
How to pull O365 and Azure Active Directory logs into OSSIM



Hi Guys,

Is there any plugin to pull down the O365 and Azure Active Directory logs into OSSIM server?

I checked that there is one plugin listed as "o365-asm" but I am not sure how to use and configure it.

Please suggest.




  • Hi Friends,

    Can anyone please help me on this topic?



  • OK, this is complicated.
    You have to create an SIEM agent connector on your MS Cloud App Security admin page (just google it).
    Then you have to download and install the MCAS-SIEM-AGENT jar file onto your OSSIM server.
    Then you need to install JAVA v 8. For this you will need to download it from the JAVA site itself, as the ones in the AV repository are too old.
    Once you have the JAVA JDK folder you can move it to anywhere you like and then launch the JAR file as described in the integration guide on the M$ website.
    One thing to remember is that this agent is designed to sit on a remote server that is NOT the SIEM server itself; however, it is able to talk to itself without issues, as I have found.
    Once you have the agent running you then need to filter off the SIEM_Agent log messages into the file /var/log/o365-asm.log using a new filter in the /etc/rsyslog.d/ folder, I used aaaaa_o365.conf:-

    # Route MCAS SIEM agent messages to the file the o365-asm plugin reads
    if $msg contains "MCAS|SIEM_Agent" then {
      action(type="omfile" File="/var/log/o365-asm.log")
    }

    Once you can see stuff in the o365-asm.log file the o365-asm plugin will work.

    Good luck!
