Microsoft Office 365

 

Use the JSA Microsoft Office 365 Content Extension to closely monitor your Microsoft Office 365 deployment. The JSA Microsoft Office 365 content extension adds rules, building blocks, reports, saved searches, and custom event properties to build on existing JSA event parsing capabilities for Microsoft Office 365 deployments.

JSA Microsoft Office 365 Content Extensions

JSA Microsoft Office 365 Content Extension V1.2.1

The following table shows the custom properties that are new or updated in JSA Microsoft Office 365 Content Extension V1.2.1.

Table 1: Custom Properties in JSA Microsoft Office 365 Content Extension V1.2.1

| Name | Optimized | Capture Group | Regex |
| --- | --- | --- | --- |
| ObjectType | Yes | 1 | `ItemType\":\"([^\"]+)` |
| Originating_User | Yes | 1 | `UserId[":]*([^"]*)` |
| Recipient Host | Yes | 1 | `TargetUserOrGroupName\":\"[^\"@]*@([^\"]*)` |
| Recipient_User | Yes | 1 | `Value":"[^"]*?:([^"]*)` |
| Subject | Yes | 1 | `Subject[":]*([^"]*)` |
| | | | `Subject[":]*([^"]*)` |
| Target User Name | Yes | 1 | `MailboxOwnerUPN[":]*([^"]*)` |
| | | | `ObjectId[":]*([^"]*)` |
| | | | `ObjectId[":]*([^"]*)` |

JSA Microsoft Office 365 Content Extension V1.2.0

The following table shows the custom properties that are new or updated in JSA Microsoft Office 365 Content Extension V1.2.0.

Table 2: Custom Properties in JSA Microsoft Office 365 Content Extension V1.2.0

Name

Optimized

Capture Group

Regex

Policy Name

Yes

1

ObjectId\":\"([^\"]+)

Recipient Host

Yes

1

TargetUserOrGroupName\":\"[^\"@]*@([^\"]*)

Recipient_User

Yes

1

TargetUserOrGroupType\":\"(?:Member|Guest).*TargetUserOrGroupName\":\"([^\"]+)

Role Name

Yes

1

Roles\",\"Value\":\"([^\"]+)

Role\",\"Value\":\"([^\"]+)

Target User Name

Yes

1

TargetUserOrGroupName\":\"([^\"]+)

The following table shows the new rules and building blocks in JSA Microsoft Office 365 Content Extension V1.2.0.

Table 3: New Rules and Building Blocks in JSA Microsoft Office 365 Content Extension V1.2.0

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:CategoryDefinition: Object Access Events | Added new building block to Office 365 content pack |
| Building Block | BB:CategoryDefinition: Object Download Events | Added new building block to Office 365 content pack |
| Building Block | BB:CategoryDefinition: Object Upload Events | Added new building block to Office 365 content pack |

The following table shows the changed saved searches in JSA Microsoft Office 365 Content Extension V1.2.0.

Table 4: Changed Saved Searches in JSA Microsoft Office 365 Content Extension V1.2.0

| Name | Description |
| --- | --- |
| Office365: File Activity | The filter for this saved search has been updated to use BB:CategoryDefinition: Object Access Events, BB:CategoryDefinition: Object Download Events, and BB:CategoryDefinition: Object Upload Events. |

The following table shows the removed reference data in JSA Microsoft Office 365 Content Extension V1.2.0.

Table 5: Removed Reference Data in JSA Microsoft Office 365 Content Extension V1.2.0

| Type | Name | Description |
| --- | --- | --- |
| Reference Set | Office 365 - File Activity | Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied. |


JSA Microsoft Office 365 Content Extension V1.1.0

The following table shows the custom properties that are new or updated in JSA Microsoft Office 365 Content Extension V1.1.0.

