topic: sample
products: office-365
languages: powershell
extensions:
  contentType: tools
  createdDate: 2/11/2016 4:22:37 PM

O365-InvestigationTooling

This project helps facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API.

Prerequisites for the O365 Investigation Data Acquisition Script

Once you have selected the data store that you want to publish your Activity API data to, open the ConfigForO365Investigations.json file and enable and configure the attributes that are relevant to your store. Note that you must register an application in Azure AD, then populate the config with the AppID (InvestigationAppID) and AppSecret (InvestigationAppSecret) to enable data flow for the Activity API.

Prerequisites for the Activity API

Follow the instructions in the Management Activity API: Getting Started Guide to create a new AAD application and grant it permissions to the tenant's Management Activity API.

Prerequisites for the MySQL Store Pattern

  1. If you don't already have a MySQL database, download the Windows MySQL installer. Make sure to include MySQL server, MySQL Workbench, and the ODBC and .NET connectors. (MySQL docs are here: https://dev.mysql.com/doc/refman/5.7/en/json.html)

  2. Using the mysql command-line client, run

    CREATE DATABASE O365Investigations;

    to create the database.

  3. Populate ConfigForO365Investigations.json with your MySQL admin name and password, as well as the hostname and database name.

  4. Run the O365InvestigationDataAcquisition.ps1 script to enable the subscriptions and pull the data. Re-run regularly to continue to consume new data.

  5. Once you have enough data, open MySQL Workbench, open ActivityAPI-InvestigationQueries.sql and run the appropriate SQL statements to get answers to your questions.

Prerequisites for the Azure Blob Store Pattern

  1. Determine the desired storage account name and update the config file.

  2. Determine the desired container name and update the config file.

  3. Determine the account name you will use to manage the blob storage and update the config file.

  4. Run the PowerShell command

    Read-Host -AsSecureString | ConvertFrom-SecureString

    and provide the password for the account you will use to manage the Azure blob storage, then use the output as the value for AzureAccountSecureString in the ConfigForO365Investigations.json file.
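
The command in step 4 is called without -Key, so on Windows the output is protected with DPAPI and can only be decrypted by the same user on the same machine; generate it as the account, and on the host, that will run O365InvestigationDataAcquisition.ps1. The following check is an added example, not part of the project's scripts, and confirms a value is usable in the current context before you paste it into the config. The function name Test-ProtectedString and the sample plaintext value are assumptions made for illustration.

```powershell
# Added example, not part of O365-InvestigationTooling.
# Test-ProtectedString is a hypothetical helper name.

function Test-ProtectedString {
    # Returns $true when $Value is a protected string that the *current*
    # Windows user on *this* machine can turn back into a SecureString.
    param([Parameter(Mandatory)][string]$Value)
    try {
        # No -AsPlainText and no -Key: the input is treated as the output of
        # ConvertFrom-SecureString and decrypted with the caller's DPAPI key.
        $null = ConvertTo-SecureString -String $Value -ErrorAction Stop
        return $true
    }
    catch {
        # Typical causes: value created by another user or on another host,
        # truncated when pasted, or a plaintext password stored by mistake.
        Write-Warning "Cannot decrypt in this context: $($_.Exception.Message)"
        return $false
    }
}

# Step 4 from the list above: prompt without echo, then protect the input.
$protected = Read-Host -Prompt 'Blob management account password' -AsSecureString |
    ConvertFrom-SecureString

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-ProtectedString -Value $protected) {
    Write-Host "Usable by $who on ${env:COMPUTERNAME}. Use this as AzureAccountSecureString:"
    Write-Host $protected
}

# Failure mode: a plaintext value (constructed sample) placed in the config
# field by mistake is rejected instead of being silently accepted.
if (-not (Test-ProtectedString -Value 'constructed-plaintext-sample')) {
    Write-Host 'Plaintext or foreign values fail the check, as expected.'
}
```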

Prerequisites for the SQL Azure Store Pattern

  1. Log in to your Azure subscription at https://portal.azure.com

  2. Ensure you have a storage account set up.

  3. Select "+ New" in the upper left, then "Data + Storage", then "SQL Database".

  4. Name your new database "O365Investigations".

  5. Select an existing SQL server (and make note of the hostname), or create a new server (making note of the admin account you used to create the database).

  6. Select the source, pricing tier, resource group, and associated subscription, then click "Create".

  7. Select SQL Servers from the main navigation, select the server you just created, then click "Show Firewall Settings". In the "Firewall Settings" blade, click "Add Client IP" and add the IP address of the host where you will be running the investigations tooling from. Save and wait for confirmation that the firewall rules have been updated.

  8. Use Visual Studio, or download SQL Server Management Studio Express 2014 (for free) and connect to your new database.

  9. Create a new SQL database named "O365Investigations".

  10. Ensure you have a username and password for an account that can connect to the database.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Contributors

007, arjancornelissen, bkoeller, crosse, davidchesnut, ericvanaken, jformacek, mcvic1rj, o365devx, stuartcl, yibsu
