Microsoft Cloud and SIEM Integration (Audit log search)
In today's cloud world we have a huge, practically unlimited amount of information about our organization: identities, locations, applications, security events and much more.
This information can bring many benefits, but no team can read every event that users or systems generate and process each one by hand.
The Microsoft Cloud (Office 365, Azure and other services) holds an enormous amount of data about every action performed in those systems, and lets us analyze the information that belongs to our own tenant.
When we work with the Microsoft Cloud, for example with Office 365, we get a lot of data about each action: user actions, security incidents and admin activity. In many situations we need to know whether a user performed suspicious actions, or simply what is happening in our environment.
For example, Office 365 Security & Compliance lets us use Audit log search to view user activity,
or to see changes in role administration (for example, a user being added to an admin role).
Of course, Audit log search has many more search parameters and activity types, and that is only Audit log search.
Besides Audit log search, the Microsoft Cloud offers many other ways and products to view information such as user details, anomalous behavior, activities and much more.
Some of these tools and products are included in your existing license; others are not free (unless you have the SPE E5 license, which includes everything you need, especially for security; I hope that is the case for you).
Microsoft Graph APIs
Each organization handles this information differently. Some work with a SIEM, some use the built-in tools in the Microsoft Cloud services, and some use additional third-party products to handle the information.
One of my favorite systems for working with such large volumes of information is Log Analytics, part of Microsoft OMS. It brings useful tools and many ways to handle high-volume data, and specifically security information, for incident management, compliance, data flow and more.
General view from the Log Analytics dashboard
Another example is the Azure AD Sign-in logs, which provide information about the usage of managed applications and user sign-in activity.
Of course, many other products provide important and critical information, such as Windows Defender ATP, Cloud App Security and Office 365 Cloud App Security.
All of this information, tools and products are built on top of the same platforms: Microsoft Graph and the Office 365 Management APIs. The general platforms to work with are:
Microsoft Graph: a platform that connects multiple services and devices and works with the data of millions of users in the Microsoft cloud. You can use Microsoft Graph to build apps that connect to a wealth of resources, relationships and intelligence, all through a single endpoint.
Microsoft Intelligent Security Graph: a platform that collects trillions of signals about security threats, advanced attacks and risks across the Microsoft Cloud. Its processing includes machine learning, big-data analytics, advanced security analytics and more.
Office 365 Management APIs: a single extensibility platform for all Office 365 customers' and partners' management tasks, including service communications, security, compliance, reporting and auditing. The APIs also deliver a cohesive platform experience, with REST APIs built consistently, including URL naming, data format and authentication.
Note: there are other APIs that aren't described here.
Data that can be audited in Office 365:
- Exchange: admin activity, end-user (mailbox) activity, and more
- OneDrive: admin activity, file activity, and more
- SharePoint: file activity, sharing activity, and more
- Security & Compliance Center: user and admin activity
- Azure AD: Office 365 logins, directory activities, and more
- Power BI: admin activity
Some of these audit settings are enabled by default, such as admin activity auditing in Exchange Online, but others, like mailbox (end-user) auditing, must be turned on manually, per mailbox.
You don't have to use the Office 365 built-in applications to interpret or use the collected data. You can pull the data out through the Management Activity API and use it as you need; 300+ applications from Microsoft partners use this API.
Once auditing is enabled, the unified audit log collects the events from all the Microsoft Cloud services, from Exchange to Azure AD, in one place, and you can query them from the Security & Compliance portal in Office 365.
Audit log entries are kept for 90 days. Note that it can take up to 24 hours after an event occurs for it to appear in an audit search, so the SIEM should not expect real-time delivery.
Audit log search and SIEM Integration
To connect a SIEM system to Office 365 Audit log search and receive user and admin activity, three things are needed:
- Enable Audit log search
- Configure Azure AD
- Configure the SIEM system (on-premises or cloud solution)
Enable Audit log search
- Go to the Security & Compliance portal.
- Choose Search & investigation, then Audit log search.
- Choose "Start recording user and admin activities", then Turn on.
Make sure audit log search is enabled and actually returns results before you connect the SIEM.
You can also enable audit log search, or check whether it is enabled, from PowerShell.
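The PowerShell route, as an added example that is not part of the original article: it checks and enables the unified audit log, turns on the mailbox auditing the text says is off by default, and then runs a search to confirm that events (including role-administration changes) are coming back. It assumes the ExchangeOnlineManagement module is installed and the account used holds a role that can read and change the audit configuration; the cmdlets themselves are the real Exchange Online ones.

```powershell
# Added example, not from the original article.
# Assumes: ExchangeOnlineManagement module installed; the signed-in account
# can manage the audit configuration (e.g. Organization Management role).

Connect-ExchangeOnline   # the audit log configuration lives in Exchange Online

# 1. Check whether unified audit log ingestion is on; enable it if not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log is OFF - enabling it'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
else {
    Write-Host 'Unified audit log is already ON'
}

# 2. Mailbox (end-user) auditing is per mailbox and off by default:
#    enable it on every user mailbox that still has it off, keep records 180 days.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180.00:00:00

# 3. Verify the log returns data: the last 24 hours of Azure AD logon and
#    directory events, the same records the portal's Audit log search shows.
$end   = Get-Date
$start = $end.AddDays(-1)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -RecordType AzureActiveDirectoryStsLogon, AzureActiveDirectory `
              -ResultSize 5000

$events |
    Select-Object CreationDate, UserIds, Operations, RecordType |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize

# 4. Role-administration changes are the first thing a SIEM should alert on.
#    AuditData is a JSON string; expand it to get the actor and result.
$events |
    Where-Object { $_.Operations -like 'Add member to role*' } |
    ForEach-Object {
        $_.AuditData | ConvertFrom-Json |
            Select-Object CreationTime, UserId, Operation, ObjectId, ResultStatus
    }
```

If step 3 returns nothing although the portal shows events, the account is missing the View-Only Audit Logs or Audit Logs role in Exchange Online; if it returns nothing at all shortly after step 1, wait, because newly enabled auditing needs time before the first events become searchable.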
Configure Azure AD
- Go to the Azure AD portal.
- Choose Azure Active Directory > Properties.
- Copy the Directory ID (this is the tenant ID you will configure on the SIEM).
Then create an application in Azure AD that is allowed to work with the Management API:
- Go to App registrations, choose New application registration, enter the information for your SIEM (name, application type and Sign-on URL) and save the settings.
- Open the new app registration and copy the Application ID (this is the client ID for the SIEM).
- Under API ACCESS choose Keys.
- Create a key for the SIEM: give it a description and an expiration date, then save.
- Copy the key value immediately; it is shown only once and is hidden after you leave the page. This value is the client secret (client key) for the SIEM.
The next step is to select the API and grant permissions:
- Under API ACCESS choose Required permissions.
- Select the Office 365 Management APIs.
- Choose the permissions you need (for reading the activity feed, the application permission ActivityFeed.Read).
- Choose Grant permissions; application permissions need an administrator's consent before the SIEM can use them.
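What the SIEM does with those three values, shown as an added PowerShell example that is not part of the original article and not any vendor's connector code: it obtains a client-credentials token for the Office 365 Management Activity API, starts the audit subscriptions, lists the content produced in the last 24 hours, downloads it and normalises the records. The tenant ID, application ID and key below are placeholders; the endpoints and content types are the real ones for the Management Activity API, and the app is assumed to hold the ActivityFeed.Read application permission with admin consent granted.

```powershell
# Added example, not from the original article.
# Assumes: the app registration above exists with ActivityFeed.Read granted.
# The three values are placeholders; replace them with your own.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # Directory ID
$ClientId     = '11111111-1111-1111-1111-111111111111'   # Application ID
$ClientSecret = 'paste-the-key-value-here'               # client key (secret)
$Api          = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# 1. Client-credentials token for the manage.office.com resource (Azure AD v1 endpoint).
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://manage.office.com'
    }
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 2. A subscription must exist per content type before any content is produced.
#    Starting one that already exists returns an error, which is safe to ignore.
$contentTypes = 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.SharePoint', 'Audit.General'
foreach ($ct in $contentTypes) {
    try {
        Invoke-RestMethod -Method Post -Headers $headers `
            -Uri "$Api/subscriptions/start?contentType=$ct" | Out-Null
    }
    catch {
        Write-Warning "subscriptions/start ${ct}: $($_.Exception.Message)"
    }
}

# 3. List the content blobs created in the last 24 hours (the largest window the
#    API accepts per call) and download each one. A blob is a JSON array of
#    audit records. Long listings continue via the NextPageUri response header;
#    that paging is left out here to keep the example short.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)
$fmt   = 'yyyy-MM-ddTHH:mm:ss'

$records = foreach ($ct in $contentTypes) {
    $listUri = "$Api/subscriptions/content?contentType=$ct" +
               "&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"
    $blobs = Invoke-RestMethod -Method Get -Headers $headers -Uri $listUri
    foreach ($blob in $blobs) {
        # contentUri points at the blob; the same bearer token is required to fetch it.
        Invoke-RestMethod -Method Get -Headers $headers -Uri $blob.contentUri
    }
}

# 4. Keep the fields a SIEM parser keys on and write them out; then surface the
#    two things the article singles out: role changes and failed logons.
$records |
    Select-Object CreationTime, Workload, RecordType, Operation, UserId, ClientIP, ResultStatus |
    Sort-Object CreationTime -Descending |
    Export-Csv -Path .\o365-audit.csv -NoTypeInformation

$records |
    Where-Object { $_.Operation -like 'Add member to role*' -or $_.Operation -eq 'UserLoginFailed' } |
    Format-Table CreationTime, Workload, Operation, UserId, ClientIP -AutoSize
```

Two practical points the script makes visible: the secret is a bearer credential to the whole tenant's audit feed, so it belongs in the SIEM's credential store, not in a script file; and because content appears with the delay noted earlier, a collector should overlap its time windows and de-duplicate on the record `Id` rather than assume each run sees only new events.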
Once you have finished the basic configuration in the cloud, take these three values (Directory ID, Application ID and client key) and configure them in your SIEM solution, whether it is McAfee, ArcSight or any other SIEM.
In summary, this first article gave a short introduction to the Microsoft Cloud APIs and the way to integrate them with SIEM solutions.
The next article will cover other APIs and the ways to retrieve data for analysis.