Events

Events can be expected and authorized, or they might indicate unexpected activity.

SaaSDR currently monitors your Office 365 logs for the following events (as recommended by CISA):

- Set domain authentication - Searches for any modifications to the domain on a tenant’s domain.

- Set federation settings on domain - Searches for any modifications to the federation settings on a tenant’s domain.

- Update application - Searches for any modifications to an application.

- Update application - Certificates and secrets management - Searches for any credential modifications to an application.

- Update service principal - Searches for any modifications to a service principal.

- Add service principal credentials - Searches for any credential modifications to a service principal.

- Add app role assignment grant to user - Searches for any app role assignments to users.

- Add app role assignment to service - Searches for any app role assignments to service principals.

- Consent to application - Searches for any OAuth or application consents.

- UserLoggedIn/UserLoginFailed - Searches for SAML token usage anomaly (User Authentication Value of 16457) in the Unified Audit Logs.

- MailboxLogin - Searches for PowerShell logins into mailboxes.

- UserLoggedIn - Searches for the well-known AppID for Exchange Online PowerShell.

- UserLoggedIn/UserLoginFailed - Searches for the well-known AppID for PowerShell.

- UserLoggedIn/UserLoginFailed - Searches for the WinRM user-agent string in the UserLoggedIn/UserLoginFailed operations.

- MailItemAccessed - Searches for non-Microsoft AppIDs to see if they accessed mail items, based on the related events in the Unified Audit Logs.

- FileAccessed - Searches for the AppID to see if it accessed SharePoint or OneDrive items.

- FileAccessedExtended - Searches for the AppID to see if it accessed SharePoint or OneDrive items.
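
To show how checks like the ones listed above can be applied to exported Unified Audit Log records, here is an added example (not SaaSDR's own code). It assumes each record is a JSON object with an `Operation` field and an `ExtendedProperties` list of `Name`/`Value` pairs carrying `UserAuthenticationMethod` and `UserAgent`; the rule labels and the sample records are constructed for illustration.

```python
import json

# Operation names as listed on this page; matched case-insensitively and
# ignoring a trailing period or extra whitespace.
CONFIG_OPERATIONS = {
    "set domain authentication",
    "set federation settings on domain",
    "update application",
    "update application - certificates and secrets management",
    "update service principal",
    "add service principal credentials",
    "add app role assignment grant to user",
    "add app role assignment to service",
    "consent to application",
}
LOGIN_OPERATIONS = {"userloggedin", "userloginfailed"}

def _norm(op):
    return " ".join(op.replace("\u2013", "-").split()).rstrip(". ").casefold()

def _ext(record):
    # Assumed layout: ExtendedProperties is a list of {"Name": ..., "Value": ...}.
    return {p.get("Name"): str(p.get("Value", ""))
            for p in record.get("ExtendedProperties") or []}

def classify(record):
    """Return the (hypothetical) labels of every rule the audit record matches."""
    op, ext, hits = _norm(record.get("Operation", "")), _ext(record), []
    if op in CONFIG_OPERATIONS:
        hits.append("config-change")
    if op in LOGIN_OPERATIONS:
        if ext.get("UserAuthenticationMethod") == "16457":
            hits.append("saml-token-anomaly")
        if "winrm" in ext.get("UserAgent", "").casefold():
            hits.append("winrm-user-agent")
    return hits

# Constructed sample records (not real tenant data).
SAMPLE = [json.loads(line) for line in """
{"Operation": "Set federation settings on domain.", "UserId": "admin@example.test"}
{"Operation": "UserLoggedIn", "UserId": "a@example.test", "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "16457"}]}
{"Operation": "UserLoginFailed", "UserId": "b@example.test", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Microsoft WinRM Client"}]}
{"Operation": "UserLoggedIn", "UserId": "c@example.test", "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "1"}]}
""".strip().splitlines()]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["UserId"], rec["Operation"], classify(rec))
```

A match only marks the record for review; as noted at the top of this page, the same event can be expected and authorized.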

What’s in it for the users?

To view any user activity, go to Monitor > Events.


You can filter the activities by clicking any Type or Category tab in the left navigation pane. The available filters are based on the variations of the events appearing in the list.
