Microsoft Office 365

Microsoft Office 365 is a suite of cloud-based software-as-a-service products for business environments, including security, productivity, and collaboration tools.

Securonix integrates with the Microsoft Office 365 Management API to ingest Office 365 Advanced Threat Protection (ATP) threat alerts, as well as alerts from a wide range of Office 365 applications, in order to identify threats such as privilege escalation, data exfiltration, malicious file activity (malware), phishing, unusual account behavior, and insider threats.

| Source | Events Included | Endpoint/API | Notes | Minimum Subscription Required |
|---|---|---|---|---|
| Azure AD | Graph Directory Audit Logs (same as deprecated sign-in events) | Graph Directory Audit Logs | See | |
| Azure AD | Graph Sign-In Logs (same as deprecated audit events), Security Alerts on Suspicious Sign-Ins | Graph Sign-In Logs | See | |
| Azure AD Deprecated Endpoints | Sign-In Events (e.g. login success/failed) | Deprecated - Sign-In Event | See | AAD Premium P2 |
| Azure AD Deprecated Endpoints | General Audit Events such as Group/User Management | Deprecated - Audit Events | See | |
| Azure AD Identity Protection | Risk and Anomaly Detection in Azure AD | graph-identity-protection | For more information on the Azure AD Identity Protection API please refer to: | |
| SharePoint | SharePoint Administrative and File Management operations | management-activity-api | | |
| Exchange | Exchange Administrative Operation | management-activity-api | Events from the Exchange admin audit log. Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages. | |
| Exchange | Message Trace | activity-report-api | Email Send/Receive Trace | |
| DLP | Compliance DLP SharePoint, Compliance DLP Exchange | management-activity-api | Data loss protection (DLP) events in SharePoint and OneDrive for Business. Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported. | |
| Microsoft Cloud App Security (MCAS) | Cloud Services Anomalies, Suspicious Activities and Violations Detected by the Microsoft CASB Service | mcas-activities, mcas-alerts | | E5 or other enterprise edition |
| Advanced Threat Protection (ATP) | Spoof Mail, Spoof Mail Report | activity-report-api | View information about insider spoofing in your cloud-based organization. Insider spoofing is where the sender's email address in an inbound message appears to represent your organization, but the actual identity of the sender is different. | E3 |
| Advanced Threat Protection (ATP) | DLP Policy, Mail Detail DLP Policy | activity-report-api | Provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages. | E3 |
| Advanced Threat Protection (ATP) | Malware Report, Mail Detail Malware | activity-report-api | View the details of messages that contained malware. | E3 |
| Advanced Threat Protection (ATP) | Spam Report, Mail Detail Spam | activity-report-api | Provides details about the processing steps taken on email messages identified as containing spam while the message was being processed. | E3 |
| Audit Events | General Audit Events | audit-events | Office 365 Audit Events | |
| Yammer | Yammer Schema | microsoft-graph-api | Yammer Events | |
| Sway | Sway Schema | microsoft-graph-api | Sway Events | |
| Microsoft Teams | Microsoft Teams, Microsoft Teams Add Ons, Microsoft Teams Settings Operation | microsoft-graph-api | Events from Microsoft Teams. | |
| Office 365 Threat Detection | Risky Users, Risky Sign-Ins, Risk Detections | risk detection graph API | | Azure AD Premium P1 or P2 |