The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Microsoft’s Office 365 provides cloud-based office apps like Word, Excel, and others. O365 Spotlight for Graylog Illuminate works with the Office 365 Log Events Enterprise Plugin to process Microsoft Office 365 logs by providing normalization and enrichment of common events. The Spotlight comes ready to use with several pre-built dashboard views including O365 Overview and tabs for Exchange, Azure Active Directory, and other O365 applications.
Supported Version(s)
- Current version of O365 as supported by Microsoft and the Graylog Office 365 Log Events Enterprise Plugin.
Stream Configuration
This technology pack includes one stream:
- “Illuminate:O365 Messages”
If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.
Index Set Configuration
This technology pack includes one index set definition:
- “Microsoft Office365 Event Log Messages”
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example
{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"}
Requirements
-
A configured Azure / Office 365 tenant and API keys.
-
A configured Graylog O365 input (see Configuring an O365 Input below).
What is Provided
-
Parsing rules to extract 0365 logs into Graylog schema compatible fields.
-
Dashboards
-
Data lookup tables to assist in normalizing 0365 log messages into the Graylog schema
Configuring an O365 Input
- On the Select Input drop-down menu, select System menu and then choose Inputs.
- Select Office 365 Log Events from the Select Input drop-down menu.
- Click Launch New Input.
- Assign a node or select Global mode.
- Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your O365 tenant.
- Click Verify Connection & Proceed.
- Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.
- Set the polling interval. (Graylog recommends starting with a polling interval of 3 minutes for the System Log API used by the Graylog O365 Log Events plugin.)
- This step is optional: Select Store Full Message. (This option consumes additional Graylog ingestion volume and storage requirements but may be required for compliance or other reasons.)
- Save the input settings.
- If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured O365 tenant.