Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Microsoft Office 365 Audit

FortiSIEM Support added: 4.8.1

FortiSIEM last modification: 6.3.0

Vendor version tested: Not Provided

 

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/microsoft-365/business

 

What is Discovered and Monitored

Office 365 Activity Type Operation
File and folder activities

FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted,FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded

Sharing and access request activities

AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities

ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial

Site administration activities

ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox activities

Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin

Sway activities

SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView

User administration activities

Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user

Group administration activities

Add group, Add member to group, Delete group, Remove member from group, Update group

Application administration activities

Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry

Role administration activities

Add role member to role, Remove role member from role, Set company contact information

Directory administration activities

Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types associated with Office 365.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Office365" in the main content panel Search... field.

Configuration in Office 365 Audit

Enable Office 365 Audit Log Search

To be able to search audit logs, you must first enable Office 365 audit log search. For instructions on how to enable audit log search, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off.

To use the Office 365 Management Activity API to access auditing data for your organization, you must enable audit log search in the Security & Compliance Center.

If you do not enable audit log search, you cannot access auditing data for your organization.

Before you can enable or disable audit log search for your Microsoft 365 organization, you must be assigned the Audit Logs role in the Exchange admin center.

Follow these steps to assign the Audit Logs role and enable audit log search for your organization.

  1. Log in to Microsoft Office Online: https://login.microsoftonline.com.
  2. Click Admin > Security & compliance.

  3. Click Exchange admin center.

    If you receive the following alert, you must enable Office 365 Exchange Online before proceeding. In this case, go to Step 4. Otherwise, go to Step 6.

  4. Click Admin > Purchase services.

  5. Select one of Microsoft 365 services. In this example, Microsoft 365 Business Premium Trial is selected.

  6. Click Admin > Security & compliance > Exchange admin center.

  7. Click Exchange admin center > permissions > admin roles > New to create a new role.

  8. Select Audit Logs Roles and add the members you want to add the group. Click Save.

  9. The Audit Log role will display in the Exchange admin center > permissions > admin roles table.

  10. Go back to the Microsoft 365 Admin center.
  11. Click Security & compliance > Report dashboard.

    When you first go into this page, it will ask you to enable Audit log. After you enable it, the page will display the Search button.

Create the Office 365 API Credential

Follow these steps to create the Office 365 API credential.

  1. Login to https://portal.azure.com.
  2. Click All Services.
  3. Click Azure Active Directory.
  4. Click App Registrations (on the right panel).
  5. Click New registration and enter the following information:

    Name: FSM

    Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

    Redirect URI: https://your.internal.fsm.ip

  6. Click Register:

    Copy the Application (client) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM.

    Copy the Directory (tenant) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM.

  7. Click Certificates & secrets (on the right panel).
  8. New client secret:

    Description: FSM

    Expires in: 2 years

    Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You will need this value when entering Office 365 Credentials in FortiSIEM.

  9. Go to API permissions (left panel).
  10. Click Add a permission.
  11. Select Office 365 Management APIs.
  12. Click Application permissions and expand all.
  13. Select all permissions with "Read" access (we don't want to write). Click Add permissions.

    You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously.

    We'll need to approve all these permission grants.

  14. Click grant admin consent and select Yes when you see the Do you want to grant consent for the requested permissions for all accounts in your_organization? alert. This will update any existing admin consent records this application already has to match what is listed below.

 

Sample API Permission

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description
Name Enter a name for the credential
Device Type Microsoft Office365
Access Protocol Office 365 Mgmt Activity API
Tenant ID Use the ID from Azure Login URL. See Step 5 in Create Office 365 API Credential.
Password config

If you select Manual, take the following steps:

  1. For Client ID, use the value obtained in Step 5 in Create Office 365 API Credential.
  2. For Client Secret, use the value obtained in Step 7 in Create Office 365 API Credential.

For CyberArk SDK credential method, see CyberArk SDK Password Configuration.

For CyberARK REST API credential method, see CyberArk REST API Password Configuration.

