For query assistance, please see the following Best Practices guide
We have enabled the ability to add the Office 365 Audit log information into the Sophos XDR Data Lake.
This capability is available for ALL XDR customers at NO ADDITIONAL CHARGE. To access to the capability you should join the XDR Detections and Investigations EAP then configure the connector.
We will pull information from about 33 of the audit tables available in the Azure Audit logs. Check out the 10 min video on the capability that covers enrolling in the EAP, configuring the adaptor and getting started with queries. https://vimeo.com/manage/videos/652159242
The Features for this will turn on in MID December 2021 and be generally available in late January 2022. For those that want a head start you can load in the demonstration queries into central now and ensure auditing is enabled in 365 Azure.
| Category | Value | Member name | Description | Sophos Ingest |
| Active Directory | 8 | AzureActiveDirectory | Azure Active Directory events. | Yes |
| Active Directory | 9 | AzureActiveDirectoryAccountLogon | Azure Active Directory OrgId logon events (deprecated). | Yes |
| Active Directory | 15 | AzureActiveDirectoryStsLogon | Secure Token Service (STS) logon events in Azure Active Directory. | Yes |
| Exchange | 1 | ExchangeAdmin | Events from the Exchange admin audit log. | Yes |
| Exchange | 2 | ExchangeItem | Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. | Yes |
| Exchange | 3 | ExchangeItemGroup | Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages. | Yes |
| Exchange | 19 | ExchangeAggregatedOperation | Aggregated Exchange mailbox auditing events. | Yes |
| Exchange | 28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. | Yes |
| Exchange | 29 | MailSubmission | Submission events from Exchange Online Protection and Microsoft Defender for Office 365. | Yes |
| Exchange | 75 | MipAutoLabelExchangeItem | Auto-labeling events in Exchange. | Yes |
| Project | 35 | Project | Microsoft Project events. | Yes |
| SharePoint | 4 | SharePoint | SharePoint events. | Yes |
| SharePoint | 6 | SharePointFileOperation | SharePoint file operation events. | Yes |
| SharePoint | 14 | SharePointSharingOperation | SharePoint sharing events. | Yes |
| SharePoint | 36 | SharePointListOperation | SharePoint List events. | Yes |
| SharePoint | 37 | SharePointCommentOperation | SharePoint comment events. | Yes |
| SharePoint | 54 | SharePointListItemOperation | SharePoint list item events. | Yes |
| SharePoint | 55 | SharePointContentTypeOperation | SharePoint list content type events. | Yes |
| SharePoint | 56 | SharePointFieldOperation | SharePoint list field events. | Yes |
| SharePoint | 71 | MipAutoLabelSharePointItem | Desi | Yes |
| SharePoint | 72 | MipAutoLabelSharePointPolicyLocation | Auto-labeling policy events in SharePoint. | Yes |
| SharePoint | 102 | SharePointSearch | Events related to searching an organization's SharePoint home site. | Yes |
| SharePoint, Exchange | 77 | Search | Events related to performing search queries in SharePoint and Exchange. | Yes |
| SharePoint, Teams | 47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365. | Yes |
| Skype | 17 | SkypeForBusinessUsersBlocked | Blocked user events from Skype for Business. | Yes |
| Skype | 23 | SkypeForBusinessCmdlets | Skype for Business events. | Yes |
| Teams | 25 | MicrosoftTeams | Events from Microsoft Teams. | Yes |
| Teams | 57 | MicrosoftTeamsAdmin | Teams admin events. | Yes |
| Teams | 59 | MicrosoftTeamsDevice | Teams device events. | Yes |
| Teams | 60 | MicrosoftTeamsAnalytics | Teams analytics events. | Yes |
| Teams | 73 | MicrosoftTeamsShifts | Teams Shifts events. | Yes |
| PowerAPP | 45 | PowerAppsApp | Power Apps events. | Yes |
| PowerAPP | 46 | PowerAppsPlan | Subscription plan events for Power Apps. | Yes |
Full details on the MS Schema for audit logs are available from MS here: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Check out the demonstration queries available in the ZIP file below