How to Import Microsoft 365 and Entra ID Logs
Introduction
The Cado platform supports acquiring and processing the following logs from Microsoft 365 and Entra ID:
- Microsoft 365 Unified Audit Log (UAL)
- Entra ID Audit logs
- Entra ID Sign-in logs
Note: This feature is currently in Beta, so you need to enable the 'SaaS Imports' feature in the /settings/experiments page.
Before acquiring these logs, a Microsoft Entra application and service principal must be set up and configured in the Azure portal. You can refer to the Microsoft documentation for more details.
Service Principal Setup
To support the acquisition of Microsoft 365 and Entra ID logs, follow these steps to set up a service principal:
Register an Application with Microsoft Entra ID and Create a Service Principal
- While setting up the service principal, using a redirect URL is optional.
Entra ID Roles and Administrators
To pull logs from Exchange, follow these steps:
- Open Entra ID.
- Click on Roles and Administrators.
- Search for Exchange Admin and select the "Exchange administrator" role.
- Click Add Assignments.
- Type the name of the app registration assigned to the Exchange connector and add it.
- Save the changes and try the connector again after a few minutes.
Assign a Role to the Application
- Assign the application to one of your subscriptions.
- Apply the Security Reader role to the application.
Sign In to the Application
Set Up Authentication
- Use Option 3: Create a new client secret.
- Avoid using "Key Vault" and securely store your secret keys elsewhere.
- If any changes are made to the service principal, new secret keys must be generated and used.
Grant Tenant-Wide Admin Consent to an Application
- Go to the Microsoft Entra admin center.
- Under Applications > App Registrations, find and select your newly created application.
- Click API Permissions and select Add a Permission.
- For Microsoft APIs, select Microsoft Graph and add the permission
AuditLog.Read.All.
- For Office 365 logs, add the
ActivityFeed.Readpermission from Office 365 Management APIs.
- For Office 365 Exchange Online, add the
full_access_as_appandExchange.ManageAsApppermissions.
- Once the permissions are added, grant admin consent under Entra Admin Center > Enterprise Applications. Refer to Grant Tenant-wide Admin Consent for further instructions.
Log Acquisition
Once the Microsoft Entra application and service principal are set up in the Azure portal, you can add the credentials to the Cado platform:
- Navigate to Settings > Integrations > Microsoft SaaS (/settings/integrations/microsoft).
- Select Add Credential and enter the following details:
- Name: A friendly name, such as "MS SaaS."
- Tenant ID: Found in the Directory (tenant) ID field in Azure app registration.
- Client ID: Found in the Application (client) ID field in Azure app registration.
- Client Secret: Found in the Client credentials field in Azure app registration.
- Organization: Organization value ending in .onmicrosoft.com.
To import logs, use the import wizard within an investigation and select SaaS. You will see options for:
- Microsoft 365 Logs
- Microsoft Entra ID
After selecting a SaaS application, choose the credentials entered on the integrations page.
You will be presented with options to refine the acquisition based on the SaaS application. For example, for Microsoft 365 UAL acquisition, you can filter by timeframe, user, IP, or workload.
After reviewing your selections, proceed with the import. Once completed, the logs will be available in the main timeline for viewing and searching.
Log Field Mapping
Microsoft 365 Unified Audit Log (UAL)
| UAL Field | Cado Field | Cado Facet Name |
|---|---|---|
| ClientIP | source_hostname | Source Hostname |
| UserID | user | Users |
| Workload | sourcetype | Datatype |
Entra ID Audit Logs
| Audit Log Field | Cado Field | Cado Facet Name |
|---|---|---|
| InitiatedBy.User.IPAddress | source_hostname | Source Hostname |
| InitiatedBy.User.UserPrincipalName | user | Users |
Entra ID Sign-in Logs
| Sign-in Log Field | Cado Field | Cado Facet Name |
|---|---|---|
| IPAddress | source_hostname | Source Hostname |
| UserPrincipalName | user | Users |
| ResourceDisplayName | sourcetype | Datatype |
For example, you can filter data by the "AzureActiveDirectory" workload by selecting it in the Datatype facet.