After installing and configuring the Office 365 Module according to instructions here, I'm seeing a couple of issues.
- After running successfully for (exactly) 1 hour, the o365beat process on the Windows 10 machine fails with an error like the following:
ERROR instance/beat.go:916 Exiting: error listing all available content between 2021-08-27 20:32:33 +0000 UTC and 2021-08-27 15:43:44.6768062 -0500 CDT m=+3600.127845301: non-200 status during api request. confirm audit log searching is enabled for the target tenancy (https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off#turn-on-audit-log-search). Message: "Authorization has been denied for this request."
There's more to the error log but that's the essential part. However, the Audit Log feature is definitely enabled, which can be seen by running "Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled" in the Exchange PowerShell. I disabled and re-enabled it, and I've restarted the computer, the service, etc., numerous times across several days and still get the same issue.
- No data shows up in the dashboard which comes with this module. I can see in the logs that data is being transferred, but there is no sign of it in the Kibana dashboard.