Use Splunk to Collect Logs from Office 365 and Azure AD

Microsoft has a lot of options to view Azure log data in one form or another. There is the Security Center, Azure Sentinel, Log Analytics, and Insights.  This is fine for an Azure centric organization, but many organizations already have log collection systems in place such as Splunk, and using multiple logging platforms is not efficient.  This article walks through sending Azure AD and Office 365 logs to Splunk.

Splunk is a leading log management solution used by many organizations.  This article and accompanying video explain how to send log data from Azure AD and O365 to Splunk.  The log data includes Azure AD Audit and Login activity, Exchange Online, SharePoint, Teams, and OneDrive. 

This article uses the Splunk Add-on for Microsoft Office 365 to collect log data from Azure AD and O365.  Once that’s in place, the Microsoft 365 App for Splunk is used to visualize the log data.

The steps to send O365 log data to Splunk include:

  • Add the Splunk Add-on for Microsoft Office 365
  • Turn on Office 365 Audit Logging
  • Create the Application in Azure AD
  • Configure the Splunk Add-on for Microsoft Office 365
  • Verify Logging
  • Add the Microsoft 365 App for Splunk Add-on

Add the Splunk Add-on for Microsoft Office 365

I start with a clean install of Splunk for this example.  I’m using the free download options available at Splunk.com. If you are following along with a new install, remember to open port 8000 on the server firewall to access the admin web page from other computers.

From the Splunk admin page, go to +Find More Apps

Find More Apps

Search for Splunk Add-on for Microsoft Office 365 and click Install to install the Add-on

Splunk Add-on for Microsoft Office 365

Enter your Splunk.com username and password to install the add-on.  When prompted, restart the Splunk application.  It will take a couple of minutes for the service to restart.

Restart Required

Log back in and go to the home screen.  You should see a new App called Splunk Add-on for Microsoft Office 365.  Click on that to view the settings.

New Splunk Office 365 App

From inside the new App, click on Tenant, and Add Tenant to view the required settings.

Add New Tenant

Notice this page requires the Tenant ID, Client ID, and a Client Secret.  We will get this information in a couple of steps.  First, let’s make sure logging is configured on the tenant.

Turn on Office 365 Audit Logging

Office 365 logging is not always enabled by default on a tenant.   To verify it’s enabled, log into the Office 365 Admin portal at https://admin.microsoft.com as a Global Administrator.  Expand Show all to view all the services. 

Select Security to go to the Security and Compliance Center.  Next, expand Search and click on Audit Log Search.

Audit Log Search

If you see an image like the one below, click Turn on Auditing to enable audit log collection.  If you don’t see an image like the one below, audit logging is already enabled. 

Turn on Audit Log Search

Close the Office Portals when finished.

Create the Application in Azure AD

In this step, we create the Azure AD Application. An Azure AD Application is not what you would traditionally think of as an application.  It’s the representation of an application that will access Azure AD.  It’s similar to a Service Account in Windows.

Go to the Azure portal and go to Azure AD, App Registrations, and click New Registration.

New Registration

Give the App a name and add a Redirect URI.  The URI is not used and can point to https://localhost.

Register an Application

Next, go to API Permissions and Add a Permission to configure access to the API.

Add API Permission

Click on the Office 365 Management APIs box.

Office 365 Management API

Go to Application Permissions.

Application Permissions

Expand and select each permission.  This gives the App read permission to all the log files Splunk will collect. Click Add Permissions when finished.

Log API Read Access

The permissions require admin consent to take effect.  Click Grant Admin consent for “Tenant” to continue.  Notice that some permissions still have the status of not granted.  These are duplicates; log collection will work with the permissions that were granted.

Grant Admin Consent

Next, go to Overview in the App Registration.  Make a note of the Application (Client) ID and Directory (Tenant) ID.  Both of these IDs are needed to configure Splunk in an upcoming step.

Client and Tenant ID

The Splunk Add-on also needs a secret to authenticate the App to Azure AD.  Go to Certificates & Secrets and click on New Client Secret.

Select the desired expiration for the secret and add a description.  Note that log collection will stop when the secret expires, and a new secret will need to be created and entered in Splunk.  Click Add when finished.

Add a Client Secret

A value for the new secret displays.  Copy this value and keep it someplace safe.  You will not be able to access this value after exiting the window.  You can create another secret, but you cannot view an existing one.

Secret Value
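Before entering the Tenant ID, Client ID, and Client Secret into Splunk, it is worth confirming that the three values actually work together and that the secret is not about to expire. The script below is an added example, not code from this post or from the Splunk add-on; it performs the same OAuth 2.0 client-credentials exchange against the Office 365 Management API that the add-on makes internally. It assumes the Worldwide cloud endpoints (login.microsoftonline.com and the manage.office.com scope); the add-on's Government endpoint uses different hosts that this example does not cover. The `post` parameter is injectable so the request-building logic can be checked without network access.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from datetime import date

# Worldwide-cloud endpoints (assumption: the add-on's "Government" endpoint
# uses different hosts, which this example does not cover).
LOGIN_HOST = "https://login.microsoftonline.com"
MANAGEMENT_SCOPE = "https://manage.office.com/.default"

# Both the Directory (Tenant) ID and the Application (Client) ID are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value: str) -> bool:
    """Cheap sanity check that catches a secret pasted into an ID field."""
    return bool(GUID_RE.match(value))


def days_until_expiry(expires_on: str, today: str) -> int:
    """Days left on a client secret (ISO dates). Log collection stops once
    this reaches zero, so alert on it well before then."""
    return (date.fromisoformat(expires_on) - date.fromisoformat(today)).days


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """URL and form fields for the client-credentials token request made
    with the three values entered under Add Tenant."""
    if not (is_guid(tenant_id) and is_guid(client_id)):
        raise ValueError("Tenant ID and Client ID must both be GUIDs")
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/v2.0/token"
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MANAGEMENT_SCOPE,
    }
    return url, fields


def http_post_form(url: str, fields: dict) -> dict:
    """Real transport: POST a form body and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Azure AD returns a JSON error body on a bad secret or missing consent.
        return json.load(err)


def fetch_token(tenant_id, client_id, client_secret, post=http_post_form) -> str:
    """Exchange the secret for a bearer token. `post` is injectable so the
    logic can be exercised offline."""
    url, fields = build_token_request(tenant_id, client_id, client_secret)
    reply = post(url, fields)
    if "access_token" not in reply:
        raise RuntimeError(reply.get("error_description", str(reply)))
    return reply["access_token"]


if __name__ == "__main__":
    import os
    # Real run: export TENANT_ID, CLIENT_ID and CLIENT_SECRET from the
    # App Registration first (placeholders; values come from your tenant).
    token = fetch_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                        os.environ["CLIENT_SECRET"])
    print("token acquired, length", len(token))
```

A successful token reply confirms the App Registration, admin consent, and secret are all in order; an `error_description` mentioning an invalid client secret or missing consent points back to the Certificates & Secrets or API Permissions steps above.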

Configure the Splunk Add-on for Microsoft Office 365

Now that the App Registration is set up and we have the values needed, we can configure the Splunk Add-on for Microsoft Office 365. 

From Splunk, go to the Splunk Add-on for Microsoft Office 365, Tenant, and select Add Tenant.

You will see the Add Tenant box, as shown below.  Add a Name, select the Endpoint (Government or Worldwide), and add the Tenant ID, Client ID, and Client Secret from the previous step.  Click Add when finished.

Add Tenant Setup

The Tenant tab should look like below when finished.

Finished Tenant Setup

Once that’s finished, go to Input.  This configures the logs that are collected by Splunk.  Go to Add Input and start with Management Activity.

Add Management Activity

Give the log a name, select the Tenant that was configured in the previous step, the content type, and set the index to Main. Once finished, click Add.

Add Management Activity Input

Repeat the above step for each Input type and content type.  Skip log files if they are not needed.  Once finished, the Input screen will look similar to below.

Add All Input Types

Verify logging

Log data will become available shortly after configuring the tenant and Inputs.  Go to the Splunk home page and go to Search & Reporting.  I have limited experience with searching in Splunk, but the two commands below should return Azure AD Data if log collection is set up correctly.

Return everything from the “Main” index:

index="main"

The above command returns a lot of data.  Use the command below to filter out some of the noise and format the return into an easier format to read.

index="main" sourcetype="o365:management:activity" | search Operation!="UserLoggedIn" AND Operation!="TeamsSessionStarted"| table CreationTime,Operation,Workload

Notice that the Operation and Workload columns show multiple event types and log sources.

Search Results

At this point, logging from Azure AD and O365 to Splunk is working.  Log collection is not real-time.  It can take 20 minutes or longer for data to show in the results.
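To show what the verification search above is doing, here is an added example (not code from the post or from the Splunk add-on) that applies the same filter to a handful of constructed o365:management:activity events offline. The sample events are made up to match the Management Activity field names and are not from a real tenant. Beyond the post's search it also counts events per Workload, which confirms that each configured Input is delivering, and measures how far the newest event lags behind the current time, since the post notes that 20 minutes or more is normal.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like o365:management:activity records;
# not captured from a real tenant.
SAMPLE_EVENTS = [
    '{"CreationTime":"2021-05-01T12:00:10","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"alice@example.com"}',
    '{"CreationTime":"2021-05-01T12:05:00","Operation":"FileAccessed","Workload":"SharePoint","UserId":"alice@example.com"}',
    '{"CreationTime":"2021-05-01T12:07:30","Operation":"TeamsSessionStarted","Workload":"MicrosoftTeams","UserId":"bob@example.com"}',
    '{"CreationTime":"2021-05-01T12:09:00","Operation":"Add user.","Workload":"AzureActiveDirectory","UserId":"admin@example.com"}',
    '{"CreationTime":"2021-05-01T12:11:45","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"admin@example.com"}',
]

# The two high-volume operations the post's search excludes.
NOISY_OPERATIONS = {"UserLoggedIn", "TeamsSessionStarted"}


def parse_events(lines):
    """Each event arrives as one JSON object; Splunk auto-extracts its fields."""
    return [json.loads(line) for line in lines]


def filtered_table(events):
    """Equivalent of:
    search Operation!="UserLoggedIn" AND Operation!="TeamsSessionStarted"
    | table CreationTime,Operation,Workload"""
    return [(e["CreationTime"], e["Operation"], e["Workload"])
            for e in events if e.get("Operation") not in NOISY_OPERATIONS]


def workload_counts(events):
    """One entry per workload confirms every configured Input is delivering."""
    return Counter(e["Workload"] for e in events)


def collection_lag_minutes(events, now_iso):
    """Minutes between the newest event and `now_iso`. Around 20 minutes is
    expected; a far larger gap suggests a stalled Input or expired secret."""
    newest = max(datetime.fromisoformat(e["CreationTime"]) for e in events)
    return (datetime.fromisoformat(now_iso) - newest).total_seconds() / 60


def render(rows):
    """Fixed-width rendering of the table rows, like Splunk's table view."""
    return "\n".join(f"{t:<20} {op:<22} {wl}" for t, op, wl in rows)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(render(filtered_table(evts)))
    print(dict(workload_counts(evts)))
    print("lag (min):", collection_lag_minutes(evts, "2021-05-01T12:41:45"))
```

Running it against a file of events exported from Splunk (one JSON object per line) gives the same three-column table as the search, plus a quick view of which workloads are actually arriving.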

Add the Microsoft 365 App for Splunk Add-on

The last item is to add the Microsoft 365 App for Splunk.  Go to the Splunk home page and click on +Find More Apps.  Search for Microsoft 365.  Click Install for the Microsoft 365 App for Splunk.

Add Microsoft 365 App for Splunk

Click Done once finished.  The Microsoft 365 App for Splunk requires the three other add-ons listed below to function correctly.  Visit this link for details: https://splunkbase.splunk.com/app/3786/#/details

Search and add the three add-ons to finish the Microsoft 365 app for Splunk install.

  • Sankey Diagram
  • Timeline
  • Semicircle Donut

Once finished, go to the Microsoft 365 App for Splunk from the Splunk home page.  From here, navigate to find different visualizations of your organizational data.

Microsoft 365 App for Splunk

I hope this was helpful.  Thanks for visiting my blog!

4 thoughts on “Use Splunk to Collect Logs from Office 365 and Azure AD”

  1. Great guide friend, helpful & simple. However I found that there’s one piece missing at the end:

    Once the M365 app is installed, it calls to a macros.conf file in $SPLUNK_HOME/etc/apps/microsoft_cloud_app/default/ where you need to change the stanza from:

    [m365_default_index]
    definition = ""

    to:

    [m365_default_index]
    definition = index = "main"

    and to best practice, create a local directory and place the macros file there once done. Then restart Splunk and it should work.
