Configuring Office365

To configure Office365 in Logpoint, you must first configure it in the Azure portal and retrieve the Client secret, Certificate Thumbprint, Certificate File, tenant ID, client ID and Subscription ID.

Note

While we provide Azure portal instructions in this guide, it’s important to be aware that the Azure portal interface may change over time. To ensure you have the most up-to-date information and to navigate any potential changes in the Azure portal interface, we recommend referring to the official Azure portal documentation.

Configuring Office365 Fetcher in Microsoft Entra ID

Registering the Office365 Fetcher in Microsoft Entra ID

  1. Go to the Azure Portal.

  2. Go to Microsoft Entra ID >> App registrations.

  3. Click New registration.

  4. Enter a Name.

  5. Select Supported account types.

  6. In Redirect URI (optional):

    6.1 Select Public client (mobile & desktop).

    6.2 Enter the following address.

    http://localhost
    
  7. Click Register.

_images/Office365_newApp_create.png

Creating a New Application

Note

You need the Application (client) ID and the Directory (tenant) ID to Configure the Office365 Fetcher in Logpoint and to Configure Office365 from Log Source.

_images/Office365_applicationID.png

Application ID

  1. Go to API permissions and click Add a permission.

_images/office365_applicationpermission.png

Adding a Permission

  1. Click Microsoft APIs.

  2. Select Office 365 Management APIs.

_images/office365_office365managementAPIs.png

Selecting Office 365 Management APIs

  1. Click Application permissions.

_images/office365_permissions.png

Application Permissions

  1. Select all the available read permissions (ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read). The fetcher only reads audit content, so do not grant any write permission to the application.

  2. Click Add permissions.

_images/office365_.selectingreadpermissions.png

Selecting Read Permissions

  1. Click Grant admin consent for Default Directory.

_images/office365_grantpermissionsforlp.png

Granting Admin Consent

  1. Click Yes.

_images/office365_dialoguebox.png

Confirmation Dialog Box

_images/office365_grantconsent.png

Grant Consent

  1. Go to Authentication.

  2. Enable Allow public client flows to Yes.

_images/office365.png

Public Client Flows

Alternatively, you can add the following key to the Manifest in the Azure portal.

"allowPublicClient": true

  1. Click Certificates & secrets and then Client secrets.

  2. Click New client secret.

_images/clientsecret.png

Client Secret

  1. Enter a Description.

  2. Select an expiration date for the client secret in Expires. The fetcher stops authenticating once the secret expires, so record the date and plan the rotation.

  3. Click Add. Copy the secret's Value as soon as it is displayed; the portal shows it only once, and this is the value the Client Secret field in Logpoint expects (not the Secret ID).

_images/clientsecretdd.png

Adding a Client Secret

Uploading Certificates in the Microsoft Entra ID

  1. Run the following commands to generate a private key and a self-signed certificate. They can be run on any device (Linux server/Windows machine) where OpenSSL is installed. We recommend using the Logpoint console via li-admin, as OpenSSL is pre-installed in Logpoint.

    1.1. Enter the following command to generate a 2048-bit RSA private key (server.pem):

    openssl genrsa -out server.pem 2048
    

    1.2. Enter the following command to create a certificate signing request. OpenSSL prompts for the subject fields; because the certificate is self-signed, the values are informational only:

    openssl req -new -key server.pem -out server.csr
    

    1.3. Enter the following command to generate a self-signed certificate (server.crt) valid for 365 days:

    openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
    
  2. Keep both generated files. server.crt is the public certificate and is uploaded to the Azure portal; server.pem contains the private key and is uploaded to Logpoint when configuring Office365. Protect server.pem like any other credential: anyone holding it can request tokens as the application with the permissions granted above. Note the certificate's expiry date (365 days with the command above) and renew and re-upload it before then, as Microsoft Entra ID rejects the fetcher's token requests once the certificate has expired.

  3. Click Certificates & secrets on application page in Microsoft Entra ID.

  4. Click Certificates and Upload Certificate.

_images/certificate.png

Uploading a Certificate

  1. Select and upload the previously saved certificate with the extension .crt.

  2. Enter a Description for the certificate.

  3. Click Add.

_images/uploadcertificate.png

Uploading a Certificate

Note down the Thumbprint of the certificate. You need it to Configure the Office365 Fetcher in Logpoint.

_images/value.png

Value of Client Secret
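The procedure above is easy to get subtly wrong: the wrong file gets uploaded, or the thumbprint typed into Logpoint does not match the certificate Entra ID holds. The following script is an added example, not Logpoint's own tooling, that generates the key pair non-interactively and prints the thumbprint in the exact format Entra ID displays (SHA-1 over the DER certificate, upper-case hex, no colons), cross-checks it against the DER hash, confirms that the private key in server.pem belongs to the certificate in server.crt, and checks how long the certificate remains valid. It assumes openssl is on PATH and uses the guide's file names and a placeholder subject CN.

```shell
#!/bin/sh
# Added example, not Logpoint's own tooling: produce the key pair for the
# Office365 Fetcher "Certificate" mode and print the thumbprint exactly as
# Microsoft Entra ID displays it, so the value entered in Logpoint can be
# checked before the fetcher is submitted.
# Assumptions: openssl is on PATH; the file names server.pem (private key)
# and server.crt (certificate) follow the guide; the subject CN is a placeholder.
set -eu

# Generate a 2048-bit RSA private key and a self-signed certificate without
# interactive prompts (the guide's "openssl req" + "openssl x509 -req" steps
# collapsed into one "openssl req -x509" call).
# $1 = private key file, $2 = certificate file, $3 = validity in days
make_fetcher_cert() {
    key="$1"; crt="$2"; days="$3"
    # umask 077: the private key file is created readable by its owner only
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$key" -days "$days" \
        -subj "/CN=logpoint-office365-fetcher" -out "$crt" 2>/dev/null
}

# Entra ID shows the SHA-1 fingerprint of the DER-encoded certificate as
# upper-case hex without colons; reproduce that format from the .crt file.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Independent cross-check of the same value: hash the DER form directly.
cert_thumbprint_via_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
        | sed -e 's/^.*= *//' | tr 'a-f' 'A-F'
}

# The .crt uploaded to Entra ID must belong to the .pem uploaded to Logpoint:
# compare the public key embedded in each file.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# True if the certificate is still valid $2 days from now; use it to schedule
# renewal before Entra ID starts rejecting the fetcher's token requests.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if [ "${1:-}" = "run" ]; then
    make_fetcher_cert server.pem server.crt 365
    echo "Certificate Thumbprint for Logpoint: $(cert_thumbprint server.crt)"
    key_matches_cert server.pem server.crt && echo "server.pem matches server.crt"
    cert_valid_for_days server.crt 30 && echo "certificate valid for at least 30 more days"
fi
```

Run it as `sh office365_cert.sh run` in an empty directory; compare the printed thumbprint with the Thumbprint column shown under Certificates in the Azure portal before entering it in Logpoint. The same thumbprint function works on a certificate produced with the guide's three separate commands.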

Acquiring Subscription ID

Follow the steps outlined in Find your Azure subscription to get your Subscription ID. This is used to Configure Office365 from Log Source.

Configuring Office365 from Devices

After configuring Office365 in Azure Portal and retrieving authentication credentials, you can now setup Office365 in Logpoint.

When you configure and run Office365 for the first time, the fetcher creates a subscription for each audit content type in the Office 365 Management Activity API. Once the subscriptions are set, there is a time gap of 12 to 24 hours before the logs start to come in, so an empty search shortly after configuration does not by itself indicate a problem.

Adding a Normalization Policy

You can add a normalization policy using the Office365CompiledNormalizer, which normalizes and standardizes logs for storage, analysis, and retrieval. This normalization policy can be used in the processing policy to process Office365 logs.

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select Office365CompiledNormalizer.

  5. Click Submit.

_images/office365_addNormalizationPolicy.png

Adding a Normalization Policy

Adding a Processing Policy

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the Normalization Policy created for Office365.

  5. Select the Enrichment Policy and Routing Policy.

  6. Click Submit.

_images/office365_addProcessingPolicy.png

Adding a Processing Policy

Configuring Office365 Fetcher

After adding normalization and processing policies, and after configuring Microsoft Entra ID and retrieving the Office365 authentication credentials, you can add the Office365 Fetcher in Logpoint.

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add collectors/fetchers (add) icon under Actions of the localhost device.

  3. Click Office365 Fetcher.

  4. Click Add.

  5. Select a mode of Authentication:

    • If you select Public Client, enter the Office 365 Username and Password. This mode authenticates with a user account's stored password (a public-client username/password flow), so it does not work when that account requires multi-factor authentication; for an unattended fetcher, prefer Certificate or Client Secret.

      _images/publicclient.png

      Public Client

    • If you select Client Secret, enter the value of client secret in the Client Secret.

      _images/clientsecret321.png

      Client Secret

    • If you select Certificate,

      • Enter the Office 365 Certificate Thumbprint in the Certificate Thumbprint.

      • Upload the previously saved Certificate with the .pem extension in the Certificate File.

        _images/certficate234.png

        Certificate Thumbprint

  6. Enter the Fetch Interval (minutes).

  7. Select a Processing Policy that uses the previously created normalization policy.

  8. Enter the Directory (tenant) ID in the Tenant ID.

  9. Enter the Application (client) ID in the Application ID.

  10. Select Enable Proxy if you use a proxy server.

  11. In Proxy Configuration:

    11.1 Enter the proxy server IP Address and the Port number.

    11.2 Select HTTP or HTTPS protocol.

  12. Click Test to validate the configuration.

  13. Click Submit.

Configure Office365 from Log Source

Logpoint provides the Microsoft365 log source template, which has pre-defined settings and configurations to fetch Office365 logs. However, some fields in the template must be configured manually.

  1. Go to Settings >> Log Sources from the navigation bar and click + Add Log Source.

  2. Click + Create New and select Microsoft365.

Source

In Source, you add details about the log source from which the Microsoft365 log source fetches logs.

  1. Click Source.

  2. Enter the Log Source’s Name.

  3. Select the frequency at which data is retrieved in Fetch Interval (min).

  4. Select the Charset and Time Zone.

Connector

Connector is a pathway for transmitting logs from various sources to Logpoint. In Connector, you configure how the Microsoft365 log source and Office 365 communicate with each other.

  1. Click Connector.

  2. Enter the Client Secret, Subscription Id, Tenant ID, and Client ID. You obtain all of these values while Configuring Office365 Fetcher in Microsoft Entra ID and in Acquiring Subscription ID.

Routing

In Routing, you create repos and routing criteria for the Microsoft365 log source. Repos are locations where incoming logs are stored, and routing criteria determine the conditions under which these logs are sent to repos.

To create a repo:

  1. Click Routing and + Create Repo.

  2. Enter a Repo name.

  3. In Path, enter the location to store incoming logs.

  4. In Retention (Days), enter the number of days logs are kept in a repository before they are automatically deleted.

  5. In Availability, select the Remote Logpoint and Retention (Days).

  6. Click Create Repo.

In Repo, select the created repo to store logs.

To create Routing Criteria:

  1. Click + Add row.

  2. Enter a Key and Value. The routing criteria is only applied to those logs which have this key-value pair.

  3. Select an Operation for logs that have this key-value pair.

    3.1. Select Store raw message to store both the incoming and the normalized logs in the selected repo.

    3.2. Select Discard raw message to discard the incoming logs and store the normalized ones.

    3.3. Select Discard entire event to discard both the incoming and the normalized logs.

  4. In Repository, select a repo to store logs.

Click the delete icon under Action to delete the created routing criteria.

Normalization

In normalization, you can select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format for consistent and efficient analysis.

  1. Click Normalization.

  2. Either select a previously created normalization policy from the Select Normalization Policy dropdown, or select a Normalizer from the list and click the Swap icon.

Enrichment

In enrichment, you can select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation, before analyzing it. For more information on enrichment, go to: Enrichment Policies.

  1. Click Enrichment.

  2. Select an Enrichment Policy.

Click Create Log Source to save the configurations of Source, Connector, Routing, Normalization, and Enrichment.

