Skip to main content

Office 365

The Office 365 Matano managed log source lets you ingest your Microsoft Office 365 logs directly into Matano.


Use the managed log source by specifying the managed.type property in your log_source as O365.

name: o365

type: O365
client_id: <MY_CLIENT_ID>
tenant_id: <MY_TENANT_ID>

For the tables you would like to enable from this managed log source, under a tables/ subdirectory in your log source directory, create a file with the name <table_name>.yml>. For example:

└── log_sources/
└── o365/
└── log_source.yml
└── tables/
└── audit.yml

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.


The Office 365 managed log source supports the following tables:

  • audit


Pull (default)

Matano integrates with your Microsoft Office 365 account to automatically pull relevant logs on a regular basis (every 5 min).

To get started with the integration, specify the following properties in the log source configuration file:

type: O365
client_id: <MY_CLIENT_ID>
tenant_id: <MY_TENANT_ID>
tenant_name: # optional

After the first deployment, this log source will also generate a secret in AWS secret's manager to store secrets related to this integration.


To finish onboarding the log source, populate the client_secret key in the secret generated by Matano in AWS Secrets Manager, with the value from your OAuth app.


O365 data is normalized to ECS fields. Custom fields are normalized into the o365 field. You can view the complete mapping to see the full schema.