy (Admin only): A message was copied to another folder.

  • FolderBind (Admin and Delegate): A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.

  • MailboxLogin (Owner only): The user signed into their mailbox.

  • MessageBind (Admin only): A message was viewed in the preview pane or opened by an admin. (not applicable to E5/A5/G5 licenses)

  • Move: A message was moved to another folder.

  • RecordDelete: An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).

  • SearchQueryInitiated (Owner only): A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.

  • UpdateComplianceTag: A retention label was updated.

Note: The MessageTrace API can provide overview information on mail sent and received, but it contains only metadata such as sender, recipient, subject, and similar fields, not message content.

Configuration

Configuring Office 365 for Auditing

To configure Office 365 for auditing, take the following steps.

Create Office 365 Credential

  1. Login to the Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

Create New App Registration

  1. Click New registration.

  2. In the Name field, enter "FortiSIEM App".

  3. From Supported Account Types, select Accounts in this organizational directory only (<domain> only – single tenant).

  4. Leave the Redirect URI (optional) field blank.

  5. Click Register.

    After clicking Register, on the redirected page showing your registration details, note the following:

    • Application (Client) ID

    • Directory (Tenant) ID


Generate Secret Key

To generate a secret key, take the following steps:

  1. On the left hand toolbar, click Certificates and Secrets.

  2. Click New client secret.

  3. In the right side popup, enter the following information:

    • In the Description field, enter "FortiSIEM Secret Key".

    • From the Expires drop-down list, select 730 days (24 months) or your desired expiration.

      Note: You must update the key in FortiSIEM configuration BEFORE it expires by creating a new key before retiring the old one.

  4. Click Add.

  5. Record the new API Key secret value at the bottom of the page. You can only view this once, so store the information in a secure location for configuration later.

Configure API Permissions for Application Registration

  1. In the left pane, navigate to API permissions.

  2. Click Add a permission.

  3. Select Office 365 Management APIs.

  4. Click Application permissions and expand all.

  5. Select all permissions with "Read" access. (There is no reason to grant write access.)

  6. Click Add permissions.

    You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously.

Approve Permission Grants

For Sharepoint Permissions, take the following step:

Add permission > Sharepoint > Application Permissions > Sites.Read.All

For Graph API Permissions, take the following steps:

  1. Login to Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

  4. Select your app from the list if it is already defined.

  5. On the left hand toolbar, select API permissions.

  6. Select Microsoft Graph > Application permissions.

  7. Select the following permissions:

    • Reports.Read.All (Primary)

    • IdentityRiskEvent.Read.All

    • IdentityRiskyServicePrincipal.Read.All

    • IdentityRiskyUser.Read.All

    • SecurityEvents.Read.All

    • SecurityIncident.Read.All (Microsoft365 Defender APIs)

    • ThreatIndicators.Read.All

    • ThreatIntelligence.Read.All

    • User.Read.All

For Office 365 Reports API Permissions, take the following steps:

  1. Login to Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

  4. Select your app from the list if it is already defined.

  5. On the left hand toolbar, select API permissions.

  6. Select the middle tab at the top labeled APIs my organization uses.

  7. In the search bar, enter "Office 365 Exchange Online" and select it (Note: It does not appear by default).

  8. Select Application Permissions.

  9. Locate the ReportingWebService drop-down list and select the permission ReportingWebService.Read.All.

  10. After saving, make sure to click Grant admin consent for <tenant>.

When you click Grant admin consent and see the prompt "Do you want to grant consent for the requested permissions for all accounts in your_organization?", select Yes. This updates any existing admin consent records for this application to match what has been configured.

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
  • Name: Enter a name for the credential.

  • Device Type: Microsoft Office365

  • Access Protocol: Office 365 Mgmt Activity API

  • Tenant ID: Use the ID from the Azure login URL. See Step 5 in Create Office 365 API Credential.

  • Password config: If you select Manual, take the following steps:

    1. For Client ID, use the value obtained in Step 5 in Create Office 365 API Credential.

    2. For Client Secret, use the value obtained in Step 7 in Create Office 365 API Credential.

    For the CyberArk SDK credential method, see CyberArk SDK Password Configuration.

    For the CyberArk REST API credential method, see CyberArk REST API Password Configuration.

  • Authentication Endpoint: Enter the authentication endpoint. The Authentication Endpoint depends on the type of Office 365 environment you have:

    • Enterprise plan: login.windows.net

    • GCC government plan: login.microsoftonline.com

    • GCC High government plan: login.microsoftonline.us

    • DoD government plan: login.microsoftonline.us

    Note: Do NOT include "https://" in the Authentication Endpoint URL field.

  • Authentication Protocol: Enter the token location. For example, /oauth2/token.

  • Organization: The organization the device belongs to.

  • Description: Description of the device.

Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

  1. In Step 2: Enter IP Range to Credential Associations, if the organization has more than 1 collector, select the collector from the drop-down list that will do the API polling. If the organization has 1 or no collectors, there is no drop-down and you can proceed to the next step.
  2. Click New to create a new association.
    1. Select the name of the credential created in the Define Office 365 Management Credential from the Credentials drop-down list.
    2. In the IP/Host Name field, enter the API Endpoint based off your Office 365 plan type. Your options are:
      • Enterprise plan: manage.office.com

      • GCC government plan: manage-gcc.office.com

      • GCC High government plan: manage.office365.us

      • DoD government plan: manage.protection.apps.mil

    3. Click Save.
  3. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping to start the polling. A pop up will appear and show the Test Connectivity results.
  4. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.

Sample Events for Audit

[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"user@my.example.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507-a475-4ccb-b669-d66bc9f2a36e","Type":2},{"ID":"User_68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"User","Type":2}],"ActorContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019-07-23T13:16:05UTC","ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"actorObjectId","Value":"68d76168-813d-4b9f-88cd-37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"user@my.example.org"},{"Name":"actorAppID","Value":"18ed3507-a475-4ccb-b669-d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"targetObjectId","Value":"02232019-4557-45d6-9630-f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6-31d6-4fea-8d56-aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019-07-23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8-943a-42f3-b8ad-2ea3bc4bf927_00000000-0000-0000-0000-000000000000_17a913a8-943a-42f3-b8ad-2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO-AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],"Id":"fc12de96-0cbc-4618-9c8f-cc8ab7891e3b","ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8-fb2d-41aa-8841-90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"Application_02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],"TargetContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","TenantId":"653e32e8-fb2d-41aa-8841-90f05b340318","UserId":"user@my.example.org","UserKey":"10030000873CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}
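The two record shapes this guide discusses, the Entra ID "Add application." sample event above and the Exchange mailbox actions with their Owner/Admin/Delegate sign-in types under Enabling Mailbox Auditing, normalized the way an analyst would want them; this is an added example, not FortiSIEM's parser or Microsoft's code. It assumes the Audit.Exchange field names LogonType, MailboxOwnerUPN and ClientIPAddress from the Management Activity API schema the guide links; the Entra ID record is trimmed from the guide's sample and the Exchange record is constructed.

```python
import json

# FortiSIEM wraps each record pulled from the Management Activity API in this framing.
PREFIX = "[OFFICE365_EVENT_DATA] = "

# LogonType values from the Management Activity API Exchange schema (linked in the guide).
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}

# Mailbox actions the guide singles out: a recipient cannot distinguish a SendAs
# message from one the owner sent, and inbox rules silently reroute or delete mail.
HIGH_INTEREST_OPS = {"SendAs", "SendOnBehalf", "UpdateInboxRules", "UpdateFolderPermissions"}


def parse_fortisiem_line(line):
    """Strip the FortiSIEM framing and return the decoded JSON record."""
    if not line.startswith(PREFIX):
        raise ValueError("not an [OFFICE365_EVENT_DATA] line")
    return json.loads(line[len(PREFIX):])


def _maybe_json(value):
    """ModifiedProperties values are JSON text (e.g. "[]") or free text; decode when possible."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def decode_modified_properties(record):
    """Return {property name: {"old": ..., "new": ...}} with the nested JSON decoded."""
    return {
        prop.get("Name"): {"old": _maybe_json(prop.get("OldValue", "")),
                           "new": _maybe_json(prop.get("NewValue", ""))}
        for prop in record.get("ModifiedProperties", [])
    }


def normalize(record):
    """Reduce a record to the fields an analyst pivots on, plus review flags."""
    summary = {
        "workload": record.get("Workload"),
        "operation": record.get("Operation", ""),
        "user": record.get("UserId", ""),
        "result": record.get("ResultStatus"),
        "time": record.get("CreationTime"),
        "flags": [],
    }
    if summary["workload"] == "Exchange":
        signin = LOGON_TYPES.get(record.get("LogonType"), "Unknown")
        owner = record.get("MailboxOwnerUPN", "")
        summary["signin_type"] = signin
        summary["mailbox_owner"] = owner
        summary["client_ip"] = record.get("ClientIPAddress")
        if owner and owner.lower() != summary["user"].lower():
            summary["flags"].append("non-owner access")
        if summary["operation"] in HIGH_INTEREST_OPS:
            summary["flags"].append("high-interest mailbox action")
        if summary["operation"] == "SendAs" and signin != "Owner":
            summary["flags"].append("SendAs by %s: recipient sees the owner as sender" % signin)
    elif summary["workload"] == "AzureActiveDirectory":
        summary["modified"] = decode_modified_properties(record)
        # Target entries with IdentityType 1 carry the object's display name.
        names = [t["ID"] for t in record.get("Target", []) if t.get("Type") == 1]
        summary["target_name"] = names[0] if names else None
        if summary["operation"].startswith("Add application"):
            summary["flags"].append("new app registration")
    return summary


# Trimmed from the guide's sample event: only the fields normalize() reads are kept.
SAMPLE_AAD_LINE = PREFIX + json.dumps({
    "CreationTime": "2019-07-23T13:16:05UTC",
    "Operation": "Add application.",
    "RecordType": 8,
    "ResultStatus": "Success",
    "UserId": "user@my.example.org",
    "Workload": "AzureActiveDirectory",
    "Target": [{"ID": "Application_02232019-4557-45d6-9630-f78694bc8341", "Type": 2},
               {"ID": "Application", "Type": 2}, {"ID": "FSM", "Type": 1}],
    "ModifiedProperties": [
        {"Name": "AppAddress", "OldValue": "[]",
         "NewValue": '[\r\n {\r\n "AddressType": 0,\r\n "Address": "https://10.222.248.17",'
                     '\r\n "ReplyAddressClientType": 1\r\n }\r\n]'},
        {"Name": "DisplayName", "OldValue": "[]", "NewValue": '[\r\n "FSM"\r\n]'},
        {"Name": "Included Updated Properties", "OldValue": "",
         "NewValue": "AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess"},
    ],
})

# Constructed Audit.Exchange record (not from the guide): a delegate sends as the owner.
SAMPLE_EXCHANGE_LINE = PREFIX + json.dumps({
    "CreationTime": "2019-07-23T14:02:11",
    "Operation": "SendAs",
    "RecordType": 2,
    "ResultStatus": "Succeeded",
    "Workload": "Exchange",
    "LogonType": 2,
    "UserId": "assistant@my.example.org",
    "MailboxOwnerUPN": "ceo@my.example.org",
    "ClientIPAddress": "203.0.113.10",
})


if __name__ == "__main__":
    for line in (SAMPLE_AAD_LINE, SAMPLE_EXCHANGE_LINE):
        print(json.dumps(normalize(parse_fortisiem_line(line)), indent=2))
```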

Microsoft Office365 Audit

Microsoft Office 365 Audit

FortiSIEM Support added: 4.8.1

FortiSIEM last modification: 7.1.0

Vendor version tested: Not Provided

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/microsoft-365/business

Office 365 Management Activity API (manage.office.com)

The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, the following content types are supported:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.SharePoint

  • Audit.General (includes all other workloads not included in the previous content types)

  • DLP.All (DLP events only for all workloads)

For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.

An extensive list of Office 365 services are audited via this method, and service names can be seen by inspecting the “AuditLogRecordType” of this link: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

What is Discovered and Monitored

Office 365 Activity Type Operation
File and folder activities

Available via O365 Mgmt Activity API

Sharing and access request activities

Available via O365 Mgmt Activity API

Synchronization activities

Available via O365 Mgmt Activity API

Site administration activities

Available via O365 Mgmt Activity API

Exchange mailbox activities

Available via O365 Mgmt Activity API

User administration activities

Available via O365 Mgmt Activity API

Group administration activities

Available via O365 Mgmt Activity API

Application administration activities

Available via O365 Mgmt Activity API

Role administration activities

Available via O365 Mgmt Activity API

Directory administration activities

Available via O365 Mgmt Activity API

An extensive list of Office 365 services are audited via this method, and service names can be seen by inspecting the “AuditLogRecordType” at this link: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Rules and Reports

Rules

Navigate to Resources >Rules and search for "Office365:" in the main Search... field to see available rules.

The following are rules all generated via datasource : Office365 Mgmt Activity API. Note that the following are examples, and non-exhaustive.

  • Office365: Abnormal Logon Detected

  • Office365: Brute Force Login Attempts - Same Source

  • Office365: Brute Force Login Attempts - Same User

  • Office365: Brute Force Logon Success

  • Office365: Identity Protection Detected a Risky User or SignIn Activity

  • Office365: Strong Authentication Disabled for a User

  • Office365: Suspicious File Type Uploaded

Reports

Navigate to Resources > Reports and search for "Office365:" in the main Search... field to see available reports.

The following are reports all generated via datasource : Office365 Mgmt Activity API. Note that the following are examples, and non-exhaustive.

Office365: Top Entra ID Logons by Source

Office365: Top Entra ID Failed User Logon

Office365: Top Sharepoint Links Used

Office365: Top Sharepoint Secure Links Used by Source

Office365: Top Sharepoint Company Links Used by Source

Office365: Top Sharepoint Anonymous Links Used by Source

Office 365 Dashboard

The Office 365 Dashboard contains the following tabs:

Logon Audit

Object

Description

Data Source Microsoft Office365 Management Activity API - Collects both Entra ID (formerly Azure AD) logon events as well as Exchange mailbox logons.
Widgets Various mailbox and Entra ID logon success/failure activity reports.
Troubleshooting Ensure that mailbox auditing is enabled for every mailbox in your organization.
Sharepoint Audit

Object

Description

Data Source Microsoft Office365 Management Activity API
Widgets These are reports based on Sharepoint shared link activity primarily, others may be added in the future. Other Sharepoint reports are available.

Sensitivity Label Audit

This is only populated if you are using Microsoft MIP for Exchange to assign sensitivity labels to emails.

Object

Description

Data Source Microsoft Office365 Management Activity API
Reference Documents

https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-new-microsoft-information-protection-capabilities-to/ba-p/1999692

Enabling Mailbox Auditing

Note: The following is an excerpt of the article here.

Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged.

Here are some benefits of mailbox auditing on by default:

  • Auditing is automatically turned on when you create a new mailbox. You don't need to manually turn on mailbox auditing for new users.

  • You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each sign-in type (Admin, Delegate, and Owner).

  • When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This result means you don't need to add new actions on mailboxes as they're released.

  • You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes).

Key Note:

By default, only mailbox audit events for users with licenses that include Microsoft Purview Audit (Premium) are available in audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API. These licenses are described here. For brevity, this article will collectively refer to licenses that include Audit (Premium) as E5/A5/G5 licenses.

To verify that mailbox auditing on by default is turned on for your organization, run the following command in Exchange Online PowerShell:

Get-OrganizationConfig | Format-List AuditDisabled

The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes.

Supported Mailbox Types

The following mailbox types are supported by mailbox auditing on by default:

  • User mailboxes

  • Shared mailboxes

  • Microsoft 365 Group mailboxes

  • Resource mailboxes

  • Public folder mailboxes

Sign-in Types Information

  • Owner: The mailbox owner (the account that's associated with the mailbox).

  • Delegate:

    • A user who's been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.

    • An admin who's been assigned the FullAccess permission to a user's mailbox.

  • Admin:

    • The mailbox is searched with one of the following Microsoft eDiscovery tools:

      • Content Search in the compliance portal.

      • eDiscovery or eDiscovery (Premium) in the compliance portal.

      • In-Place eDiscovery in Exchange Online.

    • The mailbox is accessed by using the Microsoft Exchange Server MAPI Editor.

Mailbox Actions

Create
An item was created in the Calendar, Contacts, Draft, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder isn't audited.

FolderBind
A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. (24 hour delay)

HardDelete
A message was purged from the Recoverable Items folder.

MailboxLogin
The user signed into their mailbox. (owner only login)

MailItemsAccessed
Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).
Occurs when mail data is accessed by mail protocols and clients.

MessageBind
Note: This value is available only for users without E5/A5/G5 licenses.
A message was viewed in the preview pane or opened by an admin. (admin only activity, not delegate or owner)

Move
A message was moved to another folder.

MoveToDeletedItems
A message was deleted and moved to the Deleted Items folder.

RecordDelete
An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).

SearchQueryInitiated
Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).
A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.

Send
Note: This value is available only for users with E5/A5/G5 licenses. For more information, see Set up Microsoft Purview Audit (Premium).
The user sends an email message, replies to an email message, or forwards an email message. (Owner or Admin only, not delegate)

SendAs
A message was sent using the SendAs permission. This permission allows another user to send the message as though it came from the mailbox owner. (Admin or Delegate, Owner n/a)

SendOnBehalf (admin and delegate only)
A message was sent using the SendOnBehalf permission. This permission allows another user to send the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.

SoftDelete
A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.

Update
A message or any of its properties was changed.

UpdateCalendarDelegation
A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar.

UpdateComplianceTag
A retention label was updated.

UpdateFolderPermissions
A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.

UpdateInboxRules
An inbox rule was added, removed, or changed. Inbox rules process messages in the user's Inbox based on conditions. Actions specify what to do to messages that match the conditions of the rule. For example, move the message to a specified folder or delete the message.

Differences between SendAs and SendOnBehalf

SendAs: The recipient does not know who actually sent the message; it appears to come from the impersonated mailbox.

SendOnBehalf: The recipient sees the mailbox owner as the sender and also who actually sent the message.

Important:

If you customized the mailbox actions to audit before mailbox auditing on by default was turned on in your organization, the customized mailbox auditing settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the Restore the default mailbox actions section later in this article.

Setting up Mailbox Auditing Office 365

To set up mailbox auditing in Office 365, take the following steps.

  1. Log in to Exchange Online. (Note: Instructions differ slightly for GCC High and other government cloud organizations.)

  2. Run the following PowerShell command to connect:

    Connect-ExchangeOnline -UserPrincipalName navin@contoso.onmicrosoft.com

  3. For each mailbox you'd like to turn on auditing, run the following command:

    Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true

    • To enable auditing on every user mailbox in bulk, run:

      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
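The steps above turn auditing on but do not tell you whether it was already effective or whether someone has customised the audited actions (the case the Important note earlier warns about). The following script is an added example, not code from the FortiSIEM guide or from Microsoft: it connects, checks the organization-level switch described in Enabling Mailbox Auditing, reports each mailbox's audit status, flags mailboxes whose audited action list is no longer the Microsoft default, and optionally enables auditing where it is off. It assumes the ExchangeOnlineManagement module is installed; the admin UPN is a placeholder, and the DefaultAuditSet property and its interpretation come from Exchange Online rather than from this page.

```powershell
# Added example, not code from the FortiSIEM guide or from Microsoft.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account may run Get-OrganizationConfig, Get-Mailbox and Set-Mailbox.
param(
    [Parameter(Mandatory)] [string] $AdminUpn,   # e.g. admin@contoso.onmicrosoft.com (placeholder)
    [switch] $Fix                                 # also enable auditing where it is off
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Organization-wide switch. AuditDisabled = False means "mailbox auditing on by
#    default" is active, which overrides the per-mailbox AuditEnabled setting.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing on by default is DISABLED for this organization.'
} else {
    Write-Host 'Mailbox auditing on by default is enabled (AuditDisabled = False).'
}

# 2. Per-mailbox status for the mailbox types of interest. DefaultAuditSet lists the
#    sign-in types (Admin, Delegate, Owner) that still audit Microsoft's default action
#    list; a missing entry means that list was customised and the defaults described
#    above no longer apply to it (see the Important note).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Select-Object UserPrincipalName, AuditEnabled, DefaultAuditSet, AuditAdmin, AuditDelegate, AuditOwner

$mailboxes | Format-Table UserPrincipalName, AuditEnabled, DefaultAuditSet -AutoSize

foreach ($m in $mailboxes | Where-Object { @($_.DefaultAuditSet).Count -lt 3 }) {
    $detail = @($m.UserPrincipalName, (@($m.DefaultAuditSet) -join ','), (@($m.AuditOwner) -join ','))
    Write-Warning ('{0}: customised audit actions (DefaultAuditSet = {1}); Owner actions: {2}' -f $detail)
}

# 3. Optional remediation, limited to mailboxes that report AuditEnabled = False.
if ($Fix) {
    foreach ($m in $mailboxes | Where-Object { -not $_.AuditEnabled }) {
        Set-Mailbox -Identity $m.UserPrincipalName -AuditEnabled $true
        Write-Host "Enabled auditing on $($m.UserPrincipalName)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Fix to get the report, review any mailboxes flagged as customised (their audited actions will not match the tables in this section), and then rerun with -Fix if you want the per-mailbox flag set as in step 3 above.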

Key Note:

As previously mentioned, although mailbox audit logging on by default is turned on for all organizations, only users with licenses that include Audit (Premium) (collectively referred to in this article as E5/A5/G5 licenses) return mailbox audit log events in audit log searches in the Microsoft Purview compliance portal or via the Office 365 Management Activity API by default.

Mailbox Operations that require premium licenses (available only for users with E5/A5/G5 licenses):

SearchQueryInitiated
A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.

MailItemsAccessed
Occurs when mail data is accessed by mail protocols and clients.

MessageBind
A message was viewed in the preview pane or opened by an admin.

Send (see note below)
The user sends an email message, replies to an email message, or forwards an email message.

Note: Remember, an admin with Full Access permission to a mailbox is considered a delegate.

Mailbox Audit Operations that do not have auditing turned on by default:

Copy (Admin only)
A message was copied to another folder.

FolderBind (Admin and Delegate)
A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox.

MailboxLogin (Owner only)
The user signed into their mailbox.

MessageBind (Admin only)
A message was viewed in the preview pane or opened by an admin. (not applicable to E5/A5/G5 licenses)

Move
A message was moved to another folder.

RecordDelete
An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).

SearchQueryInitiated (Owner only)
A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.

UpdateComplianceTag
A retention label was updated.

Note: The MessageTrace API can provide overview information on mail sent and received, but it contains only metadata such as sender, recipient, and subject.

Configuration

Configuring Office 365 for Auditing

To configure Office 365 for auditing, take the following steps.

Create Office 365 Credential

  1. Login to the Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

Create New App Registration

  1. Click New registration.

  2. In the Name field, enter "FortiSIEM App".

  3. From Supported Account Types, select Accounts in this organizational directory only (<domain> only – single tenant).

  4. Leave the Redirect URI (optional) field blank.

  5. Click Register.

    After clicking Register, on the redirected page showing your registration details, note the following:

    • Application (Client) ID

    • Directory (Tenant) ID


Generate Secret Key

To generate a secret key, take the following steps:

  1. On the left hand toolbar, click Certificates and Secrets.

  2. Click New client secret.

  3. In the right side popup, enter the following information:

    • In the Description field, enter "FortiSIEM Secret Key".

    • From the Expires drop-down list, select 730 days (24 months) or your desired expiration.

      Note: You must update the key in FortiSIEM configuration BEFORE it expires by creating a new key before retiring the old one.

  4. Click Add.

  5. Record the new API Key secret value at the bottom of the page. You can only view this once, so store the information in a secure location for configuration later.

Configure API Permissions for Application Registration

  1. In the left pane, navigate to API permissions.

  2. Click Add a permission.

  3. Select Office 365 Management APIs.

  4. Click Application permissions and expand all.

  5. Select all permissions with "Read" access. (FortiSIEM only reads audit data, so no write permission is needed.)

  6. Click Add permissions.

    You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously.

Approve Permission Grants

For Sharepoint Permissions, take the following step:

Add permission > Sharepoint > Application Permissions > Sites.Read.All

For Graph API Permissions, take the following steps:

  1. Login to Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

  4. Select your app from the list if it is already defined.

  5. On the left hand toolbar, select API permissions.

  6. Select Microsoft Graph > Application permissions.

  7. Select the following permissions:

    • Reports.Read.All (Primary)

    • IdentityRiskEvent.Read.All

    • IdentityRiskyServicePrincipal.Read.All

    • IdentityRiskyUser.Read.All

    • SecurityEvents.Read.All

    • SecurityIncident.Read.All (Microsoft365 Defender APIs)

    • ThreatIndicators.Read.All

    • ThreatIntelligence.Read.All

    • User.Read.All

For Office 365 Reports API Permissions, take the following steps:

  1. Login to Azure Portal.

  2. Go to Microsoft Entra ID (Formerly Azure AD).

  3. On the left hand toolbar, select App registrations.

  4. Select your app from the list if it is already defined.

  5. On the left hand toolbar, select API permissions.

  6. Select the middle tab at the top labeled APIs my organization uses.

  7. In the search bar, enter "Office 365 Exchange Online" and select it (Note: It does not appear by default).

  8. Select Application Permissions.

  9. Locate the ReportingWebService drop-down list and select the permission ReportingWebService.Read.All.

  10. Make sure to click the Grant admin consent for <tenant> after saving.

Click Grant admin consent and select Yes when you see the prompt "Do you want to grant consent for the requested permissions for all accounts in your_organization?". This updates any existing admin consent records for this application to match what has been configured.

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description
Name Enter a name for the credential
Device Type Microsoft Office365
Access Protocol Office 365 Mgmt Activity API
Tenant ID The Directory (Tenant) ID noted in Step 5 of Create New App Registration (it is also the ID in the Azure login URL).
Password config

If you select Manual, take the following steps:

  1. For Client ID, use the Application (Client) ID noted in Step 5 of Create New App Registration.
  2. For Client Secret, use the secret value recorded in Step 5 of Generate Secret Key.

For CyberArk SDK credential method, see CyberArk SDK Password Configuration.

For CyberARK REST API credential method, see CyberArk REST API Password Configuration.

Authentication Endpoint

Enter the authentication endpoint. The Authentication Endpoint depends on the type of Office 365 environment you have:

  • Enterprise plan: login.windows.net

  • GCC government plan: login.microsoftonline.com

  • GCC High government plan: login.microsoftonline.us

  • DoD government plan: login.microsoftonline.us

Note: Do NOT include "https://" in the Authentication Endpoint URL field.

Authentication Protocol

Enter the token location. For example, /oauth2/token.

Organization The organization the device belongs to.
Description Description of the device.
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

  1. In Step 2: Enter IP Range to Credential Associations, if the organization has more than 1 collector, select the collector from the drop-down list that will do the API polling. If the organization has 1 or no collectors, there is no drop-down and you can proceed to the next step.
  2. Click New to create a new association.
    1. Select the name of the credential created in the Define Office 365 Management Credential from the Credentials drop-down list.
    2. In the IP/Host Name field, enter the API Endpoint that matches your Office 365 plan type. Your options are:
      • Enterprise plan: manage.office.com

      • GCC government plan: manage-gcc.office.com

      • GCC High government plan: manage.office365.us

      • DoD government plan: manage.protection.apps.mil

    3. Click Save.
  3. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping to start the polling. A pop up will appear and show the Test Connectivity results.
  4. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.
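A failed Test Connectivity does not say whether the token request, the API permissions, or the endpoint pairing is at fault. The following script is an added example, not FortiSIEM code, for checking those pieces from an admin workstation with the same values you enter in the credential: it requests a token from the Authentication Endpoint for the selected plan using the client-credentials flow that the /oauth2/token path refers to, then lists the Management Activity API subscriptions at the matching API Endpoint and reports which of the content types named at the top of this guide are not yet subscribed. The tenant ID, client ID, and client secret are placeholders you supply; the request format is the Azure AD v1 token endpoint and the documented subscriptions/list call, neither of which is described on this page.

```powershell
# Added example, not FortiSIEM code: confirm the app registration created above can
# obtain a token and reach the Management Activity API before relying on FortiSIEM's
# Test Connectivity. Assumes the Azure AD v1 client-credentials flow (/oauth2/token).
param(
    [Parameter(Mandatory)] [string] $TenantId,      # Directory (Tenant) ID (placeholder)
    [Parameter(Mandatory)] [string] $ClientId,      # Application (Client) ID (placeholder)
    [Parameter(Mandatory)] [string] $ClientSecret,  # client secret value (placeholder)
    [ValidateSet('Enterprise', 'GCC', 'GCCHigh', 'DoD')] [string] $Plan = 'Enterprise'
)

# Authentication endpoint and API endpoint pairs exactly as listed in the guide.
$endpoints = @{
    Enterprise = @{ Auth = 'login.windows.net';         Api = 'manage.office.com' }
    GCC        = @{ Auth = 'login.microsoftonline.com'; Api = 'manage-gcc.office.com' }
    GCCHigh    = @{ Auth = 'login.microsoftonline.us';  Api = 'manage.office365.us' }
    DoD        = @{ Auth = 'login.microsoftonline.us';  Api = 'manage.protection.apps.mil' }
}
$auth = $endpoints[$Plan].Auth
$api  = $endpoints[$Plan].Api

# FortiSIEM takes the bare host name in Authentication Endpoint and the token path
# (/oauth2/token) in Authentication Protocol; the https:// scheme is added here.
$tokenUrl = "https://$auth/$TenantId/oauth2/token"
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    resource      = "https://$api"     # v1 flow: the audience is the API host
}
try {
    $token = (Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $body).access_token
} catch {
    throw "Token request to $tokenUrl failed: $($_.Exception.Message)"
}
$headers = @{ Authorization = "Bearer $token" }

# A token alone does not prove the Office 365 Management APIs permissions were granted
# admin consent; listing subscriptions does. A 403 here usually means missing consent.
$listUrl = "https://$api/api/v1.0/$TenantId/activity/feed/subscriptions/list"
$subs = @(Invoke-RestMethod -Method Get -Uri $listUrl -Headers $headers)

$wanted = 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'Audit.General', 'DLP.All'
foreach ($ct in $wanted) {
    $s = $subs | Where-Object { $_.contentType -eq $ct }
    $status = if ($s) { $s.status } else { 'not subscribed' }
    '{0,-28} {1}' -f $ct, $status
}
# A content type reported as 'not subscribed' returns no content blobs until a
# subscription is started for it (POST .../subscriptions/start?contentType=<type>).
```

If the token request succeeds but the list call returns 403, go back to Approve Permission Grants and confirm admin consent was granted; if the token request itself fails, check that the plan's Authentication Endpoint and API Endpoint were paired as in the two lists above.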

Sample Events for Audit

[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"user@my.example.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507-a475-4ccb-b669-d66bc9f2a36e","Type":2},{"ID":"User_68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"User","Type":2}],"ActorContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019-07-23T13:16:05UTC","ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"actorObjectId","Value":"68d76168-813d-4b9f-88cd-37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"user@my.example.org"},{"Name":"actorAppID","Value":"18ed3507-a475-4ccb-b669-d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"targetObjectId","Value":"02232019-4557-45d6-9630-f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6-31d6-4fea-8d56-aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019-07-23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8-943a-42f3-b8ad-2ea3bc4bf927_00000000-0000-0000-0000-000000000000_17a913a8-943a-42f3-b8ad-2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO-AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],"Id":"fc12de96-0cbc-4618-9c8f-cc8ab7891e3b","ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8-fb2d-41aa-8841-90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"Application_02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],"TargetContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","TenantId":"653e32e8-fb2d-41aa-8841-90f05b340318","UserId":"user@my.example.org","UserKey":"10030000873CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}
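The sample above shows the two things that make Management Activity API records awkward to work with: ExtendedProperties and Target are Name/Value and ID/Type lists rather than objects, and the NewValue/OldValue strings inside ModifiedProperties are JSON encoded a second time (the \r\n sequences are inside the string). The following script is an added example, not FortiSIEM's own parsing logic; it loads a constructed, trimmed copy of that sample event and pulls out the fields an analyst would want to see for an "Add application." record. The field names follow the record above; the literal "<null>" handling reflects the sample, not a documented API contract.

```powershell
# Added example, not FortiSIEM code. The event below is a constructed, trimmed copy of
# the sample record above (same field names and values, fewer properties).
$raw = @'
{"Actor":[{"ID":"user@my.example.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507-a475-4ccb-b669-d66bc9f2a36e","Type":2},{"ID":"User","Type":2}],
 "ActorIpAddress":"<null>","ClientIP":"<null>","CreationTime":"2019-07-23T13:16:05UTC",
 "ExtendedProperties":[{"Name":"actorUPN","Value":"user@my.example.org"},{"Name":"actorAppID","Value":"18ed3507-a475-4ccb-b669-d66bc9f2a36e"},{"Name":"targetName","Value":"FSM"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"}],
 "Id":"fc12de96-0cbc-4618-9c8f-cc8ab7891e3b",
 "ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],
 "Operation":"Add application.","RecordType":8,"ResultStatus":"Success",
 "Target":[{"ID":"Application_02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],
 "UserId":"user@my.example.org","UserType":0,"Workload":"AzureActiveDirectory"}
'@

$e = $raw | ConvertFrom-Json

# ExtendedProperties is a list of {Name, Value} pairs; index it by name for lookups.
$ext = @{}
foreach ($p in $e.ExtendedProperties) { $ext[$p.Name] = $p.Value }

# ModifiedProperties values are JSON text inside a JSON string, so each NewValue that
# looks like JSON is parsed a second time. "Included Updated Properties" is plain text.
$changes = @{}
foreach ($m in $e.ModifiedProperties) {
    $text = ([string]$m.NewValue).TrimStart()
    $changes[$m.Name] = if ($text.StartsWith('[') -or $text.StartsWith('{')) {
        $text | ConvertFrom-Json
    } else {
        $text
    }
}

# "<null>" in the sample is a literal placeholder string, not JSON null.
$clientIp = if ($e.ClientIP -eq '<null>') { $null } else { $e.ClientIP }

[pscustomobject]@{
    Time         = $e.CreationTime
    Workload     = $e.Workload
    RecordType   = $e.RecordType
    Operation    = $e.Operation
    Result       = $e.ResultStatus
    Actor        = $e.UserId
    ActorAppId   = $ext['actorAppID']
    Category     = $ext['auditEventCategory']
    TargetApp    = ($e.Target | Where-Object Type -eq 1).ID      # Type 1 entry is the display name
    NewReplyUrls = (@($changes['AppAddress']) | ForEach-Object Address) -join ','
    ResourceIds  = (@($changes['RequiredResourceAccess']) | ForEach-Object ResourceAppId) -join ','
    ClientIP     = $clientIp
} | Format-List
```

For this record the output shows the new application's reply URL (https://10.222.248.17) and the resource it was granted access to (00000003-0000-0000-c000-000000000000, the Microsoft Graph application ID in the sample), which are the details worth keeping when the "Add application." operation is turned into a FortiSIEM rule or report.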