Data Source: M365 Copilot Graph API

Description

Access logs for M365 Copilot, collected via the Microsoft Graph API.

Details

Property Value
Source AuditLogs.SignIns
Sourcetype o365:graph:api
Name                                                        Technique        Type
M365 Copilot Application Usage Pattern Anomalies            Valid Accounts   Anomaly
M365 Copilot Failed Authentication Patterns                 Brute Force      Anomaly
M365 Copilot Non Compliant Devices Accessing M365 Copilot   Impair Defenses  Anomaly
M365 Copilot Session Origin Anomalies                       Valid Accounts   Anomaly

Supported Apps

Event Fields

appDisplayName
appId
clientAppUsed
conditionalAccessStatus
correlationId
createdDateTime
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
deviceDetail.browser
deviceDetail.deviceId
deviceDetail.displayName
deviceDetail.isCompliant
deviceDetail.isManaged
deviceDetail.operatingSystem
deviceDetail.trustType
eventtype
host
id
index
ipAddress
isInteractive
linecount
location.city
location.countryOrRegion
location.geoCoordinates.altitude
location.geoCoordinates.latitude
location.geoCoordinates.longitude
location.state
punct
resourceDisplayName
resourceId
riskDetail
riskLevelAggregated
riskLevelDuringSignIn
riskState
source
sourcetype
splunk_server
status.additionalDetails
status.errorCode
status.failureReason
timeendpos
timestartpos
userDisplayName
userId
userPrincipalName

Example Log

{"id": "7fbc0a97-7f78-4cc8-9377-dc94d2ad1e00", "createdDateTime": "2025-09-30T12:34:20Z", "userDisplayName": "Rod  Soto", "userPrincipalName": "rodsoto@rodsoto.onmicrosoft.com", "userId": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "appId": "9199bf20-a13f-4107-85dc-02114787ef48", "appDisplayName": "One Outlook Web", "ipAddress": "127.0.0.1", "clientAppUsed": "Browser", "correlationId": "8fe7aa9b-42c8-b52e-c6f2-8e4dfc07996b", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": "MFA requirement satisfied by claim in the token"}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 140.0.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "Florida", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 25.76286, "longitude": -80.31196}}, "appliedConditionalAccessPolicies": []}

Source: GitHub | Version: 1