Office 365 and Azure (Audit Log)

Details
Content
Dependencies
Version History

Search the unified audit log to view user and administrator activity in your organization.

Need to find if a user viewed a specific document or purged an item from their mailbox? If so, use the Microsoft Policy And Compliance (Audit Log) integration to search the unified audit log to view user and administrator activity in your organization.

The unified audit log contains events from

Exchange Online
SharePoint Online
OneDrive for Business
Azure Active Directory
Microsoft Teams
Power BI
and other Microsoft 365 services

You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the action, the user who performed the action, or the target object.

What does this pack do?

You can search for the following types of user and admin activity in Microsoft 365:

User activity in SharePoint Online and OneDrive for Business
User activity in Exchange Online (Exchange mailbox audit logging)
Admin activity in SharePoint Online
Admin activity in Azure Active Directory (the directory service for Microsoft 365)
Admin activity in Exchange Online (Exchange admin audit logging)
eDiscovery activities in the security and compliance center
User and admin activity in Power BI
User and admin activity in Microsoft Teams
User and admin activity in Dynamics 365
User and admin activity in Yammer
User and admin activity in Microsoft Power Automate
User and admin activity in Microsoft Stream
Analyst and admin activity in Microsoft Workplace Analytics
User and admin activity in Microsoft Power Apps
User and admin activity in Microsoft Forms
User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams

This pack includes the Microsoft Policy And Compliance (Audit Log) integration.

The unified audit log contains events from

Exchange Online
SharePoint Online
OneDrive for Business
Azure Active Directory
Microsoft Teams
Power BI
and other Microsoft 365 services

You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the action, the user who performed the action, or the target object.

What does this pack do?

You can search for the following types of user and admin activity in Microsoft 365:

User activity in SharePoint Online and OneDrive for Business
User activity in Exchange Online (Exchange mailbox audit logging)
Admin activity in SharePoint Online
Admin activity in Azure Active Directory (the directory service for Microsoft 365)
Admin activity in Exchange Online (Exchange admin audit logging)
eDiscovery activities in the security and compliance center
User and admin activity in Power BI
User and admin activity in Microsoft Teams
User and admin activity in Dynamics 365
User and admin activity in Yammer
User and admin activity in Microsoft Power Automate
User and admin activity in Microsoft Stream
Analyst and admin activity in Microsoft Workplace Analytics
User and admin activity in Microsoft Power Apps
User and admin activity in Microsoft Forms
User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams

This pack includes the Microsoft Policy And Compliance (Audit Log) integration.

Integrations

Name	Description
Microsoft Policy And Compliance (Audit Log)	Use the integration to get logs from the O365 service.

Playbooks

Name	Description
Office 365 and Azure Hunting	This playbook enables you to collect and investigate suspicious security events from Azure AD environment.
Office 365 and Azure Configuration Analysis	This playbook helps you collect, review, and find misconfigurations with the Azure environment.

Integrations

Name	Description
Microsoft Policy And Compliance (Audit Log)	Use the integration to get logs from the O365 service.

Playbooks

Name	Description
Office 365 and Azure Hunting	This playbook enables you to collect and investigate suspicious security events from Azure AD environment.
Office 365 and Azure Configuration Analysis	This playbook helps you collect, review, and find misconfigurations with the Azure environment.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Microsoft Graph Applications	By: Cortex XSOAR
Microsoft Graph Identity and Access	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Microsoft Exchange Online	By: Cortex XSOAR

All level dependencies (5)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Microsoft Graph Applications	By: Cortex XSOAR
Base	By: Cortex XSOAR
Microsoft Graph Identity and Access	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	February 11, 2021
Last Release	February 20, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

Microsoft Policy And Compliance (Audit Log)

EWS Extension Online Powershell v2 (Deprecated)

O365 - Security And Compliance - Content Search (Deprecated)

O365 - Security And Compliance - Content Search v2

Azure Active Directory Identity And Access

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Office 365 and Azure (Audit Log)

What does this pack do?

What does this pack do?

Integrations

Microsoft Policy And Compliance (Audit Log)

Integrations

Microsoft Policy And Compliance (Audit Log)

Integrations

Microsoft Policy And Compliance (Audit Log)

Integrations

Microsoft Policy And Compliance (Audit Log)

Playbooks

New: Office 365 and Azure Hunting

New: Office 365 and Azure Configuration Analysis

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER