Microsoft 365 is Microsoft’s cloud-powered productivity platform, widely used by organisations. Microsoft 365 (formerly known as Office 365) offers a range of productivity tools, such as Microsoft Teams, Word, Excel, PowerPoint, Outlook, OneDrive, and much more.
Snare Central offers a convenient way to collect audit logs generated by a variety of Microsoft 365 apps and tools and store them in the Snare Central Archive for reporting, analysis and compliance.
This setup guide covers the basic setup required for SNARE - Microsoft 365 cloud log collection to work. Security-related setup, charges you may incur, and other intricacies of Microsoft 365 are not covered in detail in this guide.
Overview
Snare Central can be configured to collect audit logs from the Microsoft 365 cloud using the Office 365 Management API.
Snare Central needs to request authentication keys from Microsoft Entra ID in order to connect to the API. Once authentication is accepted, Snare Central is able to subscribe to the target audit logs and collect them.
Snare Central and Office 365 Management API communication
In order for Snare Central to communicate properly with the Office 365 Management API, the following must first be configured on the Microsoft 365 side:
Turn the Microsoft 365 log auditing on.
Register Snare Central in Microsoft Entra ID.
Turning Microsoft 365 log auditing on or off
Before you can access details and logs through the Office 365 Management API, you must enable unified audit logging for your Microsoft 365 organization. This is done by turning on the Microsoft 365 audit log. An administrator must turn on audit logging from the Security & Compliance Center.
To allow Snare Central to access the Office 365 Management APIs, Snare Central must be registered in Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD). This allows Snare Central to establish an identity and to specify the permission levels needed for API access. The Office 365 Management APIs use Microsoft Entra ID to provide authentication services, which you use to set up the permissions Snare Central needs to access them.
Prerequisites: To register Snare Central in Microsoft Entra ID, the client must have a subscription to Microsoft 365 and a subscription to Azure that has been associated with that Microsoft 365 subscription.
Step 1: App registration
Create a dedicated application for Snare Central inside Microsoft Entra ID.
Follow steps 1 to 6 at this link; the last output screen should look like this:
Target output: Application (client) ID. Generated by Microsoft Entra ID; Snare Central uses this value when requesting consent from tenant admins and when requesting app-only tokens from Microsoft Entra ID. Make sure to save this value; it will be used to set up Snare Central’s connection to the Office 365 Management API.
Step 2: Key or client secret generation
Generate the client secret that Snare Central will use to authenticate to the Office 365 Management API.
Follow steps 1 to 4 at this link; the last output screen should look like this:
Target output: Client Secret. Make sure to copy and save the text in the “Value” column for the generated credential. Microsoft Entra ID only displays this value at the time of generation; it is masked afterwards. This value will also be used to set up Snare Central’s connection to the Office 365 Management API. Note: a user is allowed to create and use multiple client credentials.
Step 3: Setting up API permissions
Configure the permissions required for the Office 365 Management API connection and its interaction with Snare Central.
Follow steps 1 to 5 at this link; the last output screen should look like this:
Target output: The following permissions are set for Office 365 Management APIs, with Type set to Application and Admin consent required set to Yes.
ActivityFeed.Read
ActivityFeed.ReadDlp
ServiceHealth.Read
Setting Up Snare Central - Microsoft 365 Cloud Log Collection
Starting from Snare Central v8.6.0, the Microsoft 365 Cloud Log Collection functionality is available as long as you have the proper license for it.
This capability requires a license with either the Office 365 Logs Collection (IA_CLOUD_O365) or the Cloud Logs Collection (IA_CLOUD) license feature.
This guide will help you set up your Snare Central and start collecting supported Microsoft 365 audit logs in no time by simply using the intuitive Cloud Log Collection Configuration Web UI of Snare Central.
Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.
Step 2. Select Microsoft 365 and click the ADD CLOUD COLLECTION button.
Step 3. Input all the necessary Microsoft 365 Cloud Collection Configuration information and click the Test Connection button to check that the configuration is correct and can connect to the Office 365 Management API.
Name: Any name to easily identify this Microsoft 365 Cloud Log Collector.
Enabled: Can be toggled ON/OFF. This determines whether the Microsoft 365 Cloud Collector is enabled and starts log collection (this can also be toggled ON/OFF later, after setup).
Content Types: Defines the target content blobs to be retrieved by Snare Central from the Office 365 Management API. For supported content types, please see Microsoft’s documentation here.
Fetch Interval: Log collection interval (in milliseconds) for each log collection request; it should not be less than 120000 or greater than 86340000.
Domain: Fetch the Primary domain value on the main page of the Azure portal site.
Tenant ID: Fetch the Tenant ID value on the same Azure portal site.
Organization ID: The organization or company name, or the Name value from the same Azure portal site.
Client ID: Fetch the Application (client) ID that was generated during App registration process above.
Client Secret: Fetch the “Value” that was generated during “Key or client secret generation” process.
Note: Optional field for any information related to this Microsoft 365 Cloud Log Collector.
Step 4. Click the ADD button; the added Microsoft 365 Cloud Log Collector should then appear under the Microsoft 365 Cloud Collection List.
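The token-then-subscribe flow from the Overview and the configuration fields above, as an added example that is not Snare Central code: it validates a collector configuration offline (content types, fetch interval bounds) and builds the same app-only token and subscription requests a connection test exercises. Endpoint URLs and the content type names follow Microsoft’s public Office 365 Management Activity API documentation (an assumption); all tenant and client values are constructed placeholders.

```python
# Added example, not Snare Central code. Endpoints per Microsoft's public Office 365 Management
# Activity API docs (assumption); tenant/client values are constructed placeholders.
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
MIN_INTERVAL_MS, MAX_INTERVAL_MS = 120_000, 86_340_000      # limits of the Fetch Interval field
CONTENT_TYPES = {"Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
                 "Audit.General", "DLP.All"}                # DLP.All also needs ActivityFeed.ReadDlp

def validate_config(cfg):
    """Return a list of problems found; an empty list means the configuration is acceptable."""
    problems = [f"missing {k}" for k in
                ("tenant_id", "client_id", "client_secret", "content_types") if not cfg.get(k)]
    unknown = set(cfg.get("content_types", ())) - CONTENT_TYPES
    if unknown:
        problems.append(f"unsupported content types: {sorted(unknown)}")
    interval = cfg.get("fetch_interval_ms", 0)
    if not MIN_INTERVAL_MS <= interval <= MAX_INTERVAL_MS:
        problems.append(f"fetch_interval_ms {interval} outside {MIN_INTERVAL_MS}-{MAX_INTERVAL_MS}")
    return problems

def token_request(cfg):
    """App-only (client credentials) token request to Entra ID; the secret travels in the POST body."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": cfg["client_id"],
                                   "client_secret": cfg["client_secret"],
                                   "scope": "https://manage.office.com/.default"}).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=cfg["tenant_id"]), data=body, method="POST")

def subscription_request(cfg, action, token, content_type=None):
    """Request for /subscriptions/{start|list|content}: start is a POST, the others are GETs."""
    url = f"{FEED_URL.format(tenant=cfg['tenant_id'])}/subscriptions/{action}"
    if content_type:
        url += "?" + urllib.parse.urlencode({"contentType": content_type})
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"},
                                  method="POST" if action == "start" else "GET")

def content_blobs(listing_json):
    """Parse a /subscriptions/content response into the (contentType, contentUri) blobs to collect."""
    return [(e["contentType"], e["contentUri"]) for e in json.loads(listing_json)]

def live_check(cfg):  # token, then subscription list: the two steps a connection test performs
    with urllib.request.urlopen(token_request(cfg), timeout=30) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(subscription_request(cfg, "list", token), timeout=30) as resp:
        return json.load(resp)
```

Only live_check touches the network; a failed token call there corresponds to the "Could not generate access token" collector status, while a failed list call points at missing API permissions or admin consent.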
Updating/Deleting - Microsoft 365 Cloud Log Collection Configuration
If you want to update or delete an existing Microsoft 365 Cloud Log Collector that was previously configured, simply use Snare Central’s Cloud Log Collection Configuration Web UI and follow the steps below, first for updating and then for deleting.
Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.
Step 2. Select Microsoft 365 and click the Microsoft 365 Log Collector that you want to update. The collector details panel opens on the right-hand side. Click the Edit icon at the top right of the details panel.
Step 3. In the Edit screen, update the configuration and optionally click Test Connection to check that the updated configuration can connect to the Office 365 Management API, then click the SAVE button to save the updated configuration.
Step 1. Go to Snare Central and navigate to System > Administrative Tools > Cloud Log Collection Configuration.
Step 2. Select Microsoft 365 and click the Microsoft 365 Collector that you want to delete. The collector details panel opens on the right-hand side. Click the Delete icon at the top right of the details panel.
Troubleshooting Guide
This guide is your resource for resolving common issues and challenges that you may encounter with Microsoft 365 - Cloud Log Collection.
Microsoft 365 icon is gray in System > Administrative Tools > Cloud Log Collection Configuration Web UI.
When the Microsoft 365 icon in the Cloud Log Providers list is gray, it is possible that Snare Central does not have an IA_CLOUD or IA_CLOUD_O365 license.
You can check this by navigating to Status > Snare Health Checker, or by clicking the heart icon in the lower left corner of Snare Central, scrolling down to Snare Central License and selecting Show Details to view the License Information.
If there is no IA_CLOUD or IA_CLOUD_O365 in the License Information, you need a license that includes IA_CLOUD or IA_CLOUD_O365. Once you have the correct license, click the License Page button.
In the License Update page, click the Browse button, navigate to the correct license file, then click the Load License button.
Wait a moment, then navigate to System > Administrative Tools > Cloud Log Collection Configuration; the Microsoft 365 icon should now be green and you should be able to add a Microsoft 365 Cloud Collection.
Microsoft 365 Cloud Log Collector icon is gray and the Status is Not Running (Disabled by configuration)
Microsoft 365 Cloud Log Collector icon is red and the Status is Not Running (Could not generate access token for ….)
Microsoft 365 Cloud Log Collector icon is red and the Status is Running (Subscription error on ….)
Microsoft 365 Cloud Log Collector icon is red and the Status is Not Running (Cannot connect to microsoft API, please check the IP configuration …)
Microsoft 365 Cloud Log Collector icon is red and the Status is Not Running (Cannot connect to proxy server, ….)
Microsoft 365 Cloud Log Collector icon is red and the Status is Not Running (Invalid proxy credentials...)
Microsoft 365 Cloud Log Collector icon is red and the Status is Not Running (Invalid proxy type…)