How-To: O365 Event Ingest into LogScale via Microsoft Graph (using pre-defined CrowdStream O365 Activity/Services)
Multiple types and sets of information can be pulled from Microsoft depending on the options configured and the permissions granted to the application/assigned user used to access Microsoft data.
You can use one of our integration options, such as packages, to ingest and parse Microsoft data; see Microsoft Corporation for more information.
CrowdStream / Cribl Stream supports receiving multiple types of Microsoft data, depending on which data type and option is selected:
Office 365 Activity
The Office 365 Management Activity API facilitates analyzing actions and events on Azure Active Directory, Exchange, and SharePoint, along with global auditing and Data Loss Prevention data.
For more information, see https://docs.cribl.io/stream/sources-office-365-activity/
In Azure Active Directory, the application representing your Cribl Stream instance must be granted the following permissions to pull data. Each permission's Type must be Application; Delegated is not sufficient:
ActivityFeed.Read — Required for all Content Types except DLP.All.
ActivityFeed.ReadDlp — Required for the DLP.All Content Type.
Office 365 Services
The Microsoft Graph service communications API facilitates analyzing the status and history of service incidents on multiple Microsoft cloud services, along with associated incident and Message Center communications. For details, see Microsoft's Overview of the Graph API.
For more information, see https://docs.cribl.io/stream/sources-office-365-services/
In Azure Active Directory, the application representing your Cribl Stream instance must be granted the following permissions to pull data. The permission Type for both must be Application; Delegated is not sufficient:
ServiceHealth.Read.All
ServiceMessage.Read.All
Office 365 Message Trace
Not covered in this walkthrough
This mail-flow metadata can be used to detect and report on malicious activity including bulk emails, spoofed-domain emails, and data exfiltration.
For more information, see https://docs.cribl.io/stream/sources-office365-msg-trace/
At a minimum, your Office 365 service account should include a role with Message Tracking and View Only Recipients permissions, assigned to the Office 365 user that will integrate with Cribl Stream. Assign these permissions in the Exchange admin center (https://admin.exchange.microsoft.com).
Overview for Collecting O365 Data into LogScale
Register Microsoft application, generate secret, and add permissions
Note
The client secret received from Microsoft Azure AD expires after the duration you select and must be rotated before then. When you rotate it, update the Client secret value in each CrowdStream O365 source that uses the app; otherwise token requests fail once the old secret expires and the pulls stop.
Add permissions for Microsoft Azure AD
Add permissions for Microsoft Defender for O365
For the LogScale use case, start the Microsoft content subscriptions (a CrowdStream/Cribl prerequisite that is done on the Microsoft side via a PowerShell script or curl commands)
Verify successful data connection via CrowdStream / CriblStream
Verify successful data ingest in LogScale
Step-by-Step Config (example for use with CrowdStream)
Login to portal.azure.com
Select Azure Active Directory on the left, then select App registrations
Click on New registration
Provide a name and leave the rest as default
Click the button at the bottom of the page to complete the registration
Navigate to Overview and copy the Application (client) ID and the Directory (tenant) ID; both are required when configuring the CrowdStream sources:
Select Endpoints and copy the OAuth 2.0 token endpoint URL:
Once it is created, navigate to API permissions
Click on Microsoft Graph
You should see an additional panel to allow for selection of permissions
Note that there are 2 types of permissions, Delegated and Application.
For the purpose of pulling audit logs, ensure you select Application Permissions
For Microsoft Azure AD permissions, search for audit and the matching AuditLog permissions should appear.
Click the Application permissions checkbox (Delegated is not sufficient per Cribl)
Select the checkbox for AuditLog.Read.All
For Microsoft Defender for O365, repeat the steps above for additional security events such as:
SecurityEvents.Read.All
SecurityAlert.Read.All
SecurityIncident.Read.All
For the permissions related to the data collection outlined in the CrowdStream docs (Office 365 Activity, Services and Message Trace, described at the top of this document), the following additional permissions can be added:
Location for Activity / Services permissions:
Under Microsoft Graph (for O365 Services info), the Service permissions must be of type Application; Delegated is not sufficient:
ServiceHealth.Read.All
ServiceMessage.Read.All
User.Read (the Delegated permission Azure AD adds to every new app registration by default; it is harmless, but it is not used by application-only access)
Under Office 365 Management APIs (for O365 Activity), all must be of type Application; Delegated is not sufficient:
ActivityFeed.Read
ActivityFeed.ReadDlp
ServiceHealth.Read
Click the button at the bottom of the page to add the selected permissions
You should now have the same setup as below, with a status showing each permission is Not granted
Select Grant admin consent for Default Directory (your tenant's directory name may appear in place of Default Directory) to grant consent; without admin consent, Application permissions stay Not granted and the sources will not be authorized to pull data
Example Applied Permissions for the App
Depending on the specific data to be collected, permissions for the new app will vary
In this example, permissions across both LogScale XDR pre-reqs as well as Cribl pre-reqs have been combined
Create a client secret so CrowdStream can authenticate to Microsoft and pull the logs
Navigate to Certificates & Secrets and create a new client secret
Click New client secret
Provide a description and an expiry date for the client secret
Click the button at the bottom of the page to create the secret
Copy the secret's Value (not its Secret ID) immediately, as it is shown only once; this is the Client secret entered in the CrowdStream sources later
Define / Configure Sources for O365 in CrowdStream
To access the list of O365 Source Options:
Log in to your CrowdStream / Cribl instance
For example, this can be a CrowdStream instance at a customer / POV, or it can be a Cribl eval instance you signed up for (both behave the same)
From the main CrowdStream / CriblStream page, click on Manage Stream
Click on the Worker Group which will be used
Typically in a POV / initial setup, the Worker Group will be called default
Click Data → Sources
In the upper-right of the screen, click in the Filter Sources field and search for 365
In a net-new setup, three results should display:
Office 365 Services
See https://docs.cribl.io/stream/sources-office-365-services/
Cribl Stream supports receiving data from the Microsoft Graph service communications API. This facilitates analyzing the status and history of service incidents on multiple Microsoft cloud services, along with associated incident and Message Center communications. For details, see Microsoft's Overview of the Graph API.
Office 365 Activity
See https://docs.cribl.io/stream/sources-office-365-activity/
Cribl Stream supports receiving data from the Office 365 Management Activity API. This facilitates analyzing actions and events on Azure Active Directory, Exchange, and SharePoint, along with global auditing and Data Loss Prevention data.
Office 365 Message Trace
See https://docs.cribl.io/stream/sources-office365-msg-trace/
Cribl Stream supports receiving Office 365 Message Trace data. This mail-flow metadata can be used to detect and report on malicious activity including bulk emails, spoofed-domain emails, and data exfiltration.
For this walkthrough, the permissions set earlier in this doc cover Office 365 Services and Office 365 Activity
The same app created in this doc (which has both sets of permissions needed) can be used with two different sources
Creating O365 Activity Source
To configure the O365 Activity Source:
After filtering on 365 for sources, click on the Office 365 Activity tile
In the upper-right of the page, click on "Add Source"
In the General Settings section, fill in the following values for the new source:
Input ID
Can be anything you want - just the name for the source in CrowdStream / CriblStream
For example:
o365_activity_internal_lab
Tenant ID
The Office 365 Azure Microsoft tenant ID for your environment
App ID
The Office 365 Azure Application ID for the newly created Microsoft app
Subscription plan
Leave the default of Office 365 Enterprise unless your tenant uses a different plan
Authentication method
Leave the default of Manual
Client secret
Enter the client secret value (not the Client secret ID) that was created in the Certificates & Secrets step earlier in this doc
In the Content Types section at the bottom of the page, click the Enabled slider depending on the types of data to be collected
Click on the Connected Destinations link at the bottom of the left nav panel
Click the QuickConnect option (from the default of Send to Routes)
For this walkthrough, we're passing data directly from the O365 pull to the LogScale destination:
When prompted about the change, click Yes
Click Save; the Status widget should update to show the new source
After saving the new change, in the upper-right part of the page, click Commit & Deploy to deploy the new configuration
Add a comment for the update
Click Commit and Deploy in the lower-right part of the popup
Enabling Microsoft Subscription to Generate Data the Activity Source Can Access
Note
The App Subscription kick-off is a requirement to start collection of data (O365 Activity) by CrowdStream/CriblStream
From Cribl documentation: https://docs.cribl.io/stream/sources-office-365-activity/#start-subscriptions
Content subscriptions (a different concept from the O365 subscription plans) are required in order for Cribl Stream / CrowdStream to be able to begin retrieving O365 data
There is a separate subscription required for each Content Type. If you are using an existing Azure-registered application ID that already has subscriptions started, then you can ignore this section. But if you are:
Using a newly registered application ID, and therefore never had any subscriptions started, or
Reusing an application ID that had subscriptions started, but are currently stopped
Then you will need to use this procedure to manually start the necessary subscriptions. The Cribl page provides two equivalent methods, using PowerShell or curl; this walkthrough uses PowerShell.
For example, the following content subscriptions are called out in the Cribl docs relative to collecting Microsoft Office 365 Activity logs
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All
Browse to a Windows host that can call PowerShell commands
From the Cribl page, https://docs.cribl.io/stream/sources-office-365-activity/#start-subscriptions, create and run a PowerShell script file from the sample script provided there, filling in your own app values
On the Windows host:
Browse to the following url: https://docs.cribl.io/stream/sources-office-365-activity/#start-subscriptions
Copy the sample PowerShell script listed in the Using PowerShell section on the page
Open notepad.exe and paste in the sample PowerShell script contents
At the top of the file, replace the following placeholder values for actual values from your environment / newly-created app:
$AppID
$ClientSecret
$TenantID
Save the PowerShell script, for example as c:\temp\o365_subscriptions.ps1 (the script must have .ps1 as the file extension).
Run the PowerShell script:
From a cmd window, type: powershell
The prompt will update to reflect the change into PowerShell
Run the script using its fully-qualified path, for example:
c:\temp\o365_subscriptions.ps1
The status changes are displayed in the window as the commands run. If PowerShell refuses to run the script because of the execution policy, run it as powershell -ExecutionPolicy Bypass -File c:\temp\o365_subscriptions.ps1 instead.
Because the script now contains the client secret in clear text, delete it (or remove the secret from it) once the subscriptions report as enabled.
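The following is an added example for this walkthrough, not Cribl's or Microsoft's script: it does the same job as the PowerShell and curl snippets on the Cribl page (obtain an app-only token, start one content subscription per Content Type, then list them to confirm) using only the Python standard library, so it can be run from a non-Windows host. The tenant ID, app ID and client secret are placeholders to be replaced with your own values (or exported as environment variables); the AF20024 "already enabled" error code is the one Microsoft's Management Activity API reference documents for a repeated start, and treating it as success makes the script safe to re-run.

```python
"""Start (and verify) Office 365 Management Activity API content subscriptions.

Added example for this walkthrough, not Cribl's or Microsoft's script.
TENANT_ID, APP_ID and CLIENT_SECRET are placeholders: replace them or set the
environment variables before running against a real tenant.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Content types the Cribl docs call out for the Office 365 Activity source.
CONTENT_TYPES = [
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
]
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/{action}"


def token_request(tenant, app_id, client_secret):
    """Client-credentials token request for the Management Activity API.

    Returns (url, form_body). The scope must be the manage.office.com resource,
    not Graph: the Activity API only accepts tokens issued for that audience.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()


def subscription_url(tenant, action, content_type=None):
    """URL for /subscriptions/{start|stop|list}; contentType is per subscription."""
    # PublisherIdentifier is optional; setting it to the tenant GUID gives the
    # tenant its own throttling quota instead of sharing the caller's.
    params = {"PublisherIdentifier": tenant}
    if content_type:
        params["contentType"] = content_type
    return API_URL.format(tenant=tenant, action=action) + "?" + urllib.parse.urlencode(params)


def classify_start_response(status, body):
    """Map a /subscriptions/start reply to 'started' or 'already_enabled'.

    A repeated start is answered with HTTP 400 and error code AF20024; treating
    that as success keeps the script idempotent. Anything else is a real failure.
    """
    data = json.loads(body) if body else {}
    if status == 200 and data.get("status") == "enabled":
        return "started"
    if status == 400 and data.get("error", {}).get("code") == "AF20024":
        return "already_enabled"
    raise RuntimeError(f"start failed: HTTP {status} {body}")


def not_enabled(list_body, wanted=CONTENT_TYPES):
    """Content types in `wanted` that /subscriptions/list does not report as enabled."""
    enabled = {s["contentType"] for s in json.loads(list_body) if s.get("status") == "enabled"}
    return [ct for ct in wanted if ct not in enabled]


def call(url, token=None, data=None, method="GET"):
    """HTTP call returning (status, body); an HTTPError becomes a normal reply."""
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def main():
    tenant = os.environ.get("TENANT_ID", "00000000-0000-0000-0000-000000000000")  # placeholder
    app_id = os.environ.get("APP_ID", "11111111-1111-1111-1111-111111111111")    # placeholder
    secret = os.environ.get("CLIENT_SECRET", "replace-me")                       # placeholder
    url, body = token_request(tenant, app_id, secret)
    status, reply = call(url, data=body, method="POST")
    if status != 200:
        sys.exit(f"token request failed: HTTP {status} {reply}")
    token = json.loads(reply)["access_token"]
    for ct in CONTENT_TYPES:
        # POST with an empty body: the API wants Content-Length: 0, which b"" provides.
        status, reply = call(subscription_url(tenant, "start", ct), token, data=b"", method="POST")
        print(ct, classify_start_response(status, reply))
    status, reply = call(subscription_url(tenant, "list"), token)
    missing = not_enabled(reply)
    print("not enabled:", missing or "none")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script exits non-zero if the final list call shows any Content Type still not enabled, so it can be used as a gate before committing the CrowdStream source. As with the PowerShell version, pass the secret through the environment rather than saving it in the file.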
Creating O365 Services Source
After filtering on 365 for sources, click on the Office 365 Services tile
In the upper-right of the page, click on Add Source
Fill in the following values for the new source
Input ID
Can be anything you want - just the name for the source in CrowdStream / CriblStream
For example:
o365_services_internal_lab
Tenant ID
The Office 365 Azure Microsoft tenant ID for your environment
App ID
The Office 365 Azure Application ID for the newly created Microsoft app
Subscription plan
By default, using Office 365 Enterprise
Authentication method
Leave the default of Manual
Client secret
Enter the client secret value (not the Client secret ID) that was created in the Certificates & Secrets step earlier in this doc
In the Content Types section at the bottom of the page:
Click the Enabled slider depending on the types of data to be collected
Set the Interval time (default = 15 minutes)
Click on the Connected Destinations link at the bottom of the left nav panel
Click the QuickConnect option (from the default of Send to Routes)
For this walkthrough, we're passing data directly from the O365 pull to the LogScale destination
When prompted about the change, click Yes
Click Save
After saving the new change, in the upper-right part of the page, click Commit & Deploy to deploy the new configuration
Add a comment for the update
Click Commit and Deploy in the lower-right part of the popup
O365 Message Trace Source
Because O365 Message Trace requires additional setup permissions (see the Office 365 Message Trace section above), the Message Trace Source is not configured in this example
From the Cribl O365 Message Trace page:
At a minimum, your Office 365 service account should include a role with Message Tracking and View Only Recipients permissions, assigned to the Office 365 user that will integrate with Cribl Stream. Assign these permissions in the Exchange admin center (https://admin.exchange.microsoft.com).
Check the Status of Each Source
From the main CrowdStream / CriblStream page, click on Data → Sources:
A list of available Push / Pull sources is displayed
To refine the list, click the Pull filter on the left and turn on the Configured only slider on the right
Once the connections are configured, if any connection shows a status issue, click on the tile that shows the error condition. Red indicates errors, orange indicates warnings (or that the source reported an error earlier, even if it is green now), and green indicates a healthy status.
For example, in this case, the Office 365 Services connection is reporting an error
From the row(s) that display, click on the row that shows the error
At the top of the page, click on the Job Inspector link
In the job listings that display, click on any of the rows showing an error
In the top of the page, click on Task Errors
Expand and review any errors listed to determine the root cause of the issue
For example, in this case, 403 HTTP errors are listed. HTTP 403 Forbidden means the server understood the request but refuses to authorize it; for these sources it typically means the app is missing a required Application permission for that data type, or admin consent was never granted, so recheck the API permissions page of the app registration.
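One quick check before re-clicking through the portal is to look at the access token the app actually receives. This is an added example for this walkthrough, not Cribl's or Microsoft's code: it decodes a token's payload (no signature verification, since this is only for reading a token you obtained yourself) and compares its claims with the Application permissions each source needs. Application permissions appear in the token's roles claim; Delegated permissions appear in scp instead, which is why Delegated is not sufficient for these pulls. The tokens in the block are constructed for illustration; the audience values are what the v2.0 token endpoint issues for the manage.office.com and graph.microsoft.com scopes, and Azure AD can also express an audience as the resource's app ID GUID, so treat the audience check as a hint rather than proof.

```python
"""Diagnose a 403 from an O365 pull by inspecting the app's own access token.

Added example for this walkthrough, not Cribl's or Microsoft's code. The JWTs
built here are constructed test data, not real tokens.
"""
import base64
import json

# Application permission each source needs, per the Cribl docs quoted above,
# and the audience the v2.0 token endpoint issues for that resource.
REQUIRED_ROLES = {
    "Office 365 Activity (Audit.*)": ("https://manage.office.com", {"ActivityFeed.Read"}),
    "Office 365 Activity (DLP.All)": ("https://manage.office.com", {"ActivityFeed.ReadDlp"}),
    "Office 365 Services": ("https://graph.microsoft.com",
                            {"ServiceHealth.Read.All", "ServiceMessage.Read.All"}),
}


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return the payload claims of a JWT.

    No signature check: this reads a token we requested ourselves for debugging.
    Never use this to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token, source):
    """List reasons `token` would be rejected for `source`; empty means it looks fine."""
    expected_aud, required = REQUIRED_ROLES[source]
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"audience is {claims.get('aud')!r}, expected {expected_aud!r} "
                        "(token requested for the wrong resource/scope)")
    if "roles" not in claims:
        if "scp" in claims:
            problems.append("token carries delegated scopes (scp) but no roles: "
                            "Delegated permissions were used; Application permissions are required")
        else:
            problems.append("no roles claim: Application permissions missing or admin consent not granted")
    missing = sorted(required - set(claims.get("roles", [])))
    if missing and "roles" in claims:
        problems.append("missing application permission(s): " + ", ".join(missing))
    return problems


def _fake_jwt(claims):
    """Build an unsigned JWT-shaped string from claims (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature"])


# Constructed tokens: one consented correctly for the Activity source, one that
# was issued against Delegated permissions and therefore has scp instead of roles.
GOOD_TOKEN = _fake_jwt({"aud": "https://manage.office.com",
                        "roles": ["ActivityFeed.Read", "ActivityFeed.ReadDlp"]})
DELEGATED_TOKEN = _fake_jwt({"aud": "https://manage.office.com", "scp": "ActivityFeed.Read"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("delegated", DELEGATED_TOKEN)]:
        for source in REQUIRED_ROLES:
            print(name, "|", source, "|", diagnose(tok, source) or "ok")
```

To use it on a real token, request one with the same client ID, secret and scope the CrowdStream source uses and pass the access_token string to diagnose(). A token with no roles claim at all is the signature of permissions that were added but never admin-consented, which matches the Not granted status shown on the API permissions page.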
Define / Configure LogScale Destination in CrowdStream
Step-by-step example of setting up a CrowdStream Destination (with a pointer to LogScale repository) available How-To: How to Configure CrowdStream LogScale Destination.
Connect the CrowdStream O365 Source(s) to a LogScale Destination
Add the New O365 Activity Source to the Source Side
Log in to your CrowdStream / Cribl instance
For example, this can be a CrowdStream instance at a customer / POV, or it can be a Cribl eval instance you signed up for (both behave the same)
From the main CrowdStream / CriblStream page, click on Manage Stream
Click on the Worker Group which will be used
Typically in a POV / initial setup, the Worker Group will be called default
Click on the Overview link (upper-left) to see the UI reference to QuickConnect
Click on the Quick Connect widget to display the QuickConnect page
Click on the Add Source box on left
A list of available Push / Pull sources is displayed
To refine the list, click the Pull filter on the left and turn on the Configured only slider on the right
Click on the Office 365 Services tile, and select Select Existing
Click on the existing configured source (anywhere in the row)
When prompted about switching to QuickConnect from Routes, click Yes
Click Add Source again and repeat the process with the Office 365 Activity tile
Connect the Entries from the Sources side to the LogScale Destination
Click and hold on the + symbol on the right side of each source, and drag a line over to the CrowdStrike Falcon LogScale entry on the Destination side
When prompted for the type of connection configuration, leave Passthru selected, and click Save
Repeat process for the other O365 source
When all changes complete, in the upper-right corner, click on Commit & Deploy to deploy the changes
Click Commit and Deploy in the lower-right of the widget
As changes are being updated to the CrowdStream / CriblStream cluster, the status of the cluster will show as yellow in the upper right of the page
Once the changes have been committed and applied and all services update, the status of the workers will change to green