Configurations in Azure and Microsoft 365 Defender

The dependencies for this package are:

  • Microsoft 365™ plan (or Office 365 plan) with access to Microsoft 365 Defender

  • A new Event Hub

  • The LogScale Azure Event Hub Collector requires a Microsoft Azure Consumption Plan as it runs as an Azure Function

  • LogScale repository and ingest token linked to the microsoft365 parser from the microsoft/microsoft365 package in the LogScale Marketplace

The ingest of logs to LogScale is achieved by using Microsoft 365 Defender™ to send the logs to an Event Hub and then using a LogScale provided Azure Functions App to forward the logs to LogScale.

Configuring Permissions in Azure
  1. Go to .

  2. Go to Azure AD → App registrations → API permissions → Add a permission → Office 365 Exchange Online → Application permissions.

  3. Select ReportingWebService.Read.All; under Delegated permissions, select ReportingWebService.Read.

Configure Microsoft 365 Defender Event Streaming
  1. Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.

  2. Go to Settings → Microsoft 365 Defender → Streaming API and, in the new Streaming API setting, configure the following:

    • Name: Choose a name for your new settings.

    • Select Forward events to Event Hub.

    • Select the Event-types which you want to forward into the LogScale Instance.

The dashboards in the package require at least the following data sets:

  • AlertInfo

  • EmailEvents

  • EmailURLInfo

  • URLClickEvents

  • CloudAppEvents

However, you may want to select additional data sets, or all of them, as they will be parsed and searchable within LogScale, and future versions of the package may add dashboards that make use of that data.

  1. Specify your Event Hub Resource ID, which you find by logging in and navigating to Event Hub namespace → Settings → Properties → Id.

  2. Then specify your Event-hub Name.

We recommend you use a new Event Hub, as the LogScale Azure Event Hub Collector will forward all events from the Event Hub to LogScale.

Refer to the Microsoft documentation for information on configuring the Streaming API.

Install and Configure LogScale Azure Event Hub Collector

The LogScale Azure Event Hub Collector is an Azure Function which collects the data from the Event Hub and forwards it to your LogScale service for ingest. It is downloaded from GitHub and then uploaded into your Azure tenant, where it is configured and run.


Use of the Azure™ function will incur usage charges according to your Azure pricing plan.

  1. Download the latest ARM.json file from GitHub and save it locally.

  2. Go to Azure Portal.

  3. Search for Deploy a custom template.

    Figure 295. Custom Template

  4. Click Load file and upload the ARM.json file.

    Figure 296. Load File

  5. Click Save.

  6. Enter the following configuration for the deployment on the screen shown below:


    Figure 297. Configuration

    • Subscription - select the subscription plan to use for this deployment

    • Resource Group - select an existing resource group or add a new one if preferred

    • Function Name - provide a name e.g. LogScale

    • Eventhub Name - enter the Name for the Event Hub

    • LogScale Schedule (Cron job scheduler) - enter a valid cron expression to determine how often the function runs (e.g. 0 */5 * * * * runs every 5 minutes); see the Microsoft documentation for details.

    • LogScale Host URL - enter the base URL of your LogScale service (e.g.

    • LogScale Ingest Token - enter the ingest token that you assigned to the microsoft365 parser in LogScale

    • Eventhub Connection String - enter the connection string of the event hub created for LogScale. You can get it from Event Hub Namespace → Entities → Event hubs → the event hub instance created for LogScale → Settings → Shared access policies → Add policy (grant at least the Listen permission) → select the created policy → copy Connection string-primary key.


      Figure 298. Complete

    • Consumer Group - enter the consumer group name from Event Hub Namespace → Entities → Event hubs → the event hub instance created for LogScale → Entities → Consumer groups → your consumer group name. We recommend you use a new consumer group for the LogScale Azure function.


      Figure 299. Groups

  7. Click Review + create. Azure will validate the deployment and should indicate that the Validation Passed. Ensure you understand the terms and conditions.

  8. Click Create. Various progress messages will display before it is indicated that the deployment is complete as in the below screenshot.


    Figure 300. Complete

  9. Now start the function app: in the Azure portal, search for Function App.

    • Select your function app name and click Start so the function app begins sending the logs to LogScale.

    • From the function app, navigate to Functions → logscale_azure_function → Monitor to check that you can see the events in the Monitor tab.

    • To debug and check logs, you can also use the Log Stream section.
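The values entered in step 6 (connection string, Eventhub Name, consumer group, schedule and Resource ID) are easy to get subtly wrong, for example by pasting the namespace-level RootManageSharedAccessKey connection string instead of a hub-scoped Listen policy. The following pre-deployment check is an added example, not part of the LogScale package or the Azure Function; all namespace, hub, policy and key values in it are constructed samples.

```python
import re

# Constructed sample values only (no real keys). Azure's default namespace policy
# RootManageSharedAccessKey carries Manage, Send and Listen; the collector only
# needs Listen on the one hub created for LogScale (step 6, Connection String).
OVERPRIVILEGED_POLICIES = {"rootmanagesharedaccesskey"}
NAMESPACE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.EventHub/namespaces/[^/]+$", re.I)
ENDPOINT_RE = re.compile(r"^sb://[a-z0-9-]+\.servicebus\.windows\.net/?$", re.I)


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict keyed by lower-cased names.
    partition() keeps the '=' padding inside the base64 SharedAccessKey intact."""
    parts = {}
    for segment in conn.strip().strip(";").split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed connection string segment: {segment!r}")
        parts[key.strip().lower()] = value.strip()
    return parts


def check_collector_config(conn, eventhub_name, consumer_group, cron, resource_id):
    """Return a list of findings; an empty list means the step 6 inputs look consistent."""
    findings = []
    p = parse_connection_string(conn)
    for required in ("endpoint", "sharedaccesskeyname", "sharedaccesskey"):
        if required not in p:
            findings.append(f"connection string is missing {required}")
    if "endpoint" in p and not ENDPOINT_RE.match(p["endpoint"]):
        findings.append(f"unexpected Endpoint value: {p['endpoint']!r}")
    if p.get("sharedaccesskeyname", "").lower() in OVERPRIVILEGED_POLICIES:
        findings.append("policy is the namespace Manage key; create a hub-scoped policy with Listen only")
    if "entitypath" not in p:
        findings.append("no EntityPath: policy is namespace-scoped, not created on the LogScale event hub")
    elif p["entitypath"] != eventhub_name:
        findings.append(f"EntityPath {p['entitypath']!r} does not match Eventhub Name {eventhub_name!r}")
    if consumer_group == "$Default":
        findings.append("use a dedicated consumer group for the collector rather than $Default")
    if len(cron.split()) != 6:  # Azure Functions uses six-field NCRONTAB (seconds first)
        findings.append("schedule must be a six-field NCRONTAB expression, e.g. '0 */5 * * * *'")
    if not NAMESPACE_ID_RE.match(resource_id):
        findings.append("resource ID should be the Event Hub namespace Id from Settings > Properties")
    return findings


if __name__ == "__main__":
    sample = ("Endpoint=sb://logscale-ns.servicebus.windows.net/;SharedAccessKeyName=logscale-listen;"
              "SharedAccessKey=AAAAexampleKeyExampleKeyExampleKey00=;EntityPath=logscale-hub")
    print(check_collector_config(sample, "logscale-hub", "logscale-cg", "0 */5 * * * *",
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.EventHub/namespaces/logscale-ns"))
```

Run it against your own values before clicking Review + create; every finding corresponds to one of the step 6 fields above.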