Set Up Collection of Microsoft Office 365 Logs
Alert Logic supports Microsoft Office 365 log collection. To collect Office 365 logs, you must first create and set up an Alert Logic application in Microsoft Azure.
To perform the setup required to grant Alert Logic permission to collect Office 365 logs, you must have access to the following:
- A Microsoft Office 365 account with administrative privileges
- A Microsoft Azure account with administrative privileges
- An Alert Logic account with administrative privileges
You cannot complete this procedure without administrative privileges in all three accounts.
In the Office 365 portal, you must register a new Office 365 web application to collect Office 365 logs.
To register an Office 365 web application:
- Log into the Office 365 portal as an Active Directory tenant administrator.
- Click Show all to expand the left navigation area, and then click Azure Active Directory.
- Select App Registrations, and then click + New application registration.
- Provide the following information in the fields:
- Name - for example, alo365collector.
- Select Single tenant for supported account types.
- Leave the Redirect URI blank.
- Click Register.
- Make a note of the Application ID, for example, a261478c-84fb-42f9-84c2-de050a4babe3.
Set up Active Directory security permissions
You must set up Active Directory security permissions for the application you created so it can read threat intelligence data and activity reports for your organization.
To set up Active Directory permissions:
- On the main panel under the new application, select View API Permissions, and then click + Add.
- Locate and click Office 365 Management APIs.
- In Application permissions, expand and select ActivityFeed.Read, ActivityFeed.ReadDlp, ActivityReports.Read(both), ServiceHealth.Read, and ThreatIntelligence.Read (both).
- Ensure all necessary permissions are selected, and then click Add permissions.
- Scroll to the bottom of the page, and then click Grant admin consent.
- Click Yes to confirm.
- On the left navigation area, select Certificates & secrets, and then click + New client secret.
- Type a key Description and set the duration to Never expires.
- Click Add.
- Click Overview to return to the application summary, and then click the link under Managed application in local directory, and then click Properties.
- Note the Object ID associated with the application. The Service Principal ID is labeled as "Object ID" on the properties page.
Create an Alert Logic access key
You must create an access key that allows the application you created to connect to the Alert Logic back end.
From the Bash command line in Azure Cloud Shell, run the following commands, where <username> is your Alert Logic user name and <password> is your Alert Logic password.
auth=$(curl -SX POST -u $AL_USERNAME https://api.global-services.global.alertlogic.com/aims/v1/authenticate); export AL_ACCOUNT_ID=$(echo $auth | jq -r '.authentication.account.id'); export AL_USER_ID=$(echo $auth | jq -r '.authentication.user.id'); export AL_TOKEN=$(echo $auth | jq -r '.authentication.token'); if [ -z $AL_TOKEN ]; then echo "Authentication failure"; else roles=$(curl -SX GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/roles | jq -r '.roles.name'); if [ "$roles" != "Administrator" ]; then echo "The $AL_USERNAME doesn’t have Administrator role. Assigned role is '$roles'"; else curl -SX POST -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq .; fi; fi; unset AL_USERNAME;
A successful response returns an access key ID and a secret key.
Note the access_key_id and secret_key values, which you need in the deployment steps below.
curl -s -X GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq
Use the following command to delete a specific access key:
curl -X DELETE -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys/<ACCESS_KEY_ID_HERE>
Before you can configure Office 365 log collection, you must log into Microsoft Azure and download and deploy an ARM template. You can use either the Microsoft Azure portal or a command line to deploy the template.
The steps in this section require an active Azure subscription. To verify your Azure subscription, visit Azure subscriptions blade.
If your organization uses multiple Active Directory tenants, log into the same tenant used to Register a new Office 365 web application. To find your Office 365 tenant ID, see Find your Office 365 tenant ID.
Deploy with the custom ARM template through the Azure portal
To access and deploy the ARM template through the Azure portal, click this link, and then:
- Provide the following required template parameters:
You can obtain this value from Azure > AD > App registrations > Your app name > Link under Managed application in local directory > Properties > Object ID.
- Name: The name of the log source to appear in the Alert Logic console.
- Resource Group: Create a new resource group for the collector.
- Storage Name: Any storage account name that does not currently exist.
- Alert Logic Access Key ID: The access_key_id you created above.
- Alert Logic Secret Key: The secret_key you created above.
- Alert Logic API endpoint: Leave the default value (api.global-services.global.alertlogic.com).
- Alert Logic Data Residency: Leave the default value.
- Office 365 Content Streams: The log types you want to collect. Valid values are:
- Service Principal ID: The Object ID of the application that created the subscription.
- App Client ID: The GUID of your application that created the subscription. You can obtain it from Azure > AD > App registrations > Your app name
- App Client Secret: The secret key of your application from App Registrations
- Click Purchase.
Deploy through the Azure CLI
To deploy through the Azure command line:
- In the command line, type the following to create a new resource group. (The example below creates a new resource group in the "Central US" location.)
az group create --name <new-resource-group-name> --location "Central US"
- In the Azure portal, access the Resource groups blade, and then select the resource group you created.
- Select Access Control (IAM), and add the Website Contributor role to the Active Directory application identity you created above.
- In the command line, type the following command to deploy a template, and enter the required parameters when prompted.
az group deployment create \
--resource-group <new-resource-group-name> \
Verify the installation
As a best practice, you should verify the template installed successfully.
To verify successful installation of the template:
- In the Azure portal, access Function Apps, and then choose the Alert Logic Office 365 collector function.
- Click Functions > Master > Monitor, and verify the recent log entry has the status of OK and contains no error messages.
- In the Alert Logic console, navigate to Configuration > Deployments > All Deployments > Log Sources, and then filter the list by Push (Office 365, CloudWatch) collection method.
- Verify a new Office 365 log source with the name provided during az group deployment create appears with the source status of OK.
If the collector stops sending information to Alert Logic, the Current Status for the source displays the error, "Collector is offline." If you see this error, try one of the following troubleshooting methods:
- If you either deleted the collector application, or disabled it from the Azure portal, the Alert Logic console may not have removed it. To correct the issue, delete the collector source from the Alert Logic console.
- Occasionally the collector has an issue with the Azure Active Directory, which causes an error. Alert Logic monitors these errors and resolves them, but you may also restart the function app from the Azure portal.
For information about how Azure functions use the Application and Office 365 tenant ID as a PublisherIdentifier during Office 365 management API requests, see How the Office 365 Collector Works.