Office 365 Activity

The Office 365 Activity Source in Observo AI enables the ingestion of JSON-formatted audit logs and user activity data from the Office 365 Management Activity API, supporting real-time security monitoring, compliance auditing, and user behavior analysis.

Purpose

The Office 365 Activity source lets users ingest activity data from Office 365, via its Management Activity API endpoints, into the Observo AI platform for analysis and processing. It collects audit logs, user activity, and other events, typically in JSON format, so that organizations can streamline data pipelines, improve observability, and support use cases such as security monitoring, compliance auditing, and user behavior analysis by processing Office 365 activity data in real time.

Prerequisites

Before configuring the Office 365 Activity source in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Observo AI Platform Setup:

    • The Observo AI platform must be installed and operational, with support for the Office 365 Activity source.

    • Verify that the platform supports common data formats such as JSON, as Office 365 activity data is typically delivered in this format. Additional parsers may be needed for custom processing.

  • Office 365 API Access:

    • An active Microsoft 365 tenant must be available to send activity data to Observo AI.

    • Obtain the Microsoft 365 tenant ID, then generate a client ID and client secret and grant the necessary API permissions (such as AuditLogs.Read.All and ActivityFeed.Read) via the Microsoft Entra admin center or Azure portal.

  • Authentication:

    • Prepare one of the following authentication methods:

      • OAuth2: Obtain a client ID, client secret, and token endpoint URL from the Microsoft Entra admin center for secure access.

      • Secret Authentication: Use a stored secret within Observo AI's secure storage for credentials.

  • Network and Connectivity:

    • Ensure Observo AI can communicate with the Office 365 Management Activity API endpoint such as https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions.

    • Check for proxy settings, firewall rules, or VPC endpoint configurations that may affect connectivity to the Office 365 API.

Prerequisite | Description | Notes
------------ | ----------- | -----
Observo AI Platform | Must be installed and support the Office 365 Activity source | Verify support for JSON; additional parsers may be needed
Office 365 API Access | Active Microsoft 365 tenant for activity data submission | Obtain tenant ID, client ID, and client secret from the admin center
Authentication | OAuth2 or Secret Authentication | Prepare credentials as required by the Office 365 API
Network | Connectivity to the Office 365 Management Activity API endpoint | Check VPC endpoints, proxies, and firewalls

Integration

The Integration section outlines the configurations for the Office 365 Activity source. To configure the Office 365 Activity source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose Office 365 Activity from the list of available sources to begin configuration.

  2. General Settings:

    • Name: A unique identifier for the source, such as office-365-activity-source-1.

    • Description (Optional): Provide a description for the source.

    • Content Type (Optional): Office 365 Management Activity API content type. Options: Active Directory, Exchange, SharePoint, General, DLP.

    • Collection Interval: Sets the search date range for each collection and the schedule on which the API is polled. Default: 10 Minutes

  3. Authentication (Required):

    • Client ID: Client ID for OAuth2 authentication.

    • Client Secret: Client secret for OAuth2 authentication.

    • Tenant ID (Optional): Office 365 Azure Tenant ID

    • Publisher ID (Optional): Publisher identifier to use in API requests; defaults to the Tenant ID if not defined. Requests are throttled per publisher, so a source without its own Publisher ID shares the Tenant ID's quota.

    • Token URL: URL to get the OAuth2 token.

  4. Checkpoint:

    • Initial Value: Starting timestamp for the collection, used only for the first collection. Example: 2025-06-02T00:00:00Z

  5. Pagination (Default):

    • Request Interval: Time to wait between pagination requests, given as a duration string such as 100ms, 500ms, or 1s. Default: 100ms

  6. TLS Configuration (Optional):

    • CA File: The CA certificate provided as an inline string in PEM format.

    • Include System CA Certs Pool (True): Include the system CA certificates pool in the list of CAs used to verify the server certificate.

    • Cert File: Path to the TLS cert to use for TLS required connections.

    • Key File: Path to the TLS key to use for TLS required connections.

    • Insecure (True): Skip TLS verification when connecting to the endpoint. This is insecure and should not be used in production.

    • Insecure Skip Verify (True): Enable TLS but do not verify the server certificate.

    • Server Name Override: The server name to use to verify the hostname on the returned certificates.

  7. Advanced Settings (Optional):

    • Ingestion Lag: Use this setting to account for ingestion lag. This is necessary because there can be a lag of about 60 - 90 minutes (or longer) before Office 365 events are available for retrieval via API.

    • Proxy URL: URL of the proxy server to use when connecting to the endpoint.

    • Read Buffer Size: Size of the read buffer in bytes.

    • Write Buffer Size: Size of the write buffer in bytes.

    • Timeout: Maximum time to wait for a request to the endpoint to complete. Default: 20s

    • Compression: Compression algorithm to use for the request body. Select one.

  8. Parser Config:

    • Enable Source Log Parser (False): Toggle the Enable Source Log Parser switch to enable.

    • Select appropriate Parser from the Source Log Parser dropdown.

    • Add additional Parsers as needed.

  9. Pattern Extractor:

    • Refer to Observo AI's Pattern Extractor documentation for details on configuring pattern-based data extraction.

  10. Archival Destination:

    • Toggle Enable Archival on Source Switch to enable.

    • Under Archival Destination, select from the list of Archival Destinations (Required).

  11. Save and Test Configuration:

    • Save the configuration settings in Observo AI.

    • Send sample data to the Office 365 Activity endpoint and verify ingestion in the Analytics tab for data flow.
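As an added example that is not Observo AI's code, the following Python sketch shows the mechanics the settings above drive: the client-credentials form posted to the Token URL, a collection window derived from the Checkpoint and Ingestion Lag, the content-list URL built from the Content Type and Publisher ID, and NextPageUri pagination paced by the Request Interval. The scope value, the API's 7-day/24-hour window limits, the contentType values and the NextPageUri header are the Management Activity API's own; the function names and the injected `fetch` interface are assumptions made here.

```python
# Added example, not Observo AI's code. I/O goes through an injected `fetch` so it runs offline.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

ISO = "%Y-%m-%dT%H:%M:%SZ"
SCOPE = "https://manage.office.com/.default"  # scope for the v2.0 token endpoint
# The page's Content Type options, mapped to the API's contentType values.
CONTENT_TYPES = {"Active Directory": "Audit.AzureActiveDirectory",
                 "Exchange": "Audit.Exchange", "Sharepoint": "Audit.SharePoint",
                 "General": "Audit.General", "DLP": "DLP.All"}

def parse_ts(text):
    """Parse a Checkpoint Initial Value such as 2025-06-02T00:00:00Z."""
    return datetime.strptime(text, ISO).replace(tzinfo=timezone.utc)

def token_request(client_id, client_secret):
    """Form body POSTed to the Token URL (OAuth2 client credentials grant)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}

def collection_window(checkpoint, now, ingestion_lag=timedelta(minutes=90)):
    """Next poll window: the end is held back by the Ingestion Lag so events the
    API has not published yet are not skipped for good; the window is clamped to
    the API limits (start no older than 7 days, span at most 24 hours)."""
    start = max(checkpoint, now - timedelta(days=7))
    end = min(now - ingestion_lag, start + timedelta(hours=24))
    return start, end  # start >= end means there is nothing to collect yet

def content_url(tenant_id, content_type, start, end, publisher_id=None):
    """Content-list request for one window; PublisherIdentifier gives the
    source its own throttling quota instead of sharing the tenant's."""
    params = {"contentType": CONTENT_TYPES[content_type],
              "startTime": start.strftime(ISO), "endTime": end.strftime(ISO)}
    if publisher_id:
        params["PublisherIdentifier"] = publisher_id
    return (f"https://manage.office.com/api/v1.0/{tenant_id}"
            f"/activity/feed/subscriptions/content?{urlencode(params)}")

def list_content(url, fetch, request_interval=0.1, sleep=lambda s: None):
    """Collect content blobs across pages, following the NextPageUri response
    header and pausing Request Interval seconds between page requests.
    `fetch(url)` must return (response headers dict, decoded JSON list)."""
    blobs = []
    while url:
        headers, body = fetch(url)
        blobs.extend(body)  # each blob's contentUri is fetched separately for the events
        url = headers.get("NextPageUri")
        if url:
            sleep(request_interval)
    return blobs
```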

Example Scenarios

WealthSecure Solutions is a fictitious financial services company offering investment management, online banking, and wealth advisory services. To enhance security monitoring and compliance auditing, WealthSecure Solutions integrates the Observo AI platform to ingest Office 365 activity data, specifically SharePoint audit logs, via the Office 365 Management Activity API. This enables the company to monitor document access, sharing activities, and user behavior within SharePoint to ensure compliance with financial regulations and detect potential security risks. The IT team configures the Office 365 Activity source to process these logs in JSON format, allowing them to test data pipelines, validate configurations, and support real-time analytics in a secure and controlled environment.

Standard Office 365 Activity Source Setup

Here is a standard Office 365 Activity Source configuration example. Only the required sections and their associated field updates are displayed in the table below:

General Settings

Field | Value | Notes
----- | ----- | -----
Name | office-365-sharepoint-wealthsecure-1 | Unique identifier for the SharePoint activity source.
Description | SharePoint audit logs for compliance and security monitoring | Optional description to clarify the purpose of the source.
Endpoint | https://manage.office.com/api/v1.0/1234abcd-5678-efgh-9012-ijk345lmn678/activity/feed/subscriptions/content | HTTP endpoint for SharePoint activity data, using WealthSecure's tenant ID.
Content Type | SharePoint | Selected to focus on SharePoint audit logs for document access and sharing activities.
Collection Interval | 15 Minutes | Set to 15 minutes to balance timely data collection with API quota limits.

Authentication

Field | Value | Notes
----- | ----- | -----
Client ID | abcd1234-5678-9012-efgh-ijk345lmn678 | Obtained from the Microsoft Entra admin center for OAuth2 authentication.
Client Secret | xYz9kLmNpQrStUv2wXy3zAbCdEfGhIjK | Securely generated client secret for OAuth2 authentication.
Tenant ID | 1234abcd-5678-efgh-9012-ijk345lmn678 | WealthSecure's Microsoft 365 tenant ID for API access.
Publisher ID | pub-wealthsecure-001 | Optional identifier to manage API throttling, distinct from the tenant ID.
Token URL | https://login.microsoftonline.com/1234abcd-5678-efgh-9012-ijk345lmn678/oauth2/v2.0/token | OAuth2 token endpoint for authentication.

Checkpoint

Field | Value | Notes
----- | ----- | -----
Initial Value | 2025-07-01T00:00:00Z | Starting point for data collection, set to July 1, 2025, for initial ingestion.

Pagination

Field | Value | Notes
----- | ----- | -----
Request Interval | 200ms | Set to 200 milliseconds to manage pagination requests efficiently.

TLS Configuration

Field | Value | Notes
----- | ----- | -----
CA File | -----BEGIN CERTIFICATE-----MIID...-----END CERTIFICATE----- | Inline PEM-format CA certificate for secure API communication.
Include System CA Certs Pool | True | Includes system CA certificates to verify the server certificate.
Cert File | /path/to/tls-cert.pem | Path to the TLS certificate for secure connections.
Key File | /path/to/tls-key.pem | Path to the TLS key for secure connections.
Insecure | False | Ensures TLS verification is enforced for production security.
Insecure Skip Verify | False | Ensures certificate verification is performed for secure communication.
Server Name Override | manage.office.com | Specifies the server name for certificate hostname verification.

Advanced Settings

Field | Value | Notes
----- | ----- | -----
Ingestion Lag | 90 Minutes | Accounts for the Office 365 API lag of 60 to 90 minutes before events become available.
Proxy URL | http://proxy.wealthsecure.local:8080 | Proxy server URL for API connectivity within WealthSecure's network.
Read Buffer Size | 8192 | Set to 8192 bytes to handle SharePoint log data efficiently.
Write Buffer Size | 8192 | Set to 8192 bytes for consistent buffer management.
Timeout | 30s | Increased to 30 seconds to account for potential network latency.
Compression | gzip | Uses gzip compression for API request bodies to optimize data transfer.

Troubleshooting

If issues arise with the Office 365 Activity source in Observo AI, use the following steps to diagnose and resolve them:

  • Verify Configuration Settings:

    • Ensure all fields, such as Endpoint, Client ID, Client Secret, and parser settings, are correctly entered and match the Office 365 API setup.

    • Confirm the HTTP method such as GET or POST aligns with the endpoint's requirements.

  • Check Authentication:

    • For OAuth2, ensure the client ID, client secret, and token URL are valid and not expired, with appropriate API permissions such as ActivityFeed.Read.

    • For Secret Authentication, confirm the secret is accessible in Observo AI's secure storage.

  • Validate Network Connectivity:

    • Check for firewall rules, proxy settings, or VPC endpoint configurations that may block access to the Office 365 Management Activity API endpoint.

    • Test connectivity using tools like curl or Postman with similar proxy configurations to verify access.

  • Common Error Messages:

    • "Inaccessible host": May indicate TLS version mismatches such as TLS 1.3 issues or DNS problems. Ensure the host supports the required TLS version and check DNS settings.

    • "Authentication failed": Verify that the client ID, client secret, or stored secret is correct and has the necessary permissions for the Office 365 API.

    • "Request timeout": Check the Timeout setting and network latency; consider increasing the timeout value.

  • Monitor Logs and Data:

    • Verify that data is being ingested by monitoring endpoint activity on the Office 365 Activity source.

    • Use the Analytics tab in the targeted Observo AI pipeline to monitor data volume and ensure expected throughput.

    • Check Observo AI logs for errors or warnings related to data ingestion from the Office 365 Activity source.

Issue | Possible Cause | Resolution
----- | -------------- | ----------
Data not ingested | Incorrect URL or parser configuration | Verify URL and parser settings
Authentication errors | Invalid or expired credentials | Check client ID, client secret, or secret validity
Connectivity issues | Firewall or proxy blocking access | Test network connectivity and VPC endpoints
"Inaccessible host" | TLS or DNS issues | Ensure TLS compatibility and check DNS
"Authentication failed" | Misconfigured credentials | Verify auth method and permissions
"Request timeout" | Network latency or low timeout setting | Increase Timeout or check network

Resources

For additional guidance and detailed information, refer to the following resources:
