We have enabled the ability to add the Office 365 Audit log information into the Sophos XDR Data Lake.

This capability is available for ALL XDR customers at NO ADDITIONAL CHARGE.  To access to the capability you should join the XDR Detections and Investigations EAP then configure the connector.

We will pull information from about 33 of the audit tables available in the Azure Audit logs.     Check out the 10 min video on the capability that covers enrolling in the EAP, configuring the adaptor and getting started with queries.  https://vimeo.com/manage/videos/652159242

The Features for this will turn on in MID December 2021 and be generally available in late January 2022.   For those that want a head start you can load in the demonstration queries into central now and ensure auditing is enabled in 365 Azure.

Category Value Member name Description Sophos Ingest
Active Directory 8 AzureActiveDirectory Azure Active Directory events. Yes
Active Directory 9 AzureActiveDirectoryAccountLogon Azure Active Directory OrgId logon events (deprecated). Yes
Active Directory 15 AzureActiveDirectoryStsLogon Secure Token Service (STS) logon events in Azure Active Directory. Yes
Exchange 1 ExchangeAdmin Events from the Exchange admin audit log. Yes
Exchange 2 ExchangeItem Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. Yes
Exchange 3 ExchangeItemGroup Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleted one or more email messages. Yes
Exchange 19 ExchangeAggregatedOperation Aggregated Exchange mailbox auditing events. Yes
Exchange 28 ThreatIntelligence Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365. Yes
Exchange 29 MailSubmission Submission events from Exchange Online Protection and Microsoft Defender for Office 365. Yes
Exchange 75 MipAutoLabelExchangeItem Auto-labeling events in Exchange. Yes
Project 35 Project Microsoft Project events. Yes
SharePoint 4 SharePoint SharePoint events. Yes
SharePoint 6 SharePointFileOperation SharePoint file operation events. Yes
SharePoint 14 SharePointSharingOperation SharePoint sharing events. Yes
SharePoint 36 SharePointListOperation SharePoint List events. Yes
SharePoint 37 SharePointCommentOperation SharePoint comment events. Yes
SharePoint 54 SharePointListItemOperation SharePoint list item events. Yes
SharePoint 55 SharePointContentTypeOperation SharePoint list content type events. Yes
SharePoint 56 SharePointFieldOperation SharePoint list field events. Yes
SharePoint 71 MipAutoLabelSharePointItem Desi Yes
SharePoint 72 MipAutoLabelSharePointPolicyLocation Auto-labeling policy events in SharePoint. Yes
SharePoint 102 SharePointSearch Events related to searching an organization's SharePoint home site. Yes
SharePoint, Exchange 77 Search Events related to performing search queries in SharePoint and Exchange. Yes
SharePoint, Teams 47 ThreatIntelligenceAtpContent Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365. Yes
Skype 17 SkypeForBusinessUsersBlocked Blocked user events from Skype for Business. Yes
Skype 23 SkypeForBusinessCmdlets Skype for Business events. Yes
Teams 25 MicrosoftTeams Events from Microsoft Teams. Yes
Teams 57 MicrosoftTeamsAdmin Teams admin events. Yes
Teams 59 MicrosoftTeamsDevice Teams device events. Yes
Teams 60 MicrosoftTeamsAnalytics Teams analytics events. Yes
Teams 73 MicrosoftTeamsShifts Teams Shifts events. Yes
PowerAPP 45 PowerAppsApp Power Apps events. Yes
PowerAPP 46 PowerAppsPlan Subscription plan events for Power Apps. Yes

Full details on the MS Schema for audit logs are available from MS here: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Check out the demonstration queries available in the ZIP file below

MS 365 query pack.zip