
(LRCloud Only) Configure Office 365 Management Activity Using Cloud to Cloud

This document explains how to configure the collection from O365 management activity using the web console's cloud to cloud functionality. This is available to LRCloud customers only.

Prerequisites

Before you start to configure the collection from O365, you must ensure the following:

  • O365 is configured to send logs via REST API. (See Configure Office 365 Management Activity for instructions.)
  • Customer is an LRCloud customer that has their environment hosted.
  • You have the required values for O365 Management Activity: Client secret and Tenant Domain.

Initialize the Log Source

  1. Log into the web console as a Restricted Administrator User.
  2. On the top navigation bar, click the Administration icon and select Cloud Log Collection.
  3. At the top of the page, click New Log Source.
  4. Select the tile for Office 365 Management Activity Sysmon Agent.
    The Add Office 365 Management Activity Log Source screen appears.
  5. Enter the following details:

    Setting | Default Value | Description
    Name | N/A | Enter the name for this log source.
    Description | N/A | (Optional) Enter a description for this log source.
    Management Activity API Host | manage.office.com (Enterprise plan) | Host name of the Management Activity API. The default value is for Enterprise customers. The following table indicates values for government plans.

        Government Plan | Value
        GCC government | manage-gcc.office.com
        GCC high government | manage.office365.us
        DoD government | manage.protection.apps.mil

    Login URL | login.microsoftonline.com | Enter the value based on your plan. Following are example values:
    Tenant Domain | N/A | Specify your domain in the following format: <YOUR_DOMAIN>.onmicrosoft.com
    Client ID or Application ID | N/A | Enter the Client ID (alternatively known as the Application ID). You can obtain the ClientID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe.
    Tenant ID or Directory ID | N/A | Enter the Tenant ID (alternatively known as the Directory ID). You can obtain the TenantID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe.
    Client Secret | N/A | Enter the client secret "Value" that is generated from the Azure AD portal (not the "Secret ID"). For example, a0b2345c-1aa2-ab1c-ab34-abc12345a. For instructions on generating your client secret, see REST API - Obtaining your Client Secret.
    Audit General | false | Enable auditing of General events. Option of false or true.
    Audit Azure Active Directory | false | Enable auditing of Azure Active Directory Management events. Option of false or true.
    Audit Exchange | false | Enable auditing of Exchange Management events. Option of false or true.
    Audit Sharepoint | false | Enable auditing of Sharepoint events. Option of false or true.
    Audit DLP | false | Enable auditing of General events. Option of false or true.
  6. Click Save.

Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.

The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the log sources are moved to the new host. This is done in the log source properties screen, not from the log source grid.

For security purposes, the values entered are encrypted using LRCrypt.
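
The values entered in step 5 can be checked for shape before they are saved. The following is an added example, not part of the product or of the original page: the field names (api_host, tenant_domain and so on) are hypothetical, the sample input is constructed, and the rule that a GUID-shaped secret is probably the "Secret ID" is a heuristic.

```python
import re

# Management Activity API hosts from the settings table (host -> plan).
API_HOSTS = {
    "manage.office.com": "Enterprise",
    "manage-gcc.office.com": "GCC government",
    "manage.office365.us": "GCC high government",
    "manage.protection.apps.mil": "DoD government",
}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
TENANT_DOMAIN = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?\.onmicrosoft\.com", re.I)


def preflight(values):
    """Return problems found in a dict of form values; an empty list means OK."""
    # Messages name the field only and never echo a value, so the output can
    # be shared even when the client secret is the field at fault.
    problems = []
    for key, val in values.items():
        if val != val.strip():
            problems.append(f"{key}: leading or trailing whitespace")
    v = {key: val.strip() for key, val in values.items()}
    if v.get("api_host") not in API_HOSTS:
        problems.append("api_host: not a host listed for any plan")
    if not TENANT_DOMAIN.fullmatch(v.get("tenant_domain", "")):
        problems.append("tenant_domain: expected <YOUR_DOMAIN>.onmicrosoft.com")
    for key in ("client_id", "tenant_id"):
        if not GUID.fullmatch(v.get(key, "")):
            problems.append(f"{key}: not in GUID form")
    secret = v.get("client_secret", "")
    if not secret:
        problems.append("client_secret: empty")
    elif GUID.fullmatch(secret):
        # Heuristic (assumption): a Secret ID is a GUID, so a GUID-shaped
        # entry suggests the wrong column was copied from the portal.
        problems.append("client_secret: looks like the Secret ID, not the Value")
    return problems


# Constructed sample: trailing space on tenant_id, Secret ID pasted as the secret.
SAMPLE = {
    "api_host": "manage.office.com",
    "tenant_domain": "example.onmicrosoft.com",
    "client_id": "a0b2345c-1aa2-ab1c-ab34-abc12345acbe",
    "tenant_id": "a0b2345c-1aa2-ab1c-ab34-abc12345acbe ",
    "client_secret": "00000000-1111-2222-3333-444444444444",
}
```

Calling preflight(SAMPLE) reports the stray whitespace on tenant_id and the GUID-shaped client secret.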

Default Config Values for O365 Management Activity

Setting | Default Value
Timeout | 300
LogApiRequests | false
MaxBatchSize | 10
StopCountFetchNewContentIds | 1000
StopCountCacheFiles | 50
NumOfBackMinutesData | 15
CollectionDelay | 1

Recommendations

Create a Separate Log Source for Each Office 365 Event Stream

The Office 365 Management Activity Log Source consists of multiple event streams from within the Office 365 environment. We recommend you split these streams into separate log sources. This enables ease of analytics and increases log source throughput efficiency.

To create separate log sources, do the following:

  1. Create a different cloud to cloud configuration in the web console for each event stream within Office 365. In each configuration file, set one of the event streams to true, and all other event streams to false. The possible event streams you can enable are:
    • AuditAzureActiveDirectory
    • AuditExchange
    • AuditSharepoint
    • DLPEvents
    • AuditGeneral
  2. Name each log source to correspond to the event stream you set to true in that configuration.

    Example

    Event stream: AuditAzureActiveDirectory

    Configuration file settings:

    • AuditAzureActiveDirectory=true
    • AuditExchange=false
    • AuditSharepoint=false
    • DLPEvents=false
    • AuditGeneral=false
  3. Repeat this process for all of the remaining event streams you wish to enable.

    The log source type for all of the event streams will still be API - Office 365 Management Activity.
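
Once several log sources exist, the layout recommended above can be checked mechanically. The following is an added example, not part of the product or of the original page: it assumes each log source's stream settings have been recorded as KEY=true/false lines in the form shown in the example under step 2, and the log source names and sample settings are constructed.

```python
# Event stream setting names as they appear in the recommendation above.
STREAMS = ("AuditAzureActiveDirectory", "AuditExchange", "AuditSharepoint",
           "DLPEvents", "AuditGeneral")


def parse_settings(text):
    """Parse KEY=true/false lines; streams not listed keep the default, false."""
    flags = dict.fromkeys(STREAMS, False)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip(" \t•")  # tolerate the bullet used in the example above
        if sep and key in flags:
            flags[key] = value.strip().lower() == "true"
    return flags


def check_layout(configs):
    """configs maps log source name -> settings text.

    Returns (violations, uncollected): departures from the one-stream-per-
    log-source layout, and streams that no log source collects at all.
    """
    violations = []
    owners = {stream: [] for stream in STREAMS}
    for name, text in configs.items():
        enabled = [s for s, on in parse_settings(text).items() if on]
        if len(enabled) != 1:
            violations.append(f"{name}: {len(enabled)} streams enabled, expected 1")
        for stream in enabled:
            owners[stream].append(name)
    for stream, names in owners.items():
        if len(names) > 1:
            violations.append(f"{stream}: enabled in {', '.join(names)}")
    uncollected = [s for s, names in owners.items() if not names]
    return violations, uncollected


# Constructed sample: the second log source enables two streams.
SAMPLE = {
    "O365 AuditAzureActiveDirectory": "AuditAzureActiveDirectory=true\n"
        "AuditExchange=false\nAuditSharepoint=false\n"
        "DLPEvents=false\nAuditGeneral=false",
    "O365 AuditExchange": "AuditExchange=true\nAuditGeneral=true",
    "O365 AuditGeneral": "AuditGeneral=true",
}

if __name__ == "__main__":
    print(check_layout(SAMPLE))
```

The uncollected list is informational: a stream may be left out on purpose, but an audit stream missing from every log source is worth confirming.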
