Office 365 Configuration To Send Logs To AIS Managed SIEM

2 minute read


  • At least one Microsoft 365 E5 license is required on office 365 tenant
  • Need to log in with Office 365 Account that has Security Admin and Compliance Admin permissions

  1. Log in to Office 365 Admin.
  2. Enable mailbox auditing in Office 365 using PowerShell (1-2019, MS enabled auditing by default BK)
  3. Enable Exchange Online tracking -
  4. Enable auditing.
    • Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $true
  5. Configure auditing.
    • Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditOwner @{Add=MailboxLogin”,“HardDelete”,“SoftDelete”}
  6. Validate audit settings.
    • Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | FL Name,Audit*
  7. Confirm account used has Security Admin and Compliance Admin permissions.
    • Office 365 Admin-gtAdmin Centers-gtSecurity Compliance-gtPermissions-gtCompliance Administrator(checkbox)-gtMembers-gtEdit-gtChoose Members-gtAdd.
  8. Click checkbox next to “Account Name”.
  9. Click “Add”.
  10. Click “Done”.
  11. Click “Save”.
    • Security Administrator(checkbox)-gtMembers-gtEdit-gtChoose Members-gtAdd-gtClick checkbox next to Account Name-gtClick Add-gtClick Done-gtSave-gtClose
  12. In Security Compliance Center, go to “Search investigation”.
  13. Click “Audit log search”.
  14. Click “Start recording user and admin activities”. (Note: If this option is not shown, that means Audit logging is already enabled, proceed to next step.)
  15. Click or Security Compliance-gtAlerts-gtManage advanced alerts.
  16. Click checkbox “Turn on Office 365 Cloud App Security”
  17. Click “Go to Office 365 Cloud App Security”.
    • Note: If this option is not shown, it’s likely the Microsoft 365 E5 license is not present or not assigned to a user.
  18. On the left hand side, hover over the icon second to last from the bottom and select “Control”.
  19. Click “Policies”.
  20. Review to ensure policies are enabled, if Malware detection is disabled, click the 3 vertical dots on the right-hand side, then click “Enable”.
  21. Click the “Settings” Gear on top right of page:
    • Security Extensions-gtSIEM Agents-gtClick + sign on the right-side to add-gtStart Wizard-gtAdd Agent Name:
  22. Select your SIEM: Format Generic CEF-gtAdvanced Settings
  23. Click checkboxes for “Include PRI” and “Include System Name”
  24. Click “Next”.
  25. Enter the remote syslog host.
  26. Enter the remote syslog port.
  27. Select the remote syslog protocol:
    • UDP-gtNext-gtEnsure that the slider on the right-side is enabled for both “All Alerts” and “All Activities”.
  28. Click “Close”.
  29. Log in to AIS Foreman
  30. Go to Cron Job Puppet Class:
  31. Click “Smart Class Parameter”.
  32. Click “Jobs” on the left side.
  33. Scroll down, find the line.
  34. Click the two arrows next to the “Value” field on this line to expand the values.
  35. Add another “Command” entry to the bottom, following the exact same format as the others.
  36. Click the two arrows at the top right to collapse the field.
  37. Click “Submit”.

Last modified April 15, 2021
Get Started Now