Breadcrumbs

(LRCloud Only) Configure Office 365 Management Activity Using Cloud to Cloud

This document explains how to configure the collection from O365 management activity using the web console's cloud to cloud functionality. This is available to LRCloud customers only.

Prerequisites

Before you start to configure the collection from O365, you must ensure the following:

  • 0365 is configured to send logs via Rest API. (See Configure Office 365 Management Activity for instructions.)

  • Customer is an LRCloud customer that has their environment hosted.

  • You have the required values for 0365 Management Activity: Client secret and Tenant Domain.

Initialize the Log Source

  1. Log into the web console as a Restricted Administrator User.

  2. On the top navigation bar, click the Administration icon and select Cloud Log Collection.

  3. At the top of the page, click New Log Source.

  4. Select the tile for Office 365 Management Activity Sysmon Agent.
    The Add Office 365 Management Activity Log Source screen appears.
    0365.png

  5. Enter the following details:

    Setting

    Default Value

    Description

    Name

    N/A

    Enter the name for this log source.

    Description

    N/A

    (Optional) Enter a description for this log source.

    Management Activity API Host

    manage.office.com

    (Enterprise plan)

    Host name of the Management Activity API. The default value is for Enterprise customers. The following table indicates values for government plans.

    Government Plan

    Value

    GCC government

    manage-gcc.office.com

    GCC high government

    manage.office365.us

    DoD government

    manage.protection.apps.mil


    Login URL

    login.microsoftonline.com

     Enter the value based on your plan. Following are example values:

    Tenant Domain

    N/A

    Specify your domain in the following format:

    <YOUR_DOMAIN>.onmicrosoft.com

    Client ID or Application ID

    N/A

    Enter the Client ID (alternatively known as the Application ID). You can obtain the ClientID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe.

    Tenant ID or Directory ID

    N/A

    Enter the Tenant ID (alternatively known as the Directory ID). You can obtain the TenantID from the Azure AD portal. This can be found in your App Registration > Overview screen. For example, a0b2345c-1aa2-ab1c-ab34-abc12345acbe

    Client Secret

    N/A

    Enter the client secret "Value" that is generated from the Azure AD portal (not the "Secret ID"). For example, a0b2345c-1aa2-ab1c-ab34-abc12345a.

    For instructions on generating your client secret, see REST API - Obtaining your Client Secret.

    Audit General

    false

    Enable auditing of General events. Option of false or true.

    Audit Azure Active Directory

    false

    Enable auditing of Azure Active Directory Management events. Option of false or true

    Audit Exchange

    false

    Enable auditing of Exchange Management events. Option of false or true.

    Audit Sharepoint

    false

    Enable auditing of Sharepoint events. Option of false or true.

    Audit DLP

    false

    Enable auditing of General events. Option of false or true.


  6. Click Save.

Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.

The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the log sources are moved to the new host. This is done in the log source properties screen, not from the log source grid.

For security purposes, the values entered are encrypted using LRCrypt.

Default Config Values for 0365 Management Activity

Setting

Default Value

Timeout

300

LogApiRequests

false

MaxBatchSize

10

StopCountFetchNewContentIds

1000

StopCountCacheFiles

50

NumOfBackMinutesData

15

CollectionDelay

1

Recommendations

Create a Separate Log Source for Each Office 365 Event Stream

The Office 365 Management Activity Log Source consists of multiple event streams from within the Office 365 environment. We recommend you split these streams into separate log sources. This enables ease of analytics and increases log source throughput efficiency.

To create separate log sources, do the following:

  1. Create a different cloud to cloud configuration in the web console for each events stream within Office 365. In each configuration file, select one of the events streams to be true, and all other events streams to be false. The possible events streams you can enable are:AuditAzureActiveDirectoryAuditExchangeAuditSharepointDLPEventsAuditGeneral

  2. Name each log source to correspond to the events stream you selected to be true in that configuration. 

    Example

    Events stream: AuditAzureActiveDirectory

    Configuration file settings:

    • AuditAzureActiveDirectory=true

    • AuditExchange=false

    • AuditSharepoint=false

    • DLPEvents=false

    • AuditGeneral=false


  3. Repeat this process for all of the remaining event streams you wish to enable.

    The log source type for all of the events streams will still be API - Office 365 Management Activity.