From aa0a65275c3962b291c0c03480854b2d98ac5d55 Mon Sep 17 00:00:00 2001 From: Kim Pohas Date: Tue, 15 Oct 2024 22:59:18 -0700 Subject: [PATCH 1/5] Update ms-office-audit-source.md --- .../ms-office-audit-source.md | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md index d4fbcf3b86..4989b41ccb 100644 --- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md +++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md 
@@ -42,31 +42,36 @@ Audit log data can contain sensitive information. When you configure any audit l * [Enable Exchange Audit Logging](#enable-exchange-audit-logging) * Authentication must be with a new Office 365 Audit Source, we do not support re-authenticating existing sources. + ## Office 365 admin roles -Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Office 365 admin center.  +Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Office 365 admin center. + +When you configure a Microsoft Office 365 Audit Source in Sumo Logic, you will need to authenticate with Microsoft using standard OAuth v2. The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited. For the sake of the principle of least privilege (PoLP), the authenticating account should have the minimum necessary permissions while still enabling appropriate access. The appropriate role depends on the Office 365 edition you use and your security policies. -When you configure a Microsoft Office 365 Audit Source in Sumo you will need to authenticate with Microsoft using standard OAuth v2. The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited. For the sake of the principle of least privilege (PoLP), the authenticating account should be as restrictive as possible while enabling appropriate access. What's appropriate for you depends on which Office 365 edition you use and your security policies. 
+Using the **Global Reader** role is recommended to reduce security risks, as it provides read-only access: -Using the Global Administrator role is recommended: +| Role | Description | +|:-----|:-------------| +| Global Reader | This role provides read-only access to the Office 365 environment without the ability to modify settings or content, minimizing security risks. | -| Role  | Description | -|:-----------------------|:-------------| -| Global Administrator  | This role enables access to all administrative features in your Office 365 subscription. | +In cases where read-only access is insufficient and additional permissions are required, you may need to use the **Global Administrator** role, which provides full access: -You could take a different, more granular, approach to assign roles to -the authenticating account. There are approximately 40 Office 365 roles, -and some subset of those roles might meet your collection requirements. -For more information, see the following topics in Microsoft help: +| Role | Description | +|:-----|:------------| +| Global Administrator | This role enables access to all administrative features in your Office 365 subscription. Use this role only when absolutely necessary, as it grants full control. | + +Alternatively, you could assign more granular roles to the authenticating account. There are approximately 40 Office 365 roles, and some subset of those roles might meet your collection requirements. 
For more information, see the following topics in Microsoft help: * [Permissions in the Office 365 Security & Compliance Center](https://support.office.com/en-us/article/permissions-in-the-office-365-security-compliance-center-d10608af-7934-490a-818e-e68f17d0e9c1?ui=en-US&rs=en-US&ad=US) * [About Office 365 admin roles](https://support.office.com/en-us/article/about-office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) * [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-assign-admin-roles-azure-portal) :::note -The variety and range of configurations of Office 365 environments preclude exhaustive testing log ingestion from Office 365 sources. You might need to experiment with several roles to ensure that you are ingesting the data you want. Note also that Office 365 administrators must enable logging in their environments for the logs to be available. +The variety and range of configurations in Office 365 environments preclude exhaustive testing of log ingestion from Office 365 sources. You might need to experiment with several roles to ensure you are ingesting the data you want. Note also that Office 365 administrators must enable logging in their environments for the logs to be available. ::: + ## Enable Exchange Audit Logging Before you can configure a Sumo Logic Microsoft Office 365 Audit Source for Exchange log data, enable Exchange Audit Logging within your Office 365 tenant by following the steps at https://technet.microsoft.com/library/dn879651.aspx. 
@@ -90,7 +95,7 @@ You must configure a separate Source for each Office 365 application you want to During the configuration, you will need to authenticate to Microsoft using standard OAuth v2. The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited. Refer to the API references in this article for additional information on Microsoft admin rights. ::: -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 1. Click **Add Source** next to a Hosted Collector. If you dont already have a hosted collector, see [Set Up a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector) for instructions on setting up a new Hosted Collector. 1. Select **Office 365 Audit**.  1. Enter a name to identify the Source. **Description** is optional. From 0f71136bc66bc71069f9713b2a359a9a75f7a74a Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Tue, 15 Oct 2024 23:00:31 -0700 Subject: [PATCH 2/5] Update docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md --- .../hosted-collectors/microsoft-source/ms-office-audit-source.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md index 4989b41ccb..90a733bc70 100644 --- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md +++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md @@ -42,7 +42,6 @@ Audit log data can contain sensitive information. When you configure any audit l * [Enable Exchange Audit Logging](#enable-exchange-audit-logging) * Authentication must be with a new Office 365 Audit Source, we do not support re-authenticating existing sources. - ## Office 365 admin roles Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Office 365 admin center. From 5e50fc347ca544386752a5b3dd2806cd221eca6d Mon Sep 17 00:00:00 2001 
From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Tue, 15 Oct 2024 23:01:14 -0700 Subject: [PATCH 3/5] Update docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md --- .../hosted-collectors/microsoft-source/ms-office-audit-source.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md index 90a733bc70..aa2ffc2034 100644 --- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md +++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md @@ -70,7 +70,6 @@ Alternatively, you could assign more granular roles to the authenticating accoun The variety and range of configurations in Office 365 environments preclude exhaustive testing of log ingestion from Office 365 sources. You might need to experiment with several roles to ensure you are ingesting the data you want. Note also that Office 365 administrators must enable logging in their environments for the logs to be available. ::: - ## Enable Exchange Audit Logging Before you can configure a Sumo Logic Microsoft Office 365 Audit Source for Exchange log data, enable Exchange Audit Logging within your Office 365 tenant by following the steps at https://technet.microsoft.com/library/dn879651.aspx. From 38b81b62734eb58564728b9b72ebc4b57b56bc5c Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Tue, 15 Oct 2024 23:01:28 -0700 Subject: [PATCH 4/5] Update docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md --- .../microsoft-source/ms-office-audit-source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md index aa2ffc2034..9934b9294f 100644 
--- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md +++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md @@ -93,7 +93,7 @@ You must configure a separate Source for each Office 365 application you want to During the configuration, you will need to authenticate to Microsoft using standard OAuth v2. The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited. Refer to the API references in this article for additional information on Microsoft admin rights. ::: -1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the Sumo Logic top menu select **Configuration**, and then under **Data Collection** select **Collection**. You can also click the **Go To...** menu at the top of the screen and select **Collection**. 1. Click **Add Source** next to a Hosted Collector. If you dont already have a hosted collector, see [Set Up a Hosted Collector](/docs/send-data/hosted-collectors/configure-hosted-collector) for instructions on setting up a new Hosted Collector. 1. Select **Office 365 Audit**.  1. Enter a name to identify the Source. **Description** is optional. From e059fdd66ddb4ec2b6d53d43d6a077e00b69d5e7 Mon Sep 17 00:00:00 2001 From: "Kim (Sumo Logic)" <56411016+kimsauce@users.noreply.github.com> Date: Tue, 15 Oct 2024 23:01:48 -0700 Subject: [PATCH 5/5] Update docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md --- .../microsoft-source/ms-office-audit-source.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md index 9934b9294f..006b79f5c0 100644 --- a/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md +++ b/docs/send-data/hosted-collectors/microsoft-source/ms-office-audit-source.md 
@@ -44,7 +44,7 @@ Audit log data can contain sensitive information. When you configure any audit l ## Office 365 admin roles -Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Office 365 admin center. +Office 365 comes with a set of admin roles that you can assign to users in your organization. Each admin role maps to common business functions and gives people in your organization permissions to do specific tasks in the Office 365 admin center. When you configure a Microsoft Office 365 Audit Source in Sumo Logic, you will need to authenticate with Microsoft using standard OAuth v2. The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited. For the sake of the principle of least privilege (PoLP), the authenticating account should have the minimum necessary permissions while still enabling appropriate access. The appropriate role depends on the Office 365 edition you use and your security policies.
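
Review bot: In PATCH 1/5, hunk @@ -42,31 +42,36 @@, the new Global Reader recommendation sits beside the retained sentence "The user who authenticates must have Microsoft Office 365 admin rights for the content that is being audited", and the text never says whether a read-only role satisfies that requirement. The fallback paragraph ("In cases where read-only access is insufficient and additional permissions are required") likewise gives no criterion for recognising that case. Suggest stating explicitly whether Global Reader meets the "admin rights" requirement (or rewording that sentence), naming the observable symptom that should prompt a more privileged role, and presenting the granular-roles paragraph as the next step before Global Administrator so the escalation order follows the least-privilege principle the hunk cites. The two one-row tables could also be merged into one table.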
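
Review bot: In PATCH 1/5, hunk @@ -90,7 +95,7 @@, the note kept as context above step 1 still says only that the user "must have Microsoft Office 365 admin rights for the content that is being audited" and does not mention the Global Reader recommendation this same patch introduces, so a reader who starts at the configuration steps gets no least-privilege guidance. Suggest pointing that note at the "Office 365 admin roles" section. The removed and added step 1 lines read identically here, so the change appears to be whitespace-only, and the context line after it still has "dont" for "don't", which could be fixed in the same pass.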
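
Review bot: PATCH 2/5 and 3/5 each delete one blank line that PATCH 1/5 added (before "## Office 365 admin roles" and "## Enable Exchange Audit Logging"), while PATCH 4/5 and 5/5 re-touch the step 1 line and the "Office 365 comes with a set of admin roles" line with no visible wording change. Suggest squashing the series into a single commit and replacing the default "Update ms-office-audit-source.md" subject with one that states the actual change: the recommended authenticating role moves from Global Administrator to Global Reader. That is a security-relevant change someone will want to find in the history.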