Specifications
```
[reports://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = <source-as-per-table> Check Source & Sourcetype Mapping Table Below
sourcetype = <sourcetype-as-per-table> Check Source & Sourcetype Mapping Table Below
period = <int> (the number of days over which the report is aggregated.)
(Default 7, Supported values: 30, 90, 180)
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

[service://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = issues | messages
sourcetype = dataelicit/m365:m365-service
tenant = <entra-app-tenant-name>
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

[audit://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = AuditLogs.SignIns
sourcetype = dataelicit/m365:m365-audit-logs
tenant = <entra-app-tenant-name>
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

[msgtrace://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = Message_Trace
sourcetype = dataelicit/m365:m365-message-trace
startDate = <YYYY-MM-DDTHH:MM:SS> (Default 7 days ago)
tenant = <entra-app-tenant-name>
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

[management://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = Audit.AzureActiveDirectory | Audit.Exchange | Audit.SharePoint | Audit.General | DLP.All
sourcetype = dataelicit/m365:m365-management-activity
startDate = <YYYY-MM-DDTHH:MM:SS> (Must be in the last 7 days, Default 7 days ago)
tenant = <entra-app-tenant-name>
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1

[cas://<specify_name>]
host = <host-name>, Default is current system hostname
repo = <repository-name>
source = Cloud.Discovery | policies | entities | alerts | files
sourcetype = dataelicit/m365:m365-cloud-application-security
tenant = <entra-app-tenant-name>
frequency = <seconds>
cron = <cron-expression>
Note: Cron has higher priority and will be considered for scheduling instead of frequency, if both are defined.
It is preferable to define only one, either cron or frequency.
secret = <secret-stanza-name>
global = <global-stanza-name>
disabled = 0/1
```
Source & Sourcetype Mapping for Reports
Source | Sourcetype |
---|---|
MailboxUsageDetail | dataelicit/m365:m365-mailbox |
MailboxUsageMailboxCounts | dataelicit/m365:m365-mailbox |
Office365GroupsActivityDetail | dataelicit/m365:m365-office365 |
Office365ServicesUserCounts | dataelicit/m365:m365-office365 |
OneDriveUsageAccountDetail | dataelicit/m365:m365-onedrive |
OneDriveUsageStorage | dataelicit/m365:m365-onedrive |
SharePointSiteUsageDetail | dataelicit/m365:m365-sharepoint |
SharePointSiteUsageFileCounts | dataelicit/m365:m365-sharepoint |
TeamsUserActivityCounts | dataelicit/m365:m365-teams |
TeamsUserActivityUserDetail | dataelicit/m365:m365-teams |
YammerGroupsActivityDetail | dataelicit/m365:m365-yammer |
YammerGroupsActivityGroupCounts | dataelicit/m365:m365-yammer |
Example
```
[reports://mailboxusage]
source = MailboxUsageDetail
sourcetype = dataelicit/m365:m365-mailbox
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://mailboxcounts]
source = MailboxUsageMailboxCounts
sourcetype = dataelicit/m365:m365-mailbox
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://groupsactivity]
source = Office365GroupsActivityDetail
sourcetype = dataelicit/m365:m365-office365
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://usercounts]
source = Office365ServicesUserCounts
sourcetype = dataelicit/m365:m365-office365
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://onedrive_usercounts]
source = OneDriveActivityUserCounts
sourcetype = dataelicit/m365:m365-onedrive
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://onedrive_account]
source = OneDriveUsageAccountDetail
sourcetype = dataelicit/m365:m365-onedrive
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://onedrive_storage]
source = OneDriveUsageStorage
sourcetype = dataelicit/m365:m365-onedrive
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://sharepoint_usage]
source = SharePointSiteUsageDetail
sourcetype = dataelicit/m365:m365-sharepoint
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://sharepoint_filecount]
source = SharePointSiteUsageFileCounts
sourcetype = dataelicit/m365:m365-sharepoint
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://teams_user_count]
source = TeamsUserActivityCounts
sourcetype = dataelicit/m365:m365-teams
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://teams_user_detail]
source = TeamsUserActivityUserDetail
sourcetype = dataelicit/m365:m365-teams
period = 30
frequency = 300
secret = m365creds
global = app365

[reports://yammer_activity]
source = YammerGroupsActivityDetail
sourcetype = dataelicit/m365:m365-yammer
period = 30
cron = 0 0 1 * *
secret = m365creds
global = app365

[reports://yammer_group_counts]
source = YammerGroupsActivityGroupCounts
sourcetype = dataelicit/m365:m365-yammer
period = 30
frequency = 300
secret = m365creds
global = app365

[service://service_msg]
source = messages
sourcetype = dataelicit/m365:m365-service
frequency = 300
secret = m365creds
global = app365

[service://service_issues]
source = issues
sourcetype = dataelicit/m365:m365-service
frequency = 300
secret = m365creds
global = app365

[audit://audit_signins]
source = AuditLogs.SignIns
sourcetype = dataelicit/m365:m365-audit-logs
frequency = 300
secret = m365creds
global = app365

[msgtrace://message_trace]
source = Message_Trace
sourcetype = dataelicit/m365:m365-message-trace
frequency = 300
secret = m365creds
global = app365

[management://audit_azureAD]
source = Audit.AzureActiveDirectory
sourcetype = dataelicit/m365:m365-management-activity
frequency = 300
secret = m365creds
global = app365

[management://azure_exchange]
source = Audit.Exchange
sourcetype = dataelicit/m365:m365-management-activity
frequency = 300
secret = m365creds
global = app365

[management://azure_sharepoint]
source = Audit.SharePoint
sourcetype = dataelicit/m365:m365-management-activity
frequency = 300
secret = m365creds
global = app365

[management://audit_general]
source = Audit.General
sourcetype = dataelicit/m365:m365-management-activity
frequency = 300
secret = m365creds
global = app365

[management://dlp_all]
source = DLP.All
sourcetype = dataelicit/m365:m365-management-activity
frequency = 300
secret = m365creds
global = app365

[cas://cas_policies]
source = policies
sourcetype = dataelicit/m365:m365-cloud-application-security
frequency = 300
secret = m365creds
global = app365

[cas://cas_alerts]
source = alerts
sourcetype = dataelicit/m365:m365-cloud-application-security
frequency = 300
secret = m365creds
global = app365

[cas://cas_entities]
source = entities
sourcetype = dataelicit/m365:m365-cloud-application-security
frequency = 300
secret = m365creds
global = app365

[cas://cas_files]
source = files
sourcetype = dataelicit/m365:m365-cloud-application-security
frequency = 300
secret = m365creds
global = app365

[cas://cloud_discovery]
source = Cloud.Discovery
sourcetype = dataelicit/m365:m365-cloud-application-security
frequency = 300
secret = m365creds
global = app365
```
Note
Make sure that the stanza name you define in local/connector.conf is not already disabled in default/connector.conf; otherwise the stanza will be skipped.
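A pre-deployment check for the rules stated on this page (cron overriding frequency, the source/sourcetype mapping, the 7-day startDate limit for management inputs, and stanzas disabled in default/connector.conf), so that an audit or sign-in input does not silently stop collecting. This is an added example, not part of the connector: the function names, finding texts and sample stanzas are constructed here, and startDate is assumed to be in the same timezone as the `now` value passed in.

```python
import configparser
from datetime import datetime, timedelta

PREFIX = "dataelicit/m365:m365-"
# Sourcetype suffix per input type, from the stanza specifications on this page.
FIXED = {"service": "service", "audit": "audit-logs", "msgtrace": "message-trace",
         "management": "management-activity", "cas": "cloud-application-security"}
# Report source -> sourcetype suffix, from the mapping table on this page.
REPORTS = {"MailboxUsageDetail": "mailbox", "MailboxUsageMailboxCounts": "mailbox",
           "Office365GroupsActivityDetail": "office365", "Office365ServicesUserCounts": "office365",
           "OneDriveUsageAccountDetail": "onedrive", "OneDriveUsageStorage": "onedrive",
           "SharePointSiteUsageDetail": "sharepoint", "SharePointSiteUsageFileCounts": "sharepoint",
           "TeamsUserActivityCounts": "teams", "TeamsUserActivityUserDetail": "teams",
           "YammerGroupsActivityDetail": "yammer", "YammerGroupsActivityGroupCounts": "yammer"}

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def lint(local_text, default_text, now):
    """Return (stanza, finding) pairs; only reports sources are checked by name."""
    local, default, out = load(local_text), load(default_text), []
    for name in local.sections():
        s, kind = local[name], name.split("://")[0]
        if "cron" in s and "frequency" in s:
            out.append((name, "cron and frequency both set; cron takes priority"))
        want = REPORTS.get(s.get("source")) if kind == "reports" else FIXED.get(kind)
        if want is None or s.get("sourcetype") != PREFIX + want:
            out.append((name, "source/sourcetype does not match the documented mapping"))
        start = s.get("startDate") if kind == "management" else None
        if start and now - datetime.strptime(start, "%Y-%m-%dT%H:%M:%S") > timedelta(days=7):
            out.append((name, "startDate is older than 7 days"))
        if default.has_section(name) and default[name].get("disabled") == "1":
            out.append((name, "disabled in default/connector.conf; stanza is skipped"))
    return out

# Constructed sample files, written to trip each check once.
SAMPLE_LOCAL = """[reports://mbx]
source = MailboxUsageDetail
sourcetype = dataelicit/m365:m365-teams
cron = 0 0 1 * *
frequency = 300
[management://exchange]
source = Audit.Exchange
sourcetype = dataelicit/m365:m365-management-activity
startDate = 2024-01-01T00:00:00
"""
SAMPLE_DEFAULT = "[management://exchange]\ndisabled = 1\n"
```

Call `lint(local_text, default_text, now)` with the contents of local/connector.conf and default/connector.conf; an empty list means none of the four conditions was found.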