Data Source: O365 Set Company Information.

Date: 2025-01-23

ID: 06c6d576-f032-41e3-b15d-80a434ce13d8

Author: Patrick Bareiss, Splunk

Description

Logs updates to organizational settings and company information in Microsoft 365, including changes to contact details, branding, and configuration policies.

Details

Property	Value
Source	`o365`
Sourcetype	`o365:management:activity`
Separator	Operation

Supported Apps

Splunk Add-on for Microsoft Office 365 (version 4.8.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActorContextId</span>
  
  <span class="pill kill-chain">ActorIpAddress</span>
  
  <span class="pill kill-chain">Actor{}.ID</span>
  
  <span class="pill kill-chain">Actor{}.Type</span>
  
  <span class="pill kill-chain">AzureActiveDirectoryEventType</span>
  
  <span class="pill kill-chain">ClientIP</span>
  
  <span class="pill kill-chain">CreationTime</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Name</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Value</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">InterSystemsId</span>
  
  <span class="pill kill-chain">IntraSystemId</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.Name</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.NewValue</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.OldValue</span>
  
  <span class="pill kill-chain">ObjectId</span>
  
  <span class="pill kill-chain">Operation</span>
  
  <span class="pill kill-chain">OrganizationId</span>
  
  <span class="pill kill-chain">RecordType</span>
  
  <span class="pill kill-chain">ResultStatus</span>
  
  <span class="pill kill-chain">SupportTicketId</span>
  
  <span class="pill kill-chain">TargetContextId</span>
  
  <span class="pill kill-chain">Target{}.ID</span>
  
  <span class="pill kill-chain">Target{}.Type</span>
  
  <span class="pill kill-chain">UserId</span>
  
  <span class="pill kill-chain">UserKey</span>
  
  <span class="pill kill-chain">UserType</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workload</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">additionalDetails</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_service</span>
  
  <span class="pill kill-chain">change_type</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">dataset_name</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_name</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">event_type</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">extendedAuditEventCategory</span>
  
  <span class="pill kill-chain">extended_properties</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object</span>
  
  <span class="pill kill-chain">object_attrs</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">record_type</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2021-01-13T22:57:21", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Company"}], "Id": "50a62783-f9d7-472c-9e44-f4f3d346e53c", "InterSystemsId": "6f435e84-e95b-44da-820f-2d2c9c237293", "IntraSystemId": "1163f0db-2241-4689-8486-b15c7812bbe0", "ModifiedProperties": [{"Name": "StrongAuthenticationPolicy", "NewValue": "[\r\n  {\r\n    \"RelyingPartyStrongAuthenticationPolicies\": [\r\n      {\r\n        \"RelyingParties\": [\r\n          \"*\"\r\n        ],\r\n        \"Rules\": [\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 1,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"73.15.72.101/32\",\r\n                  \"66.176.252.11/32\"\r\n                ]\r\n              }\r\n            ]\r\n          }\r\n        ],\r\n        \"Enabled\": true\r\n      }\r\n    ]\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"RelyingPartyStrongAuthenticationPolicies\": [\r\n      {\r\n        \"RelyingParties\": [\r\n          \"*\"\r\n        ],\r\n        \"Rules\": [\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 1,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"73.15.72.101/32\",\r\n                  \"66.176.252.11/32\"\r\n                ]\r\n              }\r\n            ]\r\n          },\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 2,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"insidecorporatenetwork--true\"\r\n                ]\r\n              }\r\n            ]\r\n          }\r\n        ],\r\n        \"Enabled\": true\r\n      }\r\n    ]\r\n  }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPolicy", "OldValue": ""}], "ObjectId": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Operation": "Set Company Information.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "Directory", "Type": 2}, {"ID": "Emergency Information Technology Services LLC", "Type": 1}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "bpatel@rodsoto.onmicrosoft.com", "UserKey": "100320010208B5DC@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}

Source: GitHub | Version: 2