Connect data from Office 365 Logs
You can stream audit logs from Office 365 into the Azure Sentinel workspace on the same tenant with a single click. The Office 365 activity log connector provides insight into ongoing user activities: you get information about user, admin, system, and policy actions and events from Office 365. By connecting Office 365 logs to Azure Sentinel you can use this data to view dashboards, create custom alerts, and improve your investigation process.
If you have an E3 license, before you can access data through the Office 365 Management Activity API you must enable unified audit logging for your Office 365 organization. You do this by turning on the Office 365 audit log. For instructions, see Turn Office 365 audit log search on or off. For more information, see the Office 365 Management Activity API reference.
You must be a global administrator or security administrator on your tenant.
Your tenant must have unified auditing enabled. Tenants with Office 365 E3 or E5 licenses have unified auditing enabled by default.
If your tenant does not have one of these licenses, you must enable unified auditing on your tenant using one of these methods:
- Use the Set-AdminAuditLogConfig cmdlet and set the UnifiedAuditLogIngestionEnabled parameter to $true.
- Use the Security & Compliance Center UI.
Currently, the Office 365 data connector captures only Exchange and SharePoint activity automatically, as listed in the Data types section of the connector page. If you also need Teams audit data in order to protect Teams with Sentinel, see this article.
Connect to Office 365
In Azure Sentinel, select Data connectors and then click the Office 365 tile.
If you have not already enabled the connector, go to the Data connectors blade, select the Office 365 connector, and click Open connector page. Under the Configuration section, select the Office 365 activity logs you want to connect to Azure Sentinel.
If you already connected multiple tenants in a previously supported version of the Office 365 connector in Azure Sentinel, you will be able to view and modify which logs you collect from each tenant. You will not be able to add additional tenants, but you can remove previously added tenants.
To use the relevant schema in Log Analytics for the Office 365 logs, search for OfficeActivity.
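The following script is an added example (not part of this article or of the Sentinel connector itself) that ties the two administrative steps above together: it checks and enables unified audit log ingestion with Set-AdminAuditLogConfig, then queries the OfficeActivity table to confirm that Exchange and SharePoint events are actually arriving in the workspace. It assumes the ExchangeOnlineManagement and Az.OperationalInsights modules are installed, and `$WorkspaceId` is a placeholder for your Log Analytics workspace GUID.

```powershell
# Added example: enable unified auditing, then verify OfficeActivity ingestion.
$WorkspaceId = '<workspace-guid>'   # placeholder: your Log Analytics workspace ID

# 1. Connect to Exchange Online as a global or security administrator.
Connect-ExchangeOnline -ShowBanner:$false

# 2. Check whether unified auditing is already on (E3/E5 tenants usually are).
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is off; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Re-read the setting so the value below reflects the change.
    $config = Get-AdminAuditLogConfig
}
Write-Host "UnifiedAuditLogIngestionEnabled = $($config.UnifiedAuditLogIngestionEnabled)"

# 3. Verify in Sentinel: count OfficeActivity events per workload over the last day.
#    The connector captures Exchange and SharePoint automatically, so a missing
#    workload here is the first sign of a connector or licensing problem.
Connect-AzAccount | Out-Null
$kql = @"
OfficeActivity
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated) by OfficeWorkload
| order by Events desc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    Write-Warning 'No OfficeActivity rows in the last 24h: check the connector configuration.'
} else {
    $rows | Format-Table OfficeWorkload, Events, LastSeen -AutoSize
    foreach ($expected in @('Exchange', 'SharePoint')) {
        if (-not ($rows.OfficeWorkload -contains $expected)) {
            Write-Warning "No $expected events ingested yet."
        }
    }
}
```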
In this document, you learned how to connect Office 365 to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Azure Sentinel.