
Office 365 logs - ingest more than 7 days history

schanson
New Member

I'm using the Splunk Add-on for Microsoft Cloud Services to ingest logs from Office 365. Specifically, I'm getting the Exchange Online Audit and Azure AD Audit logs.

After the O365 Management API input was successfully created, 7 days of log history was pulled into Splunk and new logs are rolling in, which is a great start. However, I would like to pull in more historical data. I'm looking for at least 30 days, or better yet, the entirety of log data retention (e.g., up to 90 days). I don't see any configurable options in the app itself, and I poked around in the app's .conf files a bit, but didn't see anything that looked like an option to change the number of days to be ingested. I'm wondering if it may be hard-coded somewhere in the app's logic, where it could be updated to suit my needs.

0 Karma

dstefan
New Member
0 Karma

schanson
New Member

Thanks for the input, but I don't think that is the constraint. When I log into the web console or use PowerShell to pull logs, there is retention going back for nearly a year.

Looks like the limitation is in the O365 Management API that the Splunk app relies on:

https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference

"Content older than 7 days cannot be retrieved."

0 Karma
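To see the constraint quoted above in practice, here is an added example (not code from this thread or from the Splunk add-on): a small Python planner that clips a requested backfill to the API's 7-day window and reports how much of the request is unreachable. It assumes a tenant-ID placeholder, the content-listing URL shape from the API reference linked above, and, as an assumption to verify against the docs, a 24-hour maximum span per startTime/endTime query.

```python
# Added example: plan Management Activity API content-listing requests for a
# backfill and report what the API cannot serve. The 7-day limit is the one
# quoted in the thread; the 24-hour per-query limit is an assumption.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MAX_LOOKBACK = timedelta(days=7)   # "Content older than 7 days cannot be retrieved."
MAX_WINDOW = timedelta(hours=24)   # assumption: one query may span at most 24 hours
FEED = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/content"

# Constructed "current time" so the planner runs offline and deterministically.
EXAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _fmt(ts: datetime) -> str:
    # The API takes UTC timestamps without an offset suffix.
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def plan_backfill(tenant: str, content_type: str, wanted_days: int, now: datetime):
    """Return (request_urls, unreachable_hours) for a backfill of wanted_days.

    Windows older than MAX_LOOKBACK are not requested at all, because the API
    would reject them; the caller learns how many hours of history are lost.
    """
    wanted_start = now - timedelta(days=wanted_days)
    earliest = max(wanted_start, now - MAX_LOOKBACK)
    unreachable_hours = (earliest - wanted_start).total_seconds() / 3600
    urls = []
    start = earliest
    while start < now:
        end = min(start + MAX_WINDOW, now)  # slice into API-sized windows
        query = {"contentType": content_type,
                 "startTime": _fmt(start), "endTime": _fmt(end)}
        urls.append(FEED.format(tenant=tenant) + "?" + urlencode(query))
        start = end
    return urls, unreachable_hours


def demo(wanted_days: int):
    """Plan a backfill against the constructed EXAMPLE_NOW; returns (requests, lost_hours)."""
    urls, lost = plan_backfill("TENANT-ID-PLACEHOLDER", "Audit.Exchange", wanted_days, EXAMPLE_NOW)
    return len(urls), lost


if __name__ == "__main__":
    n, lost = demo(30)
    print(f"{n} requests cover the last 7 days; {lost:.0f} hours of the requested 30 days are unreachable")
```

Anything the planner reports as unreachable has to come from another source (for example the PowerShell or web-console search mentioned above), not from this API input.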