Skip to main content
Sumo Logic

Microsoft Office 365 Audit Source

You can configure Sumo Logic to collect logs for the following Audit Log content types to track and monitor usage of Microsoft Office 365.

Office 365 Audit Log Workload types:

  • Office 365 Exchange Logs. User activity log, admin logs; see pre-configuration steps in note below
  • Office 365 SharePoint Logs. All audit data for file based activity, including those for “OneDrive.”  SharePoint is the underlying service for multiple Office 365 services; User activity and admin logs 
  • Office 365 Azure AD Logs. Logon and admin logs. 

A single Office 365 Audit Source is limited to collecting audit logs of a single content type. If you want to collect logs from more than one of the available content types, you can create an individual Source for each content type under the same Hosted Collector.

You can use the same metadata across all of the Office 365 Audit Sources, or you can vary the metadata per Source.

Create only one Source for a given workload type. If you create an additional Source with the same workload type, none of the Sources with that workload type will work.

Microsoft APIs

The Sumo Logic Microsoft Office 365 Audit Source uses Webhook based integration with the Microsoft Office 365 Management Activity API. For more information on the API, see the following:

Office 365 Management Activity API reference https://msdn.microsoft.com/EN-US/library/office/mt227394.aspx

For information on the format of the audit log data that is returned, see the following:

Office 365 Management Activity API Schema https://msdn.microsoft.com/EN-US/library/office/mt607130.aspx

Message format

Each log file from Microsoft contains one or more log messages formatted as a JSON array. If there is more than one message in the array, we separate each log line in the JSON array into an individual log line message within Sumo Logic.

Configure a Microsoft Office 365 Source

Before you can configure a Sumo Logic Microsoft Office 365 Audit Source for Exchange log data, enable Exchange Audit Logging within your Office 365 tenant by following the steps in this article:
https://technet.microsoft.com/library/dn879651.aspx

You must configure a separate Source for each Office 365 application you want to collect logs for. These can all be configured on the same Hosted Collector. 

  1. In Sumo Logic select Manage Data > Collection > Collection (Manage > Collection in the classic UI). 
  2. Click Add Source next to a Hosted Collector. See Set Up a Hosted Collector for instructions on setting up a new Hosted Collector.
  3. Select Office 365 Audit
  4. Enter a name to identify the Source. Description is optional.
  5. For Content Type, select the type of log to collect. If you want to collect from additional content types, create additional instances of this Source type.
  6. For Source Category, enter any string to tag the output collected from this Source. (Category metadata is stored in a searchable field called _sourceCategory.) This is an important part of limiting access to this content using RBAC.
    Recommended Source Category naming conventions:
    For SharePoint: O365/SharePoint
    For Exchange: O365/Exchange
    For Azure: O365/Azure
  7. Click Sign in with Office 365 to authenticate to Microsoft using standard OAuth v2 interaction.  
  1. Create any Processing Rules you'd like for the new Source.
  2. When you are finished configuring the Source. click Save.

Known Issues 

Refer to the following MSDN article for known issues, and  notes: https://msdn.microsoft.com/EN-US/library/office/mt227394.aspx

Here are a few important items:   

  • (From Microsoft) “When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription.” 
    We have found that data starts to arrive at Sumo Logic much sooner than this, but please wait this long before contacting Support.
  • (From Microsoft) “The content blobs are created by collecting and aggregating actions and events across multiple servers and data centers. As a result of this distributed process, the actions and events contained in the content blobs will not necessarily appear in the order in which they occurred. One content blob can contain actions and events that occurred prior to the actions and events contained in an earlier content blob. We are working to decrease the latency between the occurrence of actions and events and their availability within a content blob, but we cannot guarantee that they appear sequentially.”
  • There can be significant delay between when an event occurs in O365, and when an audit log is available from Microsoft.  We receive the log files as soon as they are made available to us. The latency for log line available varies between content types, and from our observation, is not consistent. This is not within Sumo Logic’s control.  You may monitor this latency by querying the difference between the event time stamp and the receipt time stamp (when we processed the log message).
  •  In your Office 365 logs, you might see intermittent messages that say "Message":"Authorization has been denied for this request."
    This is due to an authorization token synchronization defect that is being fixed, and will be rolled out shortly.  Until then, please ignore this message.

OAuth 2.0 access token and subscription expiration

Access Tokens

An access token is granted by a third party service, such as Microsoft Office 365, to Sumo for accessing audit log APIs required for collecting audit events. Access tokens typically have very short expiration time and thus need to be updated periodically to prevent data loss. In the event of failure to update a token, an entry is logged in the Audit Index.

Subscription Watchpoints

A subscription is a channel established with the third party service to receive notification events. Similar to access tokens, subscriptions are valid only before the expiration time. Before a subscription expires, Sumo invalidates the current subscription and obtains a new subscription. In the event of failure to update a subscription, an entry is logged in the Audit Index.