circle-info
Welcome to the new Logpoint documentation portal! Can’t find what you’re looking for?
Logpoint Documentationarrow-up-right
search

Ingest Logs

hashtag
Prerequisites

  • Logpoint version: v7.5.0 or later

  • Microsoft 365 subscription with:

    • a tenant admin account

    • a service user account

  • Outbound access to the following URLs (allowlist these in your network):

    • https://login.microsoftonline.com/{tenant_id}

    • https://login.microsoftonline.com

    • https://manage.office.com/api/v1.0/list/activity/feed/subscriptions

    • https://login.microsoftonline.com/{tenant_id}/oauth2/authorize

    • https://login.windows.net/

hashtag
Install the integration

  1. Download the .pak file from the Service Deskarrow-up-right.

  2. Go to Settings >> System Settings.

  3. Click Applications.

  4. Click Import.

  5. Upload the downloaded .pak file.

  6. Verify the integration appears under Settings >> System Settings >> Plugins.

hashtag
Configure log ingestion

You can configure this integration using one of the following methods:

  1. Log source template (recommended)

  2. Devices

hashtag
Method 1: Configure using a log source template

Office365 provides a Microsoft365 log source template with pre-defined settings for:

  • Source

  • Connector

  • Routing

  • Normalization

  • Enrichment

Some fields in the template must be configured manually.

hashtag
Create a log source

  1. Go to Settings >> Log Sources.

  2. Click + Add Log Source.

  3. Click + Create New.

  4. Select Microsoft365.

hashtag
Integration-specific configuration

The Microsoft365 log source template has pre-defined settings, but you must configure some fields manually.

Configure the following template sections:

Source

  1. Click Source.

  2. Enter the log source Name.

  3. Set Fetch Interval (min).

  4. Select Charset.

  5. Select Time Zone.

Connector

  1. Click Connector.

  2. Enter Client Secret, Subscription Id, Tenant ID, and Client ID (obtained when configuring Microsoft Entra ID).

Routing

  1. Click Routing.

  2. Click + Create Repo.

  3. Enter a Repo name and Path to store incoming logs.

  4. Enter Retention (Days) to specify the number of days logs are kept in a repository before they are automatically deleted.

  5. In Availability, select the Remote logpoint and Retention (Days).

  6. Click Create Repo.

  7. In Repo, select the created repo to store logs.

Create Routing Criteria

  • Click + Add row.

  • Enter Key and Value (criteria applied only to logs with this key/value).

  • Select an Operation:

    • Store raw message — store incoming and normalized logs

    • Discard raw message — discard incoming, store normalized

    • Discard entire event — discard both incoming and normalized logs

To delete a routing criteria, click the delete icon under Action.

Normalization Select a normalization policy that includes Office365CompiledNormalizer. (If you do not have a policy, create one using the compiled normalizer.)

Enrichment In enrichment, select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation, before analyzing it.

  1. Click Enrichment.

  2. Select an Enrichment Policy.

  3. Click Create Log Source to save the configurations of Source, Connector, Routing, Normalization, and Enrichment.

hashtag
Method 2: Configure using devices

circle-info

When you run the Office365 fetcher for the first time, Logpoint creates subscriptions to the audit log sources in the API. After subscriptions are created, there can be a 12–24 hour delay before logs start arriving.

hashtag
Create a normalization policy (required)

  1. Go to Settings >> Configuration.

  2. Click Normalization Policies.

  3. Click Add.

  4. Enter a policy name.

  5. Select Office365CompiledNormalizer.

  6. Click Submit.

hashtag
Create a processing policy

  1. Go to Settings >> Configuration.

  2. Click Processing Policies.

  3. Click Add.

  4. Enter a policy name.

  5. Select the Office 365 normalization policy you created earlier.

  6. Select your enrichment policy (if applicable).

  7. Select your routing policy.

  8. Click Submit.

hashtag
Configure the Office365 fetcher

Before you configure the fetcher in Logpoint, configure Microsoft Entra ID (Azure portal) and collect the required values: Client secret, Certificate thumbprint, Certificate file, Tenant ID, Client ID, and Subscription ID.

  1. Go to Settings >> Configuration >> Devices.

  2. Under the localhost device, click Add collectors/fetchers.

  3. Select Office365 Fetcher.

  4. Click Add.

  5. Select Authentication mode.

  6. Enter Subscription Id.

  7. If you selected Public Client, enter Username.

    1. If you selected Public Client, enter Password.

  8. If you selected Client Secret, enter Client Secret.

  9. If you selected Certificate, enter Certificate Thumbprint.

    1. If you selected Certificate, upload the Certificate File (.pem).

  10. Enter Fetch Interval (minutes).

  11. Select the Processing Policy that uses the Office 365 normalization policy.

  12. Enter Tenant ID (Directory/tenant ID).

  13. Enter Application ID (Application/client ID).

  14. If you use a proxy, select Enable Proxy.

  15. If proxy is enabled, enter IP/Port.

  16. If proxy is enabled, select HTTP or HTTPS.

  17. Click Test to validate the configuration.

  18. Click Submit.

hashtag
Verify ingestion

Use the following query to verify logs are ingested:

Confirm that events appear in the expected repository after the fetch interval (and account for the first-time 12–24 hour subscription delay).

Last updated

Was this helpful?