To send Office 365 audit logs to Blumira, follow these steps:

• Go to office.com and log in.
• Navigate to the Microsoft Admin Center

• Select Azure Active Directory

• Select All Services (in left panel) > Azure Active Directory.

• Click on “App Registrations” in second-to-left panel.

• Click “Register an Application” button or “+ New Registration” button.
• Enter name, such as “Office 365 Audit Logs to Blumira”.
• Choose “Accounts in THIS organizational directory only”
• Leave Redirect URI empty.
• Click “Register” button.
• Make a note of the client ID and tenant ID as you will need these later.

• Click “API permissions” in second-to-left panel
• Click “Add a Permission” button
• Click “Office 365 Management API”
• Click “Application Permissions”
• Expand ActivityFeed, and check ActivityFeed.Read, ActivityFeed.ReadDlp
• Click “Add permissions” button (at bottom).

• Click “Grant admin consent” button.
• Remove delegated User.Read permission (which is added by default)
• Click “Certificates & secrets”
• Click “New client secret” button
• In the Description field, type a descriptive name such as “Blumira sensor” or leave it blank.
• Choose “Never” for the Expiration.
• Click Add.
• Make a note of the client secret as you will need this later.

On the Blumira side, configuration is easy:

1. Log in to app.blumira.com
2. Go to Infrastructure / Sensors
3. Click on the sensor where you want to poll for Office 365 audit logs.
4. Scroll down to the Modules section and click Add Module.
5. Choose Office 365 Module (Sensor Office 365 Module)
6. Enter in the parameters you noted down while configuring Office 365.
7. Click Install.

Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.