For Intune, you should select the third party API feed and configure it with the appropriate tenant/subscription and secret.
The Teams logs, I believe, end up under the O365 third party API. I would configure this and validate. Maybe another community member can chime in here.
- Go to Google Security Operations settings, and click Feeds.
- Click Add New.
- Select Third party API for Source Type.
- Select Office 365 for Log Type.
- Click Next.
- Based on the Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and Tenant ID details.
- Select the Content type for which you are creating this feed. You must create a separate feed for each content type that you require.
- Click Next and then Submit.
Thanks for that!
Yes, I'm working off the same documentation, but -- it's not working.
Has anyone else had any success with Teams logs > Chronicle/SecOps? 🙂
Hi Brian,
I don't see any parsers for Teams logs. I assume you want to collect the audit logs as per here: https://learn.microsoft.com/en-us/purview/audit-log-activities#microsoft-teams-activities
It looks like Purview from Microsoft has some logging in here, and also the default audit log within O365, as this contains these events here: https://learn.microsoft.com/en-us/purview/audit-log-activities
Happy to talk about this; as these are online sources, there are other options for parsing.
Thanks