Microsoft has a lot of options to view Azure log data in one form or another. There is the Security Center, Azure Sentinel, Log Analytics, and Insights. This is fine for an Azure-centric organization, but many organizations already have log collection systems in place such as Splunk, and using multiple logging platforms is not efficient. This article walks through sending Azure AD and Office 365 logs to Splunk.
Splunk is a leading log management solution used by many organizations. This article and accompanying video explain how to send log data from Azure AD and O365 to Splunk. The log data includes Azure AD Audit and Login activity, Exchange Online, SharePoint, Teams, and OneDrive.
This article uses the Splunk Add-on for Microsoft Office 365 to collect log data from Azure AD and O365. Once that’s in place, the Microsoft 365 App for Splunk is used to visualize the log data.
The steps to send O365 log data to Splunk include:
- Add the Splunk Add-on for Microsoft Office 365
- Turn on Office 365 Audit Logging
- Create the Application in Azure AD
- Configure the Splunk Add-on for Microsoft Office 365
- Verify Logging
- Add the Microsoft 365 App for Splunk Add-on
Add the Splunk Add-on for Microsoft Office 365
I start with a clean install of Splunk for this example. I’m using the free download options available at Splunk.com. If you are following along with a new install, remember to open port 8000 on the server firewall to access the admin web page from other computers.
From the Splunk admin page, go to +Find More Apps.
Search for Splunk Add-on for Microsoft Office 365 and click Install to install the Add-on.
Enter your Splunk.com username and password to install the add-on. When prompted, restart the Splunk application. It will take a couple of minutes for the service to restart.
Log back in and go to the home screen. You should see a new App called Splunk Add-on for Microsoft Office 365. Click on that to view the settings.
From inside the new App, click on Tenant, and Add Tenant to view the required settings.
Notice this page requires the Tenant ID, Client ID, and a Client Secret. We will get this information in a couple of steps. First, let’s make sure logging is configured on the tenant.
Turn on Office 365 Audit Logging
Office 365 logging is not always enabled by default on a tenant. To verify it’s enabled, log into the Office 365 Admin portal at https://admin.microsoft.com as a Global Administrator. Expand Show all to view all the services.
Select Security to go to the Security and Compliance Center. Next, expand Search and click on Audit Log Search.
If you see an image like the one below, click Turn on Auditing to enable audit log collection. If you don’t see an image like the one below, audit logging is already enabled.
Close the Office Portals when finished.
Create the Application in Azure AD
In this step, we create the Azure AD Application. An Azure AD Application is not what you would traditionally think of as an application. It’s the representation of an application that will access Azure AD. It’s similar to a Service Account in Windows.
Go to the Azure portal and go to Azure AD, App Registrations, and click New Registration.
Give the App a name and add a Redirect URI. The URI is not used and can point to https://localhost.
Next, go to API Permissions and Add a Permission to configure access to the API.
Click on the Office 365 Management APIs box.
Go to Application Permissions.
Expand and select each permission. This gives the App read permission to all the log files Splunk will collect. Click Add Permissions when finished.
The permissions require admin consent to take effect. Click Grant Admin consent for “Tenant” to continue. Notice that some permissions have the status of not granted. These are duplicates; log collection will work with the permissions that were granted.
Next, go to Overview in the App Registration. Make a note of the Application (Client) ID and Directory (Tenant) ID. Both of these IDs are needed to configure Splunk in an upcoming step.
The Splunk Add-on also needs a secret to authenticate the App to Azure AD. Go to Certificates & Secrets and click on New Client Secret.
Select the desired expiration for the secret and add a description. Note that log collection will stop when the password expires and a new secret will need to be created. Click Add when finished.
A value for the new secret displays. Copy this value and keep it someplace safe. You will not be able to access this value after exiting the window. You can create another secret, but not view an existing one.
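Before entering the three values into Splunk, you can check that they work the same way the add-on will use them: a client-credentials token request for the Office 365 Management APIs, followed by a call to the activity-feed subscription list. This is an added example, not code from the article or from the Splunk add-on; the tenant, client and secret values in the usage block are placeholders, and the `send` parameter exists only so the call can be exercised without network access.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoints used by the client-credentials flow for the Office 365 Management APIs
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SUBS_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/list"
SCOPE = "https://manage.office.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Build the token request made with the Tenant ID, Client ID and Client Secret."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")


def send_json(req):
    """Default transport: perform the request and decode the JSON body, also for 4xx replies."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return json.load(err)
        except ValueError:
            return {"error": f"HTTP {err.code}"}


def verify_app_registration(tenant_id, client_id, client_secret, send=send_json):
    """Return {contentType: status} for the tenant's audit subscriptions, or raise with the
    error text so a wrong secret or missing admin consent is visible before configuring Splunk."""
    token_reply = send(build_token_request(tenant_id, client_id, client_secret))
    if "access_token" not in token_reply:
        raise RuntimeError(f"token request failed: {token_reply.get('error_description', token_reply)}")
    req = urllib.request.Request(
        SUBS_URL.format(tenant=tenant_id),
        headers={"Authorization": f"Bearer {token_reply['access_token']}"},
    )
    reply = send(req)
    if isinstance(reply, dict) and "error" in reply:  # e.g. ActivityFeed.Read not consented
        raise RuntimeError(f"subscriptions/list failed: {reply['error']}")
    return {sub["contentType"]: sub["status"] for sub in reply}


if __name__ == "__main__":
    # Placeholders: replace with the Tenant ID, Client ID and secret from the App Registration
    print(verify_app_registration("<tenant-id>", "<client-id>", "<client-secret>"))
```

A content type that shows status "disabled" is one the add-on will start a subscription for; an error mentioning the permission name points back to the Grant Admin consent step.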
Configure the Splunk Add-on for Microsoft Office 365
Now that the App Registration is set up and we have the values needed, we can configure the Splunk Add-on for Microsoft Office 365.
From Splunk, go to the Splunk Add-on for Microsoft Office 365, Tenant, and select Add Tenant.
You will see the Add Tenant box, as shown below. Add a Name, select the Endpoint (Government or Worldwide), and add the Tenant ID, Client ID, and Client Secret from the previous step. Click Add when finished.
The Tenant tab should look like below when finished.
Once that’s finished, go to Input. This configures the logs that are collected by Splunk. Go to Add Input and start with Management Activity.
Give the log a name, select the Tenant that was configured in the previous step, the content type, and set the index to Main. Once finished, click Add.
Repeat the above step for each Input type and content type. Skip log files if they are not needed. Once finished, the Input screen will look similar to below.
Log data will become available shortly after configuring the tenant and Inputs. Go to the Splunk home page and go to Search & Reporting. I have limited experience with searching in Splunk, but the two commands below should return Azure AD Data if log collection is set up correctly.
Return everything from the “Main” index:
The above command returns a lot of data. Use the command below to filter out some of the noise and format the return into an easier format to read.
index="main" sourcetype="o365:management:activity" | search Operation!="UserLoggedIn" AND Operation!="TeamsSessionStarted" | table CreationTime,Operation,Workload
Notice that the Operation and Workload columns indicate multiple event types and log source files.
At this point, logging from Azure AD and O365 to Splunk is working. Log collection is not real-time. It can take 20 minutes or longer for data to show in the results.
Add the Microsoft 365 App for Splunk Add-on
The last item is to add the Microsoft 365 App for Splunk. Go to the Splunk home page and click on +Find More Apps. Search for Microsoft 365. Click Install for the Microsoft 365 App for Splunk.
Click Done once finished. The Microsoft 365 App for Splunk requires three other add-ons, listed below, to function correctly. Visit this link for details: https://splunkbase.splunk.com/app/3786/#/details
Search and add the three add-ons to finish the Microsoft 365 app for Splunk install.
- Sankey Diagram
- Semicircle Donut
Once finished, go to the Microsoft 365 App for Splunk from the Splunk home page. From here, navigate to find different visualizations of your organizational data.
I hope this was helpful. Thanks for visiting my blog!
11 thoughts on “Use Splunk to Collect Logs from Office 365 and Azure AD”
Great guide friend, helpful & simple. However I found that there’s one piece missing at the end:
Once the M365 app is installed, it calls to a macro.conf file in $SPLUNKHOME/etc/apps/microsoft_cloud_app/default/ where you need to change the stanza from:
definition = ""
to:
definition = index = "main"
and to best practice, create a local directory and place the macros file there once done. Then restart splunk and it should work.
Thanks for sharing that. As I mentioned, my knowledge of Splunk is limited. It seemed to work well as demoed in the video but data collection was limited.
https://splunkbase.splunk.com/app/4994/#/details Have you ever tried working on this add-on? This add-on is required for Microsoft Teams logs, but it requires a webhook, for which I am not getting a clear answer about what needs to be done to create it and make it work with the add-on. Any input on this will be really appreciated.
Sorry, I’m not familiar with that one.
Can’t thank you enough for this article, it contained a couple of steps that other articles missed. I now have logs.
Thanks, Glad to hear that!
We are setting up “Splunk Add-on for Microsoft Office 365” to pull the event logs from our global tenant. But this is a shared tenant and has data from multiple domains; we would like to pull data only relevant to our domain and restrict other domains. Please let us know if we could achieve this.
You could filter the events at the props/transforms level.
Your instructions show adding 1 API role, ThreatIntelligence.read. I cannot find this in any API.
The new version of the Office365 add-on, v2.1.0, has 2 new inputs.
Graph API and Cloud application security.
* created a couple of new inputs using Graph API/SharePointSiteUsageDetail but no data is being ingested.
Does something on the Office365 environment have to be enabled to get that data?