Forum Discussion

Mike_Suding
Former Employee
7 years ago

Office 365 monitoring

This is unofficial... On my own and on the side, I designed a DataSource to monitor Office 365 using Microsoft's API. See more on my blog http://blog.MikeSuding.com. All the usual disclaimers apply... use at your own risk. I will try to help if it doesn't work for you.

  • Hi Mike, The customer wants the O365 Audit logs monitored and a report to be submitted daily. What we currently have now is a PowerShell script that pulls out a CSV with relevant security events. We then present a daily report based on these events. It is a bit labor intensive and I think we can use LM to automate it. I'm trying to develop a PS script to embed in a DataSource to search this audit log at set intervals. If I can have LM pull these events in (not too worried about the alerting for now) I can then create a dashboard & reports. When you say test on my account, do you mean the O365 a/c? I don't have anything in LM yet as I'm still cooking a PS script to do what I need.

    This is what I am currently using to pull events for the previous 24 hours.

    # Locate and dot-source the Exchange Online session helper, then sign in
    $CreateEXOPSSession = (Get-ChildItem -Path $env:userprofile -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue -Force | Select-Object -Last 1).DirectoryName
    . "$CreateEXOPSSession\CreateExoPSSession.ps1"
    Connect-EXOPSSession -UserPrincipalName test@test.com

    # Output file
    $outputFile = "C:\Users\john.doe\Desktop\AuditRecords.csv"

    # Search window: the previous 24 hours
    $StartDate = (Get-Date).AddDays(-1)
    $EndDate = Get-Date

    # Operations to report on (the full list was elided in the original post)
    $AlertOperations = @('FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin')   # ... LOTS MORE

    # 5000 is the maximum a single Search-UnifiedAuditLog call returns;
    # larger result sets need paging with -SessionId / -SessionCommand ReturnLargeSet
    Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $AlertOperations -ResultSize 5000 |
        Export-Csv -Path $outputFile -NoTypeInformation -Append

    # Close the remote session so it does not count against the tenant's concurrent-session limit
    Get-PSSession | Remove-PSSession
    EXIT
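The 24-hour pull described in the reply above, as an added example that is neither the poster's script nor the DataSource this thread is about: it pages Search-UnifiedAuditLog past the 5,000-record-per-call cap with -SessionId / -SessionCommand ReturnLargeSet, de-duplicates on Identity, and emits per-operation counts as key=value lines. It assumes an Exchange Online session is already open; the two-operation list and the key=value output convention for a LogicMonitor script DataSource are assumptions.

```powershell
# Added example (not the original poster's script). Assumes an Exchange Online
# PowerShell session is already established (Connect-EXOPSSession as above).
$StartDate = (Get-Date).AddDays(-1)
$EndDate   = Get-Date
# Illustrative subset; the real list comes from the customer's requirements
$AlertOperations = @('FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin')

# One SessionId ties the paged calls together; ReturnLargeSet hands back successive
# pages of up to 5000 records until an empty page signals the end of the set.
$sessionId = "LM-Audit-{0}" -f (Get-Date -Format 'yyyyMMddHHmmss')
$records   = New-Object System.Collections.Generic.List[object]
$seen      = @{}   # de-duplicate on Identity; paged output can repeat records

do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $AlertOperations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    foreach ($r in $page) {
        if (-not $seen.ContainsKey($r.Identity)) {
            $seen[$r.Identity] = $true
            $records.Add($r)
        }
    }
} while ($page)

# Raw export for the daily report (path is an assumption)
$records | Export-Csv -Path "$env:TEMP\AuditRecords.csv" -NoTypeInformation

# Per-operation counts as key=value lines, so a script DataSource can map each
# operation to a datapoint (assumed output convention, not verified against LM docs)
$records | Group-Object -Property Operations | ForEach-Object {
    "{0}={1}" -f $_.Name, $_.Count
}
"total_records={0}" -f $records.Count
```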

  • Hi @Mike Suding,

    Trying to use the Office365 DataSource but it is failing to configure.

    [05/19/2020 12:36:40] Connecting to AzureAD
    [05/19/2020 12:36:50] Getting list of registered applications
    [05/19/2020 12:36:50] Creating new App
    [05/19/2020 12:36:52] App Id is 9b6b0f04-8583-407b-9283-3bbea0281005
    [05/19/2020 12:37:07] Application verified
    [05/19/2020 12:37:07] Disconnecting from AzureAD
    [05/19/2020 12:37:07] Step 1 complete. Continue with Step2.
    [05/19/2020 12:37:14] Obtaining list of devices
    [05/19/2020 12:37:14] API call: https://xxxxxx.logicmonitor.com/santaba/rest/device/devices?filter=displayName:xxxxxx
    [05/19/2020 12:37:15] Response code is 200
    [05/19/2020 12:37:15] Deploying tokens of target app
    [05/19/2020 12:37:15] Generating Oauth Form
    [05/19/2020 12:40:30] Requesting Office 365 tokens
    [05/19/2020 12:40:31] Response: Token type: ; Scope: ; Expires in: ; Resource:
    [05/19/2020 12:40:31] Requesting Graph API tokens
    [05/19/2020 12:40:31] Response: Token type: ; Scope: ; Expires in: ; Resource:
    [05/19/2020 12:40:31] Updating device properties, device id is 27
    [05/19/2020 12:40:31] API call: https://xxxxxxxx.logicmonitor.com/santaba/rest/device/devices/27?patchFields=customProperties&opType=replace
    [05/19/2020 12:40:32] Response code is 1007

    Any ideas what would be causing that?