Authentication Endpoint

Enter the authentication endpoint. The Authentication Endpoint depends on the type of Office 365 environment you have:

  • Enterprise plan: login.windows.net

  • GCC government plan: login.microsoftonline.com

  • GCC High government plan: login.microsoftonline.us

  • DoD government plan: login.microsoftonline.us

Note: Do NOT include "https://" in the Authentication Endpoint URL field.

Authentication Protocol

Enter the token location. For example, /oauth2/token.

Organization The organization the device belongs to.
Description Description of the device.
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

  1. In Step 2: Enter IP Range to Credential Associations, click New to create a new association.
    1. Select the name of the credential created in the Define Office 365 Management Credential from the Credentials drop-down list.
    2. In the IP/Host Name field, enter the API Endpoint based off your Office 365 plan type. Your options are:
      • Enterprise plan: manage.office.com

      • GCC government plan: manage-gcc.office.com

      • GCC High government plan: manage.office365.us

      • DoD government plan: manage.protection.apps.mil

    3. Click Save.
  2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping to start the polling. A pop up will appear and show the Test Connectivity results.
  3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.

 

Sample Events for Audit

[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"dtomic@my.company.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e","Type":2},{"ID":"User_68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"User","Type":2}],"ActorContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019‑07‑23T13:16:05UTC","ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"actorObjectId","Value":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"dtomic@my.company.org"},{"Name":"actorAppID","Value":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"targetObjectId","Value":"02232019‑4557‑45d6‑9630‑f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6‑31d6‑4fea‑8d56‑aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019‑07‑23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927_00000000‑0000‑0000‑0000‑000000000000_17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO‑AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],"Id":"fc12de96‑0cbc‑4618‑9c8f‑cc8ab7891e3b","ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da‑dbcc‑4506‑ba57‑a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003‑0000‑0000‑c000‑000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8‑ba31‑4d61‑89e7‑88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"Application_02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],"TargetContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","TenantId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","UserId":"dtomic@my.company.org","UserKey":"10030000873CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}

Microsoft Office 365 Audit

FortiSIEM Support added: 4.8.1

FortiSIEM last modification: 6.3.0

Vendor version tested: Not Provided

 

Vendor: Microsoft

Product Information: https://www.microsoft.com/en-us/microsoft-365/business

 

What is Discovered and Monitored

Office 365 Activity Type Operation
File and folder activities

FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted,FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded

Sharing and access request activities

AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities

ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial

Site administration activities

ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox activities

Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin

Sway activities

SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView

User administration activities

Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user

Group administration activities

Add group, Add member to group, Delete group, Remove member from group, Update group

Application administration activities

Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry

Role administration activities

Add role member to role, Remove role member from role, Set company contact information

Directory administration activities

Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types associated with Office 365.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Office365" in the main content panel Search... field.

Configuration in Office 365 Audit

Enable Office 365 Audit Log Search

To be able to search audit logs, you must first enable Office 365 audit log search. For instructions on how to enable audit log search, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off.

To use the Office 365 Management Activity API to access auditing data for your organization, you must enable audit log search in the Security & Compliance Center.

If you do not enable audit log search, you cannot access auditing data for your organization.

Before you can enable or disable audit log search for your Microsoft 365 organization, you must be assigned the Audit Logs role in the Exchange admin center.

Follow these steps to assign the Audit Logs role and enable audit log search for your organization.

  1. Log in to Microsoft Office Online: https://login.microsoftonline.com.
  2. Click Admin > Security & compliance.

  3. Click Exchange admin center.

    If you receive the following alert, you must enable Office 365 Exchange Online before proceeding. In this case, go to Step 4. Otherwise, go to Step 6.

  4. Click Admin > Purchase services.

  5. Select one of Microsoft 365 services. In this example, Microsoft 365 Business Premium Trial is selected.

  6. Click Admin > Security & compliance > Exchange admin center.

  7. Click Exchange admin center > permissions > admin roles > New to create a new role.

  8. Select Audit Logs Roles and add the members you want to add the group. Click Save.

  9. The Audit Log role will display in the Exchange admin center > permissions > admin roles table.

  10. Go back to the Microsoft 365 Admin center.
  11. Click Security & compliance > Report dashboard.

    When you first go into this page, it will ask you to enable Audit log. After you enable it, the page will display the Search button.

