Source configuration for Microsoft 365
Integrating with Microsoft 365
Microsoft 365 is a product family of productivity software, collaboration tools, and cloud-based services owned by Microsoft. CloudWatch pipelines use the Office 365 Management Activity API to retrieve information about user, administrator, system, and policy actions and events from Office 365 and Microsoft Entra activity logs. The Office 365 Management Activity API (also called the Unified Audit API) is part of the Office 365 Security & Compliance offering. Customers and partners can use this information to create new, or enhance existing, operations, security, and compliance monitoring solutions for their enterprise.
Authenticating with the Office 365 Management Activity API
To retrieve Office 365 activity, the pipeline needs to authenticate using your account. Follow the instructions in the Office 365 Management APIs documentation:
Register an application in Azure, choosing "Accounts in this organizational directory only (single tenant)" as the supported account type. After registration, record the Application (client) ID and the Directory (tenant) ID.
Generate a new secret for the application. This secret, also called the client secret, is used in the flow that exchanges an authorization code for an access token.
Create a secret in Amazon Secrets Manager, storing the Application (client) ID in the client_id key and the client secret in the client_secret key.
Specify the permissions your application needs to access the Office 365 Management APIs. The required permissions are:
ActivityFeed.Read: required for all audit content types you list, including Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, and Audit.General.
ActivityFeed.ReadDlp: required for the DLP.All content type.
Unified audit logging must be enabled for your Office 365 organization before data can be accessed through the Office 365 Management Activity API. You do this by turning on the Office 365 audit log. For instructions, see "Turn Office 365 audit log search on or off".
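A pre-flight check for the steps above, as an added example that is not part of this page or the CloudWatch pipeline's own code: it validates that the Secrets Manager secret holds the client_id and client_secret keys, builds the client-credentials token request, and reports which of the audit content types listed above do not yet have an enabled subscription. The login.microsoftonline.com token endpoint, the https://manage.office.com/.default scope and the /activity/feed/subscriptions/list endpoint are assumed from the Office 365 Management APIs; the tenant ID and secret values are placeholders.

```python
import json
import urllib.parse
import urllib.request

# Content types the page lists under ActivityFeed.Read and ActivityFeed.ReadDlp.
REQUIRED_CONTENT_TYPES = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
}

def load_credentials(secret_string):
    """Parse the Secrets Manager SecretString (JSON key/value pairs); both keys must be present."""
    creds = json.loads(secret_string)
    missing = [k for k in ("client_id", "client_secret") if not creds.get(k)]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    return creds["client_id"], creds["client_secret"]

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (assumed Entra v2.0 endpoint and scope)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }).encode()
    return url, body

def missing_subscriptions(subscriptions):
    """From the JSON array of /activity/feed/subscriptions/list, return required types not yet enabled."""
    enabled = {s["contentType"] for s in subscriptions if s.get("status") == "enabled"}
    return sorted(REQUIRED_CONTENT_TYPES - enabled)

def run_check(tenant_id, secret_string):
    """Network part: obtain a token and list the tenant's current subscriptions."""
    client_id, client_secret = load_credentials(secret_string)
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/list",
        headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return missing_subscriptions(json.load(resp))

if __name__ == "__main__":
    # Constructed placeholders; use your Directory (tenant) ID and the secret's SecretString.
    print(run_check("<TENANT_ID>", '{"client_id": "<CLIENT_ID>", "client_secret": "<CLIENT_SECRET>"}'))
```

Any content type the check reports still needs a subscription started before the pipeline can pull its events.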
Configuring the CloudWatch pipeline
When configuring the pipeline to read activity from Office 365, choose Microsoft 365 as the data source. Fill in the required information, such as the tenant ID (use the Directory (tenant) ID) and the secret that stores client_id and client_secret. After the pipeline is created, the data is available in the selected CloudWatch Logs log group.
Supported Open Cybersecurity Schema Framework event classes
This integration supports OCSF schema version v1.5.0. Operations from the various workloads (such as Exchange, SharePoint, Teams, and Azure Active Directory) are mapped to Account Change (3001), Authentication (3002), User Access Management (3005), Group Management (3006), Email Activity (4009), Web Resources Activity (6001), File Hosting Activity (6006), Application Lifecycle (6002), Compliance Finding (2003), Detection Finding (2004), Incident Finding (2005), Vulnerability Finding (2002), and Unknown (0).
Compliance Finding
"Compliance Finding" includes the following operations:
ApplyRecordLabel
ComplianceSettingChanged
ExclusionConfigurationDeleted
NewComplianceTag
NewRetentionCompliancePolicy
NewRetentionComplianceRule
CreateRulePackage
CreateSuppressionRule
ApproveDisposal
RemoveComplianceTag
SetComplianceTag
SetRestrictiveRetentionUI
SupervisionPolicyCreated
SupervisionPolicyUpdated
SupervisionPolicyDeleted
HoldUpdated
HoldCreated
HoldRemoved
DlpInfo
Detection Finding
"Detection Finding" includes the following operations:
FileMalwareDetected
DocumentSensitivityMismatchDetected
TIMailData
DeviceOffBoarding
AddIndicator
ChangeCustomDetectionRuleStatus
CreateCustomDetection
DeleteIndicator
EditIndicator
MonitoringAlertUpdated
RunCustomDetection
Trigger CMD agent canary check.
DlpRuleMatch
AlertEntityGenerated
AlertTriggered
Incident Finding
"Incident Finding" includes the following operations:
AddCommentToIncident
AddTagsToIncident
AssignUserToIncident
CollectInvestigationPackage
EditIncidentClassification
RemediationActionAdded
RemediationActionUpdated
RemoveTagsFromIncident
UnAssignUserFromIncident
UpdateIncidentStatus
CaseUpdated
CaseAdded
CaseRemoved
Account Change
"Account Change" includes the following operations:
Add member to role
Add service principal
Add user
Role added
Change user license
Change user password
Delete user
Application permission deleted
Role deleted
Global role assignment edited
Role edited
NetworkUserSuspended
Remove member from role
Remove delegation entry
Reset user password
Set force change user password
AdministratorAddedToTermStore
AdministratorDeletedFromTermStore
AlertNotificationsRecipientDeleted
CaseAdminUpdated
CaseAdminAdded
CaseAdminRemoved
User added
Authentication
"Authentication" includes the following operations:
MailboxLogin
ClockedIn
ClockedOut
TeamsSessionStarted
Logon
SignInEvent
SSOUserCredentialsSet
User logged in
UserLoggedIn
UserLoggedOff
UserLoginFailed
User Access Management
"User Access Management" includes the following operations:
Add-MailboxPermission
ModifyFolderPermissions
Remove-MailboxPermission
ApplicableAdaptiveScopeChange
CaseMemberAdded
Group Management
"Group Management" includes the following operations:
RemovedFromSecureLink
BotAddedToTeam
BotRemovedFromTeam
MemberAdded
MemberRemoved
MemberRoleChanged
ScheduleGroupAdded
ScheduleGroupEdited
ScheduleGroupDeleted
TeamCreated
TeamDeleted
Add group
Add member to group
Group created
Delete group
Group deleted
Group membership edited
Group edited
GroupCreation
GroupDeletion
GroupRemoved
GroupAdded
GroupUpdated
RemovedFromGroup
AddedToGroup
Remove member from group
RemoveSpecificResponder
RosterMemberAdded
RosterMemberDeleted
CaseMemberUpdated
CaseMemberRemoved
Team added
Team deleted
UserAddedToGroup
UserRemovedFromGroup
Email Activity
"Email Activity" includes the following operations:
Send
SendAs
SendOnBehalf
MessageDeletedNotification
QuarantineDelete
QuarantineExport
QuarantinePreview
QuarantineRelease
QuarantineReleaseRequest
QuarantineReleaseRequestDeny
QuarantineViewHeader
SupervisionRuleMatch
SupervisoryReviewTag
SupervisoryReviewOLAudit
Web Resources Activity
"Web Resources Activity" includes the following operations:
UpdateCalendarDelegation
AddFolderPermissions
Copy
Create
New-InboxRule
SoftDelete
Move
MailItemsAccessed
MoveToDeletedItems
Set-InboxRule
HardDelete
UpdateInboxRules
Update
LockRecord
UnlockRecord
SearchQueryPerformed
PageViewed
PageViewedExtended
FolderCreated
ClientViewSignaled
PagePrefetched
FolderModified
ListColumnCreated
ListContentTypeCreated
ListItemCreated
Site ContentType created
List column deleted
ListCreated
List item deleted
SiteColumnDeleted
ListDeleted
ListContentTypeDeleted
ListRestored
SiteColumnCreated
ListItemRecycled
ListItemDeleted
ListItemRestored
ListContentTypeUpdated
ListUpdated
ListViewed
SiteContentTypeDeleted
ListItemUpdated
SiteColumnUpdated
AccessRequestAccepted
ListColumnUpdated
SiteContentTypeUpdated
AccessRequestCreated
PermissionLevelAdded
CompanyLinkCreated
AnonymousLinkCreated
SharingInvitationAccepted
SecureLinkCreated
SharingInvitationCreated
SecureLinkDeleted
CompanyLinkRemoved
AccessRequestDenied
AnonymousLinkRemoved
AccessRequestUpdated
SharingSet
AnonymousLinkUpdated
SharingInvitationBlocked
AnonymousLinkUsed
SecureLinkUsed
CompanyLinkUsed
SharingRevoked
AddedToSecureLink
SharingInvitationUpdated
SharingInvitationRevoked
ExemptUserAgentSet
AllowedDataLocationAdded
SiteGeoMoveCancelled
AllowGroupCreationSet
CustomizeExemptUsers
DeviceAccessPolicyChanged
NetworkAccessPolicyChanged
SiteCollectionCreated
SiteDeleted
SendToConnectionRemoved
SiteGeoMoveCompleted
SharingPolicyChanged
PreviewModeEnabledSet
HubSiteOrphanHubDeleted
SendToConnectionAdded
HubSiteJoined
SiteCollectionQuotaModified
LegacyWorkflowEnabledSet
OfficeOnDemandSet
NewsFeedEnabledSet
PeopleResultsScopeSet
AllowedDataLocationDeleted
SiteRenamed
HubSiteRegistered
HostSiteSet
GeoQuotaAllocated
HubSiteUnjoined
HubSiteUnregistered
SiteCollectionAdminAdded
PermissionLevelsInheritanceBroken
SharingInheritanceBroken
SiteGeoMoveScheduled
WebRequestAccessModified
WebMembersCanShareModified
PermissionLevelModified
PermissionLevelRemoved
SitePermissionsModified
SiteCollectionAdminRemoved
SiteAdminChangeRequest
SharingInheritanceReset
BreakEnded
ChannelAdded
BreakStarted
ChannelDeleted
ChannelOwnerResponded
ChatRetrieved
ChannelSettingChanged
ChatCreated
ChatUpdated
ConnectorAdded
ConnectorRemoved
ConnectorUpdated
CreateUpdateRequest
EditUpdateRequest
FailedValidation
InviteeResponded
InviteSent
MeetingDetail
MeetingParticipantDetail
MessageCreatedHasLink
MessageDeleted
MessageCreatedNotification
MessageEditedHasLink
MessageHostedContentRead
MessageRead
MessageReadReceiptReceived
MessageHostedContentsListed
MessageSent
MessagesExported
MessageUpdated
MessageUpdatedNotification
OffShiftDialogAccepted
MessagesListed
OpenShiftAdded
OpenShiftDeleted
OpenShiftEdited
PerformedCardAction
RequestAdded
RequestRespondedTo
RequestCancelled
ScheduleSettingChanged
ScheduleShared
SensitivityLabelApplied
ScheduleWithdrawn
SensitivityLabelChanged
SensitivityLabelRemoved
SharingRestored
ShiftAdded
ShiftDeleted
ShiftEdited
SubscribedToMessages
TabAdded
SubmitUpdate
TabRemoved
TabUpdated
TeamSettingChanged
TeamsTenantSettingChanged
TerminatedSharing
TimeClockEntryDeleted
TimeClockEntryAdded
TimeClockEntryEdited
TimeOffAdded
TimeOffEdited
ViewUpdate
TimeOffDeleted
TranscriptsExported
AccessedOdataLink
AcceptedSharingLinkOnFolder
Add delegation entry.
Add domain to company.
Add service principal credentials.
Add partner to company.
Update service principal.
AddedDataLossPreventionEvaluationResult
AddFormCoauthor
AddReviewer
AddSpecificResponder
Admin allowed third-party application
Admin modified application owner
Admin modified application permissions
Admin set application as featured
Admin set bypass consent status
Admin set conditional access
Admin set required logical name
Admin set isolation status
AlertExcelDownloaded
AlertNotificationsRecipientAdded
AllowAnonymousResponse
AllowShareFormForCopy
AppBypassInformationBarrier
CanceledQuery
Check PowerShell execution policy
ClassificationDefinitionDeleted
ClassificationAdded
ClassificationDefinitionUpdated
ClassificationDeleted
ClassificationDefinitionCreated
CollectionHardDeleted
CollectionCreated
CollectionRenamed
CollectionSoftDeleted
Commented on video
CommunityAccessFailure
CollectionUpdated
Consented to the application's API
ConnectToExcelWorkbook
Create LogCollection request
Create work item (scheduler)
ConsentModificationRequest
Create remote action operation…
CreateComment
CreateForm
CreateResponse
Dashboard created
Dashboard deleted
Dashboard updated
Data exported
DataAccessRequestOperation
DataExport
DataShareCreated
DeleteAllResponses
DeleteCustomDetection
Video deleted
DeletedResult
DeleteSummaryLink
DisableCollaboration
DisableSpecificResponse
DisallowShareFormForCopy
DisableSuppressionRule
DisallowAnonymousResponse
EditCustomDetection
Application edited
Application permissions edited
Global role assignment edited
Channel edited
Tenant settings edited
Group edited
User settings edited
Role edited
Video permissions edited
EditForm
Video edited
EditRulePackage
EnableSameOrgCollaboration
EditSuppressionRule
EnableSpecificCollaboaration
EnableSpecificResponse
EnableSuppressionRule
EnableWorkOrSchoolCollaboration
EntityCreated
EntityDeleted
EntityRemediatorConfigurationUpdated
EntityUpdated
ExclusionConfigurationAdded
ExclusionConfigurationUpdated
ExecutedQuery
ExportForm
ExtendRetention
FileUpdateDescription
FileUpdateName
FileVisited
FolderSharingLinkShared
SharingLinkUsed
SharingLinkCreated
GenerateCopyOfLakeData
Get text track
Get transcript
Get video
GetSummaryLink
GlossaryTermAssigned
GlossaryTermCreated
GlossaryTermDisassociated
GlossaryTermDeleted
GlossaryTermUpdated
Targeting policy updated
Group view
InformationBarriersInsightsReportOneDr...
InformationBarriersInsightsReportSched...
InformationBarriersInsightsReportShare...
InformationBarriersInsightsReportCompl...
Liked video
Linked to video
LinkedEntityCreated
LinkedEntityDeleted
LinkedEntityUpdated
ListForms
Marked application as featured
Marked application as highlighted
MarkedMessageChanged
ReactedToMessage
MeetingExclusionCreated
MessageCreated
MessageAccessFailure
MessageViewed
MonitoringAlertNotificationRecipientAd...
MonitoringAlertNotificationRecipientDe...
MovedFormIntoCollection
MovedFormOutofCollection
NetworkConfigurationUpdated
NetworkSecurityConfigurationUpdated
MoveForm
NewAdaptiveScope
NotificationConfigurationUpdated
OCE run command on virtual machine
OKR or project created
OKR or project deleted
OKR or project updated
Organization created
Organization integration updated
Organization settings updated
PlanCreated
PlanCopied
PlanDeleted
PlanRead
Post remote action operation
PlanListRead
PreviewForm
PlanModified
ProcessProfileFields
ProjectCreated
ProjectAccessed
ProInvitation
ProjectDeleted
ProjectForTheWebRoadmaptSettings
ProjectForTheWebProjectSettings
ProjectListAccessed
ProjectUpdated
RelabelItem
ReleaseFromIsolation
Remove domain from company.
Remove partner from company.
Remove service principal credentials.
RemoveAdaptiveScope
RemoveAppRestrictions
RemoveFormCoauthor
RemoveRetentionComplianceRule
RemoveRetentionCompliancePolicy
ReporterConfigurationUpdated
RestrictAppExecution
RoadmapAccessed
RoadmapCreated
RoadmapDeleted
RoadmapItemAccessed
RoadmapItemCreated
RoadmapItemDeleted
RoadmapItemUpdated
RoadmapUpdated
RosterCreated
RosterDeleted
RosterSensitivityLabelUpdated
Run hybrid AADJ extension
RunLiveResponseApi
SensorCreated
SensorConfigurationUpdated
SensorDeleted
SensorDeploymentAccessKeyUpdated
SensorDeploymentAccessKeyReceived
Set company contact information
Set channel thumbnail
Set delegation entry
Set company information
Set domain authentication
Set federation settings on domain
Set DirSyncEnabled flag
Set license properties
Set password policy
SetAdaptiveScope
SetAdvancedFeatures
SetRetentionCompliancePolicy
SiteIBModeChanged
Shared video
SiteIBModeSet
SetRetentionComplianceRule
SiteIBSegmentsChanged
SiteIBSegmentsRemoved
SiteIBSegmentsSet
SiteSensitivityLabelApplied
SensitivityLabelUpdated
SiteSensitivityLabelChanged
SiteSensitivityLabelRemoved
SoftDeleteSettingsUpdated
SPOIBIsDisabled
SPOIBIsEnabled
SubmitResponse
SubTaskCreated
SubTaskDeleted
SubTaskUpdated
SupervisorAdminToggled
SyslogServiceConfigurationUpdated
TaggingConfigurationUpdated
TaskAccessed
TaskAssigned
TaskCompleted
TaskDeleted
TaskCreated
TaskListCreated
TaskListRead
TaskListUpdated
TaskModified
TaskRead
TaskUpdated
Team updated
TenantSettingsUpdated
Trigger device remediation
Trigger generic action for SaaF
Trigger generic action
Trigger generic action with options
Unliked video
Trigger orchestrator
Update group
Update user
UpdatedDataAccessSetting
UpdatedOrganizationBriefingSettings
UpdatedOrganizationMyAnalyticsSettings
Update domain
UpdatedPrivacySetting
UpdatedUserBriefingSettings
UpdatedUserMyAnalyticsSettings
UpdateFormSetting
UpdatePhishingStatus
UpdateResponse
UpdateUsageReportsPrivacySetting
UpdateUserSetting
URbacAuthorizationStatusChanged
UserInvited
UserSuspension
Video viewed
Verify domain
Verify email verified domain
ViewedExplore
ViewForm
ViewResponses
ViewRuntimeForm
ViewResponse
VpnConfigurationUpdated
WorkspaceCreated
WorkspaceDeleted
WorkspaceAlertThresholdLevelUpdated
SearchUpdated
SearchPermissionUpdated
PreviewItemListed
SearchCreated
SearchPermissionCreated
SearchRemoved
SearchExportDownloaded
SearchPreviewed
SearchPermissionRemoved
SearchResultsPurged
RemovedSearchResultsSentToZoom
RemovedSearchPreviewed
RemovedSearchExported
RemovedSearchResultsPurged
SearchResultsSentToZoom
SearchReportRemoved
SearchStarted
SearchReport
ThreadViewed
CaseViewed
SearchViewed
ViewedSearchExported
SearchStopped
ViewedSearchPreviewed
AddWorkingSetQueryToWorkingSet
AddQueryToWorkingSet
AddNonOffice365DataToWorkingSet
AnnotateDocument
LoadComparisonJob
RunAlgo
CreateWorkingSet
CreateWorkingSetSearch
CreateTag
DeleteTag
UpdateTag
DeleteWorkingSetSearch
UpdateCaseSettings
UpdateWorkingSetSearch
PreviewWorkingSetSearch
TagJob
LabelContentExplorerAccessedItem
AccessInvitationAccepted
AccessInvitationCreated
AccessInvitationExpired
AccessInvitationRevoked
AccessInvitationUpdated
AccessRequestApproved
AccessRequestRejected
AppCatalogCreated
AuditPolicyUpdate
ActivationEnabled
AuditPolicyRemoved
AzureStreamingEnabledSet
CollaborationTypeModified
CreateSSOApplication
ConnectedSiteSettingModified
CustomFieldOrLookupTableCreated
CustomFieldOrLookupTableDeleted
CustomFieldOrLookupTableModified
DelegateModified
DelegateRemoved
DefaultLanguageChangedInTermStore*
eDiscoveryHoldApplied
eDiscoveryHoldRemoved
eDiscoverySearchPerformed
EngagementAccepted
EngagementModified
EnterpriseCalendarModified
EngagementRejected
EntityForceCheckedIn
LanguageAddedToTermStore
LookAndFeelModified
LanguageRemovedFromTermStore
MaxQuotaModified
MaxResourceUsageModified
MySitePublicEnabledSet
ODBNextUXSettings
PermissionSyncSettingModified
PermissionTemplateModified
PortfolioDataAccessed
PortfolioDataModified
ProjectCheckedOut
ProjectCheckedIn
ProjectModified
ProjectPublished
ProjectWorkflowRestarted
PWASettingsAccessed
ProjectForceCheckedIn
PWASettingsModified
QueueJobStateModified
QuotaWarningEnabledModified
RenderingEnabled
ReportingAccessed
ResourceCheckedIn
ResourceAccessed
ReportingSettingModified
ResourceCreated
ResourceCheckedOut
ResourceModified
ResourcePlanCheckedInOrOut
ResourceDeleted
ResourcePlanModified
ResourcePlanPublished
ResourceForceCheckedIn
ResourceWarningEnabledModified
ResourceRedacted
SSOGroupCredentialsSet
SearchCenterUrlSet
SecondaryMySiteOwnerSet
SecurityCategoryModified
SecurityGroupModified
SiteCollectionAdminAdded*
StatusReportModified
SyntexBillingSubscriptionSettingsChang...
TaskStatusAccessed
TaskStatusApproved
TaskStatusRejected
TaskStatusSubmitted
TaskStatusSaved
TimesheetRejected
TimesheetApproved
TimesheetSaved
TimesheetSubmitted
TimesheetAccessed
UpdateSSOApplication
WorkflowModified
DlpRuleUndo
AlertUpdated
SensitivityLabelPolicyMatched
CopilotInteraction
Channel view
Video comment deleted
Channel deleted
Channel created
Video created
User deactivated
User deleted
Application Lifecycle
"Application Lifecycle" includes the following operations:
AppDeletedFromCatalog
AppPublishedToCatalog
AppInstalled
AppUninstalled
AppUpdatedInCatalog
AppUpgraded
DeletedAllOrganizationApps
WorkforceIntegrationAdded
AddDevicesToBackfill Operation
AddDevicesToReinstall Operation
Admin deleted application
Admin restored deleted application
Create VmExtention request
Application created
Application deleted
Application version deleted
Execute AppHealthPlugin
Install RD agent
Update device
MigrationJobCompleted
Application patched
Application published
Remove service principal
Removed application as featured
Removed application as highlighted
TriggerClientAgentCheckBulkAction Opera...
Application started
LaunchPowerApp
DeleteSSOApplication
File Hosting Activity
"File Hosting Activity" includes the following operations:
UpdateFolderPermissions
FileCheckedIn
FileCheckedOut
FileCopied
FileAccessedExtended
FileDeletedSecondStageRecycleBin
FileDeleted
FileAccessed
FileDeletedFirstStageRecycleBin
RecordDelete
FileDownloaded
FileCheckOutDiscarded
FileModified
FileModifiedExtended
FilePreviewed
FileRecycled
FolderRecycled
FileVersionsAllMinorsRecycled
FileMoved
FileVersionRecycled
FileUploaded
FileRenamed
FileVersionsAllRecycled
FileRestored
FolderDeleted
FolderDeletedFirstStageRecycleBin
FolderMoved
FolderCopied
FolderDeletedSecondStageRecycleBin
FolderRenamed
FolderRestored
RecordingExported
ManagedSyncClientAllowed
FileSyncDownloadedFull
FileSyncDownloadedPartial
FileSyncUploadedFull
UnmanagedSyncClientBlocked
FileSyncUploadedPartial
AttachmentDeleted
AttachmentUpdated
AttachmentCreated
DataShareDeleted
Text track deleted
Thumbnail deleted
DomainControllerCoverageExcelDownloaded
DownloadCopyOfLakeData
Video downloaded
DownloadedReport
DownloadOffboardingPkg
DownloadFile
DownloadOnboardingPkg
FileAccessFailure
FileCreated
FileSensitivityLabelChanged
FileSensitivityLabelApplied
FileSensitivityLabelRemoved
FileShared
WACTokenShared
LiveResponseGetFile
LogsCollection
AddRemediatedData
BurnJob
DownloadDocument
ExportJob
ErrorRemediationJob
TagFiles
PreviewItemRendered
ViewDocument
FileFetched
FileViewed
SharedLinkCreated
SharedLinkDisabled
SharingInvitationAccepted*
SyncGetChanges
Application version restored
RunAntiVirusScan
StopAndQuarantineFile
Text track uploaded
Upload folder to blob
Thumbnail uploaded
Video uploaded
UploadedOrgData
ReportDownloaded
PreviewItemDownloaded
SearchExported
Published solution canvas app version