Microsoft Office 365 Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Microsoft Office 365 Input enables Graylog to ingest logs from Office 365, Microsoft's widely used cloud-based productivity suite.

Hint: Please note that while Microsoft has rebranded their Office 365 product to Microsoft 365, the following input as documented remains unaffected by this change.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • To use the Office 365 plugin, create and authorize a client application through your organization’s Microsoft Azure portal. Your Graylog installation will then poll your Office 365 audit log and ingest new logs into Graylog on a specified interval.

  • A working Office 365 subscription with access to audit logs and to the Microsoft Azure portal for your organization is required. (E5/A5 accounts typically have the required access, but this will need to be verified.)

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

  1. Create an Azure Active Directory application with the following actions:

    1. Provide an application name (e.g. Graylog Log Access).

    2. Choose Single tenant or Multi-tenant, based on your organization's directory setup.

    3. Skip the Redirect URI option.

  2. After registration, note the following values:

    • Application (client) ID

    • Directory (tenant) ID

  3. Create a client secret.

  4. Add Office 365 Management API permissions and select all available permissions.

  5. Grant admin consent to apply permissions.

  6. Navigate to the Audit Log Search page in Microsoft Purview and click the Start recording user and admin activity button to enable audit logging. Up to 24 hours may be needed for logs to enter Graylog the first time Unified Audit Log is enabled. We strongly recommend waiting 24 hours before proceeding with O365 Input setup in Graylog to ensure your subscription in Azure is properly set up for audit logging. If there is no blue button stating Start recording user and admin activity, then audit logging is already enabled, and you can proceed with the remainder of input configuration.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Application (client) ID

  • Directory (tenant) ID

  • Client Secret
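As an added pre-flight check (example code, not part of Graylog or of this page) that exercises the three values above against the Office 365 Management Activity API: it obtains a token with the client credentials and reports which of the input's five log types have no enabled audit subscription yet. It assumes the API's v2.0 token endpoint, the `.default` scope for manage.office.com, the subscriptions/list response format, and the O365_* environment variable names; the sample response is constructed.

```python
# Pre-flight check for the Entra app registration used by the Graylog Office 365 input.
# Added example, not Graylog code; assumes the Office 365 Management Activity API
# (v2.0 token endpoint on login.microsoftonline.com, manage.office.com/api/v1.0).
import json
import os
import urllib.parse
import urllib.request

# The input's five log types mapped to Management Activity API content types.
LOG_TYPES = {
    "Azure Active Directory": "Audit.AzureActiveDirectory", "SharePoint": "Audit.SharePoint",
    "Exchange": "Audit.Exchange", "General": "Audit.General", "DLP": "DLP.All",
}
# Constructed sample of a subscriptions/list response, used for the offline dry run.
SAMPLE_RESPONSE = [{"contentType": "Audit.Exchange", "status": "enabled"},
                   {"contentType": "DLP.All", "status": "disabled"}]

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (URL, form body) for the Management API scope."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://manage.office.com/.default",
    }).encode()
    return url, body

def subscriptions_url(tenant_id):
    return f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/list"

def missing_subscriptions(subscriptions):
    """Input log types with no enabled content-type subscription in the API response."""
    enabled = {s["contentType"] for s in subscriptions if s.get("status") == "enabled"}
    return [name for name, ct in LOG_TYPES.items() if ct not in enabled]

def fetch_json(url, body=None, headers=None):
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("O365_TENANT_ID", "O365_CLIENT_ID", "O365_CLIENT_SECRET")]
    if all(env):  # live check: the token request fails if the secret or admin consent is wrong
        token = fetch_json(*token_request(*env))["access_token"]
        subs = fetch_json(subscriptions_url(env[0]), headers={"Authorization": f"Bearer {token}"})
    else:
        subs = SAMPLE_RESPONSE  # no credentials in the environment: dry run on the sample
    print("Not yet enabled:", missing_subscriptions(subs) or "none, all five log types subscribed")
```

Run it with O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET set to the values noted above; without them it only evaluates the constructed sample.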

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

  • Input Name: Provide a unique name for your new input.

  • Directory (tenant) ID: The ID of the Active Directory instance for which Graylog will collect log data.

  • Application (client) ID: The ID of the client application created above.

  • Client Secret: The client secret of your registered application in Microsoft Entra ID.

  • Subscription Type: Indicates what type of Office 365 subscription you have. Enterprise and GCC government plans are the most common selections.

  • Log Types to Collect: Determines which of the five available log types the input will pull from Office 365. All log types are selected by default: Azure Active Directory, SharePoint, Exchange, General, and DLP.

  • Polling Interval: Determines how often (in minutes) Graylog checks for new log data. The shortest allowable interval is 5 minutes. We recommend leaving this at the default value. The value should not be less than 1 (minute).

  • Drop DLP logs containing sensitive data: For each DLP event, O365 produces a summary log with no sensitive data and a detailed log that contains the sensitive data. When set, this option drops the detailed logs and prevents sensitive data from being stored in Graylog.

  • Enable Throttling: Allows Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

  • Store Full Message: Permits Graylog to store the raw log data in the full_message field for each log message. Selecting this option can result in a significant increase in the amount of data stored.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: