Subscribe to and collect logs from the Office 365 Management Activity API (https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-reference). The collector can currently output to a network socket (e.g. a Graylog input) or to a file; contributions of other outputs are welcome. By default it retrieves the logs of the last 24 hours.
- Ad hoc log retrieval;
- Scheduling regular execution to retrieve the full audit trail.
- Subscribe to the audit logs of your choice through the subscription script;
- Collect General, Exchange, SharePoint, Azure Active Directory and/or DLP audit logs through the collector script;
- Output to a file or to a Graylog input (i.e. send the logs over a network socket).
- Office365 tenant;
- Azure application created for this script (see instructions)
- AzureAD tenant ID;
- Client key of the new Azure application;
- Secret key (created in the new Azure application, see instructions);
- App permissions to access the APIs for the new Azure application (see instructions);
- Subscription to the APIs of your choice (General/SharePoint/Exchange/AzureAD/DLP; run the AuditLogSubscription script and follow the instructions).
- Create the 'Web app / API' type app by following these instructions: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#adding-an-application
- Grant your new app permissions to read the Office APIs: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#configure-a-client-application-to-access-web-apis
- Use the 'AuditLogSubscriber' script to subscribe to the audit APIs of your choice;
- You can now run the script and retrieve logs.
If you are running this script to get audit events into Graylog, you will need to create a Graylog input. If not, skip this section.
- Create a 'raw/plaintext TCP' input;
- Enter the IP address and port you want to receive the logs on (pass these to the script with -gA and -gP);
- All other settings can be left at their defaults.
- Retrieve all logs and send them to a network socket / Graylog server:
```
python3 AuditLogCollector.py 'tenant_id' 'client_key' 'secret_key' --exchange --dlp --azure_ad --general --sharepoint -p 'random_publisher_id' -g -gA 10.10.10.1 -gP 6000
```
```
usage: AuditLogCollector.py [-h] [--general] [--exchange] [--azure_ad]
                            [--sharepoint] [--dlp] [-p publisher_id]
                            [-l log_path] [-f] [-fP file_output_path] [-g]
                            [-gA graylog_address] [-gP graylog_port]
                            tenant_id client_key secret_key

positional arguments:
  tenant_id             Tenant ID of Azure AD
  client_key            Client key of Azure application
  secret_key            Secret key generated by Azure application

optional arguments:
  -h, --help            show this help message and exit
  --general             Retrieve General content
  --exchange            Retrieve Exchange content
  --azure_ad            Retrieve Azure AD content
  --sharepoint          Retrieve SharePoint content
  --dlp                 Retrieve DLP content
  -p publisher_id       Publisher GUID to avoid API throttling
  -l log_path           Path of log file
  -f                    Output to file.
  -fP file_output_path  Path of directory of output files
  -g                    Output to graylog.
  -gA graylog_address   Address of graylog server.
  -gP graylog_port      Port of graylog server.
  -d                    Enable debug logging (large log files and lower performance)
```
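The collection loop these flags drive, as an added example that is not the project's own code: it builds the 24-hour window the API expects, lists the content blobs for one content type while following the paged `NextPageUri` header, downloads each blob, and frames the records for a raw/plaintext TCP Graylog input. It assumes an already-obtained bearer token for https://manage.office.com; the `fetch` parameter is injected so the paging logic can be exercised offline with constructed responses.

```python
import json
import socket
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://manage.office.com/api/v1.0"
# Content types accepted by the API, keyed by the collector's flag names.
CONTENT_TYPES = {"general": "Audit.General", "exchange": "Audit.Exchange",
                 "sharepoint": "Audit.SharePoint",
                 "azure_ad": "Audit.AzureActiveDirectory", "dlp": "DLP.All"}


def default_window(now=None):
    """Collector default: the last 24 hours, UTC, second precision. The API
    rejects windows wider than 24 hours and start times older than 7 days."""
    end = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    start = end - timedelta(hours=24)
    fmt = "%Y-%m-%dT%H:%M:%S"
    return start.strftime(fmt), end.strftime(fmt)


def http_get(url, token):
    """Real fetcher (assumes a valid bearer token): returns (JSON body, headers)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers  # headers support case-insensitive get()


def collect(tenant_id, content_type, token, publisher_id, fetch=http_get, now=None):
    """List the blobs available in the window, following NextPageUri, then
    download each blob; returns the flat list of audit records."""
    start, end = default_window(now)
    url = (f"{API}/{tenant_id}/activity/feed/subscriptions/content"
           f"?contentType={content_type}&startTime={start}&endTime={end}"
           f"&PublisherIdentifier={publisher_id}")
    records = []
    while url:
        blobs, headers = fetch(url, token)
        for blob in blobs:
            body, _ = fetch(blob["contentUri"], token)
            records.extend(body)
        url = headers.get("NextPageUri")  # absent on the last page
    return records


def graylog_frames(records):
    """Raw/plaintext TCP input: one newline-delimited JSON message per record."""
    return "".join(json.dumps(r) + "\n" for r in records).encode()


def send_to_graylog(records, address, port):
    """Ship the frames to the Graylog input created for this collector (-gA/-gP)."""
    with socket.create_connection((address, port), timeout=10) as sock:
        sock.sendall(graylog_frames(records))
```

Because blobs expire after the API's seven-day retention, the scheduled execution the README recommends is what keeps the trail complete, not a larger window.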
- Add start and end date parameters for log retrieval.