Mike Suding

Office 365 monitoring


This is unofficial...On my own and on the side, I designed a DataSource to monitor Office 365 using Microsoft's API. See more on my blog http://blog.MikeSuding.com.  All the usual disclaimers apply...use at your own risk. I will try to help if it doesn't work for you.

Edited by Mike Suding


I am seeing this error when trying to create the application:

Quote

New-AzureADApplication : Error occurred while executing NewApplication
Code: Request_BadRequest
Message: Cannot convert a primitive value to the expected type 'Edm.Guid'. See the inner exception for more details.
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\jamiller\Downloads\Office365\Setup-Office365Monitoring_7.ps1:449 char:27
+ ... reatedApp = New-AzureADApplication -DisplayName $TargetApplicationNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewAppl
   ication

 

I tried to add an application manually and it was saying I needed Azure AD premium. Could this be a reason this is not working?


Yes...If you can't add an application manually, I would guess you don't have an account that supports it or you don't have enough permissions.


I got this up and running in my tenant. We put a lot of restrictions in Azure, so I had to use my Global Admin to set up the app. Not sure if it requires that high of a privilege, but it got the job done.

  • Upvote 1


Hello all,

 

Reviving an old post, but I was wondering if @Jason Miller or @Mike Suding found a solution to the error posted above? I'm also having the same issue and not sure what is causing it. I have made an account on Azure AD with Application Administrator and still no luck. Here is the error message:

True
New-AzureADApplication : Error occurred while executing NewApplication
Code: Request_BadRequest
Message: Invalid value specified for property 'resourceAppId' of resource 'RequiredResourceAccess'.
RequestId: c5cdfae2-8e7e-4593-afcd-1495f4c121e1
DateTimeStamp: Thu, 28 Feb 2019 16:02:45 GMT
Details: PropertyName  - resourceAppId, PropertyErrorCode  - InvalidValue
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At C:\Users\navee.sharma\Downloads\Office365-master\Setup-Office365-Monitoring_18.ps1:467 char:27
+ ... reatedApp = New-AzureADApplication -DisplayName $TargetApplicationNam ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewAppl
   ication

Any help would be greatly appreciated :)


Sorry, I don't know the solution by looking at this. I sent you a direct message a minute ago to schedule time with you.

thanks


Hi Mike

I've been looking at testing this out but am continually getting an API response of 1041.

The properties get populated for the device but the datasources don't.

Any ideas what would be causing that?

Thanks

[05/23/2019 11:45:36] API call: https://XXXXX.logicmonitor.com/santaba/rest/device/devices?filter=displayName:xxxxxxxx
[05/23/2019 11:45:36] Response code is 200
[05/23/2019 11:45:36] Deploying tokens of target app
[05/23/2019 11:45:36] Generating Oauth Form
[05/23/2019 11:46:19] Requesting Office 365 tokens
[05/23/2019 11:46:20] Response: Token type: Bearer; Scope: ServiceHealth.Read; Expires in: 3600; Resource: https://manage.office.com
[05/23/2019 11:46:20] Requesting Graph API tokens
[05/23/2019 11:46:20] Response: Token type: Bearer; Scope: Reports.Read.All; Expires in: 3599; Resource: https://graph.microsoft.com
[05/23/2019 11:46:20] Updating device properties, device id is 383
[05/23/2019 11:46:20] API call: https://XXXXX.logicmonitor.com/santaba/rest/device/devices/383?patchFields=customProperties&opType=replace
[05/23/2019 11:46:20] Response code is 200
[05/23/2019 11:46:20] Importing Office 365 datasource template.
[05/23/2019 11:46:20] Importing DataSource.
[05/23/2019 11:46:20] API call: https://XXXXXX.logicmonitor.com/santaba/rest/setting/datasources/importxml
[05/23/2019 11:46:20] Response code is 1041

...................... all imports give 1041


Hi Mike,

Thanks for the offer of a meeting. I found a workaround which was to manually import the XML files. It's working away and datasources are pulling in the data.

Would you happen to know if anyone in the community has done anything on monitoring/alerting on security in O365?

BTW, the datasources are great and I definitely will have a use for them on first view.

Joe


@joedalton, What exactly do you want to monitor with regards to security? I did create a prototype for the 'risky sign-ins' and 'identity' stuff (I forgot Microsoft terminology) but I was not able to simulate/create events so I couldn't test it.  If you have events that you want to detect/monitor, and are willing to let me test on your account, please let me know.


Thanks for this, Mike. I've set this up and it's working great in my environment!

Keep up the good work.

Edited by Neil White


Hi Mike, the customer wants the O365 Audit logs monitored and a report to be submitted daily. What we currently have now is a PowerShell script that pulls out a CSV with relevant security events. We then present a daily report based on these events. It is a bit labor-intensive and I think we can use LM to automate it. I'm trying to develop a PS script to embed in a datasource to search this audit log at set intervals. If I can have LM pull these events in (not too worried about the alerting for now) I can then create a dashboard & reports. When you say test on my account, do you mean the O365 a/c? I don't have anything in LM yet as I'm still cooking a PS script to do what I need.

This is what I am currently using to pull events for the previous 24 hours.

 

# Locate and dot-source the Exchange Online PowerShell module script, then connect
$CreateEXOPSSession = (Get-ChildItem -Path $env:userprofile -Filter CreateExoPSSession.ps1 -Recurse -ErrorAction SilentlyContinue -Force | Select-Object -Last 1).DirectoryName
. "$CreateEXOPSSession\CreateExoPSSession.ps1"
Connect-EXOPSSession -UserPrincipalName test@test.com

# Output file
$outputFile = "C:\Users\john.doe\Desktop\AuditRecords.csv"

# Search window: the previous 24 hours
$StartDate = (Get-Date).AddDays(-1)
$EndDate = (Get-Date)

# Operations to report on (list elided in the original post)
$AlertOperations = @('FileDeletedFirstStageRecycleBin','FileDeletedSecondStageRecycleBin',...............................................LOTS MORE!!!!)

# Search the unified audit log and append the results to the CSV
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $AlertOperations -ResultSize 5000 | Export-Csv $outputFile -NoTypeInformation -Append

exit
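
Added example, not part of the original post or of the DataSource discussed in this thread: `Search-UnifiedAuditLog` returns at most 5000 rows per call, so a collector that runs at set intervals can page through the results with `-SessionId` and `-SessionCommand ReturnLargeSet` and drop duplicate rows. The function name, the `-Search` parameter and the sample rows are hypothetical and constructed for illustration; against a tenant, omit `-Search` and connect an Exchange Online session first.

```powershell
# Added example, not from the thread. Assumes a connected Exchange Online session
# when the default -Search is used.
function Get-AuditRecordsPaged {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [Parameter(Mandatory)] [string[]] $Operations,
        # Hypothetical seam: swap in a stub to exercise the loop without a tenant.
        [scriptblock] $Search = { param($p) Search-UnifiedAuditLog @p }
    )
    $query = @{
        StartDate      = $StartDate
        EndDate        = $EndDate
        Operations     = $Operations
        ResultSize     = 5000                           # maximum rows per call
        SessionId      = [guid]::NewGuid().ToString()   # ties the pages together
        SessionCommand = 'ReturnLargeSet'               # paged and unsorted
    }
    $seen = @{}
    do {
        $page = @(& $Search $query)                     # next page for this session
        foreach ($record in $page) {
            if ($seen.ContainsKey($record.Identity)) { continue }  # duplicate row
            $seen[$record.Identity] = $true
            $detail = $record.AuditData | ConvertFrom-Json         # AuditData is a JSON string
            [pscustomobject]@{
                CreationDate = $record.CreationDate
                UserId       = $record.UserIds
                Operation    = $record.Operations
                ClientIP     = $detail.ClientIP
                ObjectId     = $detail.ObjectId
            }
        }
    } while ($page.Count -gt 0)                         # an empty page ends the session
}

# Constructed sample pages standing in for the service (not real audit data).
$json = '{"ClientIP":"192.0.2.10","ObjectId":"https://example.invalid/doc1.docx"}'
$new  = { param($id, $op) [pscustomobject]@{ Identity = $id; CreationDate = '2019-05-23T10:00:00'
          UserIds = 'user@example.com'; Operations = $op; AuditData = $json } }
$pages = New-Object System.Collections.Queue
$pages.Enqueue(@((& $new 'id-1' 'FileDeletedFirstStageRecycleBin'), (& $new 'id-2' 'FileDeletedSecondStageRecycleBin')))
$pages.Enqueue(@((& $new 'id-2' 'FileDeletedSecondStageRecycleBin')))   # repeats id-2
$stub = { param($p) if ($pages.Count) { $pages.Dequeue() } }

Get-AuditRecordsPaged -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations 'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin' -Search $stub |
    Format-Table
```

A single `ReturnLargeSet` session is capped at 50,000 records, so shorten the time window if a tenant produces more than that per collection interval.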

 

 

 
