8 STEPS TO ONBOARD MICROSOFT OFFICE 365 DATA INTO SPLUNK
Audit logs are a fantastic source of data and an essential tool for business compliance, security, and human resources in the digital age. Microsoft Office 365 audit logs contain event details for Microsoft SharePoint Online, OneDrive for Business, Skype, Microsoft Exchange Online, Azure Active Directory, Microsoft Teams, Sway, and Power BI. Microsoft retains audit log data in Office 365 for 90 days, and then it is removed and stored offline. However, many businesses are required to collect and preserve event log data for legal or regulatory compliance for several years, not months. Ingesting Microsoft Office 365 logs in Splunk is a great option for expanding security-relevant data collection for centralized analysis as well as for long-term storage of regulatory compliance data.
In this quick tutorial, I will demonstrate how to access the Office 365 Management API and ingest this rich data source into Splunk Enterprise. It is a simple process to integrate Microsoft O365 log data with Splunk and can be done for free. It is also highly scalable, so if your Office 365 tenants have numerous users generating millions of events each day, your Splunk deployment is well suited to manage that volume of data as well.
Once data onboarding for an entire suite of Microsoft Office applications is complete, administrators can easily search Office 365 events by date and time, user, device IP address, browser, user role, and so on. You can archive, document, investigate, and monitor compliance with organizational security policies and federal regulatory standards. You can even expose insider threats spying on sensitive business Microsoft Exchange communications! There are many use cases for O365 log data collection. Archived Office 365 logs have important forensic value as well and may contain critical evidence relevant to a wide range of potential legal disputes and internal and external investigations. Therefore, there is great value in Office 365 audit log data for businesses large and small. If you have not already onboarded Microsoft Office data into Splunk, here’s how:
1. Install Splunk Add-on for Microsoft Office 365
This can be done via Splunk Web or the command line. There are a few similar apps in Splunkbase, so be sure to install the correct one.
2. Create an Azure Active Directory Subscription
You need to have an Azure Active Directory subscription to allow Splunk to access Office 365 log data from Azure through its management API. A subscription provides the required API access to integrate with Splunk. Go to the Microsoft Azure Portal at https://portal.azure.com/#home.
You can create an Azure subscription for free and/or sign up for pay-as-you-go.
3. Create an Azure Active Directory Application Registration
Click the portal menu and select Azure Active Directory from the left panel or Azure Services to view your subscription.
You are now a tenant and global administrator. Take note of your tenant ID as you will need to enter this into Splunk later.
Next, click “App registrations” to register an app so you can access the API from anywhere. Click “New registration”.
Complete the registration form. The redirect URI box is optional, but be sure to put something such as https://localhost in it.
Click “Register” and you’re all done! Take note of your application/client ID as you will need to enter this into Splunk later.
4. Enable Access to Office 365 Management API
Click on “API permissions” in the side panel. Click “Add a permission” and select Office 365 Management APIs.
Select Application permissions, check the boxes for the data to pull and click Add permissions.
Once your API permissions are added, be sure to click “Grant admin consent for Default Directory”.
5. Generate a Secret Key for Your New App
Splunk requires a client secret key to access data from the Microsoft API. Your new app should now be displayed on the App registrations page. Click on the Display Name for the app you just registered. Next, click “Certificates & Secrets” in the left side panel.
Click “New client secret” and enter something in the description box. Click “Add” and you’re all set!
Take note of the Value. This is the client secret you will enter in Splunk, not the Secret ID. We now have everything we need to pull Microsoft Office audit logs in Splunk!
6. Configure a Tenant in the Splunk Add-on for Microsoft Office 365
In Splunk, open the newly installed Splunk Add-on for Microsoft Office 365. You need to configure at least one tenant before you can onboard data through inputs. Click the Tenant tab and then “Add Tenant”.
Fill out the form: enter a Tenant Name, select “Worldwide” for Endpoint, and enter the Tenant ID from your subscription, the Client/application ID from your registered app, and the Client Secret, which is the secret Value generated above.
7. Configure Inputs for the Splunk Add-on for Microsoft Office 365
Configure data inputs using Splunk Web on the Splunk platform instance that you have designated as your configuration server for this add-on. Click the Input tab and click “Add Input”. Select as many inputs as desired and available from these input sources.
The Management activity input source contains all audit events visible through the Office 365 Management Activity API: audit logs for Microsoft Azure Active Directory, Microsoft Exchange, and Microsoft SharePoint, general audit logs for Microsoft Office 365, and all log information for data loss prevention (DLP) services. The Service status input pulls events visible through the Microsoft Office 365 Service Communication API, including current and historical service status events. The Service message input pulls events visible through the Office 365 Service Communication API.
8. Confirm successful Office 365 log data onboarding
Open your Splunk search app to verify that data is being ingested and forwarded to your search head as expected in your Splunk deployment by running a search on your configured inputs. The Office 365 source types that will populate in Splunk are sourcetype=o365:management:activity, sourcetype=o365:service:status, and sourcetype=o365:service:message. If data is not populating in Splunk, make sure audit logging is set to enabled in Microsoft Office through the Office admin portal.
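If the inputs stay empty, the values collected in steps 3 to 5 can be checked outside Splunk. The following is an added example, not code from the add-on or from this tutorial: it requests an app-only token with those values and inspects its claims to confirm that the tenant matches, that the token is meant for the Office 365 Management API, and that the permissions from step 4 were actually consented. The function names are hypothetical, the "Worldwide" endpoint is assumed, and the permission names passed to preflight() (for example ActivityFeed.Read, ActivityFeed.ReadDlp, ServiceHealth.Read) are the application permissions of the Office 365 Management APIs.

```python
import base64
import json
import urllib.parse
import urllib.request

RESOURCE = "https://manage.office.com"  # "Worldwide" endpoint, as chosen in step 6


def request_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for the registered app (needs network access)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret Value, not the Secret ID
        "resource": RESOURCE,
    }).encode()
    with urllib.request.urlopen(url, data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(access_token, tenant_id, wanted_roles):
    """List the problems that would keep the add-on from collecting data."""
    claims = token_claims(access_token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token was issued for a different tenant")
    if claims.get("aud") != RESOURCE:
        problems.append("token audience is not the Office 365 Management API")
    missing = sorted(set(wanted_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("not granted or not consented: " + ", ".join(missing))
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned token so preflight() can be tried offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed"])
```

Read the client secret from an environment variable or a secrets store when calling request_token() rather than typing it into the script, and treat the returned token as a credential.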