Data Source: O365 Set Company Information.

Description

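Logs updates to organizational settings and company information in Microsoft 365, including changes to contact details, branding, and configuration policies. In the example log below, the changed setting is listed under `ModifiedProperties` as `StrongAuthenticationPolicy`, with the previous and new policy in `OldValue` and `NewValue`; comparing the two shows that a rule present in `OldValue` (the one with the value `insidecorporatenetwork--true`) is absent from `NewValue`.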

Details

| Property | Value |
|---|---|
| Source | o365 |
| Sourcetype | o365:management:activity |
| Separator | Operation |

Supported Apps

Event Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActorContextId</span>
  
  <span class="pill kill-chain">ActorIpAddress</span>
  
  <span class="pill kill-chain">Actor{}.ID</span>
  
  <span class="pill kill-chain">Actor{}.Type</span>
  
  <span class="pill kill-chain">AzureActiveDirectoryEventType</span>
  
  <span class="pill kill-chain">ClientIP</span>
  
  <span class="pill kill-chain">CreationTime</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Name</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Value</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">InterSystemsId</span>
  
  <span class="pill kill-chain">IntraSystemId</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.Name</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.NewValue</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.OldValue</span>
  
  <span class="pill kill-chain">ObjectId</span>
  
  <span class="pill kill-chain">Operation</span>
  
  <span class="pill kill-chain">OrganizationId</span>
  
  <span class="pill kill-chain">RecordType</span>
  
  <span class="pill kill-chain">ResultStatus</span>
  
  <span class="pill kill-chain">SupportTicketId</span>
  
  <span class="pill kill-chain">TargetContextId</span>
  
  <span class="pill kill-chain">Target{}.ID</span>
  
  <span class="pill kill-chain">Target{}.Type</span>
  
  <span class="pill kill-chain">UserId</span>
  
  <span class="pill kill-chain">UserKey</span>
  
  <span class="pill kill-chain">UserType</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workload</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">additionalDetails</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_service</span>
  
  <span class="pill kill-chain">change_type</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">dataset_name</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_name</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">event_type</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">extendedAuditEventCategory</span>
  
  <span class="pill kill-chain">extended_properties</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object</span>
  
  <span class="pill kill-chain">object_attrs</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">record_type</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  

Example Log

{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2021-01-13T22:57:21", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Company"}], "Id": "50a62783-f9d7-472c-9e44-f4f3d346e53c", "InterSystemsId": "6f435e84-e95b-44da-820f-2d2c9c237293", "IntraSystemId": "1163f0db-2241-4689-8486-b15c7812bbe0", "ModifiedProperties": [{"Name": "StrongAuthenticationPolicy", "NewValue": "[\r\n  {\r\n    \"RelyingPartyStrongAuthenticationPolicies\": [\r\n      {\r\n        \"RelyingParties\": [\r\n          \"*\"\r\n        ],\r\n        \"Rules\": [\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 1,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"73.15.72.101/32\",\r\n                  \"66.176.252.11/32\"\r\n                ]\r\n              }\r\n            ]\r\n          }\r\n        ],\r\n        \"Enabled\": true\r\n      }\r\n    ]\r\n  }\r\n]", "OldValue": "[\r\n  {\r\n    \"RelyingPartyStrongAuthenticationPolicies\": [\r\n      {\r\n        \"RelyingParties\": [\r\n          \"*\"\r\n        ],\r\n        \"Rules\": [\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 1,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"73.15.72.101/32\",\r\n                  \"66.176.252.11/32\"\r\n                ]\r\n              }\r\n            ]\r\n          },\r\n          {\r\n            \"SelectionConditions\": [\r\n              {\r\n                \"Claim\": 2,\r\n                \"Operator\": 0,\r\n                \"Values\": [\r\n                  \"insidecorporatenetwork--true\"\r\n                ]\r\n              }\r\n            ]\r\n          }\r\n        ],\r\n        \"Enabled\": true\r\n      }\r\n    ]\r\n  }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPolicy", "OldValue": ""}], "ObjectId": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Operation": "Set Company Information.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "Directory", "Type": 2}, {"ID": "Emergency Information Technology Services LLC", "Type": 1}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "bpatel@rodsoto.onmicrosoft.com", "UserKey": "100320010208B5DC@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}

Source: GitHub | Version: 2