AlertLogic Office 365 Log Collector
This repository contains Azure Web application Node.js source code and an ARM template for setting up a data collector in Azure which will collect and forward Office 365 log data to the Alert Logic Cloud Defender Log Manager (LM) feature.
Installation requires the following steps:
- Register a new O365 web application in O365 portal for collecting O365 logs.
- Set up the required Active Directory security permissions for the application to authorize it to read threat intelligence data and activity reports for your organization.
- Create an Access Key that will allow the application to connect to the Alert Logic Cloud Defender and Cloud Insight backend.
- Download and deploy a custom ARM template to Microsoft Azure to create functions for collecting and managing O365 log data
- Verify that installation was successful using Alertlogic CloudDefender UI.
In order to install O365 Log collector:
-
Log into O365 portal as AD tenant administrator.
-
Navigate to
Admin Centers
andAzure AD
. -
On the left side panel click
Azure Active Directory
andApp Registrations
. -
Click
+New application registration
, fill in configuration parameters and clickCreate
:Name
- for examplealo365collector
.- Select
Web app/ API
asApplication type
. - In
Sign-on URL
enter some URL, for examplehttp://alo365collector.com
. Note, it is not used anywhere.
-
After application is created select it and make a note of
Application Id
, for example,a261478c-84fb-42f9-84c2-de050a4babe3
- On the
Settings
panel and selectRequired permissions
and click+Add
- Hit
Select an API
and choseOffice 365 Management APIs
, clickSelect
- In
Application permissions
selectRead service health information for your organization
,Read activity data for your organization
,Read threat intelligence data for your organization
andRead activity reports for your organization
. ClickSelect
andDone
buttons. - On
Required permissions
panel clickRequired permissions
button and confirm the selection. Note, only AD tenant admin can grant permissions to an Azure AD application. - On the
Settings
panel of the application and selectKeys
. - Enter key
Description
andDuration
and clickSave
. Note, please save the key value, it is needed later during template deployment. - Save the
Application ID
andService Principal Id
for use below. To get theService Principal Id
, navigate to theRegistered App
blade, click on the link underManaged application in local directory
. Then clickProperties
. TheService Principal Id
is labeledObject ID
on the properties page. Caution This is not the sameObject ID
listed in theProperties
blade reached by clickingSettings
orAll Settings
from theRegistered app
. It is also not theObject ID
shown on theRegistered app
blade itself.
From the Bash command line in Azure Cloud Shell run the following commands, where <username>
is your Alert Logic user and <password>
is your Alert Logic password:
export AL_USERNAME='<username>'
auth=$(curl -X POST -s -u $AL_USERNAME https://api.global-services.global.alertlogic.com/aims/v1/authenticate); export AL_ACCOUNT_ID=$(echo $auth | jq -r '.authentication.account.id'); export AL_USER_ID=$(echo $auth | jq -r '.authentication.user.id'); export AL_TOKEN=$(echo $auth | jq -r '.authentication.token'); if [ -z $AL_TOKEN ]; then echo "Authentication failure"; else roles=$(curl -s -X GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/roles | jq -r '.roles[].name'); if [ "$roles" != "Administrator" ]; then echo "The $AL_USERNAME doesn’t have Administrator role. Assigned role is '$roles'"; else curl -s -X POST -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq .; fi; fi; unset AL_USERNAME;
An example of a successful response is:
{
"access_key_id": "712c0b413eef41f6",
"secret_key": "1234567890b3eea8880d292fb31aa96902242a076d3d0e320cc036eb51bf25ad"
}
Note: if the output is blank please double-check the Alert Logic user permission, you should have administrator access. More details about AIMS APIs can be found here.
Make a note of the access_key_id
and secret_key
values for use in the deployment steps below.
Note: Only five access keys can be created per user. If you get a "limit exceeded" response you will need to delete some keys in order to create new ones. Use the following command to list access keys:
curl -s -X GET -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys | jq
Then use the selected access_key_id in the following curl command to delete it:
curl -X DELETE -H "x-aims-auth-token: $AL_TOKEN" https://api.global-services.global.alertlogic.com/aims/v1/$AL_ACCOUNT_ID/users/$AL_USER_ID/access_keys/<ACCESS_KEY_ID_HERE>
Log into Azure portal. Note, In order to perform steps below you should have an active Azure subscription, to find out visit Azure subscriptions blade.
If multiple Active Directory tenants are used within your organization please login into the same tenant where application registration was created during Register a New O365 Web Application in O365. How to find Office365 tenant id see here.
Fill in required template parameters and click the Purchase
button to start a deployment:
Name
- Any nameStorage Name
- Any Storage Account name (that does not currently exist)Alert Logic Access Key ID
-access_key_id
returned from AIMs aboveAlert Logic Secret Key
-secret_key
returned from AIMs aboveAlert Logic API endpoint
- usuallyapi.global-services.global.alertlogic.com
Alert Logic Data Residency
- usuallydefault
Office365 Content Streams
- The list of streams you would like to collect. Valid values are:- ["Audit.AzureActiveDirectory","Audit.Exchange","Audit.SharePoint","Audit.General", "DLP.All"]
Service Principal ID
- TheObject ID
of the application that created the subscription. You can obtain it from Azure -> AD -> App registrations -> Your app name -> Link under Managed application in local directory -> Properties -> Object IDApp Client ID
- The GUID of your application that created the subscription. You can obtain it from Azure -> AD -> App registrations -> Your app nameApp Client Secret
- The secret key of your application from App Registrations
You can use either Azure Cloud Shell or local installation of Azure CLI.
