Office 365 Monitoring with Logstail SIEM
Introduction
In the evolving landscape of cloud services, maintaining the security and efficiency of Office 365 environments has become paramount for organizations worldwide. As enterprises increasingly rely on Office 365 for collaboration, communication, and productivity tools, the need for comprehensive monitoring solutions has never been more critical. Enter Logstail SIEM (Security Information and Event Management), a cutting-edge platform designed to enhance the visibility, security, and management of Office 365 deployments. By leveraging Logstail SIEM, your organization can effectively monitor the Office 365 infrastructure, ensuring robust security, compliance, and operational efficiency. This innovative approach not only aids in detecting potential security threats but also provides valuable insights into usage patterns and system performance, enabling your businesses to optimize Office 365 environment and safeguard digital assets against the evolving threat landscape.
Getting Started
Requirements:
- Logstail Enterprise Key
- Enable Audit Logging on Office 365
- Register a Microsoft Azure Application
Logstail Enterprise Key
If you’re ready to elevate your Office 365 monitoring to the next level, the Logstail Enterprise plan is the key to unlocking a comprehensive suite of advanced features tailored to meet your organization’s unique needs. With an enterprise key, you’ll gain access to Logstail SIEM and its full capabilities for managing your Office 365 environment. Don’t miss out on the opportunity to harness the full potential of Logstail for your business. Get in touch with us today to explore our enterprise solutions and take the first step towards a more secure and optimized Office 365 experience. Reach out now to secure your enterprise key and transform how you monitor Office 365 with Logstail.
Enable Audit Logging on Office 365
- Navigate to https://security.microsoft.com/ and Login as Admin
- Go to Solutions → Audit
- Alternatively navigate to https://compliance.microsoft.com/auditlogsearch?viewid=Async%20Search
- If auditing isn’t turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
- Select the Start recording user and admin activity banner. It may take some time for the change to take effect.
Reference: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide
Register a Microsoft Azure Application
To successfully connect to the Office365 API, an authentication process is required. To do this, we must provide the tenant_id, client_id, and client_secret of the application that we authorize in the organization.
- Navigate to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
- Click on New registration
- Fill in the name of your app, choose the desired account type and click on the Register button
- The app is now registered and its Overview section shows its details; copy the client (application) ID and the tenant (directory) ID from here.
- Generate a password to use during the authentication process: go to Certificates & secrets and click on New client secret, then enter the name and the expiration date of the new client secret.
- Copy and save the Value field of the secret.
The application needs specific API permissions to be able to request the Office 365 activity events. In this case, you are looking for permissions related to the https://manage.office.com resource.
- Go to the API permissions page and choose Add a permission. Select the Office 365 Management APIs and click on Application permissions. You need to add the following permissions under the ActivityFeed group:
- ActivityFeed.Read: Read activity data for your organization.
- ActivityFeed.ReadDlp: Read DLP policy events including detected sensitive data.
- Grant Admin consent for API permission changes.
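To verify that the registered application, its secret and the ActivityFeed permissions actually work before wiring them into the collector, the following added example (not Logstail’s or Microsoft’s code) performs the same client-credentials authentication against the Office 365 Management Activity API and lists the available audit content for one subscription. It reads the tenant ID, client ID and client secret from the environment variables O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET (names chosen here, not from the page) and uses only the standard library.

```python
"""Check an Azure app registration against the Office 365 Management Activity API.
Added example; not part of the Logstail or Microsoft documentation."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
API_BASE = "https://manage.office.com/api/v1.0/{tenant_id}/activity/feed"
# Client-credentials scope for the https://manage.office.com resource named on the page.
SCOPE = "https://manage.office.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth2 client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant_id=tenant_id), body


def parse_token_response(raw):
    """Extract the bearer token, or raise with Azure AD's error description."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error')}: {data.get('error_description')}")
    return data["access_token"]


def subscription_url(tenant_id, action, content_type, **params):
    """URL for /subscriptions/{start|stop|list|content} on one content type."""
    query = urllib.parse.urlencode({"contentType": content_type, **params})
    return f"{API_BASE.format(tenant_id=tenant_id)}/subscriptions/{action}?{query}"


def content_uris(raw_listing):
    """/subscriptions/content returns blob descriptors; the events live behind each contentUri."""
    return [blob["contentUri"] for blob in json.loads(raw_listing)]


def call(url, token, method="GET"):
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def main(content_type="Audit.SharePoint"):
    tenant, client, secret = (os.environ[k] for k in ("O365_TENANT_ID", "O365_CLIENT_ID", "O365_CLIENT_SECRET"))
    url, body = build_token_request(tenant, client, secret)
    # A 401 here means the secret Value was not copied correctly; a 403 later means consent is missing.
    token = parse_token_response(urllib.request.urlopen(url, data=body).read().decode())
    try:
        call(subscription_url(tenant, "start", content_type), token, method="POST")
    except urllib.error.HTTPError as exc:  # the API answers 400 when the subscription already exists
        print(f"start: HTTP {exc.code} ({exc.read().decode()[:120]})", file=sys.stderr)
    end = datetime.now(timezone.utc)
    listing = call(subscription_url(tenant, "content", content_type,
                                    startTime=(end - timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M"),
                                    endTime=end.strftime("%Y-%m-%dT%H:%M")), token)
    uris = content_uris(listing)
    print(f"{len(uris)} content blob(s) available for {content_type} in the last hour")
    for uri in uris[:1]:  # peek at the first blob's operations
        for event in json.loads(call(uri, token)):
            print(event.get("CreationTime"), event.get("Operation"), event.get("UserId"))


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run it with the three environment variables set; an empty listing right after enabling auditing is normal, since Microsoft needs some time before content appears (the page notes the same delay).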
Configuration
Next, you need to configure your SIEM collector to fetch the logs from your Office 365. Make sure you have installed the Logstail Agent and enabled the SIEM Collector. Apply the following configuration on exactly one agent in your organization: enabling the Office 365 module on more than one agent produces duplicated events.
- Edit the config for the SIEM Collector.
- Add the following code block. We suggest adding this above the local_file block.
<office365>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>no</only_future_events>
  <api_auth>
    <tenant_id>YOUR_TENANT_ID</tenant_id>
    <client_id>YOUR_CLIENT_ID</client_id>
    <client_secret>YOUR_CLIENT_SECRET</client_secret>
  </api_auth>
  <subscriptions>
    <subscription>Audit.SharePoint</subscription>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.General</subscription>
    <subscription>Audit.Exchange</subscription>
    <subscription>DLP.All</subscription>
  </subscriptions>
</office365>
- If copying and pasting introduced blank lines inside the block above, delete them to avoid errors.
- Edit the subscriptions you want to monitor in your organization.
Subscriptions
- Audit.AzureActiveDirectory: User identity management.
- Audit.Exchange: Mail and calendaring server.
- Audit.SharePoint: Web-based collaborative platform.
- Audit.General: Includes all other workloads not included in the previous content types.
- DLP.All: Data loss prevention workloads.
- Save the configuration files
- Restart the SIEM Agent (Stop and then Start again).
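Because the collector only reports a broken block after the restart, it pays to check the edited file first. The following added example (not part of the Logstail Agent) reads the collector configuration, extracts the office365 block and reports the mistakes the steps above warn about: placeholders left in place, blank lines pasted into the block, the module left disabled, and subscription names outside the five listed above. The interval format check (a number followed by s, m, h or d) is an assumption about the collector, not something the page states.

```python
"""Pre-restart sanity check for the <office365> block of the SIEM collector config.
Added example; not Logstail's own tooling."""
import re
import sys
import xml.etree.ElementTree as ET

# The five content types the page lists under "Subscriptions".
VALID_SUBSCRIPTIONS = {"Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "Audit.General", "DLP.All"}
PLACEHOLDERS = ("YOUR_TENANT_ID", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
INTERVAL_RE = re.compile(r"^\d+[smhd]$")  # assumption: <number><s|m|h|d>, e.g. 1m

# Constructed sample: the page's block, exactly as it is meant to be pasted.
PAGE_BLOCK = """
<office365>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>no</only_future_events>
  <api_auth>
    <tenant_id>YOUR_TENANT_ID</tenant_id>
    <client_id>YOUR_CLIENT_ID</client_id>
    <client_secret>YOUR_CLIENT_SECRET</client_secret>
  </api_auth>
  <subscriptions>
    <subscription>Audit.SharePoint</subscription>
    <subscription>DLP.All</subscription>
  </subscriptions>
</office365>
"""
# Constructed sample with fake credentials filled in (not real identifiers).
FILLED_BLOCK = (PAGE_BLOCK.replace("YOUR_TENANT_ID", "00000000-0000-0000-0000-000000000001")
                          .replace("YOUR_CLIENT_ID", "00000000-0000-0000-0000-000000000002")
                          .replace("YOUR_CLIENT_SECRET", "example-secret-value"))


def extract_office365_block(config_text):
    """Pull out just the <office365> element; the surrounding config may not be one XML document."""
    match = re.search(r"<office365>.*?</office365>", config_text, re.S)
    return match.group(0) if match else None


def check_office365_config(config_text):
    """Return a list of findings; an empty list means the block looks ready for a restart."""
    findings = []
    block = extract_office365_block(config_text)
    if block is None:
        return ["no <office365> block found"]
    if re.search(r"\n[ \t]*\n", block):
        findings.append("blank line inside <office365> block (delete it before restarting the collector)")
    for placeholder in PLACEHOLDERS:
        if placeholder in block:
            findings.append(f"placeholder {placeholder} not replaced")
    try:
        root = ET.fromstring(block)
    except ET.ParseError as exc:
        return findings + [f"malformed XML: {exc}"]
    if (root.findtext("enabled") or "").strip() != "yes":
        findings.append("module not enabled (<enabled> should be yes)")
    interval = (root.findtext("interval") or "").strip()
    if not INTERVAL_RE.match(interval):
        findings.append(f"unexpected <interval> value {interval!r}")
    subs = [s.text.strip() for s in root.iter("subscription") if s.text]
    if not subs:
        findings.append("no <subscription> entries")
    for sub in subs:
        if sub not in VALID_SUBSCRIPTIONS:
            findings.append(f"unknown subscription {sub!r} (valid: {', '.join(sorted(VALID_SUBSCRIPTIONS))})")
    if len(subs) != len(set(subs)):
        findings.append("duplicate <subscription> entries")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_BLOCK
    problems = check_office365_config(text)
    print("\n".join(problems) if problems else "office365 block looks fine")
    sys.exit(1 if problems else 0)
```

Pass the collector's config path as the only argument; with no argument it checks the embedded page block and reports the three placeholders.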
Observe your data
- Login to your Logstail Account
- Go to Analytics → Dashboards → Logstail SIEM Office365 (Make sure to have added the Dashboard from Apps.)
The Logstail SIEM Office365 Dashboard offers a comprehensive view into your organization’s Office 365 activities, highlighting subscription activity, user actions, and event severities over time. It enables administrators to pinpoint suspicious activities, like unusual access attempts or file sharing, especially during non-business hours, and quickly assess event statuses and details. By facilitating the monitoring of IP-related events and providing in-depth event analyses, the dashboard is crucial for detecting and addressing potential security threats promptly. This proactive surveillance ensures robust security, helping safeguard data integrity and stay ahead of cyber threats, thereby bolstering your organization’s defense against unauthorized access and enhancing overall cybersecurity posture.
Generate a Report
Logstail’s Reporting feature is a cornerstone for businesses seeking to optimize their operational efficiency and bolster security measures. With customized reports, organizations can track user activity, identify trends, monitor compliance with regulatory standards, and pinpoint potential security vulnerabilities. The ability to generate precise, timely reports means decision-makers can swiftly respond to issues, enhance strategic planning, and ensure a secure and productive Office 365 environment. In essence, Logstail’s Reporting feature is not just a tool but a strategic asset, empowering businesses to maintain a competitive edge in today’s fast-paced digital landscape.
- Go to Reports → Create.
- Enter a Name for your Report.
- Select the Logstail SIEM 365 Dashboard.
- Select the Desired Time Range for your Report.
- Select the format.
- Select if it’s an on-demand or a scheduled Report
- Learn more about the Reporting feature here.
- Click Create to finalize the Report.
If the Report isn’t downloaded automatically, click on the link under Generate to download it.
You are now ready to view and share your Report!
Create Alerts
Logstail’s Alerting feature plays a pivotal role in the proactive management and security of your organization’s digital ecosystem. This powerful feature allows for the real-time detection of potential threats and anomalies within your Office 365 environment, enabling immediate response to safeguard your data and assets. By setting up customized alerts based on specific events or activities, administrators can swiftly identify and mitigate risks, ranging from unusual login behaviors to potential data breaches. This level of vigilance ensures that any malicious activity is caught and addressed before it can cause significant harm, thereby maintaining the continuous integrity and availability of your Office 365 services. In essence, Logstail’s alerting capability is an essential component in a robust cybersecurity strategy, providing peace of mind and a secure operating environment for businesses leveraging Office 365.
File Downloaded Alert
Creating alerts on file downloads is a critical security measure that enables your organization to monitor and control the flow of sensitive information. By setting up customized alerts for file download activities, you can immediately detect and respond to unauthorized or suspicious data access. This not only helps in preventing potential data leakage but also reinforces compliance with data protection regulations. With Logstail, safeguarding your digital assets becomes straightforward, ensuring that every file download is accounted for and aligned with your organization’s security policies. First, make sure you have configured your notification channel in Alerts → Alerting Channels. If not, read here how to configure a Notification Channel. Next, go to Alerts → Alerting Dashboard → Monitors → Create Monitor.
- Enter a name.
- Select per query monitor.
- Select extraction query editor.
- Schedule how often you want the Alerting Monitor to run and check your Office 365 logs.
- Enter logstail-siem-alerts-* as your data source. (The wildcard “*” covers the data indexes created for each day.)
- In the Query field enter the query below, which is tailored to detect file downloads.
{
  "size": 1,
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "data.office365.Operation:FileDownloaded",
            "fields": [],
            "type": "best_fields",
            "default_operator": "or",
            "max_determinized_states": 10000,
            "enable_position_increments": true,
            "fuzziness": "AUTO",
            "fuzzy_prefix_length": 0,
            "fuzzy_max_expansions": 50,
            "phrase_slop": 0,
            "analyze_wildcard": true,
            "escape": false,
            "auto_generate_synonyms_phrase_query": true,
            "fuzzy_transpositions": true,
            "boost": 1
          }
        },
        {
          "range": {
            "timestamp": {
              "from": "now-2m",
              "to": null,
              "include_lower": true,
              "include_upper": true,
              "boost": 1
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}
- Create a new Trigger.
- Enter a name.
The default trigger condition means the alert fires when at least one file download is found within the specified time range.
- Create a new Action.
- Enter a name.
- Select your Notification Channel.
- Enter your Message subject.
- Enter your Message body.
- Click Create.
For the Message body you can use the template below if you want to include information from the event that triggered the Alerting Monitor.
Message Template
Details:
{{#ctx.results.0.hits.hits}}
- Description: {{_source.rule.description}}
- User: {{_source.data.office365.UserId}}
- File: "{{_source.data.office365.ObjectId}}"
- User Ip: {{_source.data.office365.ClientIP}}
- User Platform: {{_source.data.office365.Platform}}
- User Browser: {{_source.data.office365.BrowserName}}
{{/ctx.results.0.hits.hits}}
Your Alerting Monitor is now ready! No more file downloads will go unnoticed inside your organization. Open the monitor you created to view all of its alerts. Also, remember to test the alerting by downloading a file from your Office 365 and checking for the notification in your email.
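The monitor above is one instance of a general pattern: match one Office 365 Operation value inside a look-back window, then render the hits through the message template. The following added example (not Logstail’s code and not the alerting engine itself) builds that extraction query for any Operation and window, applies the same filter offline to a handful of constructed audit events so the trigger logic can be tested without a cluster, and renders the message body exactly as the template above lays it out. The event shape (timestamp, rule.description, data.office365.*) follows the fields the page’s template references; the sample users, IPs and file names are made up.

```python
"""Generalised file-download monitor: query builder, offline filter and message rendering.
Added example; not part of the Logstail platform."""
import json
from datetime import datetime, timedelta, timezone

# Constructed "now" and sample events in the shape the template walks under _source.
NOW = datetime(2024, 3, 1, 10, 20, tzinfo=timezone.utc)


def _event(ts, operation, user, obj, ip):
    return {
        "timestamp": ts,
        "rule": {"description": f"Office 365: {operation}"},
        "data": {"office365": {"Operation": operation, "UserId": user, "ObjectId": obj,
                               "ClientIP": ip, "Platform": "Windows", "BrowserName": "Edge"}},
    }


SAMPLE_EVENTS = [
    _event("2024-03-01T10:19:10+00:00", "FileDownloaded", "alice@example.com",
           "https://contoso.sharepoint.com/sites/finance/Q1.xlsx", "203.0.113.10"),
    _event("2024-03-01T10:10:00+00:00", "FileDownloaded", "bob@example.com",
           "https://contoso.sharepoint.com/sites/hr/policy.pdf", "203.0.113.11"),   # outside the 2m window
    _event("2024-03-01T10:19:30+00:00", "FileAccessed", "carol@example.com",
           "https://contoso.sharepoint.com/sites/finance/Q1.xlsx", "203.0.113.12"),  # different Operation
]


def build_monitor_query(operation, window="2m", size=1):
    """Extraction query equivalent to the page's monitor, parameterised on Operation and window."""
    return {
        "size": size,
        "query": {"bool": {"must": [
            {"query_string": {"query": f"data.office365.Operation:{operation}", "analyze_wildcard": True}},
            {"range": {"timestamp": {"from": f"now-{window}", "to": None,
                                     "include_lower": True, "include_upper": True}}},
        ]}},
    }


def select_hits(events, operation, window_minutes, now=NOW):
    """Offline equivalent of the query: same Operation, timestamp within the look-back window."""
    cutoff = now - timedelta(minutes=window_minutes)
    return [e for e in events
            if e["data"]["office365"]["Operation"] == operation
            and datetime.fromisoformat(e["timestamp"]) >= cutoff]


def trigger_fires(hits):
    """Default trigger condition from the page: at least one hit in the window."""
    return len(hits) >= 1


def render_message(hits):
    """Render the page's Mustache message template for the given hits."""
    lines = ["Details:"]
    for e in hits:
        o = e["data"]["office365"]
        lines += [
            f"- Description: {e['rule']['description']}",
            f"- User: {o['UserId']}",
            f'- File: "{o["ObjectId"]}"',
            f"- User Ip: {o['ClientIP']}",
            f"- User Platform: {o['Platform']}",
            f"- User Browser: {o['BrowserName']}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(build_monitor_query("FileDownloaded"), indent=2))
    hits = select_hits(SAMPLE_EVENTS, "FileDownloaded", 2)
    print(f"trigger fires: {trigger_fires(hits)}")
    print(render_message(hits))
```

Swapping "FileDownloaded" for another Operation value, or widening the window, gives a monitor for a different activity without retyping the query; keep the schedule at least as frequent as the window, otherwise downloads that fall between two runs are never matched.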
Conclusion
In conclusion, monitoring Office 365 is an essential aspect of modern cybersecurity and operational management, ensuring that organizations can leverage cloud-based collaboration tools without compromising on security or efficiency. Logstail’s contribution to this domain is both significant and transformative, offering a robust Security Information and Event Management (SIEM) solution that empowers businesses to maintain a vigilant watch over their Office 365 environments. With features like real-time analytics, customizable alerting, and an intuitive dashboard tailored for Office 365, Logstail enables organizations to detect malicious activities, monitor user behavior, and safeguard against potential threats with unparalleled ease and effectiveness. In an era where digital security is paramount, Logstail stands out as a vital ally for businesses aiming to harness the full potential of Office 365 while ensuring their digital landscapes remain secure, compliant, and optimally managed.