Set up collection of Microsoft Office 365 logs

Alert Logic Log Manager supports Microsoft Office 365 log collection. To collect Office 365 logs in Log Manager, you must first create and set up an Alert Logic application in Microsoft Azure.

Before you begin

To grant Alert Logic the permissions it needs to collect Office 365 logs, you must have access to the following:

  • A Microsoft Office 365 account with administrative privileges
  • A Microsoft Azure account with administrative privileges
  • An Alert Logic account with administrative privileges

You cannot complete this procedure without administrative privileges in all three accounts.

Verifying Alert Logic administrative privileges

  1. Log in to the Azure portal and click the Cloud Shell icon to activate Azure Cloud Shell. If prompted, select the Bash command shell. The commands in this procedure do not work in PowerShell. Create a storage account if prompted to do so.
  2. In the command line, copy and paste the commands in this Admin Test file.
  3. If the response indicates you are an administrator, continue with this procedure. Otherwise, contact Alert Logic Support for assistance at (877) 484-8383 (US) or +44 (0) 203 011 5533 (UK).

Download Azure Resource Manager template

To set up the application in Azure, you must first download an Alert Logic Azure Resource Manager (ARM) template. This template is stored as a JSON file on the Alert Logic public GitHub repository.

If you plan to install the application through the Cloud Shell, you do not need to download the template.

To download the ARM template:
  1. Access the Alert Logic GitHub public repository at https://github.com/alertlogic/azure-collector.
  2. Open the file, template.json.
  3. Click Raw.
  4. Save the file to the local Downloads folder as a .json file. If your browser asks to confirm the JSON format, do so.

Register a new application

Office 365 log collection requires the use of the "create an application" function in Microsoft Office 365. Alert Logic provides an ARM template for this purpose.

Create the application

This section describes how to create the application in Microsoft Office 365 from an ARM template.

  1. Log into the Office 365 portal.
  2. Click the Admin tile, which takes you to the Office Admin center.
  3. Click the Domains tile.
  4. Note the Office 365 domain name from which you will collect logs. You will need the domain name for the Office 365 Tenant ID field under Deploy the application through the Microsoft Azure portal.
    The domain name should match the domain in your user ID (the part after the @).
  5. In the left navigation bar, click Admin centers, and then click Azure AD to open a limited version of the Azure Active Directory admin center.
    Later in the procedure you will need the full Azure console.
  1. Click Azure Active Directory.
  2. Click App registrations.
  3. Click New application registration.
  4. Enter a name for the application. Leave Application type as "Web app/API."
  5. In the Sign-on URL field, type any URL.
    Microsoft Azure requires a URL in this field. Alert Logic does not use this information.
    Example Sign-on URL entry: http://<APPLICATIONNAME>.com
  6. Click Create.
  7. Search for the application you created, and then click the application.
  8. Note the Application ID, which you need for the App Client ID field under Deploy the application through the Microsoft Azure portal.
  9. Click Keys, and then enter a Key description.
  10. Set Duration to "Never expires."
  11. Click Save.
  12. Click the newly created key.
  13. Note the key ID number, which you need for the App Client Secret Key field under Deploy the application through the Microsoft Azure portal.
    The key ID does not appear again, and it cannot be retrieved later. If you do not note the key ID number now, you must perform this procedure to create another key.
  14. Close the Keys blade.

Set up Active Directory security permissions

You must be logged into the Office 365 portal to set the application permissions to allow Alert Logic to collect the Office 365 logs.

  1. Under Settings for the application, click Required permissions.
  2. Click +Add.
  3. Click Select an API.
  4. Select Office 365 Management APIs, and then click Select.
  5. Under Application Permissions, select the following:
    • Read service health information for your organization
    • Read activity data for your organization
    • Read threat intelligence data for your organization
    • Read activity reports for your organization
      The Azure portal duplicates the last two permission options. You must select both instances of each of the duplicated permissions.
  6. Click Select.
  7. Click Done.
  8. On the required permissions blade, click Grant Permissions.
  9. Click Yes.
    If the process stops at this point in the procedure, you do not have administrative privileges in Office 365. Contact your Office 365 administrator for the necessary privileges.
  10. Go to Azure Active Directory.
  11. Click App registrations.
  12. Click the application name.
  13. Under Managed application in local directory, click the application name link.
    You must click this particular link, or you will gather the wrong Object ID value, and the installation will not complete.
  14. Click Properties.
  15. Note the Object ID, which you will need for the Service Principal ID field under Deploy the application through the Microsoft Azure portal.
  16. Close this blade.

Create an Alert Logic access key

You must log into the Azure portal to create the Alert Logic access keys.

  1. In the Azure portal, click the Cloud Shell icon to activate Azure Cloud Shell. If prompted, select the Bash command shell. The commands in this procedure do not work in PowerShell. Create a storage account if prompted to do so.
  2. In the command line, type:

    export AL_USERNAME='<username>'
    export AL_PASSWORD='<password>'

    # Authenticate, then pull the account ID, user ID and session token from the response
    auth=$(curl -X POST -s -u "$AL_USERNAME:$AL_PASSWORD" https://api.global-services.global.alertlogic.com/aims/v1/authenticate)
    export AL_ACCOUNT_ID=$(echo "$auth" | jq -r '.authentication.account.id')
    export AL_USER_ID=$(echo "$auth" | jq -r '.authentication.user.id')
    export AL_TOKEN=$(echo "$auth" | jq -r '.authentication.token')
    # jq prints "null" when the field is missing, so check for both an empty and a null token
    if [ -z "$AL_TOKEN" ] || [ "$AL_TOKEN" = "null" ]; then
      echo "Authentication failure"
    else
      # Only a user with the Administrator role may create access keys
      roles=$(curl -s -X GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/roles | jq -r '.roles[].name')
      if [ "$roles" != "Administrator" ]; then
        echo "The $AL_USERNAME doesn't have Administrator role. Assigned role is '$roles'"
      else
        curl -s -X POST -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq .
      fi
    fi
    # Remove the credentials from the shell environment once the key is created
    unset AL_USERNAME
    unset AL_PASSWORD

    Where <username> and <password> are your Cloud Insight user name and password.

  3. From the response, make note of the following:
    • access_key_id
    • secret_key
    A user account can have only five access keys. If a "limit exceeded" response appears when you create your key, you must delete one or more existing keys before you can create more.
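The same authenticate, check-role, create-key flow as the shell commands above, written as a Python function. This is an added example, not Alert Logic's own code; the endpoints and JSON field names come from the commands above, while the "limit exceeded" match, the membership-style role check (so a user who holds Administrator plus other roles is not rejected) and the fake_aims replay responses are constructed assumptions for offline use.

```python
import base64
import io
import json
import urllib.error
import urllib.request

AIMS = "https://api.global-services.global.alertlogic.com/aims/v1"

class KeyLimitExceeded(Exception):
    """The user already holds five access keys; delete one and retry."""

def create_collector_access_key(username, password, opener=urllib.request.urlopen):
    """Authenticate, confirm the Administrator role, then create an access key.
    Returns (access_key_id, secret_key); `opener` is injectable for offline tests."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{AIMS}/authenticate", method="POST",
                                 headers={"Authorization": f"Basic {basic}"})
    auth = json.load(opener(req))["authentication"]
    hdr = {"x-aims-auth-token": auth["token"]}
    base = f"{AIMS}/{auth['account']['id']}/users/{auth['user']['id']}"
    req = urllib.request.Request(f"{base}/roles", headers=hdr)
    roles = [r["name"] for r in json.load(opener(req))["roles"]]
    # Membership test, so a user holding Administrator plus other roles still passes
    if "Administrator" not in roles:
        raise PermissionError(f"{username} lacks the Administrator role: {roles}")
    req = urllib.request.Request(f"{base}/access_keys", method="POST", headers=hdr)
    try:
        key = json.load(opener(req))
    except urllib.error.HTTPError as err:
        # Assumed error text for the five-key limit; surface it as a distinct error
        if "limit exceeded" in err.read().decode("utf-8", "replace").lower():
            raise KeyLimitExceeded("five-key limit reached; delete an old key") from err
        raise
    return key["access_key_id"], key["secret_key"]

def fake_aims(req):
    """Constructed stand-in for urlopen that replays sample AIMS responses offline."""
    path = req.full_url[len(AIMS):]
    if path == "/authenticate":
        body = {"authentication": {"token": "sample-token", "account": {"id": "12345"},
                                   "user": {"id": "SAMPLE-USER-ID"}}}
    elif path.endswith("/roles"):
        body = {"roles": [{"name": "Read Only"}, {"name": "Administrator"}]}
    elif path.endswith("/access_keys"):
        body = {"access_key_id": "sample-access-key-id", "secret_key": "sample-secret"}
    else:
        raise ValueError(f"unexpected path {path}")
    return io.BytesIO(json.dumps(body).encode())
```

Call create_collector_access_key with your real credentials and the default opener to hit AIMS; pass fake_aims instead to exercise the logic without network access.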

Deployment

You can use one of two methods to deploy the application—the Microsoft Azure portal or a command line.

Deploy the application through the Microsoft Azure portal

You can use the Azure portal to deploy the application.

To deploy the application with the Azure portal:

  1. In the Azure portal search field, type Deploy.
  2. Click Deploy a custom template.
  3. Click Build your own template in the editor.
  4. Click Load file.
  5. Navigate to the ARM template you downloaded from the Alert Logic GitHub repository, and then select it. If necessary, click Open.
  6. Click Save.
  7. Enter the following information:
    • Subscription—Select the subscription for Office 365 monitoring.
    • Resource group—Select Create new, and then enter a name for the new resource group.
      Reusing an existing resource group requires greater permissions. If you want to use an existing resource group, contact Alert Logic Support at (US) (877) 484-8383 or (EU) +44 (0) 203 011 5533 for assistance.
    • Location—Select a location to deploy the application.
    • Name and Storage Name—Use only lowercase letters and numbers to enter the same name in both fields.
      Create a new name here, because reusing a name causes Azure support issues. Alert Logic recommends a name like alertlogiccollector.
    • Alert Logic Access Key ID—Enter the access_key_id value collected in Create an Alert Logic access key.
    • Alert Logic Secret Key—Enter the secret_key value collected in Create an Alert Logic access key.
    • Alert Logic API endpoint—Accept the default value (api.global-services.global.alertlogic.com).
    • Alert Logic Data Residency—Accept the default value (default).
    • Office 365 Content Streams—Select the content streams you want to monitor, and delete any unwanted streams.
      Alert Logic does not recommend collection of the DLP.all stream, because doing so could result in sensitive data being collected without encryption.
    • Office 365 Tenant ID—Enter the Active Directory GUID in which you deployed the application. You collected this value at the end of Set up Active Directory security permissions.
    • Service Principal ID—Enter the Object ID of the application that created the subscription. You collected this value in Set up Active Directory security permissions.
    • App Client ID—Paste the Application ID you collected in Create the application.
    • App Client Secret Key—Paste the key ID number you collected in Create the application.
    • Repository URL—You must use https://github.com/alertlogic/azure-collector.git.
    • Repository Branch—You must use master.
    • Select the I agree to the terms and conditions stated above check box.
    • Select the Pin to dashboard check box (optional).
    • Click Purchase.
      If you receive validation errors, you can click them to view the error details.
      Application deployment takes a few minutes. You can click the Notifications icon to view the status of the deployment.

Deploy the application through Microsoft Azure Cloud Shell

You can use Azure Cloud Shell to deploy the application. Alternatively, you can use a local installation of the Azure CLI.

To deploy the application with Cloud Shell:

  1. In Azure, click the Cloud Shell icon.
  2. In the command line, type the following command to create the resource group in the "Central US" location, where <resource-group-name> is something like alertlogiccollect.

    az group create --name <resource-group-name> --location "Central US"

  3. Deploy the template with the following command:

    az group deployment create \
      --name <resource-group-name> \
      --resource-group <resource-group-name> \
      --template-uri "https://raw.githubusercontent.com/alertlogic/azure-collector/master/template.json"

    where <resource-group-name> is used for both the name and the resource group. Alert Logic recommends a name like alertlogiccollector.

    If you use an existing name, the process will fail here.
  4. When prompted, enter the template parameters. These are the same values described under Deploy the application through the Microsoft Azure portal.
    Application deployment takes a few minutes. You can click the Notifications icon to view the status of the deployment.

Verify deployment

You should verify the application deployed and the information that appears in the Alert Logic console.

To verify deployment:

  1. Log in to the Alert Logic console.
  2. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  3. Click the All Deployments tile.
  4. Click the Sources tab.
  5. Type the collector name (default: AlertLogicCollector) in the Type Search Terms blank.
  6. Verify that the Office 365 collector appears. The newly created Office 365 source name contains the application name you entered when you deployed the application.

If the collector stops sending information to Alert Logic, the Current Status for the source displays the error, "Collector is offline." If you see this error, try one of the following troubleshooting methods:

  • If you either deleted the collector application, or disabled it from the Azure portal, the Alert Logic console may not have removed it. To correct the issue, delete the collector source from the Alert Logic console.
  • Occasionally the collector has an issue with the Azure Active Directory, which causes an error. Alert Logic monitors these errors and resolves them, but you may also restart the function app from the Azure portal.