- Create a new resource group in, for example, the "Central US" location by executing following command:
az group create --name <new-resource-group-name> --location "Central US"
- Once created go to
Resource groups
blade and select the resource group. - Select
Access Control (IAM)
and addWebsite Contributor
role to AD application identity created above. - Deploy a template by using following command, during its execution enter required parameters when asked.
az group deployment create \ --resource-group <new-resource-group-name> \ --template-uri "https://raw.githubusercontent.com/alertlogic/azure-collector/master/template.json"
Wait until it is deployed successfully.
- Go to
Azure Apps
and choose your function. The last log underFunctions-> Master-> Monitor
should have OK status and should not contain any error messages. - Log into Alertlogic CloudDefender and navigate into
Log Manager -> Sources
page. Check new O365 log source (with a name provided duringaz group deployment create
above) has been created and source status isok
.
Note: the following Azure functions use Application/O365 tenant id (APP_TENANT_ID
web application setting) as a PublisherIdentifier
during O365 management API requests. More info about PublisherIdentifier
can be found here.
The Master
function is a timer trigger function which is responsible for:
- registering the Azure web app in Alertlogic backend;
- reporting health-checks to the backed;
- performing log source configuration updates, which happen via Alertlogic UI.
Note: When releasing a new version of the collector please remember to increment the version number in
npm package.json file. To display the current version locally, issue npm run local-version
The Updater
is a timer triggered function runs deployment sync operation every 12 hours in order to keep entire Web application up to date.
The O365WebHook
function exposes an HTTP API endpoint https://<app-name>/o365/webhook
which is registered as an Office 365 webhook and processes O365 activity notifications. Below is a notification example,
[
{
"contentType": "Audit.AzureActiveDirectory",
"contentId": "20170721121608709004422$20170721121608709004422$audit_azureactivedirectory$Audit_AzureActiveDirectory$IsFromNotification",
"contentUri": "https://manage.office.com/api/v1.0/bf8d32d3-1c13-4487-af02-80dba2236485/activity/feed/audit/20170721121608709004422$20170721121608709004422$audit_azureactivedirectory$Audit_AzureActiveDirectory$IsFromNotification",
"notificationStatus": "Succeeded",
"contentCreated": "2017-07-21T12:16:56.798Z",
"notificationSent": "2017-07-21T12:16:56.798Z",
"contentExpiration": "2017-07-28T12:16:08.709Z"
},
{
"contentType": "Audit.AzureActiveDirectory",
"contentId": "20170721121625590007449$20170721121625590007449$audit_azureactivedirectory$Audit_AzureActiveDirectory$IsFromNotification",
"contentUri": "https://manage.office.com/api/v1.0/bf8d32d3-1c13-4487-af02-80dba2236485/activity/feed/audit/20170721121625590007449$20170721121625590007449$audit_azureactivedirectory$Audit_AzureActiveDirectory$IsFromNotification",
"notificationStatus": "Succeeded",
"contentCreated": "2017-07-21T12:16:56.798Z",
"notificationSent": "2017-07-21T12:16:56.798Z",
"contentExpiration": "2017-07-28T12:16:25.590Z"
}
]
A notification contains a link to the actual data which is retrieved by the O365WebHook
, wrapped into a protobuf structure and is sent into Alertlogic Ingest service.
Note: it can take up to 24 hours before audit content is available. Please follow this link to find the time it takes for the different services in Office 365.
- Clone repo
git clone git@github.com:alertlogic/azure-collector.git
cd azure-collector
- Run
./local_dev/setup.sh
- Edit
./local_dev/dev_config.js
- Run Master function locally:
npm run local-master
- Run Updater function locally:
npm run local-updater
- Run O365WebHook function locally:
npm run local-o365webhook
- Run
npm test
in order to perform code analysis and unit tests.
Please use the following code style as much as possible.
process.env.APP_TENANT_ID
- The GUID of the tenant i.e. 'alazurealertlogic.onmicrosoft.com'process.evn.APP_RESOURCE_GROUP
- The name of the resource group where your application is deployed.process.env.CUSTOMCONNSTR_APP_CLIENT_ID
- The GUID of your application that created the subscription. You can obtain it from Azure -> AD -> App registrations -> Your app nameprocess.env.CUSTOMCONNSTR_APP_CLIENT_SECRET
- A secret key of your application from App Registrations.process.env.CUSTOMCONNSTR_APP_CI_ACCESS_KEY_ID
- access key returned from AIMs above.process.env.CUSTOMCONNSTR_APP_CI_SECRET_KEY
- secret key returned from AIMs above.
- Sometimes deployments fail after siteSync action. We need better updater to handle that in order not to wait for 12 hours for the next update attempt.