Documentation for Threat Monitor

Add Office 365 logs

Before configuring syslog and adding a plugin for Office 365 (O365), complete the following tasks:

  1. Request the API authorization link from
  2. Authorize API access via the link provided.
  3. Provide the email address used to authorize API access to

Configure the O365 syslog

  1. In Threat Monitor, navigate to Admin > Manage Collectors.
  2. In the sensors list, select a collector, and then click Edit.

  3. Click the Syslog tab.

  4. Click the Log Destinations tab, and then click Add.

  5. In the Destination Setup window, select Both File and Elastic SOC.

  6. Enter a unique name based on the data source (for example, o365-AZ-logger).

    When entering a name, do not use spaces.

  7. Enter a file storage location on the collector, select the appropriate plugin (barracuda), and then click Save.

    This is typically located in /var/log/<filename>.log. For example, /var/log/O365.log. You must specify a log destination for each plugin.

  8. Click the Filters tab, and then click Add.

  9. Enter a unique filter name based on the data source (O365).
    The most common filters for o365 are:
    • o365 Exchange: o365logger
    • o365 Azure AD: o365-AZ-logger

    The purpose of this filter is to give Threat Monitor something unique that it can match in the logs so it knows which source a log is coming from. The best way to determine what filter to use is to look at the logs that are being sent over and find something unique and specific to that source.

  10. To set your filter conditions, click Add Row.
  11. From the Condition drop-down list, select n/a.
  12. From the Filter drop-down list, select message.
  13. In the Value field, enter the filter value.
  14. Click the Actions tab, and then click Add.

  15. Add four rows, and then make selections from the Type and Value drop-down lists. For example:
    • Source: local
    • Filter: o365-AZ-logger or o365logger
    • Destination: o365-AZ-logger or o365logger (Elastic SOC)
    • Destination: o365-AZ-logger or o365logger (file)
  16. To save your settings, click Apply changes.
  17. Click the Data Sources tab.
  18. Click New Plugin.
  19. From the Active Plugin list, select O365.
  20. Click the gear icon next to each Play button under the Parser Workers, Storage workers, and Error Workers, and then click Save.

    Please note that this is necessary to create the queues to process your incoming logs.

  21. For each queue, click Play.
  22. Set Parser Workers to 5 and Storage Workers to 10.
  23. Click Save.
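As an added illustration (not part of the Threat Monitor documentation) of how the filter value from steps 9 through 15 selects log lines and routes them to the file and Elastic SOC destinations, the Python below runs the match over constructed sample lines and checks that a candidate value is specific to exactly one data source. The plain substring matching and the log file paths are assumptions.

```python
# Constructed sample syslog lines (not from a real O365 tenant). Each source
# tags its messages with the unique string the filters in step 9 key on.
SAMPLE_LOGS = {
    "o365 Exchange": [
        'Mar  4 10:01:02 collector01 o365logger: {"Workload":"Exchange","Operation":"MailItemsAccessed"}',
    ],
    "o365 Azure AD": [
        'Mar  4 10:01:03 collector01 o365-AZ-logger: {"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn"}',
    ],
    "other": [
        "Mar  4 10:01:04 collector01 sshd[123]: Accepted publickey for admin from 10.0.0.5",
    ],
}

# Filter rows (steps 9-13) and action rows (step 15): filter name ->
# (value matched against the message, destinations). File paths follow the
# /var/log/<filename>.log convention from step 7; names here are assumptions.
RULES = {
    "o365logger": ("o365logger", ["/var/log/O365-exchange.log", "elastic-soc"]),
    "o365-AZ-logger": ("o365-AZ-logger", ["/var/log/O365-AZ.log", "elastic-soc"]),
}


def message_matches(line, value):
    """Assumption: Condition = n/a and Filter = message means a plain substring test."""
    return value in line


def sources_matched(value, samples=SAMPLE_LOGS):
    """Data sources a candidate filter value would match; a usable filter hits exactly one."""
    return sorted(src for src, lines in samples.items()
                  if any(message_matches(line, value) for line in lines))


def is_specific(value, samples=SAMPLE_LOGS):
    """True when the value identifies a single data source in the sample logs."""
    return len(sources_matched(value, samples)) == 1


def route(line, rules=RULES):
    """Destinations per filter name for every filter whose value appears in the line."""
    return {name: dests for name, (value, dests) in rules.items()
            if message_matches(line, value)}
```

Running `is_specific("o365")` shows why a bare product name is a poor filter value: it matches both the Exchange and Azure AD sources, so the logs would be mis-attributed.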