Get Office 365 Audit Log
This guide walks you through getting your company's Office 365 audit log using iland's Java SDK.
If you have git cloned the Java SDK project then you can just cd into the office-365-audit-log directory and follow along.
Before using the Java SDK's resources, it would be good to read this section of the Wiki to familiarize yourself with how we call Resources.
We are using the endpoint in Company Location Resource, the documentation for which is located here.
Based on the documentation above for the endpoint getO365AuditLog we need to pass it companyId, locationId, page and a pageSize.
The last two are paging parameters which we will discuss later.
So we need to get the companyId and locationId at which our Office 365 organizations are located. To do this we must either already know these values, which can be found in the iland console URL, e.g. http://console.iland.com/#/company/123456789/vbo/location/dal22.ilandcloud.com/dashboard, in which the company id would be 123456789 and the location id would be dal22.ilandcloud.com.
But if we wanted to do it through iland's SDK, we should get the logged-in user's inventory through the User Resource and look for the entity O365_LOCATION, which will contain the company id and location id we need to get the Office 365 audit log.
In the code it looks like this:
    // Walk every company in the user's inventory and look for an O365_LOCATION entity.
    for (final UserCompanyInventoryResponse companyInventoryResponse : userInventory
        .getInventory()) {
      final Map<IamEntityType, List<UserInventoryEntityResponse>> entities =
          companyInventoryResponse.getEntities();
      for (final IamEntityType entity : entities.keySet()) {
        for (final UserInventoryEntityResponse e : entities.get(entity)) {
          if (e.getType().equals(IamEntityType.O365_LOCATION)) {
            // Keep the entity UUID; it is split into company id and location id below.
            o365Location = e.getUuid();
            break; // leaves only this innermost loop
          }
        }
      }
    }
After getting the O365_LOCATION from the user's inventory we still need to do some work to get the company id and location id. We need to split the returned UUID and grab the relevant info we want. We do this in the following code:
    final String[] splitO365Location = o365Location.split(":");
    companyId = splitO365Location[3];
    locationId = splitO365Location[5];
To learn more about the user's inventory, you can read about it in the wiki here.
So now that we have the correct company id and location id we can use the SDK to get the audit log by using the function getO365AuditLog.
Looking at the documentation, we can see that the function returns a type of O365AuditLogEventSetResponse.
From the documentation of that type we see it returns some paging information and a set of type O365AuditLogEventResponse.
Here is the documentation for the Office 365 audit log event response.
Once you have the correct company id and location id, it's very easy to get events from the Office 365 audit log.
    int page = 0;
    int pageSize = 100;
    O365AuditLogEventSetResponse auditLogEventResponses =
        companyLocationResource.getO365AuditLog(companyId, locationId, page, pageSize);
Printing some basic information about the events you get would then look like this:
    for (final O365AuditLogEventResponse logEventResponse : auditLogEventResponses
        .getData()) {
      System.out.println(String.format(
          "User %s at IP: %s did event %s for entity %s of type %s at time %s.",
          logEventResponse.getUsername(), logEventResponse.getIpAddress(),
          logEventResponse.getEventType(), logEventResponse.getEntityName(),
          logEventResponse.getEventType(), logEventResponse.getTime()));
    }
Lastly, as you can see, the function to get the Office 365 audit log takes pagination parameters.
In the above example, we only get the first 100 events of the Office 365 audit log. But let's say you wanted to get all the events.
For that you would need something like a while loop that increments the page number and checks whether the number of events returned is equal to the page size.
You could accomplish that by doing this:
    int pageSize = 100;
    int count = pageSize;
    int page = 0;
    Set<O365AuditLogEventResponse> eventResponseSet = new HashSet<>();
    while (count == pageSize) {
      O365AuditLogEventSetResponse auditLogEventResponses =
          companyLocationResource
              .getO365AuditLog(companyId, locationId, page, pageSize);
      count = auditLogEventResponses.getData().size();
      if (count == 0) {
        break;
      }
      page++;
      eventResponseSet.addAll(auditLogEventResponses.getData());
    }
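The same loop as a reusable helper, generalized beyond the guide's snippet. This is an added example, not code from the guide or the iland SDK. It also covers a total that is an exact multiple of the page size, and it throws instead of returning a partial audit log when a page cap is reached. The names fetchAll, fakeLog and maxPages and the in-memory event source are assumptions made so that it runs without the SDK.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiFunction;

public class PagedFetchDemo {

  // Pulls every page from a fetcher taking (page, pageSize) and stops on the first short
  // or empty page. maxPages bounds the loop if the source never returns a short page.
  static <T> List<T> fetchAll(
      BiFunction<Integer, Integer, List<T>> fetcher, int pageSize, int maxPages) {
    if (pageSize <= 0 || maxPages <= 0) {
      throw new IllegalArgumentException("pageSize and maxPages must be positive");
    }
    final List<T> all = new ArrayList<>();
    for (int page = 0; page < maxPages; page++) {
      final List<T> data = fetcher.apply(page, pageSize);
      if (data == null || data.isEmpty()) {
        return all; // no events at all, or the total was an exact multiple of pageSize
      }
      all.addAll(data);
      if (data.size() < pageSize) {
        return all; // short page: nothing is left on the server
      }
    }
    throw new IllegalStateException("stopped after " + maxPages + " pages; log is incomplete");
  }

  // Constructed stand-in for the audit log: 'total' fake events served page by page.
  static BiFunction<Integer, Integer, List<String>> fakeLog(int total, int[] calls) {
    return (page, size) -> {
      calls[0]++; // count round trips so the extra call on exact multiples is visible
      final List<String> out = new ArrayList<>();
      for (int i = page * size; i < Math.min(total, (page + 1) * size); i++) {
        out.add("event-" + i);
      }
      return out;
    };
  }

  public static void main(String[] args) {
    for (int total : new int[] {0, 250, 300}) {
      final int[] calls = {0};
      final List<String> events = fetchAll(fakeLog(total, calls), 100, 1000);
      System.out.println(total + " events: fetched " + events.size() + " in " + calls[0] + " calls");
    }
  }
}
```

With the SDK, the fetcher would wrap the getO365AuditLog call shown above and copy the result of getData() into a list.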