Configurations in Azure and Microsoft 365 Defender
The dependencies for this package are:
Microsoft 365™ plan (or Office 365 plan) with access to Microsoft 365 Defender
A new Event Hub
The LogScale Azure Event Hub Collector requires a Consumption Plan, as it runs as an Azure Function
LogScale repository and ingest token linked to the microsoft365 parser from the microsoft/microsoft365 package in the LogScale Marketplace
Logs are ingested into LogScale by configuring Microsoft 365 Defender™ to send them to an Event Hub and then using a LogScale-provided Azure Functions App to forward them from the Event Hub to LogScale.
Configuring Permissions in Azure
Go to https://portal.azure.com.
Go to→ → → → →
Click ReportingWebService.Read.All and, under Delegated, select ReportingWebService.Read.
Configure Microsoft 365 Defender Event Streaming
Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.
Go to Streaming API setting, configure the following:→ → and in the new
Name: Choose a name for your new settings.
Select Forward events to Event Hub.
Select the event types which you want to forward to the LogScale instance.
The dashboards in the package require at least the following data sets:
However, you may want to select additional data sets, or all of them, as they will be parsed and searchable within LogScale, and future versions may add dashboards that make use of the data.
Specify your Event Hub Resource ID by logging in to https://portal.azure.com and navigating to → → → Id
Then specify your Event Hub name.
We recommend you use a new Event Hub, as the LogScale Azure Event Hub Collector will forward all events from the Event Hub to LogScale.
Refer to the documentation for information on configuring the Streaming API.
Install and Configure LogScale Azure Event Hub Collector
The LogScale Azure Event Hub Collector is an Azure Function which collects the data from the Event Hub and forwards it to your LogScale service for ingest. It needs to be downloaded from GitHub (see below) and then uploaded into your Azure tenant, where it is configured and run.
Use of the Azure™ Function will incur usage charges according to your Azure pricing plan.
Download the latest ARM.json file from GitHub and save it locally.
Go to Azure Portal.
Search for Deploy a custom template.
Figure 295. Custom Template
Click the load file option and upload the ARM.json file saved earlier.
Figure 296. Load File
Enter the following configuration for the deployment in the screen shown below:
Figure 297. Configuration
Subscription - select the subscription plan to use for this deployment
Resource Group - select an existing resource group or add a new one if preferred
Function Name - provide a name e.g. LogScale
Eventhub Name - enter the Name for the Event Hub
LogScale Schedule (cron job scheduler) - enter a valid cron expression to determine how often the function is run (e.g. 0 */5 * * * * runs every 5 minutes); see the Microsoft documentation for details.
LogScale Host URL - enter the base URL of your LogScale service (e.g. cloud.us.humio.com).
LogScale Ingest Token - enter the ingest token that you assigned to the microsoft365 parser in LogScale.
Eventhub Connection String - enter the connection string of the event hub created for LogScale, which you can get from → → → Event hub instance created for LogScale → → (the shared access policy should provide at least Listen permission) → Select → Copy.
Figure 298. Complete
Consumer Group - enter the consumer group from → → → select the event hub instance created for LogScale → → → your consumer group name (we recommend you use a new consumer group for the LogScale Azure Function).
Figure 299. Groups
Click. Azure will validate the deployment and should indicate Validation Passed. Ensure you understand the terms and conditions.
Click. Various progress messages will display before the deployment is reported as complete, as in the screenshot below.
Figure 300. Complete
Now start the function app by going to the Azure portal and searching for Function App.
Select your function app name and start the function app to begin sending logs to LogScale.
From the function app, navigate to → logscale_azure_function → to check that you can see the events in the Monitor tab.
To debug and check logs, you can also use the Log Stream section.