To send Office 365 audit logs to Blumira, follow these steps:
- Go to office.com and log in.
- Navigate to the Microsoft Admin Center.
- Select Azure Active Directory.
- Select All Services (in left panel) > Azure Active Directory.
- Click on “App Registrations” in second-to-left panel.
- Click “Register an Application” button or “+ New Registration” button.
- Enter name, such as “Office 365 Audit Logs to Blumira”.
- Choose “Accounts in THIS organizational directory only”.
- Leave Redirect URI empty.
- Click “Register” button.
- Make a note of the client ID and tenant ID as you will need these later.
- The “Application (client) ID” value is used for the “App Client ID” Module Configuration.
- The “Directory (tenant) ID” value is used for the “Tenant ID to monitor” Module Configuration.
- Click “API permissions” in second-to-left panel.
- Click “Add a Permission” button.
- Click “Office 365 Management API”.
- Click “Application Permissions”.
- Expand ActivityFeed and check ActivityFeed.Read and ActivityFeed.ReadDlp.
- Click “Add permissions” button (at bottom).
- Click “Grant admin consent” button.
- Remove delegated User.Read permission (which is added by default).
- Click “Certificates & secrets”.
- Click “New client secret” button.
- In the Description field, type a descriptive name such as “Blumira sensor” or leave it blank.
- Choose any timeframe you’re comfortable with (up to 24 months). Be sure to set a reminder to update this when it expires.
- Click Add.
- Make a note of the client secret value as you will need it later; it is only displayed once, right after creation.
- The “Client Secret” value is used for the “App Client Secret” Module Configuration.
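To see what the registration above actually grants, here is an added example (not Blumira's sensor code) that uses the three values you noted down to authenticate as the app with the client-credentials flow and poll the Office 365 Management Activity API for available audit content. The tenant ID, client ID and client secret are placeholders, and the HTTP transport is injectable so the script runs offline against a constructed fake; pass `http_transport` to talk to the real Microsoft endpoints.

```python
"""Added example (not Blumira's sensor code): exercise the app registration
from the steps above against the Office 365 Management Activity API.

Assumptions: TENANT_ID / CLIENT_ID / CLIENT_SECRET are placeholders, and the
HTTP transport is injectable so the script can run offline against a
constructed fake; pass http_transport to use the real endpoints.
"""
import json
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: "Directory (tenant) ID"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: "Application (client) ID"
CLIENT_SECRET = "placeholder-client-secret"         # placeholder: value from "Certificates & secrets"

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FEED_ROOT = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
SCOPE = "https://manage.office.com/.default"  # resolves to the granted ActivityFeed.* app permissions


def http_transport(url, data=None, headers=None):
    """Real transport: form-encoded POST when data is given, otherwise GET; returns parsed JSON."""
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_token(transport, tenant_id, client_id, client_secret):
    """Client-credentials flow: the app authenticates as itself, no user sign-in involved."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }
    reply = transport(TOKEN_URL.format(tenant=tenant_id), data=form)
    return reply["access_token"]


def start_subscription(transport, token, tenant_id, content_type):
    """A subscription must be started once per content type before content can be listed."""
    query = urllib.parse.urlencode({"contentType": content_type})
    url = FEED_ROOT.format(tenant=tenant_id) + "/subscriptions/start?" + query
    return transport(url, data={}, headers={"Authorization": "Bearer " + token})


def list_content(transport, token, tenant_id, content_type, start_time, end_time):
    """Return the blob URIs published for the window; each blob is a JSON array of audit events."""
    query = urllib.parse.urlencode(
        {"contentType": content_type, "startTime": start_time, "endTime": end_time})
    url = FEED_ROOT.format(tenant=tenant_id) + "/subscriptions/content?" + query
    return [blob["contentUri"] for blob in transport(url, headers={"Authorization": "Bearer " + token})]


def fake_transport(url, data=None, headers=None):
    """Constructed stand-in for Microsoft's endpoints so the example runs offline."""
    if "/oauth2/v2.0/token" in url:
        if data.get("grant_type") != "client_credentials" or data.get("scope") != SCOPE:
            raise ValueError("unexpected token request")
        return {"token_type": "Bearer", "expires_in": 3599, "access_token": "FAKE-TOKEN"}
    if (headers or {}).get("Authorization") != "Bearer FAKE-TOKEN":
        raise PermissionError("401: missing or invalid bearer token")
    if "/subscriptions/start" in url:
        return {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None}
    if "/subscriptions/content" in url:
        return [  # constructed sample listing
            {"contentId": "c1", "contentUri": FEED_ROOT.format(tenant=TENANT_ID) + "/audit/c1"},
            {"contentId": "c2", "contentUri": FEED_ROOT.format(tenant=TENANT_ID) + "/audit/c2"},
        ]
    raise ValueError("unexpected URL: " + url)


def poll_once(transport=fake_transport, content_type="Audit.AzureActiveDirectory"):
    """Token -> start subscription -> list content; returns what a sensor would fetch next."""
    token = get_token(transport, TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    sub = start_subscription(transport, token, TENANT_ID, content_type)
    uris = list_content(transport, token, TENANT_ID, content_type,
                        "2024-01-01T00:00", "2024-01-01T01:00")
    return {"status": sub["status"], "content_uris": uris}


if __name__ == "__main__":
    print(json.dumps(poll_once(), indent=2))
```

Two things worth noticing: the token request carries no user identity at all, only the client ID and secret, which is why the delegated User.Read permission is unnecessary and why the secret expiry reminder matters (when it lapses, the token call fails and the feed silently stops); and the scope `https://manage.office.com/.default` only yields a usable token after "Grant admin consent" has been clicked for the ActivityFeed permissions.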
On the Blumira side, configuration is easy:
- Log in to app.blumira.com.
- Go to Infrastructure / Sensors.
- Click on the sensor where you want to poll for Office 365 audit logs.
- Scroll down to the Modules section and click Add Module.
- Choose Office 365 Module (Sensor Office 365 Module).
- Enter in the parameters you noted down while configuring Office 365.
- Click Install.