
Microsoft Office 365 Integration

<div class="condensed-table">
| | |
| --- | --- |
| Version | 2.8.0 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Elastic |

</div>
This integration is for Microsoft Office 365. It currently supports user, admin, system, and policy actions and events from the Office 365 and Azure AD activity logs exposed by the Office 365 Management Activity API.

To use this package you need to enable the audit log (the Unified Audit Log) for your tenant and register an application in Microsoft Entra ID (formerly known as Azure Active Directory).

Once the application is registered, configure and note the following to set up the O365 Elastic integration:

  1. Note the Application (client) ID and the Directory (tenant) ID on the registered application’s Overview page.

  2. Create a new client secret to authenticate your application.

    • Navigate to the Certificates & secrets section.
    • Click New client secret and provide a description to create the new secret.
    • Note the Value, which is required for the integration setup; it is shown only at creation time. Also note the expiry you chose, because collection stops when the secret expires.
  3. Add permissions to your registered application. See the O365 Management API permissions documentation for details.

    • Navigate to the API permissions page and click Add a permission.
    • Select the Office 365 Management APIs tile.
    • Click Application permissions.
    • Under ActivityFeed, select the ActivityFeed.Read permission. This is the minimum permission required to read your organization’s audit logs, as stated in the documentation. Optionally, select ActivityFeed.ReadDlp to also read DLP policy events.
    • Click Add permissions.
    • If the User.Read permission under the Microsoft Graph tile was not added by default, add it.
    • After the permissions are added, an administrator must grant admin consent for them; application permissions are not effective until consent is granted.

Once the secret is created and the permissions have been granted by an administrator, set up the Elastic Agent’s Microsoft Office 365 integration:

  • Click Add Microsoft Office 365.
  • Enable Collect Office 365 audit logs via Management Activity API using CEL Input.
  • Enter the Directory (tenant) ID noted in step 1 into the Directory (tenant) ID parameter. This is a required field.
  • Enter the Application (client) ID noted in step 1 into the Application (client) ID parameter. This is a required field.
  • Enter the secret Value noted in step 2 into the Client Secret parameter. This is a required field.
  • Optionally set OAuth2 Token URL, the endpoint used to obtain access tokens during the OAuth2 flow. If it is not provided, the token endpoint is derived from the Directory (tenant) ID above.
  • Modify any other parameters as necessary.
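As an added example (not code from the integration or from Elastic), the following Python client shows what the parameters above are used for: an OAuth2 client-credentials token request against the Directory (tenant) ID using the Application (client) ID and secret from steps 1 and 2, followed by the Management Activity API calls (start a subscription for a content type, list the content blobs for a time window, fetch each blob). It also de-duplicates on the event Id, which is why overlapping time windows do not yield duplicate events. The tenant and client identifiers, `fake_transport` and the sample events are constructed so the block runs offline; the default `urllib_transport` talks to the real endpoints. The 24-hour window and 7-day lookback in the comments are limits of the Management Activity API.

```python
import json
import urllib.parse
import urllib.request

# Entra ID token endpoint (client-credentials flow), Management Activity API root, and resource scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
SCOPE = "https://manage.office.com/.default"


def urllib_transport(method, url, headers=None, data=None):
    """Real HTTP transport; returns (status, response headers, body text)."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, dict(resp.headers), resp.read().decode()


class ActivityFeedClient:
    """Token, subscription start, content listing and blob fetch, de-duplicated on event Id."""

    def __init__(self, tenant_id, client_id, client_secret, http=urllib_transport):
        self.tenant, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.http = http       # injectable so the flow can be exercised offline
        self.token = None      # production code must renew it before expires_in elapses
        self.seen_ids = set()

    def get_token(self):
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "scope": SCOPE}).encode()
        status, _, body = self.http("POST", TOKEN_URL.format(tenant=self.tenant),
                                    {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {body}")
        self.token = json.loads(body)["access_token"]
        return self.token

    def _call(self, method, url):
        if self.token is None:
            self.get_token()
        status, headers, body = self.http(method, url, {"Authorization": f"Bearer {self.token}"})
        if status != 200:
            raise RuntimeError(f"{method} {url} failed: {status} {body}")
        return headers, (json.loads(body) if body else [])

    def _feed_url(self, path, **params):
        return f"{FEED_URL.format(tenant=self.tenant)}/{path}?" + urllib.parse.urlencode(params)

    def start_subscription(self, content_type):
        """Enable a content type once (DLP.All additionally needs ActivityFeed.ReadDlp)."""
        return self._call("POST", self._feed_url("subscriptions/start", contentType=content_type))[1]

    def list_content(self, content_type, start_time, end_time):
        """List blobs for a window (max 24h, at most 7 days back); pages link via NextPageUri."""
        url = self._feed_url("subscriptions/content", contentType=content_type,
                             startTime=start_time, endTime=end_time)
        blobs = []
        while url:
            headers, page = self._call("GET", url)
            blobs.extend(page)
            url = next((v for k, v in headers.items() if k.lower() == "nextpageuri"), None)
        return blobs

    def fetch_new_events(self, content_type, start_time, end_time):
        """Download every blob in the window; return only events whose Id is new."""
        new_events = []
        for blob in self.list_content(content_type, start_time, end_time):
            for event in self._call("GET", blob["contentUri"])[1]:
                if event["Id"] not in self.seen_ids:
                    self.seen_ids.add(event["Id"])
                    new_events.append(event)
        return new_events


# Constructed stand-in for the service so the flow runs offline; blob 2 repeats e2 from blob 1.
BLOB = FEED_URL.format(tenant="contoso-tenant-id") + "/audit/blob-{}"
SAMPLE_BLOBS = {
    BLOB.format(1): [{"Id": "e1", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example"},
                     {"Id": "e2", "Operation": "Add member to role.", "UserId": "admin@contoso.example"}],
    BLOB.format(2): [{"Id": "e2", "Operation": "Add member to role.", "UserId": "admin@contoso.example"},
                     {"Id": "e3", "Operation": "Update user.", "UserId": "admin@contoso.example"}],
}


def fake_transport(method, url, headers=None, data=None):
    parts = urllib.parse.urlsplit(url)
    if parts.path.endswith("/oauth2/v2.0/token") and b"grant_type=client_credentials" in data:
        return 200, {}, json.dumps({"access_token": "constructed-token", "expires_in": 3599})
    if (headers or {}).get("Authorization") != "Bearer constructed-token":
        return 401, {}, '{"error": "unauthorized"}'
    if parts.path.endswith(("/subscriptions/start", "/subscriptions/content")):
        ctype = urllib.parse.parse_qs(parts.query)["contentType"][0]
        if parts.path.endswith("/start"):
            return 200, {}, json.dumps({"contentType": ctype, "status": "enabled"})
        return 200, {}, json.dumps([{"contentType": ctype, "contentUri": u} for u in SAMPLE_BLOBS])
    if url in SAMPLE_BLOBS:
        return 200, {}, json.dumps(SAMPLE_BLOBS[url])
    return 404, {}, ""


def demo():
    """Two overlapping pulls against the fake service: 3 unique events, then 0 new ones."""
    client = ActivityFeedClient("contoso-tenant-id", "app-client-id", "secret-value", http=fake_transport)
    client.start_subscription("Audit.AzureActiveDirectory")
    first = client.fetch_new_events("Audit.AzureActiveDirectory", "2024-05-01T00:00:00", "2024-05-02T00:00:00")
    second = client.fetch_new_events("Audit.AzureActiveDirectory", "2024-05-01T12:00:00", "2024-05-02T12:00:00")
    return len(first), len(second)
```

If the token request returns 401 or `AADSTS` errors, recheck the tenant ID, the secret Value (not the secret ID) and whether admin consent was actually granted; a 403 from `manage.office.com` with a valid token usually means the ActivityFeed permission is missing or the audit log is not enabled for the tenant.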
Note

Because Microsoft no longer supports the Azure Active Directory Authentication Library (ADAL), the existing o365audit input was deprecated in favor of the CEL input in version 1.18.0. Consequently, for versions >= 1.18.0, certificate-based authentication (provided by the earlier o365audit input) is no longer supported.

Users upgrading from integration version < 1.18.0 to >= 1.18.0 should follow these steps:

  1. Upgrade the Elastic Stack to version >= 8.7.1.

  2. Upgrade the integration by navigating to Integrations -> Microsoft Office 365 -> Settings -> Upgrade.

  3. Upgrade the integration policy by navigating to Integrations -> Microsoft Office 365 -> Integration policies -> Version (Upgrade). If the Upgrade option does not appear under Version, the policy was already upgraded in the previous step; go to the next step.

  4. Modify the integration policy:

    • Disable the existing configuration (marked as Deprecated) and enable the Collect Office 365 audit logs via CEL configuration.
    • Add the required parameters (Directory (tenant) ID, Application (client) ID, Client Secret) based on the previous configuration.
    • Verify or update the Initial Interval parameter, which sets how far back the first collection fetches events. It defaults to 7 days. Overlap with already-collected time ranges does not produce duplicate events.
    • Update the other configuration parameters as required and click Save integration.

Please refer to Upgrade an integration if you run into issues while upgrading the integration.

The ingest-geoip and ingest-user_agent Elasticsearch plugins are required by this integration’s ingest pipelines.

The integration uses the Office 365 Management Activity API to retrieve audit messages from the Office 365 and Azure AD activity logs. These are the same logs that are available under Audit log search in the Microsoft Purview compliance portal (formerly the Security and Compliance Center).