Microsoft 365 integration with 2.4?

[tsmith-spscc]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

24

RAM

192

Storage for /

1 TB

Storage for /nsm

40 TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I'm looking for help on how to ingest logs from Microsoft 365 in Security Onion 2.4. I had it working with 2.3 by registering an Application in Azure (Entra), providing the required permissions to M365 resources and then adding the credentials to the filebeat docker container on my manager node. I have been unable to find information on how to make this work with Elastic Agent in 2.4. I should mention that I have other integrations that were previously working in 2.3 that I want to configure as well, such as Okta, Sophos and sFlow, but I'm not to that point yet. M365 is my primary concern at the moment.

Any suggestions are welcomed and appreciated. Thanks.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[Acewiza]

Kinda off-topic, but I always find those 2 words in the same sentence cringeworthy - Microsoft and integration. It was always more of a Borg-type thing to me, ya know - assimilation.

[dougburks]

@Acewiza please avoid off-topic comments. Thanks.

[InfosecGoon]

All of those items should be supported via Elastic Integrations.

1. Open up Elastic Fleet from the SOC interface.
2. Click on Agent Policies at the top of the screen.
3. Click on the Actions menu to the right of so-grid-nodes-general, then Duplicate policy.
4. Give the new policy a name.
5. Edit this new policy - click on Add Integration in the upper-right, then search for the M365 integration that you want.
6. Click the Add button in the upper right corner of the integration screen.
7. Put in all of the information for the M365 integration.
8. Assign this new policy to one of the agents in your grid, so it can start retrieving the logs for you.

There's a video on our Youtube site for using the Elastic Integration for PFSense logs -- the methodology is similar, that might be worth watching for you.

[tsmith-spscc]

Thank you. I'll give this a try. Much appreciated.