Office 365

Background

The Office365 Servers logs analysis App automatically collects, reads, parses, analyzes, and reports on all machine-generated log data of the server and presents a comprehensive set of graphs and reports for analyzing that data. Use a predefined set of dashboards and widgets to visualize and address the system software, code written, and infrastructure during development, testing, and production. This Office365 logs analysis App helps measure, troubleshoot, and optimize your server's integrity, stability and quality with its several visualization and investigation dashboards.

Steps:

  1. The office365 App runs on the Office 365 audit log.
    To export it, go to Office365 Admin Console->Reports->Security & compliance-> Search & Investigation -> Audit log search and then press the 'Download all results' button.
    When adding/editing the logs in XpoLog it is mandatory to apply the correct log type(s) to each of the logs:

    1. office365 - all logs that the application will analyze must have office365 as their log type

  2. Once the required information is set, click Next on each log and edit the log pattern; this step is crucial to the accuracy and deployment of the office365 App. Use the following patterns for each of the logs:

    1.  audit.CSV log:
      {date:Date,yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'},{string:UserIds,ftype=username;,},{string:Operation,ftype=eventName;,}{regexp:CreationTime,refName=AuditData,""CreationTime"":""([^"]+).*}{regexp:Id,ftype=auditid;refName=AuditData,""Id"":""([^"]+).*}{regexp:OrganizationId,refName=AuditData,""OrganizationId"":""([^"]+).*}{regexp:RecordType,refName=AuditData,""RecordType"":([^,]+).*}{regexp:ResultStatus,ftype=status;refName=AuditData,""ResultStatus"":""([^"]+).*}{regexp:UserKey,refName=AuditData,""UserKey"":""([^"]+).*}{regexp:UserType,ftype=usertype;refName=AuditData,""UserType"":([^,]+).*}{regexp:Version,ftype=version;refName=AuditData,""Version"":([^,]+).*}{regexp:Workload,ftype=workload;refName=AuditData,""Workload"":""([^"]+).*}{regexp:ObjectId,ftype=objectid;refName=AuditData,""ObjectId"":""([^"]+).*}{regexp:ClientIP,ftype=sourceip;refName=AuditData,(""ClientIP"":""\u005B|""ClientIP"":"")[XPLG_PARAM([^\u005D"]+)].*}{regexp:AzureActiveDirectoryEventType,refName=AuditData,""AzureActiveDirectoryEventType"":([^,]+).*}{regexp:ExternalAccess,refName=AuditData,""ExternalAccess"":([^,]+).*}{regexp:OrganizationName,refName=AuditData,""OrganizationName"":""([^"]+).*}{regexp:OriginatingServer,refName=AuditData,""OriginatingServer"":""([^"]+).*}{regexp:Client,refName=AuditData,""Client"":""([^"]+).*}{regexp:LoginStatus,refName=AuditData,""LoginStatus"":([^,]+).*}{regexp:UserDomain,ftype=domain;refName=AuditData,""UserDomain"":""([^"]+).*},"{string:AuditData}
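The pattern above pulls its fields out of the AuditData column, which is a JSON document embedded in the CSV export (with its quotes doubled, as the ""Key"":""value"" fragments show), and it strips the square brackets from a ClientIP written as "[address]:port". The following Python script is an added example, not part of the XpoLog app or of this page, that performs the same extraction on a constructed two-row audit export so you can check what each field of the pattern yields before loading the real file. The CSV header names CreationDate, UserIds, Operations and AuditData, the sample values, and the small failed-login summary at the end are assumptions made for the example; the field list mirrors the regexp names in the pattern.

```python
import csv
import io
import json
from datetime import datetime

# Constructed sample of an Office 365 audit log CSV export (not real data).
# The column order follows the page's pattern: date, UserIds, Operation,
# AuditData. AuditData is a JSON document quoted as a CSV field, so every
# quote inside it appears doubled, exactly as in the XpoLog pattern.
SAMPLE_CSV = (
    'CreationDate,UserIds,Operations,AuditData\n'
    '2023-01-15T08:12:45.000000Z,alice@example.com,UserLoggedIn,'
    '"{""CreationTime"":""2023-01-15T08:12:45"",'
    '""Id"":""00000000-0000-0000-0000-000000000001"",'
    '""Operation"":""UserLoggedIn"",'
    '""OrganizationId"":""11111111-1111-1111-1111-111111111111"",'
    '""RecordType"":15,""ResultStatus"":""Succeeded"",'
    '""UserKey"":""10032000ABCDEF01"",""UserType"":0,""Version"":1,'
    '""Workload"":""AzureActiveDirectory"",""ClientIP"":""203.0.113.10"",'
    '""ObjectId"":""Unknown"",""AzureActiveDirectoryEventType"":1,'
    '""LoginStatus"":0}"\n'
    '2023-01-15T08:13:02.000000Z,bob@example.com,UserLoginFailed,'
    '"{""CreationTime"":""2023-01-15T08:13:02"",'
    '""Id"":""00000000-0000-0000-0000-000000000002"",'
    '""Operation"":""UserLoginFailed"",'
    '""OrganizationId"":""11111111-1111-1111-1111-111111111111"",'
    '""RecordType"":15,""ResultStatus"":""Failed"",'
    '""UserKey"":""10032000ABCDEF02"",""UserType"":0,""Version"":1,'
    '""Workload"":""AzureActiveDirectory"",""ClientIP"":""[2001:db8::1]:443"",'
    '""ObjectId"":""Unknown"",""AzureActiveDirectoryEventType"":1,'
    '""LoginStatus"":1}"\n'
)

# The AuditData keys named by the regexp fields of the page's pattern.
AUDIT_FIELDS = [
    "CreationTime", "Id", "OrganizationId", "RecordType", "ResultStatus",
    "UserKey", "UserType", "Version", "Workload", "ObjectId", "ClientIP",
    "AzureActiveDirectoryEventType", "ExternalAccess", "OrganizationName",
    "OriginatingServer", "Client", "LoginStatus", "UserDomain",
]


def normalize_client_ip(raw):
    """Mirror the pattern's ClientIP rule: if the value starts with '[',
    keep only the text up to the closing ']' (an IPv6 address with a port);
    otherwise keep the value as-is."""
    if raw is None:
        return None
    if raw.startswith("["):
        end = raw.find("]")
        return raw[1:end] if end > 0 else raw[1:]
    return raw


def parse_audit_export(csv_text):
    """Parse the CSV export into one flat dict per event, decoding the
    embedded AuditData JSON instead of regexp-matching it."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            audit = json.loads(row["AuditData"])
        except (KeyError, json.JSONDecodeError):
            # One malformed AuditData cell should not abort the whole import.
            continue
        event = {
            # Same timestamp layout the pattern's date field declares.
            "date": datetime.strptime(row["CreationDate"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "UserIds": row["UserIds"],
            "Operation": row["Operations"],
        }
        for name in AUDIT_FIELDS:
            event[name] = audit.get(name)  # absent keys become None
        event["ClientIP"] = normalize_client_ip(audit.get("ClientIP"))
        events.append(event)
    return events


def failed_logins_by_ip(events):
    """Count events whose ResultStatus is 'Failed' per normalized ClientIP,
    the kind of aggregation a status/sourceip dashboard is built on."""
    counts = {}
    for event in events:
        if event["ResultStatus"] == "Failed":
            counts[event["ClientIP"]] = counts.get(event["ClientIP"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_audit_export(SAMPLE_CSV)
    for event in parsed:
        print(event["date"], event["UserIds"], event["Operation"],
              event["ResultStatus"], event["ClientIP"])
    print(failed_logins_by_ip(parsed))
```

Decoding AuditData as JSON rather than with per-field regexps is the more robust route if you pre-process the export outside XpoLog: the regexps in the pattern stop at the first quote or comma, so a value containing an escaped quote or a comma would be truncated, whereas json.loads returns it whole. Either way, the bracket handling for ClientIP is worth keeping, since IPv6 client addresses arrive as "[address]:port" and would otherwise be counted as distinct sources per port.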