Source configuration for Microsoft 365
Integrating with Microsoft 365
Microsoft 365 is a family of productivity software, collaboration and cloud services owned by Microsoft. CloudWatch Pipeline uses the Office 365 Management Activity API to retrieve information about user, admin, system and policy actions and events from Office 365 and Microsoft Entra activity logs. The Office 365 Management Activity API (also known as the Unified Audit API) is part of the Office 365 security and compliance offering. Customers and partners can use this information to build new, or enhance existing, operations, security and compliance monitoring solutions for their enterprise.
Authenticating with the Office 365 Management Activity API
To retrieve Office 365 activity, the pipeline needs to authenticate to your account. Follow the instructions in Office 365 Management APIs:
1. Register an application in Azure with the supported account type "Accounts in this organizational directory only (single tenant)". After registration, note the application (client) ID and the directory (tenant) ID.
2. Generate a new key for your application. The key, also called the client secret, is used to exchange an authorization code for an access token.
3. In AWS Secrets Manager, create a secret that stores the application (client) ID under the key client_id and the client secret under the key client_secret.
4. Specify the permissions your application needs to access the Office 365 Management APIs. The permissions you need are:
ActivityFeed.Read: required for all audit content types you list, including Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint and Audit.General.
ActivityFeed.ReadDlp: required specifically for the DLP.All content type.
You must enable unified audit logging for your Office 365 organization before data can be accessed through the Office 365 Management Activity API. You do this by turning on the Office 365 audit log. For instructions, see Turn the Office 365 audit log search on or off.
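The following pre-flight check is an added example, not code from the AWS documentation or from CloudWatch Pipeline itself. It reads the secret in the shape step 3 requires (a JSON object with the keys client_id and client_secret), confirms that the content types you plan to collect are covered by the permissions step 4 lists, and builds the token request the pipeline will have to make on your behalf. The token endpoint, the client-credentials grant and the scope https://manage.office.com/.default are assumptions taken from the Microsoft identity platform, not from this page; the boto3 call in the __main__ block is the standard Secrets Manager read and is only needed for a live run. The sample secret string is constructed.

```python
"""Pre-flight check for Office 365 Management Activity API credentials.

Added example (not part of the AWS page). Assumptions not stated on the page:
  - the Secrets Manager SecretString is a JSON object with the keys
    "client_id" and "client_secret" (the key names the page requires);
  - tokens are obtained from the Microsoft identity platform v2.0 endpoint
    with the client_credentials grant and scope https://manage.office.com/.default.
"""
import json
import urllib.parse
import urllib.request

REQUIRED_KEYS = ("client_id", "client_secret")

# Content types named on the page and the permission each one needs.
PERMISSION_FOR_CONTENT_TYPE = {
    "Audit.AzureActiveDirectory": "ActivityFeed.Read",
    "Audit.Exchange": "ActivityFeed.Read",
    "Audit.SharePoint": "ActivityFeed.Read",
    "Audit.General": "ActivityFeed.Read",
    "DLP.All": "ActivityFeed.ReadDlp",
}

# Constructed sample of what the SecretString should look like (not real credentials).
SAMPLE_SECRET_STRING = json.dumps(
    {"client_id": "11111111-2222-3333-4444-555555555555", "client_secret": "example-secret"}
)


def validate_secret(secret_string: str) -> dict:
    """Parse the SecretString and require both keys to be present and non-empty."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not valid JSON") from exc
    if not isinstance(secret, dict):
        raise ValueError("secret must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if not secret.get(k)]
    if missing:
        raise ValueError("secret is missing keys: " + ", ".join(missing))
    return {k: secret[k] for k in REQUIRED_KEYS}


def required_permissions(content_types) -> set:
    """Return the set of application permissions the requested content types need."""
    unknown = [c for c in content_types if c not in PERMISSION_FOR_CONTENT_TYPE]
    if unknown:
        raise ValueError(f"unsupported content types: {unknown}")
    return {PERMISSION_FOR_CONTENT_TYPE[c] for c in content_types}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Build the client-credentials token request (assumed v2.0 endpoint and scope)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }
    return url, form


def _http_post_form(url: str, form: dict) -> dict:
    """Default transport: POST an urlencoded form and decode the JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_token(tenant_id: str, secret_string: str, http_post=_http_post_form) -> str:
    """Validate the secret, request a token and return the access token or fail loudly."""
    creds = validate_secret(secret_string)
    url, form = build_token_request(tenant_id, creds["client_id"], creds["client_secret"])
    body = http_post(url, form)
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body.get('error_description', body)}")
    return body["access_token"]


if __name__ == "__main__":
    import boto3  # live run only; reads the secret created in step 3

    secret_name = "REPLACE-WITH-YOUR-SECRET-NAME"   # placeholder
    tenant_id = "REPLACE-WITH-YOUR-TENANT-ID"       # placeholder
    secret_string = boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)["SecretString"]
    print("permissions needed:", required_permissions(["Audit.Exchange", "DLP.All"]))
    print("token obtained, length", len(fetch_token(tenant_id, secret_string)))
```

A failed run points at the usual causes before the pipeline is created: a secret missing one of the two keys, a content type that needs ActivityFeed.ReadDlp when only ActivityFeed.Read was granted, or a token error such as invalid_client when the client secret has expired.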
Configuring the CloudWatch pipeline
When configuring a pipeline to read activity from Office 365, choose Microsoft 365 as the data source. Fill in the required information, such as the tenant ID, using the directory (tenant) ID and the secret in which client_id and client_secret are stored. Once the pipeline is created, the data is available in the selected CloudWatch Logs log group.
Supported Open Cybersecurity Schema Framework event classes
This integration supports OCSF schema version v1.5.0. Actions from workloads such as Exchange, SharePoint, Teams and Azure Active Directory are mapped to Account Change (3001), Authentication (3002), User Access Management (3005), Group Management (3006), Email Activity (4009), Web Resource Activity (6001), File Hosting Activity (6006), Application Lifecycle (6002), Compliance Finding (2003), Detection Finding (2004), Incident Finding (2005), Vulnerability Finding (2002) and Unknown (00).
Compliance Finding
Compliance Finding includes the following actions:
ApplyRecordLabel
ComplianceSettingChanged
ExclusionConfigurationDeleted
NewComplianceTag
NewRetentionCompliancePolicy
NewRetentionComplianceRule
CreateRulePackage
CreateSuppressionRule
ApproveDisposal
RemoveComplianceTag
SetComplianceTag
SetRestrictiveRetentionUI
SupervisionPolicyCreated
SupervisionPolicyUpdated
SupervisionPolicyDeleted
HoldUpdated
HoldCreated
HoldRemoved
DlpInfo
Detection Finding
Detection Finding includes the following actions:
FileMalwareDetected
DocumentSensitivityMismatchDetected
TIMailData
DeviceOffBoarding
AddIndicator
ChangeCustomDetectionRuleStatus
CreateCustomDetection
DeleteIndicator
EditIndicator
MonitoringAlertUpdated
RunCustomDetection
Trigger CMD agent Canary check.
DlpRuleMatch
AlertEntityGenerated
AlertTriggered
Incident Finding
Incident Finding includes the following actions:
AddCommentToIncident
AddTagsToIncident
AssignUserToIncident
CollectInvestigationPackage
EditIncidentClassification
RemediationActionAdded
RemediationActionUpdated
RemoveTagsFromIncident
UnAssignUserFromIncident
UpdateIncidentStatus
CaseUpdated
CaseAdded
CaseRemoved
Account Change
Account Change includes the following actions:
Add member to role
Add service principal
Add user
Added role
Change user license
Change user password
Delete user
Deleted application permission
Deleted role
Edited global role assignment
Edited role
NetworkUserSuspended
Remove member from role
Remove delegation entry
Reset user password
Set force change user password
AdministratorAddedToTermStore
AdministratorDeletedFromTermStore
AlertNotificationsRecipientDeleted
CaseAdminUpdated
CaseAdminAdded
CaseAdminRemoved
Added user
Authentication
Authentication includes the following actions:
MailboxLogin
ClockedIn
ClockedOut
TeamsSessionStarted
Login
SignInEvent
SSOUserCredentialsSet
Logged in user
UserLoggedIn
UserLoggedOff
UserLoginFailed
User Access Management
User Access Management includes the following actions:
Add-MailboxPermission
ModifyFolderPermissions
Remove-MailboxPermission
ApplicableAdaptiveScopeChange
CaseMemberAdded
Group Management
Group Management includes the following actions:
RemovedFromSecureLink
BotAddedToTeam
BotRemovedFromTeam
MemberAdded
MemberRemoved
MemberRoleChanged
ScheduleGroupAdded
ScheduleGroupEdited
ScheduleGroupDeleted
TeamCreated
TeamDeleted
Add group
Add member to group
Created group
Delete group
Deleted group
Edited group membership
Edited group
GroupCreation
GroupDeletion
GroupRemoved
GroupAdded
GroupUpdated
RemovedFromGroup
AddedToGroup
Remove member from group
RemoveSpecificResponder
RosterMemberAdded
RosterMemberDeleted
CaseMemberUpdated
CaseMemberRemoved
Team added
Team deleted
UserAddedToGroup
UserRemovedFromGroup
Email Activity
Email Activity includes the following actions:
Send
SendAs
SendOnBehalf
MessageDeletedNotification
QuarantineDelete
QuarantineExport
QuarantinePreview
QuarantineRelease
QuarantineReleaseRequest
QuarantineReleaseRequestDeny
QuarantineViewHeader
SupervisionRuleMatch
SupervisoryReviewTag
SupervisoryReviewOLAudit
Web Resource Activity
Web Resource Activity includes the following actions:
UpdateCalendarDelegation
AddFolderPermissions
Copy
Create
New-InboxRule
SoftDelete
Move
MailItemsAccessed
MoveToDeletedItems
Set-InboxRule
HardDelete
UpdateInboxRules
Update
LockRecord
UnlockRecord
SearchQueryPerformed
PageViewed
PageViewedExtended
FolderCreated
ClientViewSignaled
PagePrefetched
FolderModified
ListColumnCreated
ListContentTypeCreated
ListItemCreated
SiteContentTypeCreated
ListColumnDeleted
ListCreated
ListItemDeleted
SiteColumnDeleted
ListDeleted
ListContentTypeDeleted
ListRestored
SiteColumnCreated
ListItemRecycled
ListItemDeleted
ListItemRestored
ListContentTypeUpdated
ListUpdated
ListViewed
SiteContentTypeDeleted
ListItemUpdated
SiteColumnUpdated
AccessRequestAccepted
ListColumnUpdated
SiteContentTypeUpdated
AccessRequestCreated
PermissionLevelAdded
CompanyLinkCreated
AnonymousLinkCreated
SharingInvitationAccepted
SecureLinkCreated
SharingInvitationCreated
SecureLinkDeleted
CompanyLinkRemoved
AccessRequestDenied
AnonymousLinkRemoved
AccessRequestUpdated
SharingSet
AnonymousLinkUpdated
SharingInvitationBlocked
AnonymousLinkUsed
SecureLinkUsed
CompanyLinkUsed
SharingRevoked
AddedToSecureLink
SharingInvitationUpdated
SharingInvitationRevoked
ExemptUserAgentSet
AllowedDataLocationAdded
SiteGeoMoveCancelled
AllowGroupCreationSet
CustomizeExemptUsers
DeviceAccessPolicyChanged
NetworkAccessPolicyChanged
SiteCollectionCreated
SiteDeleted
SendToConnectionRemoved
SiteGeoMoveCompleted
SharingPolicyChanged
PreviewModeEnabledSet
HubSiteOrphanHubDeleted
SendToConnectionAdded
HubSiteJoined
SiteCollectionQuotaModified
LegacyWorkflowEnabledSet
OfficeOnDemandSet
NewsFeedEnabledSet
PeopleResultsScopeSet
AllowedDataLocationDeleted
SiteRenamed
HubSiteRegistered
HostSiteSet
GeoQuotaAllocated
HubSiteUnjoined
HubSiteUnregistered
SiteCollectionAdminAdded
PermissionLevelsInheritanceBroken
SharingInheritanceBroken
SiteGeoMoveScheduled
WebRequestAccessModified
WebMembersCanShareModified
PermissionLevelModified
PermissionLevelRemoved
SitePermissionsModified
SiteCollectionAdminRemoved
SiteAdminChangeRequest
SharingInheritanceReset
BreakEnded
ChannelAdded
BreakStarted
ChannelDeleted
ChannelOwnerResponded
ChatRetrieved
ChannelSettingChanged
ChatCreated
ChatUpdated
ConnectorAdded
ConnectorRemoved
ConnectorUpdated
CreateUpdateRequest
EditUpdateRequest
FailedValidation
InviteeResponded
InviteSent
MeetingDetail
MeetingParticipantDetail
MessageCreatedHasLink
MessageDeleted
MessageCreatedNotification
MessageEditedHasLink
MessageHostedContentRead
MessageRead
MessageReadReceiptReceived
MessageHostedContentsListed
MessageSent
MessagesExported
MessageUpdated
MessageUpdatedNotification
OffShiftDialogAccepted
MessagesListed
OpenShiftAdded
OpenShiftDeleted
OpenShiftEdited
PerformedCardAction
RequestAdded
RequestRespondedTo
RequestCancelled
ScheduleSettingChanged
ScheduleShared
SensitivityLabelApplied
ScheduleWithdrawn
SensitivityLabelChanged
SensitivityLabelRemoved
SharingRestored
ShiftAdded
ShiftDeleted
ShiftEdited
SubscribedToMessages
TabAdded
SubmitUpdate
TabRemoved
TabUpdated
TeamSettingChanged
TeamsTenantSettingChanged
TerminatedSharing
TimeClockEntryDeleted
TimeClockEntryAdded
TimeClockEntryEdited
TimeOffAdded
TimeOffEdited
ViewUpdate
TimeOffDeleted
TranscriptsExported
AccessedOdataLink
AcceptedSharingLinkOnFolder
Add delegation entry.
Add domain to company.
Add service principal credentials.
Add partner to company.
Update service principal.
AddedDataLossPreventionEvaluationResult
AddFormCoauthor
AddReviewer
AddSpecificResponder
Admin allowed third party app
Admin modified app owner
Admin modified app permissions
Admin set app as featured
Admin set bypass consent status
Admin set conditional access
Admin set required logical name
Admin set quarantine status
AlertExcelDownloaded
AlertNotificationsRecipientAdded
AllowAnonymousResponse
AllowShareFormForCopy
AppBypassInformationBarrier
CanceledQuery
Check PowerShell execution policy
ClassificationDefinitionDeleted
ClassificationAdded
ClassificationDefinitionUpdated
ClassificationDeleted
ClassificationDefinitionCreated
CollectionHardDeleted
CollectionCreated
CollectionRenamed
CollectionSoftDeleted
Commented on video
CommunityAccessFailure
CollectionUpdated
Consent to app APIs
ConnectToExcelWorkbook
Create LogCollection request
Create new work item (scheduler)
ConsentModificationRequest
Create remote action operation in Acti...
CreateComment
CreateForm
CreateResponse
Dashboard created
Dashboard deleted
Dashboard updated
Exported data
DataAccessRequestOperation
DataExport
DataShareCreated
DeleteAllResponses
DeleteCustomDetection
Deleted video
DeletedResult
DeleteSummaryLink
DisableCollaboration
DisableSpecificResponse
DisallowShareFormForCopy
DisableSuppressionRule
DisallowAnonymousResponse
EditCustomDetection
Edited app
Edited app permissions
Edited global role assignment
Edited channel
Edited tenant settings
Edited group
Edited user settings
Edited role
Edited video permissions
EditForm
Edited video
EditRulePackage
EnableSameOrgCollaboration
EditSuppressionRule
EnableSpecificCollaboaration
EnableSpecificResponse
EnableSuppressionRule
EnableWorkOrSchoolCollaboration
EntityCreated
EntityDeleted
EntityRemediatorConfigurationUpdated
EntityUpdated
ExclusionConfigurationAdded
ExclusionConfigurationUpdated
ExecutedQuery
ExportForm
ExtendRetention
FileUpdateDescription
FileUpdateName
FileVisited
FolderSharingLinkShared
SharingLinkUsed
SharingLinkCreated
GenerateCopyOfLakeData
Get text track
Get transcript
Get video
GetSummaryLink
GlossaryTermAssigned
GlossaryTermCreated
GlossaryTermDisassociated
GlossaryTermDeleted
GlossaryTermUpdated
Target policy updated
Group viewed
InformationBarriersInsightsReportOneDr...
InformationBarriersInsightsReportSched...
InformationBarriersInsightsReportShare...
InformationBarriersInsightsReportCompl...
Liked video
Link on video
LinkedEntityCreated
LinkedEntityDeleted
LinkedEntityUpdated
ListForms
Mark app as featured
Mark app as Hero
MarkedMessageChanged
ReactedToMessage
MeetingExclusionCreated
MessageCreated
MessageAccessFailure
MessageViewed
MonitoringAlertNotificationRecipientAd...
MonitoringAlertNotificationRecipientDe...
MovedFormIntoCollection
MovedFormOutofCollection
NetworkConfigurationUpdated
NetworkSecurityConfigurationUpdated
MoveForm
NewAdaptiveScope
NotificationConfigurationUpdated
OCE run command on VM
OKR or project created
OKR or project deleted
OKR or project updated
Organization created
Organization integration updated
Organization settings updated
PlanCreated
PlanCopied
PlanDeleted
PlanRead
Post remote action operation
PlanListRead
PreviewForm
PlanModified
ProcessProfileFields
ProjectCreated
ProjectAccessed
ProInvitation
ProjectDeleted
ProjectForTheWebRoadmaptSettings
ProjectForTheWebProjectSettings
ProjectListAccessed
ProjectUpdated
RelabelItem
ReleaseFromIsolation
Remove domain from company.
Remove partner from company.
Remove service principal credentials.
RemoveAdaptiveScope
RemoveAppRestrictions
RemoveFormCoauthor
RemoveRetentionComplianceRule
RemoveRetentionCompliancePolicy
ReporterConfigurationUpdated
RestrictAppExecution
RoadmapAccessed
RoadmapCreated
RoadmapDeleted
RoadmapItemAccessed
RoadmapItemCreated
RoadmapItemDeleted
RoadmapItemUpdated
RoadmapUpdated
RosterCreated
RosterDeleted
RosterSensitivityLabelUpdated
Run hybrid AADJ extension
RunLiveResponseApi
SensorCreated
SensorConfigurationUpdated
SensorDeleted
SensorDeploymentAccessKeyUpdated
SensorDeploymentAccessKeyReceived
Set company contact information
Set channel thumbnail
Set delegation entry
Set company information
Set domain authentication
Set federation settings on domain
Set DirSyncEnabled flag
Set license properties
Set password policy
SetAdaptiveScope
SetAdvancedFeatures
SetRetentionCompliancePolicy
SiteIBModeChanged
Shared video
SiteIBModeSet
SetRetentionComplianceRule
SiteIBSegmentsChanged
SiteIBSegmentsRemoved
SiteIBSegmentsSet
SiteSensitivityLabelApplied
SensitivityLabelUpdated
SiteSensitivityLabelChanged
SiteSensitivityLabelRemoved
SoftDeleteSettingsUpdated
SPOIBIsDisabled
SPOIBIsEnabled
SubmitResponse
SubTaskCreated
SubTaskDeleted
SubTaskUpdated
SupervisorAdminToggled
SyslogServiceConfigurationUpdated
TaggingConfigurationUpdated
TaskAccessed
TaskAssigned
TaskCompleted
TaskDeleted
TaskCreated
TaskListCreated
TaskListRead
TaskListUpdated
TaskModified
TaskRead
TaskUpdated
Team updated
TenantSettingsUpdated
Trigger device repair
Trigger generic action by SaaF
Trigger generic action
Trigger generic action with options
Unliked video
Trigger orchestrator
Update group.
Update user.
UpdatedDataAccessSetting
UpdatedOrganizationBriefingSettings
UpdatedOrganizationMyAnalyticsSettings
Update domain.
UpdatedPrivacySetting
UpdatedUserBriefingSettings
UpdatedUserMyAnalyticsSettings
UpdateFormSetting
UpdatePhishingStatus
UpdateResponse
UpdateUsageReportsPrivacySetting
UpdateUserSetting
URbacAuthorizationStatusChanged
UserInvited
UserSuspension
Viewed video
Verify domain
Verify email verified domain
ViewedExplore
ViewForm
ViewResponses
ViewRuntimeForm
ViewResponse
VpnConfigurationUpdated
WorkspaceCreated
WorkspaceDeleted
WorkspaceAlertThresholdLevelUpdated
SearchUpdated
SearchPermissionUpdated
PreviewItemListed
SearchCreated
SearchPermissionCreated
SearchRemoved
SearchExportDownloaded
SearchPreviewed
SearchPermissionRemoved
SearchResultsPurged
RemovedSearchResultsSentToZoom
RemovedSearchPreviewed
RemovedSearchExported
RemovedSearchResultsPurged
SearchResultsSentToZoom
SearchReportRemoved
SearchStarted
SearchReport
ThreadViewed
CaseViewed
SearchViewed
ViewedSearchExported
SearchStopped
ViewedSearchPreviewed
AddWorkingSetQueryToWorkingSet
AddQueryToWorkingSet
AddNonOffice365DataToWorkingSet
AnnotateDocument
LoadComparisonJob
RunAlgo
CreateWorkingSet
CreateWorkingSetSearch
CreateTag
DeleteTag
UpdateTag
DeleteWorkingSetSearch
UpdateCaseSettings
UpdateWorkingSetSearch
PreviewWorkingSetSearch
TagJob
LabelContentExplorerAccessedItem
AccessInvitationAccepted
AccessInvitationCreated
AccessInvitationExpired
AccessInvitationRevoked
AccessInvitationUpdated
AccessRequestApproved
AccessRequestRejected
AppCatalogCreated
AuditPolicyUpdate
ActivationEnabled
AuditPolicyRemoved
AzureStreamingEnabledSet
CollaborationTypeModified
CreateSSOApplication
ConnectedSiteSettingModified
CustomFieldOrLookupTableCreated
CustomFieldOrLookupTableDeleted
CustomFieldOrLookupTableModified
DelegateModified
DelegateRemoved
DefaultLanguageChangedInTermStore*
eDiscoveryHoldApplied
eDiscoveryHoldRemoved
eDiscoverySearchPerformed
EngagementAccepted
EngagementModified
EnterpriseCalendarModified
EngagementRejected
EntityForceCheckedIn
LanguageAddedToTermStore
LookAndFeelModified
LanguageRemovedFromTermStore
MaxQuotaModified
MaxResourceUsageModified
MySitePublicEnabledSet
ODBNextUXSettings
PermissionSyncSettingModified
PermissionTemplateModified
PortfolioDataAccessed
PortfolioDataModified
ProjectCheckedOut
ProjectCheckedIn
ProjectModified
ProjectPublished
ProjectWorkflowRestarted
PWASettingsAccessed
ProjectForceCheckedIn
PWASettingsModified
QueueJobStateModified
QuotaWarningEnabledModified
RenderingEnabled
ReportingAccessed
ResourceCheckedIn
ResourceAccessed
ReportingSettingModified
ResourceCreated
ResourceCheckedOut
ResourceModified
ResourcePlanCheckedInOrOut
ResourceDeleted
ResourcePlanModified
ResourcePlanPublished
ResourceForceCheckedIn
ResourceWarningEnabledModified
ResourceRedacted
SSOGroupCredentialsSet
SearchCenterUrlSet
SecondaryMySiteOwnerSet
SecurityCategoryModified
SecurityGroupModified
SiteCollectionAdminAdded*
StatusReportModified
SyntexBillingSubscriptionSettingsChang...
TaskStatusAccessed
TaskStatusApproved
TaskStatusRejected
TaskStatusSubmitted
TaskStatusSaved
TimesheetRejected
TimesheetApproved
TimesheetSaved
TimesheetSubmitted
TimesheetAccessed
UpdateSSOApplication
WorkflowModified
DlpRuleUndo
AlertUpdated
SensitivityLabelPolicyMatched
CopilotInteraction
Channel viewed
Deleted video comment
Deleted channel
Created channel
Created video
User disabled
User deleted
Application Lifecycle
Application Lifecycle includes the following actions:
AppDeletedFromCatalog
AppPublishedToCatalog
AppInstalled
AppUninstalled
AppUpdatedInCatalog
AppUpgraded
DeletedAllOrganizationApps
WorkforceIntegrationAdded
AddDevicesToBackfill action
AddDevicesToReinstall action
Admin deleted app
Admin restored deleted app
Create VmExtention request
Created app
Deleted app
Deleted app version
Run AppHealthPlugin
Install RD agent
Update device.
MigrationJobCompleted
Patched app
Published app
Remove service principal.
Removed app as featured
Removed app as Hero
TriggerClientAgentCheckBulkAction action...
Launched app
LaunchPowerApp
DeleteSSOApplication
File Hosting Activity
File Hosting Activity includes the following actions:
UpdateFolderPermissions
FileCheckedIn
FileCheckedOut
FileCopied
FileAccessedExtended
FileDeletedSecondStageRecycleBin
FileDeleted
FileAccessed
FileDeletedFirstStageRecycleBin
RecordDelete
FileDownloaded
FileCheckOutDiscarded
FileModified
FileModifiedExtended
FilePreviewed
FileRecycled
FolderRecycled
FileVersionsAllMinorsRecycled
FileMoved
FileVersionRecycled
FileUploaded
FileRenamed
FileVersionsAllRecycled
FileRestored
FolderDeleted
FolderDeletedFirstStageRecycleBin
FolderMoved
FolderCopied
FolderDeletedSecondStageRecycleBin
FolderRenamed
FolderRestored
RecordingExported
ManagedSyncClientAllowed
FileSyncDownloadedFull
FileSyncDownloadedPartial
FileSyncUploadedFull
UnmanagedSyncClientBlocked
FileSyncUploadedPartial
AttachmentDeleted
AttachmentUpdated
AttachmentCreated
DataShareDeleted
Deleted text track
Deleted thumbnail
DomainControllerCoverageExcelDownloaded
DownloadCopyOfLakeData
Downloaded video
DownloadedReport
DownloadOffboardingPkg
DownloadFile
DownloadOnboardingPkg
FileAccessFailure
FileCreated
FileSensitivityLabelChanged
FileSensitivityLabelApplied
FileSensitivityLabelRemoved
FileShared
WACTokenShared
LiveResponseGetFile
LogsCollection
AddRemediatedData
BurnJob
DownloadDocument
ExportJob
ErrorRemediationJob
TagFiles
PreviewItemRendered
ViewDocument
FileFetched
FileViewed
SharedLinkCreated
SharedLinkDisabled
SharingInvitationAccepted*
SyncGetChanges
Restored app version
RunAntiVirusScan
StopAndQuarantineFile
Uploaded text track
Upload folder to Blob
Uploaded thumbnail
Uploaded video
UploadedOrgData
ReportDownloaded
PreviewItemDownloaded
SearchExported
Published solution canvas app version