Sumo Logic

Collect Logs for Office 365

To collect logs for the Sumo Logic App for Microsoft Office 365, configure the following:

  1. One Hosted Collector.
  2. One Microsoft Office 365 Audit Source for each content type you want to collect logs for. For example:
    • Azure AD
    • Exchange
    • SharePoint

For complete details, see Microsoft Office 365 Audit Source.

We recommend the following Source Category naming convention:

  • SharePoint: O365/SharePoint
  • Exchange: O365/Exchange
  • Azure AD: O365/Azure

Sample Log Messages

{  
   "ClientIP":"62.68.137.155",
   "CreationTime":"2017-09-25T22:42:35",
   "Id":"9605876a-1c37-4337-ecbc-08d2409e6e9a",
   "Operation":"FileCopied",
   "OrganizationId":"fa0f55b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":6,
   "UserKey":"i:0h.f|membership|10890000801fe866@live.com",
   "UserType":4,
   "Workload":"SharePoint",
   "ObjectId":"partner.acme.com/shared documents/foo/PurchaseOrder.xls",
   "UserId":"samir@acme.sharepoint.net",
   "EventSource":"SharePoint",
   "ItemType":"Folder",
   "Site":"7520eb33-0a76-4dfc-a56e-a835bb541aa0",
   "UserAgent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3)",
   "DestinationFileName":"PurchaseOrder.xls",
   "DestinationRelativeUrl":"/my library/",
   "SiteUrl":"partner.acme.com",
   "SourceFileExtension":".xls",
   "SourceFileName":"PurchaseOrder.xls",
   "SourceRelativeUrl":"/shared documents/foo"
}

{  
   "CreationTime":"2017-09-25T22:37:35",
   "Id":"0df04c72-d3e1-4016-70ab-09f3333de0ca",
   "Operation":"FolderBind",
   "OrganizationId":"fa0f27b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":2,
   "ResultStatus":"Succeeded",
   "UserKey":"10037FFE8EDD1D69",
   "UserType":2,
   "Workload":"Exchange",
   "UserId":"",
   "ClientIPAddress":"146.139.54.184",
   "ClientInfoString":"Client=WebServices;10.5.2.0ES10;",
   "ExternalAccess":false,
   "InternalLogonType":0,
   "LogonType":1,
   "LogonUserSid":"S-1-5-21-802669544-745651041-3938370137-2862061",
   "MailboxGuid":"6f541602-34c4-4846-9d98-40ce28ff6dc2",
   "MailboxOwnerSid":"S-1-5-21-802669544-745651041-3938370137-2707171",
   "MailboxOwnerUPN":"john@acme.com",
   "OrganizationName":"ACME.com",
   "OriginatingServer":"BLUPR02MB327 (15.02.0396.020)\r\n",
   "Item":{  
      "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
      "ParentFolder":{  
         "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
         "Path":"\\Recoverable Items\\Deletions"
      }
   }
}

Query Samples

SharePoint Operations

_sourceCategory=O365* CreationTime Workload ("\"Workload\":\"SharePoint\"" or "\"Workload\":\"OneDrive\"")
| json "Operation", "Workload"
| where Workload in ("SharePoint", "OneDrive")
| timeslice by 1h
| count _timeslice, operation
| transpose row _timeslice column operation

Failed Activity by Workload

_sourceCategory=O365* Workload Operation "ResultStatus" fail* 
| json "Workload", "ResultStatus", "Operation" 
| where resultstatus matches "*fail*" or resultstatus matches "*Fail*"
| timeslice 1h
| count _timeslice, workload 
| transpose row _timeslice column workload
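The two query samples above (SharePoint Operations and Failed Activity by Workload) can be checked offline against raw audit records before they are wired into a dashboard. The following Python is an added example written for this page, not Sumo Logic's or Microsoft's code: it re-implements both aggregations over a handful of records. The records are constructed for the example; the first two are trimmed copies of the page's own SharePoint and Exchange samples, the rest (a OneDrive download, a second SharePoint copy, a failed Azure AD sign-in, a partially succeeded Exchange logon, and one non-JSON line) are made up to exercise the filters. It assumes CreationTime is UTC, which is what the Office 365 Management Activity API emits.

```python
"""Offline check of the two Sumo Logic query samples for Office 365 audit records."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed input: trimmed page samples plus made-up records (see lead-in).
SAMPLE_RECORDS = [
    '{"CreationTime":"2017-09-25T22:42:35","Operation":"FileCopied","Workload":"SharePoint"}',
    '{"CreationTime":"2017-09-25T22:37:35","Operation":"FolderBind","Workload":"Exchange",'
    '"ResultStatus":"Succeeded"}',
    '{"CreationTime":"2017-09-25T23:05:10","Operation":"FileDownloaded","Workload":"OneDrive",'
    '"ResultStatus":"Succeeded"}',
    '{"CreationTime":"2017-09-25T23:14:02","Operation":"FileCopied","Workload":"SharePoint"}',
    '{"CreationTime":"2017-09-25T23:30:00","Operation":"UserLoggedIn",'
    '"Workload":"AzureActiveDirectory","ResultStatus":"Failed"}',
    '{"CreationTime":"2017-09-25T22:50:00","Operation":"MailboxLogin","Workload":"Exchange",'
    '"ResultStatus":"PartiallySucceeded"}',
    "not json at all",  # noise line: must be skipped, not crash the run
]


def parse_records(lines):
    """Parse one JSON audit record per line, dropping lines that are not records."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "CreationTime" in rec:
            records.append(rec)
    return records


def timeslice(creation_time, hours=1):
    """Floor a CreationTime string to an N-hour bucket, like Sumo's `timeslice`.

    CreationTime carries no offset; the Management Activity API reports UTC,
    so the bucket is tagged +00:00 explicitly (assumption stated in the lead-in).
    """
    ts = datetime.strptime(creation_time, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    bucket_hour = ts.hour - (ts.hour % hours)
    return ts.replace(hour=bucket_hour, minute=0, second=0, microsecond=0).isoformat()


def sharepoint_operations(records):
    """Query 1: count of each Operation per 1h slice, SharePoint and OneDrive only."""
    table = defaultdict(Counter)
    for rec in records:
        if rec.get("Workload") in ("SharePoint", "OneDrive"):
            table[timeslice(rec["CreationTime"])][rec.get("Operation")] += 1
    return {slice_: dict(ops) for slice_, ops in sorted(table.items())}


def failed_activity_by_workload(records):
    """Query 2: per 1h slice, count records whose ResultStatus contains 'fail'.

    The Sumo query matches "*fail*" or "*Fail*"; a case-insensitive substring
    test is a superset of those two patterns. Records with no ResultStatus at
    all (the page's SharePoint sample, for instance) never match the query's
    keyword pre-filter, so they are skipped here too rather than being counted
    as failures or successes.
    """
    table = defaultdict(Counter)
    for rec in records:
        status = rec.get("ResultStatus")
        if status is None:
            continue
        if "fail" in status.lower():
            table[timeslice(rec["CreationTime"])][rec.get("Workload")] += 1
    return {slice_: dict(wl) for slice_, wl in sorted(table.items())}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for title, result in (("SharePoint Operations", sharepoint_operations(recs)),
                          ("Failed Activity by Workload", failed_activity_by_workload(recs))):
        print(title)
        for slice_, counts in result.items():
            print(f"  {slice_}  {counts}")
```

Running it shows the same shape the dashboards render: the SharePoint table has one FileCopied in the 22:00 slice and one FileCopied plus one FileDownloaded in the 23:00 slice, while the failure table contains only the Azure AD sign-in; "PartiallySucceeded" is not a failure under either the Sumo patterns or this check, which is worth remembering when tuning the `matches` clause.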