Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 1 - Configure Microsoft 365 Logging
By deploying this integration, you can forward Unified Audit Logging logs from Microsoft 365 to Logit.io using the Microsoft 365 Management API. This approach currently supports several Microsoft 365 content types, including:
To utilize this integration, you'll need an active Microsoft 365 subscription with an administrator account that has the appropriate provisioning. Additionally, Unified Audit Logging must be enabled within Microsoft 365's Security and Audit Center.
Step 2 - Register a new application in Azure AD
- Sign in to the portal.zure.com and navigate to the Azure Active Directory service.
- Select "App registrations" and click "New registration."
- Enter a name for the application and select the appropriate account type and redirect URI.
Step 3 - Create a client secret for your application
- Select "App registrations" and click on the application that we created in step 2.
- Go to the "Certificates & secrets" page and click "New client secret."
- Enter a description for the client secret and choose an expiration option.
- Click "Add" to create the client secret and copy the value as it will not be displayed again.
- Store the client secret value securely, as it cannot be retrieved later.
Step 4 - Create a client secret for your application
- Go to the "API permissions" on the left hand side and click "Add a permission."
- On the "Application permissions" tab, activate the "ActivityFeed.Read" and "ActivityFeed.ReadDlp" permissions.
Step 6 - Configure Filebeat
Copy the configuration file below and overwrite the contents of the Filebeat module file typically located at
Save the file as
# Module: o365 # Docs: https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-module-o365.html - module: o365 audit: enabled: true # Set the application_id (also known as client ID): var.application_id: <ApplicationID> # Configure the tenants to monitor: # Use the tenant ID (also known as directory ID) and the domain name. # var.tenants: # - id: "tenant_id_1" # name: "mydomain.onmicrosoft.com" # - id: "tenant_id_2" # name: "mycompany.com" var.tenants: - id: <TenantID> name: <TenantName> # List of content-types to fetch. By default all known content-types # are retrieved: # var.content_type: # - "Audit.AzureActiveDirectory" # - "Audit.Exchange" # - "Audit.SharePoint" # - "Audit.General" # - "DLP.All" # Use the following settings to enable certificate-based authentication: # var.certificate: "/path/to/certificate.pem" # var.key: "/path/to/private_key.pem" # var.key_passphrase: "myPrivateKeyPassword" # Client-secret based authentication: # Comment the following line if using certificate authentication. var.client_secret: "<ClientSecret>" # Advanced settings, use with care: # var.api: # # Settings for custom endpoints: # authentication_endpoint: "https://login.microsoftonline.us/" # resource: "https://manage.office365.us" # # max_retention: 168h # max_requests_per_minute: 2000 # poll_interval: 3m
Copy the configuration file below and overwrite the contents of the Filebeat configuration
Inputs section, the file is typically located at
# ============================== Filebeat inputs =============================== filebeat.config: modules: enabled: true path: modules.d/*.yml fields: type: o365 fields_under_root: true # ================================== Outputs =================================== output.logstash: hosts: ["your-logstash-host:your-ssl-port"] loadbalance: true ssl.enabled: true
It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.
Step 4 - Validate configuration
If you have issues starting in the next step, you can use these commands below to troubleshoot.
Let's check the configuration file is syntactically correct by running directly inside the terminal.
If the file is invalid, will print an
error loading config file error message with details on how to correct the problem.
sudo -e -c /etc//.yml
cd <EXTRACTED_ARCHIVE> sudo ./ -e -c .yml
cd <EXTRACTED_ARCHIVE> .\.exe -e -c .yml
Step 5 - Start filebeat
Start or restart to apply the configuration changes.
Step 6 - Launch Logit.io to view your logs
Now you should view your data:
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 8 - Microsoft 365 Overview
Microsoft 365 is a cloud-based productivity suite that includes a range of services such as Exchange Online, SharePoint Online, and Microsoft Teams. To ensure the security of these services, it's important to have a robust monitoring solution in place.
One way to monitor Microsoft 365 activity is by leveraging its auditing capabilities. This allows organizations to track user activity and identify potential security threats in real-time. To make sense of the audit logs, it's essential to have a reliable log management solution that can collect, process, and analyze the data.
One way to achieve this is by using Filebeat to ship Microsoft 365 logs to Logstash and OpenSearch. This process involves creating a new application registration in Azure AD and granting it appropriate permissions to access the Microsoft 365 Management API. A client secret is then created for the application, and the Application (client) ID and Directory (tenant) ID are noted down.
With Microsoft 365 and Filebeat, organizations can proactively monitor user activity, detect potential security incidents, and ensure compliance with industry regulations and standards. By collecting and analyzing data from various sources, organizations can gain valuable insights into their security posture and take appropriate measures to safeguard their environment.
If you need any further assistance with shipping your log data to Logit.io we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.