Events related to Microsoft 365 can be viewed and filtered by service type. Events of varying criticality related to users, applications and files are listed here. This view helps IT admins and Security Operations teams spot unusual activity.
To view any user activity, go to Monitor > Events.
You can filter the activities by clicking any Type or Category tab in the left navigation pane. The available filters are derived from the event types appearing in the list.
To view the details of a user activity event, click the event; the details open in a pop-up in JSON view.
SaaSDR currently monitors your Office 365 Unified Audit Logs for the events below (the checks recommended by CISA, as implemented in its Sparrow tool):
- Set domain authentication - Searches for any modifications to the authentication settings on a tenant’s domain.
- Set federation settings on domain - Searches for any modifications to the federation settings on a tenant’s domain
- Update application - Searches for any modifications to an application.
- Update application - Certificates and secrets management - Searches for any credential modifications to an application.
- Update service principal - Searches for any modifications to a service principal.
- Add service principal credentials - Searches for any credential modifications to a service principal.
- Add app role assignment grant to user - Searches for any app role assignments to users.
- Add app role assignment to service principal - Searches for any app role assignments to service principals.
- Consent to application - Searches for any OAuth or application consents.
- UserLoggedIn/UserLoginFailed - Searches for SAML token usage anomalies (UserAuthenticationMethod value of 16457) in the Unified Audit Logs.
- MailboxLogin - Searches for PowerShell logins into mailboxes.
- UserLoggedIn - Searches for the well-known AppID for Exchange Online PowerShell.
- UserLoggedIn/UserLoginFailed - Searches for the well-known AppID for PowerShell.
- UserLoggedIn/UserLoginFailed - Searches for the WinRM user-agent string in UserLoggedIn/UserLoginFailed operations.
- MailItemAccessed - Searches MailItemAccessed events in the Unified Audit Logs for non-Microsoft AppIDs, to see whether a third-party application accessed mail items.
- FileAccessed - Searches for the AppID of interest to see if it accessed SharePoint or OneDrive items.
- FileAccessedExtended - Searches for the AppID of interest to see if it accessed SharePoint or OneDrive items.
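The checks above, as an added Python example that is not SaaSDR's or CISA's code, run offline over constructed Unified Audit Log records of the kind exported by Search-UnifiedAuditLog or the Office 365 Management Activity API. The field names (Operation, ExtendedProperties, ApplicationId, ClientAppId, ClientInfoString) are the ones the UAL uses; the PowerShell app IDs, the allowlist of Microsoft mail clients and the "suspect AppID" set are assumptions you should verify against your own tenant, and every sample record is constructed.

```python
import json

# Azure AD audit operations from the list above. Names are normalized (lower-case,
# trailing period removed) because the UAL writes e.g. "Set federation settings on domain."
AAD_OPERATIONS = {
    "set domain authentication": "domain authentication settings modified",
    "set federation settings on domain": "federation settings modified",
    "update application": "application modified",
    "update application - certificates and secrets management": "application credentials modified",
    "update service principal": "service principal modified",
    "add service principal credentials": "service principal credentials added",
    "add app role assignment grant to user": "app role assigned to user",
    "add app role assignment to service principal": "app role assigned to service principal",
    "consent to application": "OAuth/application consent granted",
}
# ASSUMPTION: well-known first-party client IDs; confirm against Microsoft's published list.
POWERSHELL_APP_IDS = {
    "1b730954-1685-4b74-9bfd-dac224a7b894": "Azure AD PowerShell",
    "fb78d390-0c51-40cd-8e17-fdbfab77341b": "Exchange Online PowerShell",
}
# ASSUMPTION: allowlist of Microsoft-owned mail clients for the MailItemAccessed check.
MICROSOFT_MAIL_APP_IDS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",  # Microsoft Office
    "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
}
SAML_ANOMALY_AUTH_METHOD = "16457"


def normalize_operation(op):
    return op.strip().rstrip(".").replace("\u2013", "-").lower()


def extended_properties(record):
    """Flatten the UAL ExtendedProperties list of {Name, Value} pairs into a dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("ExtendedProperties", [])}


def analyze_record(record, suspect_app_ids=frozenset()):
    """Return the findings (strings) that the CISA checks raise for one AuditData record."""
    findings = []
    op = normalize_operation(record.get("Operation", ""))
    if op in AAD_OPERATIONS:
        findings.append(AAD_OPERATIONS[op])
    if op in ("userloggedin", "userloginfailed"):
        props = extended_properties(record)
        if props.get("UserAuthenticationMethod") == SAML_ANOMALY_AUTH_METHOD:
            findings.append("SAML token usage anomaly (UserAuthenticationMethod 16457)")
        app_id = record.get("ApplicationId", "").lower()
        if app_id in POWERSHELL_APP_IDS:
            findings.append(f"login via {POWERSHELL_APP_IDS[app_id]} app ID")
        if "winrm" in props.get("UserAgent", "").lower():
            findings.append("WinRM user agent on login")
    # ASSUMPTION: PowerShell mailbox logins are recognised by their ClientInfoString.
    if op == "mailboxlogin" and "powershell" in record.get("ClientInfoString", "").lower():
        findings.append("PowerShell mailbox login")
    if op == "mailitemaccessed":
        app_id = record.get("ClientAppId", "").lower()
        if app_id and app_id not in MICROSOFT_MAIL_APP_IDS:
            findings.append(f"mail items accessed by non-Microsoft app {app_id}")
    if op in ("fileaccessed", "fileaccessedextended"):
        if record.get("ApplicationId", "").lower() in suspect_app_ids:
            findings.append("SharePoint/OneDrive items accessed by suspect app ID")
    return findings


def scan(audit_lines, suspect_app_ids=frozenset()):
    """Run analyze_record over JSON lines; return (Operation, UserId, findings) per hit."""
    hits = []
    for line in audit_lines:
        record = json.loads(line)
        findings = analyze_record(record, suspect_app_ids)
        if findings:
            hits.append((record.get("Operation"), record.get("UserId", "?"), findings))
    return hits


# Constructed sample records (not real tenant data).
SUSPECT_APP_IDS = frozenset({"c0ffee00-0000-4000-8000-000000000001"})
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "Set federation settings on domain.", "UserId": "admin@contoso.example"}),
    json.dumps({"Operation": "Add service principal credentials.", "UserId": "admin@contoso.example"}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "svc-backup@contoso.example",
                "ApplicationId": "1B730954-1685-4B74-9BFD-DAC224A7B894",
                "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "16457"},
                                       {"Name": "UserAgent", "Value": "Microsoft WinRM Client"}]}),
    json.dumps({"Operation": "UserLoggedIn", "UserId": "alice@contoso.example",
                "ApplicationId": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
                "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "1"},
                                       {"Name": "UserAgent", "Value": "Mozilla/5.0"}]}),
    json.dumps({"Operation": "MailItemAccessed", "UserId": "alice@contoso.example",
                "ClientAppId": "c0ffee00-0000-4000-8000-000000000001"}),
    json.dumps({"Operation": "FileAccessed", "UserId": "alice@contoso.example",
                "ApplicationId": "c0ffee00-0000-4000-8000-000000000001"}),
]


def demo():
    return scan(SAMPLE_AUDIT_LINES, SUSPECT_APP_IDS)


if __name__ == "__main__":
    for operation, user, findings in demo():
        print(f"{operation:<40} {user:<28} {'; '.join(findings)}")
```

The interactive login by alice produces no finding, while the service-account login trips three checks at once (SAML anomaly, PowerShell app ID, WinRM user agent); in a real investigation that combination on one record is far more interesting than any single check, so keep the per-record findings together rather than emitting one alert per rule.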