
O365 Integration With Splunk

Hello everyone!
We are living in the 21st century and everything is in the cloud, so why not our Microsoft Office?

O365 is Microsoft's cloud-based online product. It is cloud-based software as a service that hosts Exchange Server, Skype for Business Server, SharePoint and more. To protect the business it is essential to track the activities of every employee who uses O365. Today we will show you how to integrate O365 with Splunk. For that we will use an add-on called “Splunk Add-on for Microsoft Office 365”.

The “Splunk Add-on for Microsoft Office 365” allows the Splunk administrator to collect the following logs from the Office 365 Management API:

1. Audit logs for Azure Active Directory, supported by the Microsoft Office 365 Management API.
2. SharePoint Online and Exchange Online audit logs, supported by the Microsoft Office 365 Management API.
3. Historical and current service status and service messages for the corresponding Microsoft Office 365 Management API.
4. Data Loss Prevention events from the Microsoft Office 365 Management API.

Complete the following steps to integrate the Splunk Add-on for Microsoft Office 365 with Splunk.

  1. Install the Splunk Add-on for Microsoft Office 365.
  2. Configure an integration application in Azure AD for the Splunk Add-on for Microsoft Office 365.
  3. Configure a Tenant in the Splunk Add-on for Microsoft Office 365.
  4. Configure inputs for the Splunk Add-on for Microsoft Office 365.
  5. (Optional) Configure the Optional Settings for the Splunk Add-on for Microsoft Office 365.

Step 1: Installation of the “Splunk Add-on for Microsoft Office 365”

You can install the Splunk Add-on for Microsoft Office 365 with Splunk Web or from the command line. You can install the add-on onto any type of Splunk Enterprise or Splunk Cloud instance (indexer, search head, or forwarder).
Follow the screenshots below to download and install this add-on from Splunk Web.

Go to “Find More Apps”.

Here, search for “Splunk Add-on for Microsoft Office 365” and click “Install”.

After that, enter your credentials, accept the License Agreement and click “Login and Install”. After installation it will ask for a restart; restart Splunk before configuring this add-on.

Installation done.

Step 2: Create an Azure Active Directory Application

An Azure Active Directory application is required to allow Splunk to read information from Azure. The application provides permissions and API access to data for your subscription.

Log in to your Azure account through the Azure portal:

https://portal.azure.com/

We need the items listed below.


Azure AD Application

  • Application ID (Client ID)
  • API Key
  • Tenant ID

1) Select Azure Active Directory.

2) Select App Registrations.

3) Select New Application Registration.

4) Enter a Name, select Web app / API and enter a Sign-on URL. Select Create.

Note: the Sign-on URL does NOT have to be an active URL; the app registration only requires the field to be populated with a value.

5) Select the application you just created.

6) Select Reply URLs and insert the redirect URL, or leave it blank. Select Save.

7) Copy the Application ID (Client ID) – we’ll need this shortly!

8) Select Keys, enter a Description and Duration, and select Save. Once saved, copy the key value – we’ll need this shortly too!

9) In Azure Active Directory, select Properties. Copy the Directory ID (Tenant ID) – we’ll need this shortly!

Assign Application to Subscription Role

10) Select Subscriptions from the side menu.

11) Select your subscription, then Access Control (IAM), then Add. Select the Reader role, search for the application name and select the application.

Add permissions to your Active Directory application

The application you created needs permissions to read information the Add-on is configured to retrieve. This includes reading activity reports, activity data and service health information for the specified subscription.

12) Select your application from Azure Active Directory > App Registrations.

13) Select Required Permissions, then select Add.

14) Select an API, then select Office 365 Management APIs. Press Select.

15) Select Permissions. For BOTH Application and Delegated Permissions, select:

  • Read activity reports for your organisation
  • Read activity data for your organisation
  • Read service health information for your organisation

16) Ensure the permissions have been saved correctly.
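Before typing the three values into the add-on, it is worth checking that the app registration actually works. The following Python script is an added example (not part of the original post and not code from the Splunk add-on): it builds the same OAuth2 client-credentials token request the add-on makes to Azure AD for the resource https://manage.office.com, decodes the payload of the returned JWT and reports which Office 365 Management API application roles it carries. The role names ActivityReports.Read, ActivityFeed.Read and ServiceHealth.Read correspond to the three permissions ticked in step 15; the tenant placeholder and the sample token are constructed locally so the helper functions can be exercised without network access.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

# Token endpoint of the Azure AD (v1) flow used for the Office 365 Management APIs.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
# Resource identifier of the Office 365 Management APIs.
RESOURCE = "https://manage.office.com"
# Application roles behind the three checkboxes in step 15.
REQUIRED_ROLES = ("ActivityReports.Read", "ActivityFeed.Read", "ServiceHealth.Read")


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application ID from step 7
        "client_secret": client_secret,  # key value from step 8
        "resource": RESOURCE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body  # tenant_id: Directory ID from step 9


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT. The signature is not verified here:
    we only inspect a token Azure AD just issued to us, we do not accept it from anyone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims, required=REQUIRED_ROLES):
    """Return the required application roles absent from the token's 'roles' claim."""
    granted = set(claims.get("roles", []))
    return [role for role in required if role not in granted]


def request_token(tenant_id, client_id, client_secret):
    """Perform the token request against Azure AD and return the access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _make_unsigned_token(claims):
    """Build a constructed, unsigned JWT so the helpers can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample: a token for which only two of the three roles were granted.
SAMPLE_TOKEN = _make_unsigned_token({
    "aud": RESOURCE,
    "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id, not a real one
    "roles": ["ActivityFeed.Read", "ServiceHealth.Read"],
})


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check_o365_app.py <tenant_id> <client_id> <client_secret>
        token = request_token(*sys.argv[1:])
    else:
        token = SAMPLE_TOKEN  # offline demonstration
    claims = decode_jwt_claims(token)
    print("audience:", claims.get("aud"), "roles:", claims.get("roles"))
    lacking = missing_roles(claims)
    print("missing roles:", lacking or "none, the application is ready for the add-on")
```

Run it with the three values copied in steps 7 to 9 and an empty "missing roles" line means the registration, the key and the permissions are all in order. If a role is reported missing, the corresponding permission in step 15 was not saved (or admin consent was not given), which is the usual reason the add-on later collects nothing.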

Step 3: Configure a Tenant in the Splunk Add-on for Microsoft Office 365

You must configure at least one Tenant in the Splunk Add-on for Microsoft Office 365.

Set up the add-on using Splunk Web

  1. Go to the Splunk Web home screen.
  2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
  3. Click on Tenant.

Click on Add Tenant and fill in the fields, using the parameters you noted when you configured the application in Azure Active Directory (see above for all the details); also provide a suitable name in the Name field. Then click “Add” to add the tenant to your local configuration.

    • Tenant ID is the Directory ID from Azure Active Directory.
    • Client ID is the Application ID of the registered application within Azure Active Directory.
    • Client Secret is the registered application key for the corresponding application.

You can see that one tenant has been added.

Step 4: Configure Inputs for the Splunk Add-on for Microsoft Office 365

Configure your inputs using Splunk Web on the Splunk platform instance that you have designated as your configuration server for this add-on.

  1. Go to the Splunk Web home screen.
  2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
  3. Click on the Input tab and click Add Input.
  4. Select the input type you want to create and fill in all the required fields.
    • Management Activity – all audit events visible through the Office 365 Management Activity API
      • AzureActiveDirectory – the audit logs for Microsoft Azure Active Directory
      • Exchange – the audit logs for Microsoft Exchange
      • SharePoint – the audit logs for Microsoft SharePoint
      • General – the general audit logs for Microsoft Office 365
      • All – all log information for DLP
    • Fill in the required fields and click Add.


    • Service Status – all service status events visible through the Microsoft Office 365 Service Communication API
      • CurrentStatus – the current service status events
      • HistoricalStatus – historical service status events
    • Fill in the required fields and click Add.


    • Service Message – all service message events visible through the Office 365 Service Communication API
    • Fill in the required fields and click Add.

In this way you can add multiple inputs.

Now the Splunk Add-on for Microsoft Office 365 has saved your input settings, and it divides the data collection tasks included in the input evenly among all the forwarders that you have specified in the Forwarders tab on the Configuration page.

  5. Verify that data is successfully arriving by running one of the following searches on your search head, depending on which input type you have defined:

     sourcetype=o365:management:activity
     sourcetype=o365:service:status
     sourcetype=o365:service:message
     sourcetype=splunk:ta:o365:log


Now we are getting data in the main index for the specified sourcetypes.
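To see what the events behind sourcetype=o365:management:activity look like once they arrive, and what a first detection on them can be, here is an added Python example (not part of the original post and not code from the Splunk add-on). It parses a few constructed Management Activity events in the one-JSON-object-per-event shape the API returns, counts them per workload (matching the AzureActiveDirectory / Exchange / SharePoint split of the inputs above) and flags users with repeated UserLoginFailed events. The field names (CreationTime, Id, Operation, RecordType, Workload, UserId, ClientIP, ResultStatus) are those of the Management Activity API schema; the users, addresses, ids and the deliberately truncated last line are constructed sample data.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events (one JSON object per line, as indexed under
# sourcetype o365:management:activity). The last line is deliberately truncated
# to show how a malformed event is handled.
SAMPLE_LINES = [
    '{"CreationTime":"2020-01-01T08:00:01","Id":"e1","Operation":"UserLoginFailed","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Failed"}',
    '{"CreationTime":"2020-01-01T08:00:09","Id":"e2","Operation":"UserLoginFailed","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Failed"}',
    '{"CreationTime":"2020-01-01T08:00:31","Id":"e3","Operation":"UserLoginFailed","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}',
    '{"CreationTime":"2020-01-01T08:00:44","Id":"e4","Operation":"UserLoginFailed","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed"}',
    '{"CreationTime":"2020-01-01T08:02:10","Id":"e5","Operation":"UserLoginFailed","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"bob@example.com","ClientIP":"203.0.113.22","ResultStatus":"Failed"}',
    '{"CreationTime":"2020-01-01T08:03:00","Id":"e6","Operation":"UserLoggedIn","RecordType":15,"Workload":"AzureActiveDirectory","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"}',
    '{"CreationTime":"2020-01-01T08:05:12","Id":"e7","Operation":"FileAccessed","RecordType":6,"Workload":"SharePoint","UserId":"bob@example.com","ClientIP":"203.0.113.22"}',
    '{"CreationTime":"2020-01-01T08:06:40","Id":"e8","Operation":"Send","RecordType":2,"Workload":"Exchange","UserId":"carol@example.com","ClientIP":"192.0.2.5"}',
    '{"CreationTime":"2020-01-01T08:07:00","Id":"e9","Operation":',
]


def parse_events(lines):
    """Parse one JSON event per line. Returns (events, number of lines skipped)."""
    events, skipped = [], 0
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict) or "Operation" not in obj:
            skipped += 1  # valid JSON but not an activity event
            continue
        events.append(obj)
    return events, skipped


def count_by_workload(events):
    """Events per workload, i.e. the split the add-on's input types produce."""
    return Counter(event.get("Workload", "unknown") for event in events)


def failed_logins_by_user(events, threshold):
    """Users with at least `threshold` UserLoginFailed events, with the count
    and the distinct source addresses the failures came from."""
    failures = Counter()
    sources = defaultdict(set)
    for event in events:
        if event.get("Operation") != "UserLoginFailed":
            continue
        user = event.get("UserId", "unknown")
        failures[user] += 1
        if event.get("ClientIP"):
            sources[user].add(event["ClientIP"])
    return {
        user: {"failures": count, "source_ips": sorted(sources[user])}
        for user, count in failures.items()
        if count >= threshold
    }


if __name__ == "__main__":
    events, skipped = parse_events(SAMPLE_LINES)
    print(f"parsed {len(events)} events, skipped {skipped} malformed line(s)")
    print("events per workload:", dict(count_by_workload(events)))
    for user, info in failed_logins_by_user(events, threshold=3).items():
        print(f"ALERT {user}: {info['failures']} failed logins from {info['source_ips']}")
```

Once the add-on is indexing real data, the same check is a one-line search on the search head: sourcetype=o365:management:activity Operation=UserLoginFailed | stats count dc(ClientIP) AS source_ips by UserId | where count>=3. The threshold of 3 in the example is arbitrary and should be tuned to the tenant's normal failure rate.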


We hope you now know the step-by-step process of O365 integration with Splunk.

Happy Splunking !!
