SmartConnector for Microsoft Office 365 Management Activity


The Microsoft Office 365 Management Activity guide can be found here


Comment List

    Hi everyone

    i follow all the steps mentioned on the document but i cann't get logs i think ther is a missed permission on O365 

    any help please.

    best regards

  • Hi everyone.   Record type 40 in 7.15 maps Device Product incorrectly to eDiscovery rather than Security Compliance Alerts.   It kind of threw me for a loop.  SD02696513 submitted to document this bug.  Here's the map file I created to correct the issue.   It includes an extra bonus that creates a URL that will take your analyst to the alert (after they log in).   Note:  this is specific to

    SecurityComplianceAlerts,Security Compliance Alerts,"__concatenate("""",__split(fileId,"" "",""2""))"

  • Additional events to add 


    1) Record Type 29 -- user submitted Phish identification 

    2) Record Type 51 -- Hygiene event (i'm seeing this trigger when a user hits the spam filters in exchange)

    3) Record Type 64 -- AIR investigations.    One of the interesting things for this is email header information for zapped  emails and what appears to be the offending email that causes the restrict user use case to fire based on span filters.  When I get a chance

  • Dear  ,


    I've already raised a FR to include the relevant events that we've identified:

    SD02377637/FR: CON-22046 | Expand event types supportability of MS Office 365 Connector


    However, the best approach is that ArcSight SIEM as security solution provides a fully coverage of all the security events generated, at least the documented ones are mandatory.

    Note that there are more events seen on the wild, this is because of Microsoft and I'm not asking to you to cover them, but for sure all the ones "GA" which are fully documented by MS.

    This is what another SIEM solutions offers out of the box, and they maintain it frequently, 

    I appreciate to see progress on this agent, but it is still away to be considered as a reliable data collector for office365.


    Hope that this clarifies the current scenario,





  • Hi ,


    The best approach here is to submit a feature request case on the support platform, when you submit your case please specify the security  events your company needs to be included in one of the next connector releases.




  • Hi All,


    While it is truth that the agent has received some updates during these last months, we can still see lots of relevant security events not covered, in fact, only the following ones are supported:

    1 ExchangeAdmin2 ExchangeItem3 ExchangeItemGroup4 SharePoint6 SharePointFileOperation8 AzureActiveDirectory9 AzureActiveDirectoryAccountLogon11 ComplianceDLPSharePoint13 ComplianceDLPExchange14 SharePointSharingOperation33 ComplianceDLPSharePointClassification55 SharePointContentTypeOperation56 SharePointFieldOperation


    This is just a subset from the events produced 

    Actually, as security solution, they should focus on all the relevant ones for security monitoring, at first glance, I still miss many other events, to highlight: 



    Is it too difficult to support them? I'm not asking for all of them but just the needed to ensure a proper security monitoring, neither the types "seen on the wild/nor documented"


    Best regards,



  • When is someone going to fix the permission instructions in this document.  They don't work as written?

  • Hi all, sorry for my newbi question but this connector replace the "Microsoft Azure Monitor Event Hub" connector way ? Or is complementary in any sense? 

  • Hi Team,

    Can you please release a new smartconnector office 365 guide?

    Azure screenshots and instructions are outdated and it is not working.

    "Bad request" in the logs.

  • Hi,

    I am getting the below error, please advise;

    Connector parameters did not pass the verification with error [1:Cannot retrieve access token due to: []

    Thanks and Regards,
    Siddarth T