Set Up Collection of Microsoft Office 365 Logs

Alert Logic® supports Microsoft Office 365 log collection. To collect Office 365 logs, you must first create and set up an Alert Logic application in Microsoft Azure.

Before You Begin

To perform the setup required to grant Alert Logic permission to collect Office 365 logs, you must have access to the following:

• A Microsoft Office 365 account with administrative privileges
• A Microsoft Azure account with administrative privileges
• An Alert Logic account with administrative privileges

You cannot complete the following steps without administrative privileges in all three accounts.

Note: This information and more can also be found within Alert Logic Product Documentation.

Register a New Office 365 Web Application

In the Microsoft Office 365 portal, you must register a new Office 365 web application to collect Office 365 logs.

1. Log into the Office 365 portal as an Active Directory tenant administrator.
   
   
2. Click Show all to expand the left navigation area, and then click Azure Active Directory.
   
   
3. Select App Registrations, and then click + New application registration.
   
   
4. Provide the following information in the fields:
   
   - Name (for example, alo365collector)
   
   - Select Single tenant for supported account types
   
   - Leave the Redirect URI blank
   
   
5. Click Register. Note the Application (client) ID.

Set Up Active Directory Security Permissions

You must set up Active Directory security permissions for the application you created so it can read threat intelligence data and activity reports for your organization.

1. On the main panel of the Office 365 portal, under the new application, click API Permissions, then + Add a permission.
   
   
2. Locate and click Office 365 Management APIs.
   
   
3. In Application permissions, expand and select ActivityFeed.Read, ActivityFeed.ReadDlp, ActivityReports.Read (both), ServiceHealth.Read, and ThreatIntelligence.Read (both).
   
   
4. Ensure all necessary permissions are selected and click Add permissions.
   
   
5. Click Grant admin consent, and then click Accept to confirm.
   
   Note: Only the Active Directory tenant administrator can grant permissions to an Azure Active Directory application.
   
   
6. On the left navigation area, select Certificates & secrets, and then click + New client secret.
   
   
7. Type a key Description and set the duration to Never.
   
   
8. Click Add.
   
   
9. Save the key value, which you need during ARM template deployment.
   
   
10. Click Overview to return to the application summary, and then click the link under Managed application in local directory.
    
    
11. Click Properties, and then note the Object ID associated with the application.
    
    Note: This Object ID is not the same Object ID found under the Registered app view or under Settings.

Create an Alert Logic Access Key

You must generate an access key that allows the application you created to connect to the Alert Logic back end. You can do this from the Alert Logic console.

Access keys contain the two components you need to configure access to the Alert Logic back end, both of which you need to configure a log source:

• Access key ID - Numerical identification for the access key you granted. You can retrieve this value from the Alert Logic console.
• Secret key - Encrypted account information that provides permission for data to flow from Azure to the Alert Logic back end. You cannot retrieve this value after you initially generate the access key. If you lose your secret key, you must generate a new access key.

After you generate a new access key, the Alert Logic console allows you to retrieve only the access key ID. You must store both the access key ID and the secret key immediately after you generate the access key. You can choose to copy and paste the access key ID and the secret key to a file, or you can automatically save your access key information to a .CSV file that you can save to a secure location.

Note: If you lose your access key ID or secret key, you can no longer use the access key to configure new integrations and must generate a new access key.

Generate and store an access key:

1.  In the Alert Logic console, open the main menu () and click Manage > Users.
   
   Note: Cloud Defender customers, click the Settings icon () and click Users.
   
   
2. Scroll to the user account in question and click View.
   
   
3. In the slide-out panel, click the Access Keys tab.
   
   
4. Click Generate new key.
   
   
5. Click Download key file.

To learn how to manage access keys, see the Create and Manage Alert Logic Access Keys documentation.

Download and Deploy the Azure Resource Manager Template

Before you can configure Office 365 log collection, you must log into Microsoft Azure and download and deploy an Azure Resource Manager (ARM) template. You can use either the Microsoft Azure portal or a command line to deploy the template.

Note: The steps in this section require an active Azure subscription.

If your organization uses multiple Active Directory tenants, log into the same tenant used to register a new Office 365 web application. To find your Office 365 tenant ID, see the Microsoft Find your Office 365 tenant ID documentation.

Deploy with the Custom ARM Template Through the Azure Portal

1. Click this link.
   
   
2. Provide the following required template parameters:
   
   - Name - The name of the log source to appear in the Alert Logic console. This must be different from any previous deployment of a Function App.
   
   - Resource Group - Create a new resource group for the collector. This must be different from any previous resource group names.
   
   - Storage Name - Any storage account name that does not currently exist.
   
   - Alert Logic Access Key ID - The access key ID you created above.
   
   - Alert Logic Secret Key - The secret key you generated above.
   
   - Alert Logic API Endpoint - Leave the default value.
   
   - Alert Logic Data Residency - Leave the default value.
   
   - Office 365 Content Streams - The log types you want to collect. Valid values include Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, and Audit.General.
   
   - Service Principal ID - The Object ID of the application that created the subscription. You can obtain this value from Microsoft Azure > Active Directory > App registrations > Your app name > Link under Managed application in local directory > Properties > Object ID.
   
   - App Client ID - The GUID of your application that created the subscription. You can obtain this value from Microsoft Azure > Active Directory > App registrations > Your app name > Application (client) ID.
   
   - App Client Secret - The secret key of your application from App registrations > Certificates & secrets.
   
   
3. Click Purchase.

Deploy Through Azure Command Line Interface

Use either Azure Cloud Shell or a local installation of Azure CLI.

1. In the command line, type the following to create a new resource group (the below example creates a new resource group in the "Central US" location):
   

   az group create --name <new-resource-group-name> --location "Central US"

2. In the Azure portal, access the Resource groups blade, and then select the resource group you created.
   
   
3. Select Access Control (IAM), and add the Website Contributor role to the Active Directory application identity you created above.
   
   
4. In the command line, type the following command to deploy a template and enter the required parameters when prompted:
   

   az group deployment create \
      --resource-group <new-resource-group-name> \
      --template-uri "https://raw.githubusercontent.com/alertlogic/azure-collector/master/template.json"