Office 365 アプリケーションのログの収集

Microsoft Office 365 アプリケーションのログを収集するには、以下の手順を実行します。

1. 1 つの Hosted Collector。
2. ログを収集するコンテンツ タイプごとに 1 つの Microsoft Office 365 監査 Source。例:
   • Office 365 Azure AD ログ
   • Office 365 Exchange ログ
   • Office 365 SharePoint ログ
   • Office 365 全般のログ
   • Office 365 データ損失防止 (DLP) イベント ログ

詳細については、「Microsoft Office 365 監査 Source」を参照してください。

推奨される Source Category の命名規則は次のとおりです。

• Azure AD: O365/Azure
• Exchange: O365/Exchange
• SharePoint: O365/SharePoint
• 全般: O365/SharePoint
• DLP:  O365/DLP

ログ メッセージのサンプル

{  
   "ClientIP":"62.68.137.155",
   "CreationTime":"2017-09-25T22:42:35",
   "Id":"9605876a-1c37-4337-ecbc-08d2409e6e9a",
   "Operation":"FileCopied",
   "OrganizationId":"fa0f55b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":6,
   "UserKey":"i:0h.f|membership|10890000801fe866@live.com",
   "UserType":4,
   "Workload":"SharePoint",
   "ObjectId":"partner.acme.com/shared documents/foo/PurchaseOrder.xls",
   "UserId":"samir@acme.sharepoint.net",
   "EventSource":"SharePoint",
   "ItemType":"Folder",
   "Site":"7520eb33-0a76-4dfc-a56e-a835bb541aa0",
   "UserAgent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3)",
   "DestinationFileName":"PurchaseOrder.xls",
   "DestinationRelativeUrl":"/my library/",
   "SiteUrl":"partner.acme.com",
   "SourceFileExtension":".xls",
   "SourceFileName":"PurchaseOrder.xls",
   "SourceRelativeUrl":"/shared documents/foo"
}

{  
   "CreationTime":"2017-09-25T22:37:35",
   "Id":"0df04c72-d3e1-4016-70ab-09f3333de0ca",
   "Operation":"FolderBind",
   "OrganizationId":"fa0f27b5-3dac-425b-8e00-c58e5889499c",
   "RecordType":2,
   "ResultStatus":"Succeeded",
   "UserKey":"10037FFE8EDD1D69",
   "UserType":2,
   "Workload":"Exchange",
   "UserId":"",
   "ClientIPAddress":"146.139.54.184",
   "ClientInfoString":"Client=WebServices;10.5.2.0ES10;",
   "ExternalAccess":false,
   "InternalLogonType":0,
   "LogonType":1,
   "LogonUserSid":"S-1-5-21-802669544-745651041-3938370137-2862061",
   "MailboxGuid":"6f541602-34c4-4846-9d98-40ce28ff6dc2",
   "MailboxOwnerSid":"S-1-5-21-802669544-745651041-3938370137-2707171",
   "MailboxOwnerUPN":"john@acme.com",
   "OrganizationName":"ACME.com",
   "OriginatingServer":"BLUPR02MB327 (15.02.0396.020)\r\n",
   "Item":{  
      "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
      "ParentFolder":{  
         "Id":"LgCDEFCvDwkeofbHT4Xu0aodZZIMAQBaMVsTsKq8RIhghXhDomkECDEFAAEUBCEB",
         "Path":"\\Recoverable Items\\Deletions"
      }
   }

クエリのサンプル

SharePoint 操作

_sourceCategory=O365* CreationTime Workload ("\"Workload\":\"SharePoint\"" or "\"Workload\":\"OneDrive\"")
| json "Operation", "Workload"
| where Workload in ("SharePoint", "OneDrive")
| timeslice by 1h
| count _timeslice, operation
| transpose row _timeslice column operation

ワークロード別の失敗したアクティビティ

_sourceCategory=O365* Workload Operation "ResultStatus" fail* 
| json "Workload", "ResultStatus", "Operation" 
| where resultstatus matches "*fail*" or resultstatus matches "*Fail*"
| timeslice 1h
| count _timeslice, workload 
| transpose row _timeslice column workload