Get a DemoStart Free TrialSign In

Microsoft 365

Ship your Microsoft 365 logs using Filebeat to your Stack

Configure Microsoft 365 to ship logs via Filebeat to your stacks via Logstash.

Send Your DataLogsPlatformsMicrosoft 365 Guide

Follow this step by step guide to get 'logs' from your system to

Step 1 - Configure Microsoft 365 Logging

By deploying this integration, you can forward Unified Audit Logging logs from Microsoft 365 to using the Microsoft 365 Management API. This approach currently supports several Microsoft 365 content types, including:

  • "Audit.AzureActiveDirectory"
  • "Audit.Exchange"
  • "Audit.SharePoint"
  • "Audit.General"
  • "DLP.All"

To utilize this integration, you'll need an active Microsoft 365 subscription with an administrator account that has the appropriate provisioning. Additionally, Unified Audit Logging must be enabled within Microsoft 365's Security and Audit Center.

Step 2 - Register a new application in Azure AD

  • Sign in to the and navigate to the Azure Active Directory service.
  • Select "App registrations" and click "New registration."
  • Enter a name for the application and select the appropriate account type and redirect URI.
Make sure to take note of the Application (client) ID and Directory (tenant) ID as they will be required for configuring Filebeat at a later step.

Step 3 - Create a client secret for your application

  • Select "App registrations" and click on the application that we created in step 2.
  • Go to the "Certificates & secrets" page and click "New client secret."
  • Enter a description for the client secret and choose an expiration option.
  • Click "Add" to create the client secret and copy the value as it will not be displayed again.
  • Store the client secret value securely, as it cannot be retrieved later.

Step 4 - Create a client secret for your application

  • Go to the "API permissions" on the left hand side and click "Add a permission."
  • On the "Application permissions" tab, activate the "ActivityFeed.Read" and "ActivityFeed.ReadDlp" permissions.

Step 5 - Install Filebeat

To get started first follow the steps below:

  • Install
  • Root access
  • Verify the required port is open

Older versions can be found here 7, 6, 5

Step 6 - Configure Filebeat

Copy the configuration file below and overwrite the contents of the Filebeat module file typically located at /etc/filebeat/modules.d/o365.yml.disabled

Save the file as o365.yml

# Module: o365
# Docs:

- module: o365
    enabled: true

    # Set the application_id (also known as client ID):
    var.application_id: <ApplicationID>

    # Configure the tenants to monitor:
    # Use the tenant ID (also known as directory ID) and the domain name.
    # var.tenants:
    #  - id: "tenant_id_1"
    #    name: ""
    #  - id: "tenant_id_2"
    #    name: ""
    - id: <TenantID>
      name: <TenantName>

    # List of content-types to fetch. By default all known content-types
    # are retrieved:
    # var.content_type:
    #  - "Audit.AzureActiveDirectory"
    #  - "Audit.Exchange"
    #  - "Audit.SharePoint"
    #  - "Audit.General"
    #  - "DLP.All"

    # Use the following settings to enable certificate-based authentication:
    # var.certificate: "/path/to/certificate.pem"
    # var.key: "/path/to/private_key.pem"
    # var.key_passphrase: "myPrivateKeyPassword"

    # Client-secret based authentication:
    # Comment the following line if using certificate authentication.
    var.client_secret: "<ClientSecret>"

    # Advanced settings, use with care:
    # var.api:
    #   # Settings for custom endpoints:
    #   authentication_endpoint: ""
    #   resource: ""
    #   max_retention: 168h
    #   max_requests_per_minute: 2000
    #   poll_interval: 3m

Copy the configuration file below and overwrite the contents of the Filebeat configuration Inputs section, the file is typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================
    enabled: true            
    path: modules.d/*.yml

     type: o365
  fields_under_root: true

# ================================== Outputs ===================================
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. is a great choice.

Step 4 - Validate configuration

If you have issues starting in the next step, you can use these commands below to troubleshoot.

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.


sudo  -e -c /etc//.yml


sudo ./ -e -c .yml


.\.exe -e -c .yml

Step 5 - Start filebeat

Start or restart to apply the configuration changes.

Step 6 - Launch to view your logs

Now you should view your data:

View my data

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 7 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 8 - Microsoft 365 Overview

Microsoft 365 is a cloud-based productivity suite that includes a range of services such as Exchange Online, SharePoint Online, and Microsoft Teams. To ensure the security of these services, it's important to have a robust monitoring solution in place.

One way to monitor Microsoft 365 activity is by leveraging its auditing capabilities. This allows organizations to track user activity and identify potential security threats in real-time. To make sense of the audit logs, it's essential to have a reliable log management solution that can collect, process, and analyze the data.

One way to achieve this is by using Filebeat to ship Microsoft 365 logs to Logstash and OpenSearch. This process involves creating a new application registration in Azure AD and granting it appropriate permissions to access the Microsoft 365 Management API. A client secret is then created for the application, and the Application (client) ID and Directory (tenant) ID are noted down.

With Microsoft 365 and Filebeat, organizations can proactively monitor user activity, detect potential security incidents, and ensure compliance with industry regulations and standards. By collecting and analyzing data from various sources, organizations can gain valuable insights into their security posture and take appropriate measures to safeguard their environment.

If you need any further assistance with shipping your log data to we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.

Return to Search
Sign Up

© 2023 Ltd, All rights reserved.