Microsoft 365 Audit (Office 365 Audit) - Cloud SIEM
This topic has instructions for collecting Microsoft 365 audit logs and sending them to Sumo Logic to be ingested by Cloud SIEM.
Step 1: Configure Microsoft 365
Before configuring a Sumo Logic collector and source, ensure that the requirements described in the Microsoft Office 365 Audit Source topic have been met. To ensure you have the appropriate Microsoft permissions when configuring the source, that page suggests using Microsoft's Global Administrator role. Note that the permissions this role grants are only necessary to complete the configuration of the Microsoft 365 Audit Source, not for actual ingestion of logs.
Step 2: Configure collection
In this step, you configure an Microsoft 365 Audit Source to collect Microsoft 365 log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure Microsoft 365 Audit Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the Microsoft 365 Audit Source on the collector.
Configure a Hosted Collector
- To create a new hosted collector, see Configure a Hosted Collector.
- Fields.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForwardand value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM. - If all sources in this collector will be Microsoft 365 sources, add an additional field with key
_parserand value /Parsers/System/Microsoft/Office 365.
noteIt’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.
- If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is
Configure Office 365 Audit Source
- To configure Microsoft office 365 audit source, see Configure a Microsoft Office 365 Audit source.
- Fields.
- If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
_siemForwardand value is true. - If you are not parsing all sources in the hosted collector with the same parser, click +Add Field and add a field named
_parserwith value /Parsers/System/Microsoft/Office 365.
- If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is
- Sign in with Office 365. Click to give permission to Sumo Logic to collect Microsoft 365 logs.
- Click Save.
Step 3: Verify ingestion
In this step, you verify that your logs are successfully making it into Cloud SIEM.
- In the top menu click Configuration, and then under Incoming Data select Log Mappings.
- On the Log Mappings page search for Office 365 and check under Record Volume.
- For a more granular look at the incoming records, you can also search the Sumo Logic platform for Office 365 security records.
