Sumo Logic

Collect Logs for the Office 365 App

This page provides instructions for configuring log collection for the Microsoft Office 365 App, and includes sample log messages and queries.

To collect logs for the Microsoft Office 365 App, configure the following:
  1. One Hosted Collector.
  2. One Microsoft Office 365 Audit Source for each content type you want to collect logs for, for example:
    • Office 365 Azure AD logs
    • Office 365 Exchange logs
    • Office 365 SharePoint logs
    • Office 365 General logs
    • Office 365 Data Loss Prevention (DLP) event logs

For complete details, see Microsoft Office 365 Audit Source.

We recommend the following Source Category naming convention:

  • Azure AD: O365/Azure
  • Exchange: O365/Exchange
  • SharePoint: O365/SharePoint
  • General: O365/General
  • DLP: O365/DLP

Sample Log Messages

{  
   "ClientIP":"62.68.137.155",
   "CreationTime":"2017-09-25T22:42:35",
   "Id":"9605876a-1c37-4337-ecbc-08d2409e6e9a",
   "Operation":"FileCopied",
   "OrganizationId":"fa0f55b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":6,
   "UserKey":"i:0h.f|membership|10890000801fe866@live.com",
   "UserType":4,
   "Workload":"SharePoint",
   "ObjectId":"partner.acme.com/shared documents/foo/PurchaseOrder.xls",
   "UserId":"samir@acme.sharepoint.net",
   "EventSource":"SharePoint",
   "ItemType":"Folder",
   "Site":"7520eb33-0a76-4dfc-a56e-a835bb541aa0",
   "UserAgent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3)",
   "DestinationFileName":"PurchaseOrder.xls",
   "DestinationRelativeUrl":"/my library/",
   "SiteUrl":"partner.acme.com",
   "SourceFileExtension":".xls",
   "SourceFileName":"PurchaseOrder.xls",
   "SourceRelativeUrl":"/shared documents/foo"
}

{  
   "CreationTime":"2017-09-25T22:37:35",
   "Id":"0df04c72-d3e1-4016-70ab-09f3333de0ca",
   "Operation":"FolderBind",
   "OrganizationId":"fa0f27b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":2,
   "ResultStatus":"Succeeded",
   "UserKey":"10037FFE8EDD1D69",
   "UserType":2,
   "Workload":"Exchange",
   "UserId":"",
   "ClientIPAddress":"146.139.54.184",
   "ClientInfoString":"Client=WebServices;10.5.2.0ES10;",
   "ExternalAccess":false,
   "InternalLogonType":0,
   "LogonType":1,
   "LogonUserSid":"S-1-5-21-802669544-745651041-3938370137-2862061",
   "MailboxGuid":"6f541602-34c4-4846-9d98-40ce28ff6dc2",
   "MailboxOwnerSid":"S-1-5-21-802669544-745651041-3938370137-2707171",
   "MailboxOwnerUPN":"john@acme.com",
   "OrganizationName":"ACME.com",
   "OriginatingServer":"BLUPR02MB327 (15.02.0396.020)\r\n",
   "Item":{  
      "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
      "ParentFolder":{  
         "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
         "Path":"\\Recoverable Items\\Deletions"
      }
   }
}

Query Samples

SharePoint Operations

_sourceCategory=O365* CreationTime Workload ("\"Workload\":\"SharePoint\"" or "\"Workload\":\"OneDrive\"")
| json "Operation", "Workload"
| where Workload in ("SharePoint", "OneDrive")
| timeslice by 1h
| count _timeslice, operation
| transpose row _timeslice column operation

Failed Activity by Workload

_sourceCategory=O365* Workload Operation "ResultStatus" fail* 
| json "Workload", "ResultStatus", "Operation" 
| where resultstatus matches "*fail*" or resultstatus matches "*Fail*"
| timeslice 1h
| count _timeslice, workload 
| transpose row _timeslice column workload
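The two queries above are easier to reason about (and to test before they run against a live index) when the same logic is written out over the raw JSON records. The following Python script is an added example, not Sumo Logic's code or part of the Office 365 App: it takes the two sample log messages from this page (trimmed to the fields the queries use) plus four constructed records, marked as such, and implements "SharePoint Operations" and "Failed Activity by Workload" as plain functions, ending with the same row-per-timeslice layout that `transpose` produces. Two details a practitioner should keep in mind are built in: Office 365 audit `CreationTime` values are UTC but carry no zone suffix, so the code attaches UTC before bucketing, and the failed-activity query only sees records that carry a `ResultStatus` field at all, which SharePoint file operations (like the first sample) do not, so it is not a count of every failure across workloads.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# The first two records are this page's sample log messages, trimmed to the
# fields the queries use. The remaining four are constructed for this example
# so that both queries produce rows; they are not real tenant data.
SAMPLE_RECORDS = [
    {"CreationTime": "2017-09-25T22:42:35", "Id": "9605876a-1c37-4337-ecbc-08d2409e6e9a",
     "Operation": "FileCopied", "RecordType": 6, "Workload": "SharePoint",
     "UserId": "samir@acme.sharepoint.net"},
    {"CreationTime": "2017-09-25T22:37:35", "Id": "0df04c72-d3e1-4016-70ab-09f3333de0ca",
     "Operation": "FolderBind", "RecordType": 2, "ResultStatus": "Succeeded",
     "Workload": "Exchange", "UserId": "", "MailboxOwnerUPN": "john@acme.com"},
    # constructed: a OneDrive download in the same hour as the SharePoint copy
    {"CreationTime": "2017-09-25T22:50:10", "Id": "c0000001", "Operation": "FileDownloaded",
     "RecordType": 6, "Workload": "OneDrive", "UserId": "samir@acme.sharepoint.net"},
    # constructed: a SharePoint copy in the following hour
    {"CreationTime": "2017-09-25T23:05:00", "Id": "c0000002", "Operation": "FileCopied",
     "RecordType": 6, "Workload": "SharePoint", "UserId": "samir@acme.sharepoint.net"},
    # constructed: a failed Exchange mailbox login
    {"CreationTime": "2017-09-25T22:41:00", "Id": "c0000003", "Operation": "MailboxLogin",
     "RecordType": 2, "ResultStatus": "Failed", "Workload": "Exchange", "UserId": "john@acme.com"},
    # constructed: a failed Azure AD sign-in
    {"CreationTime": "2017-09-25T23:10:00", "Id": "c0000004", "Operation": "UserLoginFailed",
     "RecordType": 15, "ResultStatus": "Failed", "Workload": "AzureActiveDirectory",
     "UserId": "john@acme.com"},
]
# The Audit Source delivers one JSON object per message; emulate that shape.
LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def timeslice(record: dict, hours: int = 1) -> str:
    """Bucket CreationTime the way `timeslice 1h` does. Office 365 audit
    timestamps are UTC without a zone suffix, so attach UTC explicitly."""
    ts = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    bucket_hour = ts.hour - (ts.hour % hours)
    return ts.replace(hour=bucket_hour, minute=0, second=0, microsecond=0).isoformat()


def _count_by(lines, keep, column):
    """Shared core of both queries: parse each line, keep matching records,
    and count them per (timeslice, value of `column`)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        record = json.loads(line)
        if keep(record):
            counts[timeslice(record)][record[column]] += 1
    return {ts: dict(cols) for ts, cols in counts.items()}


def sharepoint_operations(lines):
    """'SharePoint Operations': SharePoint and OneDrive records, counted per
    hour and Operation (the `where Workload in (...)` clause of the query)."""
    return _count_by(lines, lambda r: r.get("Workload") in ("SharePoint", "OneDrive"), "Operation")


def failed_activity_by_workload(lines):
    """'Failed Activity by Workload': records whose ResultStatus contains
    'fail' in any casing (the query spells out *fail* and *Fail*), counted per
    hour and Workload. Records with no ResultStatus never match."""
    return _count_by(lines, lambda r: "fail" in str(r.get("ResultStatus", "")).lower(), "Workload")


def transpose(counts):
    """Mimic `transpose row _timeslice column <field>`: one row per timeslice,
    one column per distinct field value. Sumo leaves absent cells empty; this
    example fills them with 0."""
    columns = sorted({c for per_slice in counts.values() for c in per_slice})
    header = ["_timeslice"] + columns
    rows = [[ts] + [counts[ts].get(c, 0) for c in columns] for ts in sorted(counts)]
    return header, rows


if __name__ == "__main__":
    for name, query in (("SharePoint Operations", sharepoint_operations),
                        ("Failed Activity by Workload", failed_activity_by_workload)):
        header, rows = transpose(query(LOG_LINES))
        print(name)
        print("\t".join(header))
        for row in rows:
            print("\t".join(str(cell) for cell in row))
```

Running the script prints both result tables. The second sample message (Exchange `FolderBind`, `ResultStatus` of `Succeeded`) is kept out of both tables, and the empty `UserId` it carries is a reminder that Exchange records sometimes identify the actor only through `UserKey`, `LogonUserSid` or `MailboxOwnerUPN`, so queries that group on `UserId` alone can drop such events.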