Integrating LogRhythm SIEM with Azure AD (Office 365) – Part 2

In this second part we will focus on the LogRhythm configuration and use the information obtained in the first part of the series, Preparing Azure AD (Office 365) for SIEM Integration. This completes the integration and lets us pull audit logs directly from Azure and Office 365 into our SIEM solution.

Populate the office365.ini File

After the LogRhythm application has been registered with Azure (Part 1), the office365.ini file needs to be edited so the LogRhythm System Monitor Agent can access the Office 365 Management Activity API. The office365.ini file must be located on the host of the Agent collecting logs.

Follow these instructions to edit the office365.ini file:

  1. Open Windows Explorer on the host of the Agent collecting logs, and then go to the following directory: “C:\Program Files\LogRhythm\LogRhythm System Monitor\config”
  2. Open the office365.ini file with a text editor and replace all CHANGE_ME values with the following values:
    • CertificatePath: Paste the location of your .pfx file from the Export Cert in .pfx Format section, including the file name and extension
    • CertificateThumbprint: Paste the Base64Thumbprint generated in the Replace Cert Details in Downloaded Manifest File section
    • CertificatePassword:
      1. Run lrcrypt (LogRhythm Password Encryption Utility) on the certificate password from the Command Line:
        c:\Program Files\LogRhythm\LogRhythm System Monitor>lrcrypt -e <Certificate Password>
      2. Paste the resultant encrypted certificate password into the office365.ini file.
    • ClientID:
      1. Copy the Client ID (Application ID) generated in the Grant Tenant Admin Consent section
      2. Run lrcrypt (LogRhythm Password Encryption Utility) on the Client ID from the Command Line:
        c:\Program Files\LogRhythm\LogRhythm System Monitor>lrcrypt -e <Client ID>
      3. Paste the resultant encrypted Client ID into the office365.ini file
    • TenantID:
      1. Paste the copied Tenant ID into the office365.ini file
  3. Choose which services to audit:
    • To enable auditing of Azure AD Management events, set AuditAzureActiveDirectory to true
    • To enable auditing of Exchange Management events, set AuditExchange to true
    • To enable auditing of SharePoint events, set AuditSharepoint to true

    Note: All of the other fields in the file are optional

  4. If necessary, add proxy settings
    Note: If you use a proxy when collecting from Office 365 and you are having issues, you may need to modify scsm.exe.config, located in “C:\Program Files\LogRhythm\LogRhythm System Monitor” on the collecting Agent host, as shown in the excerpt below. Uncomment the defaultProxy section, and replace <proxy_IP>:<proxy_port> with the IP address and port to use on the proxy server. To uncomment the section, delete <!-- from the beginning and --> from the end.

    <?xml version="1.0"?>
    <configuration>
      <runtime>
        <gcConcurrent enabled="false"/>
        <gcServer enabled="false"/>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
      <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
      <system.net>
        <!--For o365 to work with Proxy Server we need to enable this section-->
        <defaultProxy enabled="true" useDefaultCredentials="true">
          <proxy proxyaddress="<proxy_IP>:<proxy_port>"/>
        </defaultProxy>
      </system.net>
    </configuration>
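Before starting the Agent it is worth checking that no CHANGE_ME placeholder survived, that the certificate path and tenant ID have the expected shape, that the Client ID was actually run through lrcrypt rather than pasted as a bare Application ID, and that at least one Audit* service is switched on (otherwise nothing is collected). The script below is an added example written for this page, not a LogRhythm tool; it assumes office365.ini is a flat key=value file with the field names listed above (the file layout itself is not shown here), and the two sample files are constructed for the demonstration. It also flags LogApiRequests=true, since that setting (described further down the page) writes every API response to logs/office365.log and needs an Agent restart to take effect.

```python
import re

# Placeholder shipped in office365.ini and the fields the instructions say must replace it.
PLACEHOLDER = "CHANGE_ME"
REQUIRED = ("CertificatePath", "CertificateThumbprint", "CertificatePassword", "ClientID", "TenantID")
AUDIT_FLAGS = ("AuditAzureActiveDirectory", "AuditExchange", "AuditSharepoint")
# Azure tenant IDs and Application IDs are GUIDs.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_ini(text):
    """Parse key=value lines; blank lines, [section] headers and ;/# comments are skipped.
    Assumption (layout not shown on the page): office365.ini is a flat key=value file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def check_office365_ini(text):
    """Return a list of (severity, message) findings; an empty list means the file looks ready."""
    cfg = parse_ini(text)
    findings = []
    for key in REQUIRED:
        value = cfg.get(key, "")
        if not value or value == PLACEHOLDER:
            findings.append(("error", f"{key} still needs a value (found {value or 'nothing'})"))
    path = cfg.get("CertificatePath", "")
    if path and path != PLACEHOLDER and not path.lower().endswith(".pfx"):
        findings.append(("error", "CertificatePath must point at the exported .pfx file, including extension"))
    tenant = cfg.get("TenantID", "")
    if tenant and tenant != PLACEHOLDER and not GUID.match(tenant):
        findings.append(("error", "TenantID is not a GUID"))
    # ClientID must be the lrcrypt-encrypted form; a bare Application ID GUID means that step was skipped.
    if GUID.match(cfg.get("ClientID", "")):
        findings.append(("error", "ClientID looks like a plain Application ID; run lrcrypt -e on it first"))
    enabled = 0
    for flag in AUDIT_FLAGS:
        value = cfg.get(flag, "false").lower()
        if value not in ("true", "false"):
            findings.append(("error", f"{flag} must be true or false, not {value!r}"))
        elif value == "true":
            enabled += 1
    if enabled == 0:
        findings.append(("warning", "no Audit* service is enabled, so nothing will be collected"))
    if cfg.get("LogApiRequests", "false").lower() == "true":
        findings.append(("info", "LogApiRequests=true: all API responses go to logs/office365.log "
                                 "(100 MB roll-over); restart the Agent for the change to take effect"))
    return findings


# Constructed sample 1: two placeholders left in, one audit flag mistyped, response logging on.
SAMPLE_INI = """\
CertificatePath=C:\\certs\\logrhythm-o365.pfx
CertificateThumbprint=CHANGE_ME
CertificatePassword=AAECAwQ=
ClientID=CHANGE_ME
TenantID=00000000-0000-0000-0000-000000000000
AuditAzureActiveDirectory=true
AuditExchange=yes
AuditSharepoint=false
LogApiRequests=true
"""

# Constructed sample 2: every field filled in (the encrypted values are made-up stand-ins for lrcrypt output).
FIXED_INI = """\
CertificatePath=C:\\certs\\logrhythm-o365.pfx
CertificateThumbprint=MDEyMzQ1Njc4OUFCQ0RFRg==
CertificatePassword=AAECAwQ=
ClientID=BQYHCAk=
TenantID=00000000-0000-0000-0000-000000000000
AuditAzureActiveDirectory=true
AuditExchange=true
AuditSharepoint=false
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_INI), ("fixed", FIXED_INI)):
        print(f"== {name} ==")
        for severity, message in check_office365_ini(text) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against the real file with open(path).read() in place of the samples; treat any "error" finding as a reason not to start the Agent yet, and keep an eye on scsm.log after it starts as the instructions further down advise.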

Add a Log Source in the Client Console

  1. Log in to the Client Console as a Global Administrator, and then click Deployment Manager
  2. Click the System Monitors tab
  3. Open the System Monitor Agent Properties for the Agent that will be collecting event logs from the Office 365 Management Activity API. Open the properties in one of the following ways:
    • Double-click the Agent
    • Right-click the Agent, and then click Properties
  4. Right-click within the list of Log Message Sources, and then click New
  5. The Log Message Source Properties dialog box appears
  6. Click the icon to the right of the Log Message Source Type box
    The Log Source Type Selector dialog box appears
  7. Select the Log Source type:
    • In the Record Type section, click System
    • In the Text Filter text box, enter Office 365
    • Click Apply
    • Select API – Office 365 Management Activity
    • Click OK

    The Log Message Source Properties window appears

  8. From the Log Message Source drop-down list, select the desired Log Message Processing Mode and MPE Policy. This can be the LogRhythm Default policy or a custom policy you create
  9. Click the Flat File Settings tab
  10. In the File Path box, enter the location of the office365.ini configuration file
  11. Click OK to accept the settings
    The Log Message Source Properties box appears
    Note: If the System Monitor Agent is already running, collection begins soon after clicking OK or Apply.
    Important: Monitor the scsm.log file for error messages until you are satisfied that the event collection has begun successfully.
  12. Click OK

Logging HTTP and HTTPS Responses from the API

The O365 log source supports diagnostic logging of all HTTP and HTTPS responses from the O365 API. Logging is disabled by default, and logging is controlled by the LogApiRequests field in the office365.ini file. To enable response logging, set the value of this field to true.

Note: If you enable or disable logging, you must restart the Agent service before the change will take effect.

The API log file uses the same name as the default configuration file. In this case, the log file is /logs/office365.log. The size of the API log file is limited to 100 MB before rolling over to a new file.


Comments (2)

    • Theis Andersen Samsig

      I actually don’t have the numbers on this as it’s being maintained by another department, but from what I can gather it’s not a lot. But it really depends on the size of your o365 tenant (users), how busy the tenant is (how many logs are being generated), what services you have enabled logging on and the detail level of the logs.
