Microsoft 365

Ship your Microsoft 365 logs using Filebeat to your Logit.io Stack

Configure Microsoft 365 to ship logs via Filebeat to your Logit.io stacks via Logstash.

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Configure Microsoft 365 Logging

By deploying this integration, you can forward Unified Audit Logging logs from Microsoft 365 to Logit.io using the Microsoft 365 Management API. This approach currently supports several Microsoft 365 content types, including:

  • "Audit.AzureActiveDirectory"
  • "Audit.Exchange"
  • "Audit.SharePoint"
  • "Audit.General"
  • "DLP.All"

To utilize this integration, you'll need an active Microsoft 365 subscription with an administrator account that has the appropriate provisioning.

Additionally, Unified Audit Logging (opens in a new tab) must be enabled within Microsoft 365's Security and Audit Center.

Register a new application in Azure AD

  • Sign in to the portal.zure.com and navigate to the Azure Active Directory service.
  • Select "App registrations" and click "New registration."
  • Enter a name for the application and select the appropriate account type and redirect URI.

Make sure to take note of the Application (client) ID and Directory (tenant) ID as they will be required for configuring Filebeat at a later step.

Create a client secret for your application

  • Select "App registrations" and click on the application that we created in step 2.
  • Go to the "Certificates & secrets" page and click "New client secret."
  • Enter a description for the client secret and choose an expiration option.
  • Click "Add" to create the client secret and copy the value as it will not be displayed again.
  • Store the client secret value securely, as it cannot be retrieved later.
  • Go to the "API permissions" on the left hand side and click "Add a permission."
  • On the "Application permissions" tab, activate the "ActivityFeed.Read" and "ActivityFeed.ReadDlp" permissions.

Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

To successfully install filebeat and set up the required Windows service you will need to have administrator access.

If you have chosen to download the zip file:

  • Extract the contents of the zip file into C:\Program Files.
  • Rename the extracted folder to filebeat
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

If you have chosen to download the filebeat.msi file:

  • double-click on it and the relevant files will be downloaded.

At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

Configure Filebeat

Copy the configuration file below and overwrite the contents of the Filebeat module file typically located at /etc/filebeat/modules.d/o365.yml.disabled

Save the file as o365.yml.

# Module: o365
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.6/filebeat-module-o365.html
 
- module: o365
  audit:
    enabled: true
 
    # Set the application_id (also known as client ID):
    var.application_id: <ApplicationID>
 
    # Configure the tenants to monitor:
    # Use the tenant ID (also known as directory ID) and the domain name.
    # var.tenants:
    #  - id: "tenant_id_1"
    #    name: "mydomain.onmicrosoft.com"
    #  - id: "tenant_id_2"
    #    name: "mycompany.com"
    var.tenants:
    - id: <TenantID>
      name: <TenantName>
 
    # List of content-types to fetch. By default all known content-types
    # are retrieved:
    # var.content_type:
    #  - "Audit.AzureActiveDirectory"
    #  - "Audit.Exchange"
    #  - "Audit.SharePoint"
    #  - "Audit.General"
    #  - "DLP.All"
 
    # Use the following settings to enable certificate-based authentication:
    # var.certificate: "/path/to/certificate.pem"
    # var.key: "/path/to/private_key.pem"
    # var.key_passphrase: "myPrivateKeyPassword"
 
    # Client-secret based authentication:
    # Comment the following line if using certificate authentication.
    var.client_secret: "<ClientSecret>"
 
    # Advanced settings, use with care:
    # var.api:
    #   # Settings for custom endpoints:
    #   authentication_endpoint: "https://login.microsoftonline.us/"
    #   resource: "https://manage.office365.us"
    #
    #   max_retention: 168h
    #   max_requests_per_minute: 2000
    #   poll_interval: 3m

Copy the configuration file below and overwrite the contents of the Filebeat configuration Inputs section, the file is typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================
filebeat.config:
  modules:
    enabled: true            
    path: modules.d/*.yml
 
  fields:
      type: o365
  fields_under_root: true
 
# ================================== Outputs ===================================
output.logstash:
    hosts: ["@logstash.host:@logstash.sslPort"]
    loadbalance: true
    ssl.enabled: true

It's a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com (opens in a new tab) is a great choice.

Validate configuration

In the directory where Filebeat is installed, run the following command to validate the installation:
.\@beatname.exe test config -c @beatname.yml

If the yml file is invalid, @beatname will print a description of the error. For example, if the output.logstash section was missing, @beatname would print no outputs are defined, please define one under the output section

Launch Logit.io to view your logs

Data should now have been sent to your Stack.

View My Data

If you don't see take a look at How to diagnose no data in Stack below for how to diagnose common issues.

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Microsoft 365 Overview

Microsoft 365 is a cloud-based productivity suite that includes a range of services such as Exchange Online, SharePoint Online, and Microsoft Teams. To ensure the security of these services, it's important to have a robust monitoring solution in place.

One way to monitor Microsoft 365 activity is by leveraging its auditing capabilities. This allows organizations to track user activity and identify potential security threats in real-time. To make sense of the audit logs, it's essential to have a reliable log management solution that can collect, process, and analyze the data.

One way to achieve this is by using Filebeat to ship Microsoft 365 logs to Logstash and OpenSearch. This process involves creating a new application registration in Azure AD and granting it appropriate permissions to access the Microsoft 365 Management API. A client secret is then created for the application, and the Application (client) ID and Directory (tenant) ID are noted down.

With Microsoft 365 and Filebeat, organizations can proactively monitor user activity, detect potential security incidents, and ensure compliance with industry regulations and standards. By collecting and analyzing data from various sources, organizations can gain valuable insights into their security posture and take appropriate measures to safeguard their environment.

If you need any further assistance with shipping your log data to Logit.io we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat and we'll be happy to assist.