Microsoft Office 365 Audit
Overview
Microsoft provides a single pane of glass for all Office 365 tasks through the Office 365 management APIs. This includes service communications, security, compliance, reporting and auditing related events.
Event Manager can provide an assessment of all the data contained in these events by analyzing it and alerting based on custom rules.
Registering Event Manager with Microsoft Azure
To authenticate with the Microsoft identity platform endpoint you need to register an app in your Microsoft Azure portal app registrations section.
Click New registration.
Type Event Manager as the name of the app, choose the desired account type and click Register.
The app is now registered and you can see information about it in the overview section.
Make a note of the client and tenant IDs as you will need them later on.
Certificates and secrets
You can generate a password to use during the authentication process.
Go to Certificates & secrets and click New client secret:
API Permissions
The application needs specific API permissions to be able to request the Office 365 activity events. In this case you are looking for permissions related to the https://manage.office.com resource.
To configure the application permissions go to the API permissions page, choose Add a permission, then select the Office 365 Management APIs and click on Application permissions.
You need to add the following permissions under the ActivityFeed group:
-
ActivityFeed.Read: Reads activity data for your organization.
-
ActivityFeed.ReadDlp: Reads DLP policy events including detected sensitive data.
Content types
The Office 365 management activity API aggregates actions and events into tenant-specific content blobs. There are five categories depending on the type and source of the content:
-
Audit.AzureActiveDirectory: User identity management.
-
Audit.Exchange: Mail and calendaring server.
-
Audit.SharePoint: Web-based collaborative platform.
-
Audit.General: Includes all other workloads not included in the previous content types.
-
DLP.All: Data loss prevention workloads.
You can find more details about the events and their properties associated with these here.
Subscriptions
Finally, besides all the previous steps (Registering Event Manager with Microsoft Azure, Certificates and secrets, API Permissions) you need to ensure that subscriptions to required Content types are enabled.
You can find more details about the starting a subscription here.
You can directly use this Powershell script below (use file extension .ps1) that will start the subscription for the 5 content types mentioned previously:
$content_Type = "application/x-www-form-urlencoded" $grant_type = "client_credentials" $resource = "https%3A%2F%2Fmanage.office.com" $api_version = "1.0" #Change the following entries with your own data $client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" $client_secret = "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" $tenant_id = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" # Get Access Token $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $headers.Add("Content-Type", $content_Type) $body = "grant_type=" + $grant_type + "&resource=" + $resource + "&client_id=" + $client_id + "&client_secret=" + $client_secret $url = 'https://login.windows.net/' + $tenant_id + '/oauth2/token?api-version=' + $api_version $response = Invoke-RestMethod $url -Method 'POST' -Headers $headers -Body $body #Subscribe $headersSubscribe = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" $AppAccessToken = 'Bearer ' + $response.access_token #Write-Output $AppAccessToken $headersSubscribe.Add("Authorization", $AppAccessToken) #Subscribe -> Stop Audit.AzureActiveDirectory $urlStopSubscribe_Audit_AzureActiveDirectory = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory' $responseSubscribe = Invoke-RestMethod $urlStopSubscribe_Audit_AzureActiveDirectory -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Subscribe -> Start Audit.AzureActiveDirectory $urlStartSubscribe_Audit_AzureActiveDirectory = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory' $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_Audit_AzureActiveDirectory -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Write-Output $responseSubscribe #Subscribe -> Stop Audit.Exchange $urlStopSubscribe_Audit_Exchange = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=Audit.Exchange' $urlStopSubscribe_Audit_Exchange = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=Audit.Exchange' $responseSubscribe = Invoke-RestMethod $urlStopSubscribe_Audit_Exchange -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Subscribe -> Start Audit.Exchange $urlStartSubscribe_Audit_Exchange = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/start?contentType=Audit.Exchange' $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_Audit_Exchange -Method 'POST' -Headers $headersSubscribe $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_Audit_Exchange -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Write-Output $responseSubscribe #Subscribe -> Stop Audit.SharePoint $urlStopSubscribe_Audit_SharePoint = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=Audit.SharePoint' $responseSubscribe = Invoke-RestMethod $urlStopSubscribe_Audit_SharePoint -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json $responseSubscribe | ConvertTo-Json #Subscribe -> Start Audit.SharePoint $urlStartSubscribe_Audit_SharePoint = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/start?contentType=Audit.SharePoint' $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_Audit_SharePoint -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Write-Output $responseSubscribe #Subscribe -> Stop Audit.General $urlStopSubscribe_Audit_General = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=Audit.General' $responseSubscribe = Invoke-RestMethod $urlStopSubscribe_Audit_General -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Subscribe -> Start Audit.General $urlStartSubscribe_Audit_General = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/start?contentType=Audit.General' $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_Audit_General -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Write-Output $responseSubscribe #Subscribe -> Stop DLP.All $urlStopSubscribe_DLP_All = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/stop?contentType=DLP.All' $responseSubscribe = Invoke-RestMethod $urlStopSubscribe_DLP_All -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Subscribe -> Start DLP.All $urlStartSubscribe_DLP_All = 'https://manage.office.com/api/v1.0/' + $tenant_id + '.onmicrosoft.com/activity/feed/subscriptions/start?contentType=DLP.All' $responseSubscribe = Invoke-RestMethod $urlStartSubscribe_DLP_All -Method 'POST' -Headers $headersSubscribe $responseSubscribe | ConvertTo-Json #Write-Output $responseSubscribe
If script runs successfully, output should show something similar to:
"" { "contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": null } "" { "contentType": "Audit.Exchange", "status": "enabled", "webhook": null } "" { "contentType": "Audit.SharePoint", "status": "enabled", "webhook": null } "" { "contentType": "Audit.General", "status": "enabled", "webhook": null } "" { "contentType": "DLP.All", "status": "enabled", "webhook": null }
where all 5 content types are enabled.