Those who have been reading my blog know that I have been working a lot with security monitoring, and especially with Microsoft Cloud App Security (MCAS), in the last year or so. During that time it has been quite difficult to find out from the documentation where and how MCAS receives its Office 365 related activity data, and which activities you can actually see in MCAS.

For that reason, I started to collect the O365 audited activities into an Excel spreadsheet before the summer vacation. This summer my vacation period was 7.5 weeks, which explains the long quiet period in writing. Now I have had time to finalize this work, and the outcome can be downloaded from the bottom of the post.

Disclaimer: The audited activities list is based on Microsoft ‘docs.microsoft.com’ sources and might change over time. I haven’t tested all possible scenarios (MCAS vs. O365 logs). Also, I haven’t found official documentation or architecture pictures about the O365 integration from the Cloud App Security point of view. This is my personal assumption of how the integration works.

Cloud App Security & O365 Integration

Before jumping to the audited activities, the key takeaway is: Cloud App Security integrates directly with Office 365’s audit logs and receives all audited events from all supported services. In a nutshell, it ingests the activities directly from the O365 Management Activity API. Even though MCAS is not a 3rd-party app, from the O365 activity audit point of view it could be positioned in the bottom right corner of the picture, where the 3rd-party consumers of the API sit.

Supported Apps In O365

MCAS fully supports (and protects) the following services:

  • Dynamics 365 CRM
  • Exchange (only appears after activities from Exchange are detected in the portal, and requires you to turn on auditing)
  • Office 365
  • OneDrive
  • Power Automate
  • Power BI (only appears after activities from Power BI are detected in the portal, and requires you to turn on auditing)
  • SharePoint
  • Skype for Business
  • Teams (only appears after activities from Teams are detected in the portal)
  • Yammer

According to Microsoft, “Cloud App Security receives all audited events from all supported services”, which also covers Office 365 apps such as PowerApps, Forms, and Stream.

  • Sway audit support is retired by Microsoft in August

Even though the activities should ‘flow’ to both the Unified Audit Log (UAL) and Cloud App Security, I have found that in some cases (for example with Sway) the MCAS activity log doesn’t contain the same activities as the UAL (see pics below). Sway events should be found in the logs within the 24h timeframe, but I have had a slightly different experience.

Activities from O365 apps such as Forms, Flow, Sway & Delve are also found in MCAS

Worth mentioning is the delay in O365 audit log records. It can take anywhere from 30 minutes up to 24 hours after an event occurs for the corresponding audit log record to become available (long-term auditing storage in O365 in the picture below). In practice this means a missing activity should not be treated as a data gap until that 24-hour window has passed. The Management Activity API documentation states: “There is no guaranteed maximum latency for notification delivery (in other words, no SLA).”

In the pictures below you can find a list of the services and their audited activities. More information can be found in the “O365 Unified Audit Log” reference doc.

O365 Management Activity API Structure

As said, Cloud App Security ingests audit data from the O365 Management Activity API. Because of that, it’s important to understand the audited activities, and the fields each record carries, if you want to create custom policies based on the activity data.

In a nutshell, the O365 Management Activity API provides information about the various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs.

It consists of a common schema and product-specific schemas. The schema descriptions below are from docs.microsoft.com.

Common schema (docs.microsoft.com)

The interface to access core Office 365 auditing concepts such as Record Type, Creation Time, User Type, and Action as well as to provide core dimensions (such as User ID), location specifics (such as Client IP address), and product-specific properties (such as Object ID). Common schema is sourced from product data that is owned by each product team, such as Exchange, SharePoint, Azure Active Directory, Yammer, and OneDrive for Business.

Product-specific schema (docs.microsoft.com)

Built on top of the Common schema to provide a set of product-specific attributes; for example, Sway schema, SharePoint schema, OneDrive for Business schema, and Exchange admin schema.
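To make the two-layer schema concrete, here is an added example (my code, not the post's and not Microsoft's) that takes a content blob as the Management Activity API returns it, splits every record into its common-schema part and its product-specific extras, and then runs one policy-style check that only works because the product-specific fields are there. The records are constructed sample data (Contoso-style addresses, TEST-NET IPs), the `RECORD_TYPES` table is a subset of the documented AuditLogRecordType enum that you should extend from the docs, and the forwarding check is my own illustration of the kind of condition a custom MCAS activity policy needs.

```python
"""Normalise Office 365 Management Activity API records.

Added example, not code from the post: constructed records follow the common
schema plus two product-specific extensions (Exchange admin, SharePoint/OneDrive),
and a small policy check shows why the product-specific fields matter for
custom MCAS policies.
"""
import json
from collections import Counter

# Subset of the AuditLogRecordType enum from the Management Activity API schema
# docs; extend it from the docs for workloads not listed here.
RECORD_TYPES = {
    1: "ExchangeAdmin", 2: "ExchangeItem", 4: "SharePoint",
    6: "SharePointFileOperation", 8: "AzureActiveDirectory",
    15: "AzureActiveDirectoryStsLogon", 20: "PowerBIAudit", 25: "MicrosoftTeams",
}

# Common schema fields every record carries regardless of workload.
COMMON_FIELDS = ("Id", "RecordType", "CreationTime", "Operation", "OrganizationId",
                 "UserType", "UserKey", "Workload", "ResultStatus", "ObjectId",
                 "UserId", "ClientIP")

# Constructed content blob (what one GET on a contentUri returns); not real tenant data.
SAMPLE_BLOB = json.dumps([
    {   # Exchange admin schema: the cmdlet parameters come as Name/Value pairs
        "Id": "11111111-1111-1111-1111-111111111111", "RecordType": 1,
        "CreationTime": "2019-08-20T07:12:45", "Operation": "Set-Mailbox",
        "OrganizationId": "tenant-guid", "UserType": 2, "UserKey": "admin@contoso.example",
        "Workload": "Exchange", "ResultStatus": "True",
        "ObjectId": "alice@contoso.example", "UserId": "admin@contoso.example",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Identity", "Value": "alice@contoso.example"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:external@example.net"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    },
    {   # SharePoint/OneDrive schema: site, file name and user agent are extensions
        "Id": "22222222-2222-2222-2222-222222222222", "RecordType": 6,
        "CreationTime": "2019-08-20T07:15:02", "Operation": "FileDownloaded",
        "OrganizationId": "tenant-guid", "UserType": 0,
        "UserKey": "i:0h.f|membership|bob@contoso.example", "Workload": "OneDrive",
        "ResultStatus": "Succeeded",
        "ObjectId": "https://contoso-my.sharepoint.com/personal/bob/Documents/q3.xlsx",
        "UserId": "bob@contoso.example", "ClientIP": "198.51.100.7",
        "SiteUrl": "https://contoso-my.sharepoint.com/personal/bob/",
        "SourceFileName": "q3.xlsx", "UserAgent": "Mozilla/5.0",
    },
])


def parse_blob(blob_text):
    """Split each record into its common-schema part and the product-specific rest."""
    parsed = []
    for rec in json.loads(blob_text):
        common = {k: rec.get(k) for k in COMMON_FIELDS}
        common["RecordTypeName"] = RECORD_TYPES.get(rec.get("RecordType"), "Unknown")
        extra = {k: v for k, v in rec.items() if k not in COMMON_FIELDS}
        parsed.append({"common": common, "extra": extra})
    return parsed


def activity_inventory(records):
    """Count (Workload, Operation) pairs: the raw material for an audited-activities list."""
    return Counter((r["common"]["Workload"], r["common"]["Operation"]) for r in records)


def cmdlet_params(record):
    """Flatten the Exchange admin schema's Parameters list into a dict."""
    return {p["Name"]: p["Value"] for p in record["extra"].get("Parameters", [])}


def forwarding_changes(records):
    """Flag Set-Mailbox calls that configure forwarding: (mailbox, destination, actor).

    Operation alone is not enough; the product-specific Parameters decide whether
    this Set-Mailbox is interesting, which is exactly the kind of condition a
    custom MCAS activity policy has to express.
    """
    hits = []
    for r in records:
        c = r["common"]
        if c["Workload"] != "Exchange" or c["Operation"] != "Set-Mailbox":
            continue
        params = cmdlet_params(r)
        dest = params.get("ForwardingSmtpAddress") or params.get("ForwardingAddress")
        if dest:
            hits.append((params.get("Identity", c["ObjectId"]), dest, c["UserId"]))
    return hits


if __name__ == "__main__":
    recs = parse_blob(SAMPLE_BLOB)
    for (workload, op), n in sorted(activity_inventory(recs).items()):
        print(f"{workload:12} {op:20} {n}")
    for mailbox, dest, actor in forwarding_changes(recs):
        print(f"forwarding set on {mailbox} -> {dest} by {actor}")
```

The `activity_inventory` tally over a few days of real blobs is a quick way to see which (Workload, Operation) pairs your tenant actually produces, which is a useful cross-check against any activities list built from the documentation.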

What’s The Difference With O365 Management Activity API and Unified Audit Log?

You might start wondering: are there any differences between the records fetched by the Management Activity API and the records returned by the audit log search tool in the Office 365 Security & Compliance Center?

The answer from both the API and UAL FAQs is: the data returned by both methods is the same; no filtering happens. The only difference is retention. With the API, you can get data for the last 7 days at a time. When searching the audit log in the Security & Compliance Center (or by using the corresponding Search-UnifiedAuditLog cmdlet in Exchange Online), you can get data for the last 90 days.
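The 7-day limit above and the up-to-24-hour latency mentioned earlier both bite when you collect from the API yourself rather than leaving it to MCAS, so here is an added example (my code, not the post's) that handles them. It assumes two documented limits of the content-listing endpoint: content is served only for the last 7 days, and one startTime/endTime range may span at most 24 hours and selects blobs by when they became available (contentCreated), not by the event's CreationTime. Anything older than 7 days has to come from Search-UnifiedAuditLog. The listing entry and records are constructed sample data.

```python
"""Time windows and latency for the Office 365 Management Activity API.

Added example, not code from the post. Assumes the documented listing limits
(7-day retention, windows of at most 24 hours, selection by contentCreated);
older data must come from Search-UnifiedAuditLog (90 days).
"""
from datetime import datetime, timedelta

API_RETENTION = timedelta(days=7)
MAX_WINDOW = timedelta(hours=24)
DOCUMENTED_MAX_LAG = timedelta(hours=24)   # the "up to 24 hours" the audit log docs quote


def fmt(ts):
    """startTime/endTime format accepted by the listing endpoint (UTC, YYYY-MM-DDTHH:MM)."""
    return ts.strftime("%Y-%m-%dT%H:%M")


def needs_ual_search(since, now):
    """True when part of the requested range is older than the API will serve."""
    return since < now - API_RETENTION


def content_windows(since, now):
    """Split [since, now) into <=24h (startTime, endTime) pairs inside the 7-day limit."""
    start = max(since, now - API_RETENTION)
    windows = []
    while start < now:
        end = min(start + MAX_WINDOW, now)
        windows.append((fmt(start), fmt(end)))
        start = end
    return windows


def _parse_ts(value):
    """Accepts both '2019-08-21T08:00:00.000Z' (contentCreated) and record CreationTime."""
    return datetime.fromisoformat(value.rstrip("Z"))


def record_lags(content_created, records):
    """For each record: (Id, lag between the event and blob availability, over 24h?).

    A large lag explains why an activity is missing from a search that ran too
    early; it is not evidence that the workload is not audited.
    """
    available = _parse_ts(content_created)
    out = []
    for rec in records:
        lag = available - _parse_ts(rec["CreationTime"])
        out.append((rec["Id"], lag, lag > DOCUMENTED_MAX_LAG))
    return out


# Constructed listing entry and blob records (not real tenant data). The real call is
# GET /api/v1.0/{tenant}/activity/feed/subscriptions/content?contentType=...&startTime=...&endTime=...
SAMPLE_LISTING_ENTRY = {"contentType": "Audit.General", "contentCreated": "2019-08-21T08:00:00.000Z"}
SAMPLE_RECORDS = [
    {"Id": "a", "CreationTime": "2019-08-21T07:30:00", "Operation": "FileDownloaded"},
    {"Id": "b", "CreationTime": "2019-08-20T07:12:45", "Operation": "Set-Mailbox"},
]

if __name__ == "__main__":
    now = datetime(2019, 8, 21, 12, 0)
    since = now - timedelta(days=30)
    for w in content_windows(since, now):
        print("window", *w)
    print("older data needs Search-UnifiedAuditLog:", needs_ual_search(since, now))
    for rid, lag, late in record_lags(SAMPLE_LISTING_ENTRY["contentCreated"], SAMPLE_RECORDS):
        print(rid, lag, "beyond documented 24h" if late else "within 24h")
```

Because windows are cut on contentCreated, a collector that walks non-overlapping windows never misses a late record: the record simply shows up in a later window than its CreationTime suggests, which is the same effect the post observes with Sway activities appearing in the UAL before MCAS.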

Caveats when connecting O365 to MCAS (docs.microsoft.com)

  • To enable monitoring of Office 365 activities in Cloud App Security (or in general), auditing must be enabled in the Office 365 Security & Compliance Center.
  • Exchange administrator audit logging needs extra attention; see Exchange Administrator audit logging.
  • Exchange mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online is logged. Keep in mind that “Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations”. The default only helps if mailbox auditing has not been disabled at the organization level, because the org-level setting overrides the per-mailbox one.
  • If Office apps are enabled, groups that are part of Office 365 are also imported into Cloud App Security from the specific Office apps.
  • Power BI auditing must be enabled to get the logs from there.
    • Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).
  • Dynamics 365 auditing must be enabled to get the logs from there.
    • Once auditing is enabled, Cloud App Security starts getting the logs (with a delay of 24-72 hours).

Downloadable Spreadsheet

References

O365 audited activities

Detailed properties of O365 audit log (UAL)

Connect O365 to MCAS

Connect Apps to MCAS

Hope this helps in the cloud security monitoring journey!