Microsoft 365

Ship your Microsoft 365 logs using Filebeat to your Logit.io Stack

Configure Microsoft 365 to ship logs via Filebeat to your Logit.io stacks via Logstash.

Send Your Data Logs PlatformsMicrosoft 365 Guide

Follow this step by step guide to get 'logs' from your system to Logit.io:

Step 1 - Configure Microsoft 365 Logging

By deploying this integration, you can forward Unified Audit Logging logs from Microsoft 365 to Logit.io using the Microsoft 365 Management API. This approach currently supports several Microsoft 365 content types, including:

"Audit.AzureActiveDirectory"
"Audit.Exchange"
"Audit.SharePoint"
"Audit.General"
"DLP.All"

To utilize this integration, you'll need an active Microsoft 365 subscription with an administrator account that has the appropriate provisioning. Additionally, Unified Audit Logging must be enabled within Microsoft 365's Security and Audit Center.

Step 2 - Register a new application in Azure AD

Sign in to the portal.zure.com and navigate to the Azure Active Directory service.
Select "App registrations" and click "New registration."
Enter a name for the application and select the appropriate account type and redirect URI.

Make sure to take note of the Application (client) ID and Directory (tenant) ID as they will be required for configuring Filebeat at a later step.

Step 3 - Create a client secret for your application

Select "App registrations" and click on the application that we created in step 2.
Go to the "Certificates & secrets" page and click "New client secret."
Enter a description for the client secret and choose an expiration option.
Click "Add" to create the client secret and copy the value as it will not be displayed again.
Store the client secret value securely, as it cannot be retrieved later.

Step 4 - Create a client secret for your application

Go to the "API permissions" on the left hand side and click "Add a permission."
On the "Application permissions" tab, activate the "ActivityFeed.Read" and "ActivityFeed.ReadDlp" permissions.

Step 5 - Install Filebeat

Windows
Linux
macOS
DEB
RPM

To get started you will need to install filebeat. To do this you have two main options:

Choose the filebeat ZIP file (Windows ZIP x86_64) or
Choose the Microsoft Software Installer MSI file (Windows MSI x86_64 (beta))

To successfully install filebeat and set up the required Windows service you will need to have administrator access.

If you have chosen to download the zip file:

Extract the contents of the zip file into C:\Program Files.
Rename the extracted folder to filebeat
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, run the following commands to install filebeat as a Windows service:

cd 'C:\Program Files\filebeat'

.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here

If you have chosen to download the filebeat.msi file:

double-click on it and the relevant files will be downloaded.

At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.

Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:

.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here

To get started you will need to install filebeat. To do this you have two main options:

Choose the AMD / Intel file (x86_64) or
Choose the ARM file (arm64)

You can tell if you have a Linux PC with an AMD / Intel CPU (kernel) architecture by opening a terminal and running the uname -m command. If it displays x86_64 you have AMD / Intel architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-x86_64.tar.gz
tar xzvf filebeat-8.12.2-linux-x86_64.tar.gz

If you have an arm64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-arm64.tar.gz
tar xzvf filebeat-8.12.2-linux-arm64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

Choose the AMD / Intel file (x86_64) or
Choose the ARM file (aarch64)

You can tell if you have a Mac with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.12.2-darwin-x86_64.tar.gz

If you have an aarch64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-aarch64.tar.gz
tar xzvf filebeat-8.12.2-darwin-aarch64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

Choose the AMD / Intel file (x86_64) or
Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-arm64.deb
sudo dpkg -i filebeat-8.12.2-arm64.deb

To get started you will need to install filebeat. To do this you have two main options:

Choose the AMD / Intel file (x86_64) or
Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-x86_64.rpm
sudo rpm -vi filebeat-8.12.2-x86_64.rpm

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-aarch64.rpm
sudo rpm -vi filebeat-8.12.2-aarch64.rpm

# Module: o365 # Docs: https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-module-o365.html - module: o365 audit: enabled: true # Set the application_id (also known as client ID): var.application_id: <ApplicationID> # Configure the tenants to monitor: # Use the tenant ID (also known as directory ID) and the domain name. # var.tenants: # - id: "tenant_id_1" # name: "mydomain.onmicrosoft.com" # - id: "tenant_id_2" # name: "mycompany.com" var.tenants: - id: <TenantID> name: <TenantName> # List of content-types to fetch. By default all known content-types # are retrieved: # var.content_type: # - "Audit.AzureActiveDirectory" # - "Audit.Exchange" # - "Audit.SharePoint" # - "Audit.General" # - "DLP.All" # Use the following settings to enable certificate-based authentication: # var.certificate: "/path/to/certificate.pem" # var.key: "/path/to/private_key.pem" # var.key_passphrase: "myPrivateKeyPassword" # Client-secret based authentication: # Comment the following line if using certificate authentication. var.client_secret: "<ClientSecret>" # Advanced settings, use with care: # var.api: # # Settings for custom endpoints: # authentication_endpoint: "https://login.microsoftonline.us/" # resource: "https://manage.office365.us" # # max_retention: 168h # max_requests_per_minute: 2000 # poll_interval: 3m

# ============================== Filebeat inputs =============================== filebeat.config: modules: enabled: true path: modules.d/*.yml fields: type: o365 fields_under_root: true # ================================== Outputs =================================== output.logstash: hosts: ["your-logstash-host:your-ssl-port"] loadbalance: true ssl.enabled: true

Logging

Metrics

Observability

Features

Grafana Demo

Prometheus as a Service

ELK as a Service

Monitoring

Logging

Compliance and Auditing

Analysis

Platform-Specific Logging

CMMC Solution

Datadog Alternative

Splunk Alternative

Logz.io Alternative

New Relic Alternative

Source Integrations

Platform Status

Help Centre

Blog

Integrations

Why Logit?

Security

Consultancy

Partners

Legal

Microsoft 365

Step 1 - Configure Microsoft 365 Logging

Step 2 - Register a new application in Azure AD

Step 3 - Create a client secret for your application

Step 4 - Create a client secret for your application

Step 5 - Install Filebeat

Step 6 - Configure Filebeat

Step 7 - Validate configuration

Step 8 - Start filebeat

Step 9 - Launch Logit.io to view your logs

Step 10 - How to diagnose no data in Stack

Step 11 - Microsoft 365 Overview