Microsoft 365 audit logs
You can add Microsoft 365 audit log data to the Data Lake. This lets you query Microsoft Graph data with Sophos Live Discover.
- You must be a Microsoft 365 administrator.
- You must have auditing turned on in Microsoft 365. If you don't, you're prompted to turn it on during setup.
- In the properties for your Microsoft Office 365 Management APIs, you must have Enabled for users to sign-in? set to Yes. To check and change this, see Manage Microsoft Office 365 APIs.
Add an integration
To integrate Microsoft 365 data with Sophos Central, do as follows:
- In Sophos Central, go to Threat Analysis Center and click Integrations.
- Click Microsoft - Office 365 Management Activity API.
  If you've already set up integrations of this type, you see them here.
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
- In Integration steps, if Microsoft 365 auditing isn't already turned on, you can click Turn on Microsoft 365 auditing.
  This takes you to Microsoft 365. Turn on auditing, then return to Sophos Central. See Turn auditing on or off.
  You may be asked to authenticate by Microsoft to turn on auditing.
  It can take up to 12 hours for Microsoft 365 audit log data to appear after you have turned on auditing.
- Click Save and continue.
- Read the text in Connect to Microsoft 365, then click Proceed.
  You are connected to Microsoft 365 to create an application which integrates with Sophos Central.
- Enter or select your Microsoft account and sign in.
- You're prompted to give permissions to an app. These permissions let us create a Microsoft app to integrate with Sophos Central. Click Accept.
  You might be asked to authorize again, depending on your Microsoft 365 environment.
  The connection might take a few minutes.
- You see confirmation that the app is set up. Click Close.
In Sophos Central, in Integrations > Microsoft - Office 365 Management Activity you see the new integration.
In Live Discover > Query, a new category Microsoft 365 audit data appears. You can run the queries in this category on your Microsoft 365 data.
Manage Microsoft Office 365 APIs
In the properties for this API you must have Enabled for users to sign-in? set to Yes. To check and change this, do as follows.
- In your Microsoft Azure Portal, go to Azure Active Directory > Enterprise Applications > All applications.
- In All Applications, filter by Application type == Microsoft Applications.
- Click Office 365 Management APIs.
- In Office 365 Management APIs | Properties, set Enabled for users to sign-in? to Yes.
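Both prerequisites on this page can also be checked from PowerShell before you start the integration. The script below is an added example, not part of the Sophos or Microsoft documentation. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you sign in with an account allowed to read the audit configuration and service principals.

```powershell
# Added example, not Sophos or Microsoft code. Read-only: it changes nothing in the tenant.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
$ErrorActionPreference = 'Stop'

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

$results = @()

# Prerequisite 1: auditing is turned on.
# Read this from Exchange Online PowerShell; in Security & Compliance
# PowerShell the property always reports False.
$auditOn = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$results += [pscustomobject]@{
    Check  = 'Microsoft 365 auditing turned on'
    Pass   = $auditOn
    Detail = "UnifiedAuditLogIngestionEnabled = $auditOn"
}

# Prerequisite 2: "Enabled for users to sign-in?" is set to Yes.
# The portal toggle is the AccountEnabled property of the service principal.
# The display name is the one used on this page.
$name = 'Office 365 Management APIs'
$sps  = @(Get-MgServicePrincipal -Filter "displayName eq '$name'" `
            -Property Id, DisplayName, AppId, AccountEnabled)

if ($sps.Count -eq 0) {
    $results += [pscustomobject]@{
        Check  = "$name sign-in enabled"
        Pass   = $false
        Detail = 'Service principal not found in this tenant'
    }
}
foreach ($sp in $sps) {
    $results += [pscustomobject]@{
        Check  = "$name sign-in enabled"
        Pass   = [bool]$sp.AccountEnabled
        Detail = "AccountEnabled = $($sp.AccountEnabled) (object id $($sp.Id))"
    }
}

$results | Format-Table -AutoSize -Wrap

if ($results.Pass -contains $false) {
    Write-Warning 'At least one prerequisite is not met. Fix it before adding the integration.'
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```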