readme.md
Deploy Function App for getting Office 365 Management API data into Azure Sentinel
This function app will poll O365 Activity Managment API every 10 mins for logs. It is designed to get Teams events under Audit.General.
Deployment and Configuration
Add AAD App Permissions
- Go to Azure Active Directory / App Registrations
- Create +New Registration
- Call it "O365APItoAzureSentinel". Click Register.
- Click API Permissions Blade.
- Click Add a Permission.
- Click Office 365 Management APIs.
- Click Appplication Permissions
- Check all permissions for each category. Click Add permissions.
- Click grant admin consent for domain.com
- Click Certificates and Secrets
- Click New Client Secret
- Enter a description, select never. Click Add.
- IMPORTANT. Click copy next to the new secret and paste it somewhere temporaily. You can not come back to get the secret once you leave the blade.
- Copy the client Id from the application properties and paste it somewhere.
- Also copy the tenant Id from the AAD directory properties blade.
Create O365 API Subscription
- Open Powershell
- Run the following commands
$ClientID = "<GUID> from AAD App Registration"
$ClientSecret = "<clientSecret> from AAD App Registrtion"
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<domain>.onmicrosoft.com"
$TenantGUID = "<tenantguid> from AAD"
$resource = "https://manage.office.com"
$body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$publisher = "<randomGuid>" Get a guid from https://guidgenerator.com/
- Run this command to enable Audit.General Subscription.
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$Publisher"
- Run this command to enable DLP.ALL subscription
Invoke-WebRequest -Method Post -Headers $headerParams -Uri "https://manage.office.com/api/v1.0/$tenantGuid/activity/feed/subscriptions/start?contentType=DLP.ALL&PublisherIdentifier=$Publisher"
Deploy the Function App pre-req
- Create a ResourceGroup to host the artefacts of the solution.
- Create a storage account under resource group.
- Create a Function App to host the solution, and download the publish profile.
- Create a Azure Key vault to store sensitive keys.
1: Deploy via Visual Studio
- Download the solution artefacts of Azure Funciton app from Github.
- Open Solution using Visual Studio (Express and above)
- Build the solution.
- Publish the function app, using publish profile downloaded in previous section step.
- Deploy.
- Press enter to accept the name
- Pick a location
- Deployment will begin.
- Wait for the deployment to complete
- Click yes to all to upload.
- Go to the resource group that was created. Click the Function.
- Click Stop.
- Click Platform Features Tab.
- Click Identity
- Click On under system assigned. Click Save. Click Yes.
Create a Key Vault
- Go to the Azure Portal.
- Go to the resource group that was created. Click Add.
- Type Key Vault.
- Create a Key vault.
- Go to the resource created.
- Click Access Policies.
- Click Add Access Policy
- Select Secret Management from Configure from template
- Click Select Principal
- Search for the name of the function app. Click Select.
- Click Add.
- Click Save
- Click Secrets
- Click Generate
- Enter ClientId. Paste the AAD app Client ID. Click Create.
- Click Generate
- Enter ClientSecret. Paste the app Client secret. Click Create.
- Click Generate
- Enter StorageContainerConnectionString. Paste the storage connection string. Click Create.
- Click Generate
- Enter SentinelCustomerId. Paste the Sentinel workspace Id. Click Create.
- Click Generate
- Enter SentinelSharedkey. Paste the Sentinel shared key. Click Create.
Confiugure Settings for the Function
- Go to the Azure Portal.
- Go to the resource group that was created. Click the Function.
- Click Platform Features Tab.
- Click Configuration under General.
- Add keys by clicking new Application Settings
-
KeyVaultEnabled = true/false ( if key vault is enabled)
-
KeyVaultBaseUrl = "https://.vault.azure.net",
-
ClientId = ""
-
ClientSecret = ""
-
TenantId = ""
-
AADInstance = "https://login.microsoftonline.com/{0}"
-
ResourceId = "https://manage.office.com"
-
PublisherGUID = from .onmicrosoft.com
-
publisher is a random guid for throttling that we used in steps to create subscription.
-
AuditLogExtractionStartDate = "4/15/2020 12:00:01 AM"
-
"Start time and end time must be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past." *If not provided then Current UTC Time is taken as default.
-
ConnectionIntervalinMinutes = from .onmicrosoft.com
-
Indicating the time range of content to return , read more on https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference
-
StorageContainerConnectionString = "Stroage container string"
-
If key vault is enabled then leave it blank.
-
LogContainerName = "log"
-
Container name where function specific log info will be stored.
-
LogFileName = "logs.txt""
-
log file name.
-
EnableArchiving = true/false ,
-
DataContainerName = "data"
-
Container name where blobs will be stored, depending on EnableArchiving flag
-
EnableDirectInjestionToWorkSpace = true/false,
-
Indicates if the audit logs to be directly injested to analytics workspace
-
SentinelCustomerId = "Sentinel workspace Id"
-
If keyvault is enabled then leave blank
-
SentinelSharedkey = "Shared key"
-
If keyvalut is enabled then leave blank
-
- Click Save
- Go back to the function and click start under the overview blade.