Appendix

Fetching Message Tracking (Exchange Online) Logs

Office365 does not fetch Message Tracking (Exchange Online) logs. To fetch these logs, you need to download the Logpoint Agent and the PowerShell script zipped with Office365.

To fetch Message Tracking (Exchange Online) logs:

  1. Import the Exchange Online cmdlets into the Windows PowerShell session.

    Note

    Refer to Connect to Exchange Online PowerShell for details on importing the Exchange Online cmdlets into the Windows PowerShell session.

  2. Enter the Username, Password, DateStart and location of the Outfile in the provided PowerShell script.

  3. Schedule an interval to run the provided script using the Windows scheduler.

  4. Install Logpoint Agent Collector.

  5. Configure Logpoint Agent Collector to collect the output file that consists of the Message Tracking (Exchange Online) logs written by the PowerShell script.

  6. While configuring Logpoint Agent Collector:

    6.1 The fetch interval must be the same as in the Windows scheduler.

    6.2 You must use the Office365 normalization package LP_O365 Exchange MT.
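
The scheduled fetch from steps 2 and 3, written as an added PowerShell example; it is not the script shipped with Office365. The paths, the credential file, the checkpoint file and the JSON-lines output format are assumptions (the LP_O365 Exchange MT package expects the format written by the provided script), and it assumes the ExchangeOnlineManagement module and the Get-MessageTrace cmdlet are available.

```powershell
# Added example, not the script provided with Office365. All paths below are hypothetical.
$Outfile   = 'C:\LogpointMT\message_tracking.log'  # file the Logpoint Agent Collector reads
$StateFile = 'C:\LogpointMT\last_run.txt'          # checkpoint: end of the previous window
$CredFile  = 'C:\LogpointMT\exo_cred.xml'          # created once: Get-Credential | Export-Clixml
$DateStart = (Get-Date).ToUniversalTime().AddHours(-1)  # used only on the very first run

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement

# Resume from the checkpoint so consecutive scheduled runs neither overlap nor leave gaps.
if (Test-Path $StateFile) {
    $start = [datetime]::Parse((Get-Content $StateFile -Raw).Trim(), $null,
                               [System.Globalization.DateTimeStyles]::RoundtripKind)
} else {
    $start = $DateStart
}
$end = (Get-Date).ToUniversalTime()

# Import-Clixml decrypts the credential only for the user and machine that exported it,
# so the scheduled task must run as that same account.
Connect-ExchangeOnline -Credential (Import-Clixml $CredFile) -ShowBanner:$false
try {
    $page = 1
    do {
        # Results are paged; keep requesting pages until one comes back short.
        $rows = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
        foreach ($r in $rows) {
            # One compact JSON object per line (assumed format, see lead-in).
            $r | Select-Object Received, SenderAddress, RecipientAddress, Subject,
                               Status, FromIP, ToIP, Size, MessageId, MessageTraceId |
                ConvertTo-Json -Compress |
                Add-Content -Path $Outfile -Encoding UTF8
        }
        $page++
    } while ($rows.Count -eq 5000)

    # Advance the checkpoint only after the whole window has been written.
    Set-Content -Path $StateFile -Value $end.ToString('o')
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If a run fails before the checkpoint is updated, the next run repeats the same window, so the output may contain duplicates but no gaps.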

Vendor Field Map

The following tables map the Office 365 fields to the Logpoint taxonomy.

| Vendor Fields | Logpoint Fields |
|---|---|
| actorObjectClass | actor_object_class |
| actorObjectId | actor_object_id |
| additionalDetails | additional_information |
| auditEventCategory | audit_event_category |
| correlationId | correlation_id |
| env_appId | application_id |
| env_appVer | application_version |
| env_cloud_deploymentUnit | cloud_deployment_unit |
| env_cloud_environment | could_environment |
| evn_cloud_name | cloud |
| env_cloud_role | cloud_role |
| env_cloud_roleInstance | cloud_role_instance |
| evn_could_roleVer | cloud_role_version |
| env_flags | flag |
| env_osVer | os_version |
| env_os | os |
| env_popSample | pop_sample |
| env_seqNum | sequence_number |
| env_time | env_ts |
| env_ver | env_version |
| extendedAuditEventcategory | extended_audit_event_category |
| ModifiedProperties | event_properties |
| resultType | result_type |
| targetIncludedUpdatedProperties | target_included_updated_properties |
| targetObjectId | target_object_id |
| targetPUID | target_puid |
| targetUPN | target_upn |
| teamName | team |
| FileSyncBytesCommitted | file_sync_bytes_committed |
| MachineId | machine_id |
| OperationDetails | operation_details |
| ClientApplicationId | client_application_id |
| EntityPath | path |
| alert_name | alert |
| AlertLinks | alert_link |
| EventData | event_data |
| ClientType | client_type |
| ApplicationDisplayName | application_display_name |
| ListBaseType | list_base_type |
| ListTitle | list_title |
| ListBaseTemplateType | list_base_template_type |
| OperationDetails | details |
| ResourceTitle | title |
| ResourceUrl | url |
| object_name | object |
| TeamGuid | team_guid |
| ChannelName | channel |
| ChannelGuid | channel_guid |
| ExtraProperties | description |
| TabType | tab_type |
| TeamGuid | team_guid |
| ClientInfoString | client_information |
| ExternalAccess | external_access |
| ItemId | item_id |
| ItemIsRecord | item_is_record |
| MailboxOwnerMasterAccountSid | mailbox_owner_master_account_sid |
| ItemInternetMessageDd | item_internet_message_id |
| copyRoleAssignments | copy_role_assignments |
| UniqueSharingId | unique_sharing_id |
| ImplicitShare | implicit_share |
| ClassificationInfo | classification_information |
| actorappId | actor_application_id |
| actorContextId | actor_context_id |
| actorUPN | actor_upn |
| destinationfilename | destination_file |
| actorpuid | actor_puid |
| role_wellknownobjectname | role |
| role_displayname | role_name |
| role_objectid | role_object_id |
| role_templateid | role_template_id |
| SharePointMetaDataFileSize | file_size |
| SharePointMetaDataFrom | sender |
| SharePointMetaDataSiteCollectionUrl | site_url |
| PolicyDetailsPolicyName | policy |
| PolicyDetailsRulesActionParameters | action_parameter |
| PolicyDetailsRulesConditionsMatchedCondition MatchedInNewScheme | matched_in_new_scheme |
| PolicyDetailsRulesConditionsMatchedSensitive InformationConfidence | sensative_info_confidence |
| PolicyDetailsRulesConditionsMatchedSensitive InformationCount | sensative_info_count |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveInformationDetections ResultsTruncated | sensitive_info_result_truncated |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveInformationTypeName | sensative_info_type_id |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveType | sensative_info_type |

