Installation
- Log in to DataElicit's portal and download the related LogScale package from the Connectors/Packages tab.
- Install the LogScale package into your Falcon LogScale repository.
- Download and extract m365.tgz into the <Installation-Path>/LogConnector/connectors directory:
tar -xzf m365.tgz
- The m365 connector directory contains:
/opt/LogConnector/connectors/m365$ ls
bin default template manifest.yaml README.md
Configuration
- Create a local directory and configure connector.conf, global.conf and secret.conf as required:
/opt/LogConnector/connectors/m365$ mkdir local
/opt/LogConnector/connectors/m365$ cd local
/opt/LogConnector/connectors/m365/local$ nano connector.conf
/opt/LogConnector/connectors/m365/local$ nano secret.conf
/opt/LogConnector/connectors/m365/local$ nano global.conf
/opt/LogConnector/connectors/m365/local$ ls
connector.conf global.conf secret.conf
Note
See the conf-specific conf.ini files in the template/ directory for how to configure each conf file.
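The installation and configuration steps above, scripted as an added example (not DataElicit's own tooling): it extracts the tarball into <root>/connectors, creates local/, verifies the directory layout shown above, and rejects a secret.conf that is readable by group or others. The install root and the fixture tarball are assumptions constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the DataElicit documentation. Assumed layout:
# <root>/connectors/m365/{bin,default,template,manifest.yaml,README.md,local}.

# Extract m365.tgz into <root>/connectors and create the local/ config directory.
install_m365() {
  root="$1"; tgz="$2"
  mkdir -p "$root/connectors"
  tar -xzf "$tgz" -C "$root/connectors"
  mkdir -p "$root/connectors/m365/local"
}

# Verify the connector layout; print "ok" or the first problem found.
verify_m365() {
  dir="$1/connectors/m365"
  for item in bin default template manifest.yaml README.md local; do
    [ -e "$dir/$item" ] || { echo "missing: $item"; return 1; }
  done
  # secret.conf holds the connector's secrets: only the owner should read it.
  if [ -f "$dir/local/secret.conf" ]; then
    perms=$(stat -c %a "$dir/local/secret.conf" 2>/dev/null \
            || stat -f %Lp "$dir/local/secret.conf")
    case "$perms" in
      600|400) ;;
      *) echo "secret.conf mode $perms is too permissive"; return 1 ;;
    esac
  fi
  echo ok
}

# Constructed fixture: a minimal m365.tgz with the documented layout, used
# here in place of the real download so the example runs without the portal.
make_fixture_tgz() {
  out="$1"; tmp=$(mktemp -d)
  mkdir -p "$tmp/m365/bin" "$tmp/m365/default" "$tmp/m365/template"
  : > "$tmp/m365/manifest.yaml"; : > "$tmp/m365/README.md"
  tar -czf "$out" -C "$tmp" m365
  rm -rf "$tmp"
}

# Stand-alone run against a scratch install root: sh install.sh demo
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d); make_fixture_tgz "$root/m365.tgz"
  install_m365 "$root" "$root/m365.tgz"
  : > "$root/connectors/m365/local/secret.conf"
  chmod 600 "$root/connectors/m365/local/secret.conf"
  verify_m365 "$root"
fi
```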
- You can configure the following types of sources:
  - Management Activity – all audit events visible through the Microsoft 365 Management Activity API.
    - Audit.AzureActiveDirectory – the audit logs for Microsoft Azure Active Directory
    - Audit.Exchange – the audit logs for Microsoft Exchange
    - Audit.SharePoint – the audit logs for Microsoft SharePoint
    - Audit.General – the general audit logs for Microsoft 365
    - DLP.All – all log information for DLP
  - Service Health & Communications – access to the health status and message center posts.
    - issues – provides the health information of a specified service for a tenant.
    - messages – provides the message information of a specified service for a tenant.
  - Mailbox – audit events and reports visible through the Microsoft Graph API endpoints.
    - MailboxUsageDetail – lists details about mailbox usage.
    - MailboxUsageMailboxCounts – lists details about active mailbox counts.
  - Office 365 – audit events and reports visible through the Microsoft Graph API endpoints.
    - Office365GroupsActivityDetail – lists details about group activity.
    - Office365ServicesUserCounts – lists user counts for Microsoft 365 services.
  - OneDrive – audit events and reports visible through the Microsoft Graph API endpoints.
    - OneDriveActivityUserCounts – lists details about OneDrive user activity.
    - OneDriveUsageAccountDetail – lists details about OneDrive usage by account.
    - OneDriveUsageStorage – lists details about the amount of OneDrive storage used.
  - SharePoint – audit events and reports visible through the Microsoft Graph API endpoints.
    - SharePointSiteUsageDetail – lists details about SharePoint site usage.
    - SharePointSiteUsageFileCounts – lists details about SharePoint file counts and activity.
  - Teams – audit events and reports visible through the Microsoft Graph API endpoints.
    - TeamsUserActivityCounts – lists counts of Teams user activity by activity type.
    - TeamsUserActivityUserDetail – lists details about Teams user activity.
  - Yammer – audit events and reports visible through the Microsoft Graph API endpoints.
    - YammerGroupsActivityDetail – lists details about Yammer group activity.
    - YammerGroupsActivityGroupCounts – lists Yammer group activity counts.
  - Audit Logs – audit events and reports visible through the Microsoft Graph API endpoints.
    - AuditLogs.SignIns – lists user sign-ins to an Azure tenant.
  - Cloud Application Security – all service policies, alerts and entities visible through the Microsoft Cloud Application Security portal.
    - policies – lists threat protection policy information.
    - alerts – lists information about identified risks.
    - entities – lists information about accounts and users of cloud apps.
    - files – lists file and folder metadata.
    - Cloud.Discovery – lists Cloud Discovery reports.
  - Message_Trace – provides summary information about the processing of email messages that have passed through the Microsoft 365 system for the organization.
References
https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
https://learn.microsoft.com/en-us/defender-cloud-apps/api-introduction