Create the Office 365 API Credential

Follow these steps to create the Office 365 API credential.

  1. Login to https://portal.azure.com.
  2. Click All Services.
  3. Click Azure Active Directory.
  4. Click App Registrations (on the right panel).
  5. Click New registration and enter the following information:

    Name: FSM

    Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).

    Redirect URI: https://your.internal.fsm.ip

  6. Click Register:

    Copy the Application (client) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM.

    Copy the Directory (tenant) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM.

  7. Click Certificates & secrets (on the right panel).
  8. New client secret:

    Description: FSM

    Expires in: 2 years

    Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You will need this value when entering Office 365 Credentials in FortiSIEM.

  9. Go to API permissions (left panel).
  10. Click Add a permission.
  11. Select Office 365 Management APIs.
  12. Click Application permissions and expand all.
  13. Select all permissions with "Read" access (we don't want to write). Click Add permissions.

    You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously.

    We'll need to approve all these permission grants.

  14. Click grant admin consent and select Yes when you see the Do you want to grant consent for the requested permissions for all accounts in your_organization? alert. This will update any existing admin consent records this application already has to match what is listed below.

 

Sample API Permission

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
Settings Description
Name Enter a name for the credential
Device Type Microsoft Office365
Access Protocol Office 365 Mgmt Activity API
Tenant ID Use the ID from Azure Login URL. See Step 5 in Create Office 365 API Credential.
Password config

If you select Manual, take the following steps:

  1. For Client ID, use the value obtained in Step 5 in Create Office 365 API Credential.
  2. For Client Secret, use the value obtained in Step 7 in Create Office 365 API Credential.

For CyberArk SDK credential method, see CyberArk SDK Password Configuration.

For CyberARK REST API credential method, see CyberArk REST API Password Configuration.

Authentication Endpoint

Enter the authentication endpoint. The Authentication Endpoint depends on the type of Office 365 environment you have:

  • Enterprise plan: login.windows.net

  • GCC government plan: login.microsoftonline.com

  • GCC High government plan: login.microsoftonline.us

  • DoD government plan: login.microsoftonline.us

Note: Do NOT include "https://" in the Authentication Endpoint URL field.

Authentication Protocol

Enter the token location. For example, /oauth2/token.

Organization The organization the device belongs to.
Description Description of the device.
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

  1. In Step 2: Enter IP Range to Credential Associations, click New to create a new association.
    1. Select the name of the credential created in the Define Office 365 Management Credential from the Credentials drop-down list.
    2. In the IP/Host Name field, enter the API Endpoint based off your Office 365 plan type. Your options are:
      • Enterprise plan: manage.office.com

      • GCC government plan: manage-gcc.office.com

      • GCC High government plan: manage.office365.us

      • DoD government plan: manage.protection.apps.mil

    3. Click Save.
  2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping to start the polling. A pop up will appear and show the Test Connectivity results.
  3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.

 

Sample Events for Audit

[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"dtomic@my.company.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e","Type":2},{"ID":"User_68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"User","Type":2}],"ActorContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019‑07‑23T13:16:05UTC","ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"actorObjectId","Value":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"dtomic@my.company.org"},{"Name":"actorAppID","Value":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"targetObjectId","Value":"02232019‑4557‑45d6‑9630‑f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6‑31d6‑4fea‑8d56‑aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019‑07‑23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927_00000000‑0000‑0000‑0000‑000000000000_17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO‑AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],"Id":"fc12de96‑0cbc‑4618‑9c8f‑cc8ab7891e3b","ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da‑dbcc‑4506‑ba57‑a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003‑0000‑0000‑c000‑000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8‑ba31‑4d61‑89e7‑88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"Application_02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],"TargetContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","TenantId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","UserId":"dtomic@my.company.org","UserKey":"10030000873CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}