Table 6: Custom Properties in JSA Microsoft Office 365 Content Extension V1.1.0

Name

Optimized

Capture Group

Regex

Affected Workload

Yes

1

Workload\":\"([^\"]+)

Error Code

Yes

1

LogonError\":\"([^\"]+)

File Directory

Yes

1

SourceRelativeUrl\":\"((?:[^\"]*\/)(?=[^\.\"]+\.)|(?:[^\"]+))[^\"]*

File Extension

Yes

1

SourceFileExtension\":\"([^\"]+)

Filename

Yes

1

SourceFileName\":\"([^\"]+)

Group Name

Yes

Yes

Yes

1

1

1

TargetUserOrGroupType\":\"[^\"]*Group.*TargetUserOrGroupName\":\"([^\"]+)

Group\.DisplayName\",\"Value\":\"([^\"]+)

ObjectType

No

1

ItemType\":\"([^\"]+)

Policy Name

Yes

1

ObjectId\":\"([^\"]+)

Recipient Host

Yes

1

TargetUserOrGroupName\":\"[^\"@]*@([^\"]*)

Recipient_User

Yes

1

TargetUserOrGroupType\":\"(?:Member|Guest).*TargetUserOrGroupName\":\"([^\"]+)

Target User Area

Yes

1

TargetUserOrGroupType\":\"([^\"]+)

Target User Name

Yes

Yes

1

ObjectId\":\"([^\"]*)

TargetUserOrGroupName\":\"([^\"]+)

User Agent

No

1

TargetUserOrGroupName\":\"([^\"]+)

The following table shows the changed saved searches in JSA Microsoft Office 365 Content Extension V1.1.0.

Table 7: Changed Saved Searches in JSA Microsoft Office 365 Content Extension V1.1.0

| Name | Description |
| --- | --- |
| Office 365: Incidents that have impacted the health of an Office 365 Workload | Search is made available to all users. |
| Office365: File Activity | Search is made available to all users. |


JSA Microsoft Office 365 Content Extension V1.0.0

The following table shows the custom properties in JSA Microsoft Office 365 Content Extension V1.0.0.

Table 8: Custom Properties in JSA Microsoft Office 365 Content Extension V1.0.0

| Name | Regex |
| --- | --- |
| Filename | `"SourceFileName":"(.*?)",` |
| Affected Workload | `"Workload":"(.*?)",` |
| OAuth Actor | `"Actor":\[\{"ID":"(.*?)",` |
| Policy Name | `ObjectId":"(.*?)",` |

The following table shows the rules and building blocks in JSA Microsoft Office 365 Content Extension V1.0.0.

Table 9: Rules and Building Blocks in JSA Microsoft Office 365 Content Extension V1.0.0

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB: Office 365: Removed an OAuth2PermissionsGrant in a directory | Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule. |
| Building Block | BB: Office 365: Added an OAuth2PermissionGrant in the directory | Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule. |
| Building Block | BB: Office 365: Management Role Assignment Added | Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule. |
| Building Block | BB: Office 365: Management Role Assignment Removed | Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule. |
| Rule | Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period | Detects when an OAuth2PermissionGrant is added and removed in a directory within a certain period. |
| Rule | Office 365: An event that impacts the health of an Office365 workload has occurred | Detects when an event that impacts the health of an Office 365 workload has occurred. |
| Rule | Office 365: Management Policy added and deleted with the same policy name within a certain time period | Detects when a management policy with the same name is added and deleted within a certain period. |

The following table shows the reports in JSA Microsoft Office 365 Content Extension V1.0.0.

Table 10: Reports in JSA Microsoft Office 365 Content Extension V1.0.0

| Report Name | Search Name and Dependencies |
| --- | --- |
| Office 365 Incidents that have impacted the health of an Office 365 Workload - Weekly | Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload |
| Office 365 Incidents that have impacted the health of an Office 365 Workload - Monthly | Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload |
| Office 365 File Activity - Weekly | Saved Search: Office 365: File Activity |
| Office 365 File Activity - Monthly | Saved Search: Office 365: File Activity |

The following table shows the reference data in JSA Microsoft Office 365 Content Extension V1.0.0.

Table 11: Reference Data in JSA Microsoft Office 365 Content Extension V1.0.0

| Type | Name | Description |
| --- | --- | --- |
| Reference Set | Office 365 - File Activity | Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied. |

The following table shows the saved searches in JSA Microsoft Office 365 Content Extension V1.0.0.

Table 12: Saved Searches in JSA Microsoft Office 365 Content Extension V1.0.0

| Name | Description |
| --- | --- |
| Office 365: File Activity | Used by the Office 365 File Activity reports. |
| Office 365: Incidents that have impacted the health of an Office 365 Workload | Used by the Office 365 Workload Health reports. |
