To send Microsoft Office 365 logs into LimaCharlie, you will need to add Office 365 as a sensor.
First, we need to set up Office 365 keys & gather all the required information.
Gathering Microsoft Office 365 Details
Tenant ID & Domain Name
Following the instructions from Microsoft, find your Tenant ID & Domain Name.
The Tenant ID is a GUID (for example, 00000000-0000-0000-0000-000000000000), while the Domain Name will normally look like myorg.onmicrosoft.com.
Client ID & Client Secret
Following the instructions from Microsoft, create a Client ID. Then, following the instructions from Microsoft, create a Client Secret. Make sure you copy it right away, as it can only be viewed once after creation.
Publisher ID
Publisher ID will be the same as Tenant ID.
API endpoint
One of:
enterprise
gcc-gov for Office 365 GCC
gcc-high-gov for Office 365 GCC High
dod-gov for Office 365 DoD
Content Types
List all the data types to subscribe to as comma-separated values. Refer to the Office 365 Management Activity API reference for all available options, which include:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General (includes all other workloads not included in the previous content types)
DLP.All (DLP events only for all workloads)
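A pre-flight check of the collected values before they are entered during onboarding, as an added example that is not LimaCharlie's or Microsoft's code. The dictionary key names and the sample values are hypothetical; the endpoint names and content types are the ones listed on this page.

```python
import re

# Values this page lists for "API endpoint" and "Content Types".
ENDPOINTS = {"enterprise", "gcc-gov", "gcc-high-gov", "dod-gov"}
CONTENT_TYPES = {"Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DOMAIN_RE = re.compile(r"^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Constructed sample values (not real credentials); key names are hypothetical.
SAMPLE = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "domain": "myorg.onmicrosoft.com",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "client_secret": "example-secret",
    "publisher_id": "00000000-0000-0000-0000-000000000000",
    "endpoint": "enterprise",
    "content_types": "Audit.AzureActiveDirectory,Audit.Exchange,DLP.All",
}


def validate_o365_details(d):
    """Return a list of problems in the collected details (empty list = OK)."""
    problems = []
    # Tenant, client (application) and publisher IDs are all GUIDs.
    for key in ("tenant_id", "client_id", "publisher_id"):
        if not GUID_RE.match(d.get(key, "")):
            problems.append(f"{key} is not a GUID")
    # The page states the Publisher ID is the same as the Tenant ID.
    if d.get("publisher_id", "").lower() != d.get("tenant_id", "").lower():
        problems.append("publisher_id differs from tenant_id")
    if not DOMAIN_RE.match(d.get("domain", "")):
        problems.append("domain is not a valid domain name")
    if not d.get("client_secret", "").strip():
        problems.append("client_secret is empty")
    if d.get("endpoint") not in ENDPOINTS:
        problems.append("endpoint is not one of " + ", ".join(sorted(ENDPOINTS)))
    # Exact match only: stray spaces or wrong case show up in the repr.
    types = d.get("content_types", "").split(",")
    for t in types:
        if t not in CONTENT_TYPES:
            problems.append(f"unknown content type {t!r}")
    if len(set(types)) != len(types):
        problems.append("duplicate content type")
    return problems

if __name__ == "__main__":
    for line in validate_o365_details(SAMPLE) or ["details look consistent"]:
        print(line)
```

An entry flagged as an unknown content type may still be valid if it appears in the Office 365 Management Activity API reference; the check only knows the types listed here.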
Onboarding the Microsoft Office 365 Sensor
From the sensors page, select Add Sensor and choose Office 365.
Then, select or create a new installation key.
Select the executable for your architecture & set the ingestion method as Microsoft Office 365 Management API. Then, provide the Office 365 details you have previously collected.
After you have provided all the details, copy the command line & run the adapter on your machine.
Return to the sensor onboarding view to see if any new sensors have successfully registered with LimaCharlie's cloud. It may take a moment for the sensor to enroll after you've installed it.
You should see the sensor come online quickly thereafter.