Microsoft Cloud and SIEM Integration Part 1 (Audit log search)

By | November 11, 2017

In today’s cloud world we have huge and “unlimited” amounts of information about our organization: identity, locations, applications, security and much more. This information can bring us many benefits, but the problem is that we cannot handle all of it and cannot process every event generated by users or systems.
The Microsoft Cloud, whether Office 365, Azure or others, holds trillions of data points about each action made in the systems and allows us to analyze the information that belongs to each tenant.
Once we work with the Microsoft Cloud, for example with Office 365, we have a lot of data about each action, whether it is user actions, security breaches or admin activity. In many situations we need to know whether users made suspicious actions, or just to know what is happening in our system.
For example, the Office 365 Security & Compliance Center allows us to work with Audit log search and view user activity:

Or to receive information about changes in role administration:


Of course, Audit log search has a lot of search parameters and activities, and this is only Audit Log Search.

Beside Audit Log Search, the Microsoft Cloud offers many other ways and products to view information such as user information, anomalies, behavior, activities and much more. Some of these tools and products are included in your license for free and some are not (unless you have the SPE E5 license, which includes everything you need, especially for security; I hope so for you).

Microsoft Graph, REST APIs: what can we do with so much information?

Each organization handles the information in a different way: some organizations work with a SIEM, some use the built-in tools in the Microsoft Cloud services, and some use additional third-party products to handle the information.
One of my favorite systems for working with so much information is Log Analytics, which is part of Microsoft OMS. It brings useful tools and many ways to handle huge amounts of information, and specifically security information, and allows us to work with incident management, compliance, data flow and more.

General view from Log Analytics dashboard

Another example is the Sign-in logs from Azure AD, which provide information about the usage of managed applications and user sign-in activities.


Of course there are many other products that provide huge amounts of important and critical information, such as Windows Defender ATP, Cloud App Security and Office 365 Cloud App Security.

All of this information, and all of these tools and products, are based on huge platforms: Microsoft Graph and the Office 365 Management APIs! The general platforms to work with are:

Microsoft Graph – a platform that connects multiple services and devices and interacts with the data of trillions of users in the Microsoft cloud. You can use Microsoft Graph to build apps that connect to a wealth of resources, relationships, and intelligence, all through a single endpoint.

Microsoft Intelligent Security Graph – a huge platform that provides trillions of data points about security threats, advanced attacks and risks in the Microsoft Cloud. The Intelligent Security Graph processing includes machine learning, big-data analytics, advanced security analytics and more.

Office 365 Management APIs – provide a single extensibility platform for all Office 365 customers’ and partners’ management tasks, including service communications, security, compliance, reporting, and auditing. The APIs also deliver a cohesive platform experience, with REST APIs built in a consistent fashion including URL naming, data format, and authentication.

Note: there are other APIs to work with that are not described here.

The data that can be audited with Office 365 is:

Exchange: admin activity, end-user (mailbox) activity and more
OneDrive: admin activities, file activity and more
SharePoint: file activity, sharing activity and more
Security and Compliance Center: user and admin activity
Azure AD: O365 logins, directory activities and more
Power BI: admin activities

Some of these audit settings are enabled by default, such as the admin activities in Exchange Online, but others, like the mailbox activities, must be turned on manually.

You don’t have to use the Office 365 embedded application to interpret or use the collected data. You can use the Management Activity API to get the data out and use it as you need. There are 300+ applications from Microsoft partners that use the API.

So your next step is to create a unified center with all the information from the Microsoft Cloud services, from Exchange to Azure AD, so that you get all the logs together. Of course, you are also able to query them inside the Security & Compliance portal in Office 365.

All audit log entries are kept for 90 days. Note that it can take up to 24 hours after an event occurs for it to be shown in an audit query.

Audit log search and SIEM Integration

So there is a need to connect a SIEM system to the Office 365 Audit log search and receive information about user and admin activity.
To configure Audit log search with a SIEM, follow these actions:

Enable Audit log search
Configure Azure AD
Configure SIEM system (local or cloud solution)

Enable Audit log search

Go to Security and Compliance Portal 
Choose Search & Investigation then choose Audit log search
Then choose “Start recording user and admin activities” and choose Turn On

*Make sure that your Audit log search is enabled for searching and receiving information.

You can also enable Audit log search, or check whether it is enabled, from PowerShell.
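As an added example that is not part of the original post, this is how the check and the enablement (including the mailbox auditing that the post says is off by default) look from Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module and an account holding the Exchange administrator role, and the UPN is a placeholder:

```powershell
# Added example: check/enable Audit log search (unified audit log) and mailbox auditing.
# Assumes the ExchangeOnlineManagement module; admin UPN below is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# 1. Is the unified audit log ingesting data at all? This is the switch behind
#    "Start recording user and admin activities" in the portal.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Audit log search is OFF - enabling it (data appears after up to 24h)'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Audit log search is already enabled'
}

# 2. Mailbox (end-user) activity is only recorded when mailbox auditing is on,
#    so list the user mailboxes where it is still disabled.
$notAudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled }
Write-Host ("{0} user mailboxes have mailbox auditing disabled" -f @($notAudited).Count)

# 3. Turn it on for each of them, adding owner actions that matter in an
#    investigation (logins and deletions are not audited for owners by default),
#    and keep the mailbox audit records for 180 days.
foreach ($mbx in $notAudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditOwner @{Add = 'MailboxLogin', 'HardDelete', 'MoveToDeletedItems'} `
        -AuditLogAgeLimit '180.00:00:00'
}

# 4. Confirm that data is really searchable: Azure AD logons from the last 24 hours,
#    the same records the portal's Audit log search shows.
$hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectoryStsLogon -ResultSize 100
$hits | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

An empty result in step 4 right after enabling is expected, since the post notes that events can take up to 24 hours to appear.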

Configure Azure AD

Go to Azure AD Portal
Choose Azure AD > Properties
Copy Directory ID (to configure on SIEM)

Then create an application in Azure AD that is allowed to work with the Management API:

Go to App registrations, choose New application registration, type the information for your SIEM including the Sign-on URL, and save the settings.

Then open the App registration and copy your Application ID (you will need it together with your client key).

Choose Keys from API ACCESS.

Create your Client Key for your Application ID and provide an expiration date
(this can be done only once; afterwards the key value is hidden).


The next step is to select the API and grant permissions:

From API ACCESS choose Required permissions.

Choose Add.

Select the Office 365 Management APIs.

Then Grant permissions.

Set the permissions based on your needs.




Once you have finished the basic configuration in the cloud, you need to take these values (Directory ID, Application ID and Client Key) and configure them on your SIEM solution, whether it is McAfee, ArcSight or any other SIEM solution.
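As an added example that is not part of the original post, this is what the SIEM side does with those three values against the Office 365 Management Activity API (token, subscription, content pull); the GUIDs and key are placeholders, and the app registration is assumed to hold the ActivityFeed.Read application permission on the Office 365 Management APIs:

```powershell
# Added example: pull audit records the way a SIEM connector does.
# Placeholders below: Directory ID, Application ID and the Client Key created once under Keys.
$TenantId  = '00000000-0000-0000-0000-000000000000'   # Azure AD > Properties > Directory ID
$ClientId  = '11111111-1111-1111-1111-111111111111'   # App registration > Application ID
$ClientKey = '<client key - load from a vault, never hard-code in production>'
$Resource  = 'https://manage.office.com'

# 1. Client-credentials token: the app authenticates as itself, no user sign-in.
$tok = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientKey
    resource      = $Resource
}
$hdr  = @{ Authorization = "Bearer $($tok.access_token)" }
$feed = "$Resource/api/v1.0/$TenantId/activity/feed/subscriptions"

# 2. One subscription per content type; start only those not already enabled.
$types   = 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'Audit.General'
$enabled = @(Invoke-RestMethod -Headers $hdr -Uri "$feed/list" |
             Where-Object { $_.status -eq 'enabled' } | ForEach-Object { $_.contentType })
foreach ($ct in $types) {
    if ($ct -notin $enabled) {
        Invoke-RestMethod -Method Post -Headers $hdr -Uri "$feed/start?contentType=$ct" | Out-Null
    }
}

# 3. List content blobs for the last 24 hours (the API caps one query at 24h, within the
#    last 7 days) and fetch the records inside each blob. First page only; a real connector
#    would follow the NextPageUri response header.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$fmt   = 'yyyy-MM-ddTHH:mm:ss'
$records = foreach ($ct in $types) {
    $uri   = "$feed/content?contentType=$ct&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
    $blobs = Invoke-RestMethod -Headers $hdr -Uri $uri
    foreach ($b in $blobs) { Invoke-RestMethod -Headers $hdr -Uri $b.contentUri }
}

# 4. Normalize on the common-schema fields every record carries before shipping to the SIEM.
$records | Select-Object CreationTime, RecordType, Operation, UserId, ClientIP, Workload |
    Sort-Object CreationTime | Format-Table -AutoSize
```

Each blob in step 3 is a JSON array of records; the common-schema fields selected in step 4 are present on every content type, while workload-specific fields (for example Exchange mailbox properties) vary by RecordType.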

In summary, this first article focused on a short introduction to the Microsoft Cloud APIs and the way to integrate them with SIEM solutions.
The next article will cover other APIs and the way to receive data for analysis.
