This document explains how to configure the collection from O365 management activity using the web console's cloud to cloud functionality. This is available to LRCloud customers only.
Before you start to configure the collection from O365, you must ensure the following:
- 0365 is configured to send logs via Rest API. (See Configure Office 365 Management Activity for instructions.)
- Customer is an LRCloud customer that has their environment hosted.
- You have the required values for 0365 Management Activity: Client secret and Tenant Domain.
Initialize the Log Source
- Log into the web console as a Restricted Administrator User.
- On the top navigation bar, click the Administration icon and select Cloud Log Collection.
- At the top of the page, click New Log Source.
- Select the tile for Office 365 Management Activity Sysmon Agent.
The Add Office 365 Management Activity Log Source screen appears.
Enter the following details:
Setting Default Value Description Name N/A Enter the name for this log source. Description N/A (Optional) Enter a description for this log source. Management Activity API Host
Host name of the Management Activity API. The default value is for Enterprise customers. The following table indicates values for government plans.
Login URL login.microsoftonline.com
Enter the value based on your plan. Following are example values:
Tenant Domain N/A
Specify your domain in the following format:
Client ID or Application ID N/A Enter the Client ID (alternatively known as the Application ID). You can obtain the ClientID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe. Tenant ID or Directory ID N/A
Enter the Tenant ID (alternatively known as the Directory ID). You can obtain the TenantID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe
Client Secret N/A
Enter the client secret "Value" that is generated from the Azure AD portal (not the "Secret ID"). For example, a0b2345c-1aa2-ab1c-ab34-abc12345a.
For instructions on generating your client secret, see REST API - Obtaining your Client Secret.
Audit General false Enable auditing of General events. Option of false or true. Audit Azure Active Directory false Enable auditing of Azure Active Directory Management events. Option of false or true Audit Exchange false Enable auditing of Exchange Management events. Option of false or true. Audit Sharepoint false Enable auditing of Sharepoint events. Option of false or true. Audit DLP false Enable auditing of General events. Option of false or true.
- Click Save.
Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.
The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the log sources are moved to the new host. This is done in the log source properties screen, not from the log source grid.
For security purposes, the values entered are encrypted using LRCrypt.
Default Config Values for 0365 Management Activity
Create a Separate Log Source for Each Office 365 Event Stream
The Office 365 Management Activity Log Source consists of multiple event streams from within the Office 365 environment. We recommend you split these streams into separate log sources. This enables ease of analytics and increases log source throughput efficiency.
To create separate log sources, do the following:
- Create a different cloud to cloud configuration in the web console for each events stream within Office 365. In each configuration file, select one of the events streams to be true, and all other events streams to be false. The possible events streams you can enable are:
Name each log source to correspond to the events stream you selected to be true in that configuration.
Events stream: AuditAzureActiveDirectory
Configuration file settings:
Repeat this process for all of the remaining event streams you wish to enable.
The log source type for all of the events streams will still be API - Office 365 Management Activity.