Manual
Installation and configuration guide for the M365 connector.
Installation
Log in to DataElicit's portal. Download the related LogScale package from the Packages tab.
Install the LogScale package into your Falcon LogScale repository.
Download m365.tgz from the Connectors tab and extract the archive into the <Installation-Path>/LogConnector/connectors directory.
tar -xzf m365.tgz
m365 connector directory:
/opt/LogConnector/connectors/m365$ ls
bin default template manifest.yaml README.md
Configuration
Create a local directory and configure connector.conf, global.conf and secret.conf as per your requirements:
/opt/LogConnector/connectors/m365$ mkdir local
/opt/LogConnector/connectors/m365$ cd local
/opt/LogConnector/connectors/m365/local$ nano connector.conf
/opt/LogConnector/connectors/m365/local$ nano secret.conf
/opt/LogConnector/connectors/m365/local$ nano global.conf
/opt/LogConnector/connectors/m365/local$ ls
connector.conf global.conf secret.conf
Note
Check the conf-specific conf.ini files in the template/ directory for how to configure the conf files.
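Once the three files exist, a permission check on local/ catches the most common setup mistake. The script below is an added example, not part of the connector package; it assumes secret.conf holds the API credentials and should be accessible only to its owner, and audit_local is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not part of the connector package): audit m365/local after setup.
# Assumption: secret.conf holds API credentials, so only its owner may access it.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_local DIR: prints one finding per line; returns 0 when clean, 1 otherwise.
audit_local() {
    dir=$1
    rc=0
    for f in connector.conf global.conf secret.conf; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        mode=$(file_mode "$path")
        if [ -z "$mode" ]; then
            echo "UNKNOWN  $path (could not read mode)"
            rc=1
        elif [ "$f" = secret.conf ] && [ $(( 0$mode & 077 )) -ne 0 ]; then
            # Any group/other bit exposes the credentials to other local users.
            echo "EXPOSED  $path mode $mode (expected 600)"
            rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            # Group/other write lets another account alter the connector's settings.
            echo "WRITABLE $path mode $mode"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed directory; point audit_local at the real local/ in practice.
demo=$(mktemp -d)
touch "$demo/connector.conf" "$demo/global.conf" "$demo/secret.conf"
chmod 644 "$demo/connector.conf" "$demo/global.conf" "$demo/secret.conf"
audit_local "$demo" || echo "findings above: fix with chmod 600 secret.conf"
chmod 600 "$demo/secret.conf"
audit_local "$demo" && echo "clean"
rm -rf "$demo"
```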
Available sources
You can configure the following types of sources:
- Management Activity – All audit events visible through the Microsoft 365 Management Activity API.
  - Audit.AzureActiveDirectory – Audit logs for Microsoft Azure Active Directory.
  - Audit.Exchange – Audit logs for Microsoft Exchange.
  - Audit.SharePoint – Audit logs for Microsoft SharePoint.
  - Audit.General – General audit logs for Microsoft 365.
  - DLP.All – All log information for DLP.
- Service Health & Communications – Access the health status and message center posts:
  - issues – Health information of a specified service for a tenant.
  - messages – Message information of a specified service for a tenant.
- Mailbox – Audit events and reports visible through Microsoft Graph API endpoints for mailbox activity.
  - MailboxUsageDetail – Details about mailbox usage.
  - MailboxUsageMailboxCounts – Details about active mailbox counts.
- Office 365 – Audit events and reports visible through Microsoft Graph API endpoints for Office 365.
  - Office365GroupsActivityDetail – Group activity details.
  - Office365ServicesUserCounts – Microsoft 365 services user counts.
- OneDrive – Audit events and reports for OneDrive via Microsoft Graph API.
  - OneDriveActivityUserCounts – OneDrive user activity counts.
  - OneDriveUsageAccountDetail – OneDrive usage by account.
  - OneDriveUsageStorage – OneDrive storage usage.
- SharePoint – Audit events and reports for SharePoint via Microsoft Graph API.
  - SharePointSiteUsageDetail – SharePoint site usage details.
  - SharePointSiteUsageFileCounts – File counts and activity for SharePoint.
- Teams – Audit events and reports for Microsoft Teams via Microsoft Graph API.
  - TeamsUserActivityCounts – Counts of Teams activity by type.
  - TeamsUserActivityUserDetail – Teams user activity details.
- Yammer – Audit events and reports for Yammer via Microsoft Graph API.
  - YammerGroupsActivityDetail – Yammer group activity details.
  - YammerGroupsActivityGroupCounts – Yammer group activity counts.
- Audit Logs – Audit events and reports visible through Microsoft Graph API endpoints.
  - AuditLogs.SignIns – User sign-ins to an Azure tenant.
- Cloud Application Security – Service policies, alerts and entities from Microsoft Cloud Application Security:
  - policies – Threat protection policy information.
  - alerts – Risks identified.
  - entities – Accounts and users of cloud apps.
  - files – Files and folders metadata.
- Cloud.Discovery – Cloud Discovery reports.
- Message_Trace – Summary information about processing of email messages that passed through Microsoft 365.
References
- https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference
- https://learn.microsoft.com/en-us/defender-cloud-apps/api-introduction
- https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984335(v=office.15)
Updated on July 6, 2025
