Microsoft Office 365 sample event messages
Use these sample event messages to verify a successful integration with IBM® QRadar®.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Microsoft Office 365 sample messages when you use the Office 365 REST API protocol
Sample 1: The following sample event message shows that a member is successfully added to a group.
{"CreationTime":"2020-01-10T15:07:31","Id":"aaaaaaaa4-bbbb-cccc-c664-qwerasdfzxcv","Operation":"Set-Mailbox","OrganizationId":"aaaaaaaaa-f5b4-5d43-8070-xxxxxxxxxxxx","RecordType":1,"ResultStatus":"True","UserKey":"\"host.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/iteamtesting.onmicrosoft.com/admin.user\" on behalf of \"host.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/iteamtesting.onmicrosoft.com/user1\"","UserType":2,"Version":1,"Workload":"Exchange","ClientIP":"10.10.1.21:7414","ObjectId":"user1","UserId":"\"host.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/iteamtesting.onmicrosoft.com/admin.user\" on behalf of \"host.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/iteamtesting.onmicrosoft.com/user1\"","AppId":"","ClientAppId":"","ExternalAccess":false,"OrganizationName":"iteamtesting.onmicrosoft.com","OriginatingServer":"SERVER1234 (10.20.30.40)","Parameters":[{"Name":"Identity","Value":"host.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/iteamtesting.onmicrosoft.com/user1"},{"Name":"ForwardingSmtpAddress","Value":""},{"Name":"DeliverToMailboxAndForward","Value":"True"}],"SessionId":"aaaaaa-bbbb-cccc-dddd-bgh627392m"}| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | Operation |
| Event Category | Workload |
| Log Source Time | CreationTime |
| Username | UserKey
Only the iteamtesting.onmicrosoft.com/admin.user portion of the UserKey is used for the Username. |
| Source IP | ClientIP |
Sample 2: The following sample event message shows a Session Started audit event for Microsoft Teams.
{\"CreationTime\":\"2020-06-23T13:16:59\",\"Id\":\"22222222-4444-4444-4444-aaaaaaaaaaaa\",\"Operation\":\"TeamsSessionStarted\",\"OrganizationId\":\"aaaaaaaa-bbbb-cccc-dddd-aaaaaaaaaaaa\",\"RecordType\":25,\"UserKey\":\"aaaaaaaaa-aaaa-bbbb-cccc-aaaaaaaaaaaa\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\",\"ClientIP\":\"10.118.199.208\",\"ObjectId\":\"Unknown (Unknown)\",\"UserId\":\"firstname.lastname@example.com\"}| QRadar field name | Highlighted payload field name |
|---|---|
| Event ID | Operation |
| Event Category | Workload |
| Log Source Time | CreationTime |
| Username | UserId |
| Source IP | ClientIP |