A Bash script for managing, auditing, and troubleshooting Office 365 event log subscriptions via the Office 365 Management Activity API.
The check_o365_subscription.sh script talks to the Microsoft Office 365 Management Activity API (manage.office.com) to manage event log subscriptions. It enables administrators to:
- Check active subscription statuses
- Start or stop event log subscriptions
- Retrieve and validate available content
- Download event logs for auditing purposes
- Activate debug and logging modes for troubleshooting
- Subscription Management: Easily check, start, or stop Office 365 subscriptions.
- Content Listing: Retrieve available content blobs (contentUri).
- Detailed Blob Visibility: Display metadata for each blob, including:
  - Content URI
  - Content ID
  - Content Type
  - Creation timestamp
  - Expiration timestamp
- Event Download: Download events directly from contentUri blobs.
- Pagination Support: Handles multi‑page API responses automatically (nextPageUri / @odata.nextLink).
- Token Lifecycle Handling: Automatic OAuth token refresh on authorization failures (401).
- Retry & Throttling Management: Handles API throttling (429) with backoff logic.
- Debugging Mode: Provides detailed information for troubleshooting API calls.
- Logging: Records script activities into timestamped log files.
The check_o365_subscription.sh script helps troubleshoot and resolve issues related to Office 365 event log subscriptions, which are important for SIEM (Security Information and Event Management) solutions.
When connecting to Office 365, administrators may encounter errors such as:
- Unable to start a content subscription. Terminating query thread for [Audit.SharePoint]
- Unable to start a content subscription. Terminating query thread for [Audit.Exchange]
- Access token error
These errors can indicate API authentication problems, misconfigured subscriptions, gaps in pagination handling, or throttling, any of which interrupts security monitoring.
The script manages Office 365 audit log subscriptions directly against the API, so that event logs can be retrieved, validated, and downloaded outside the SIEM when needed. That makes it possible to tell whether a failure sits on the Microsoft side (tenant, app registration, subscription) or in the SIEM collector.
Clone the repository (the directory git creates is named after the repository):

```bash
git clone https://github.com/zoldax/check_siem_o365_subscription.git
cd check_siem_o365_subscription
chmod +x check_o365_subscription.sh
```
Create the required config.ini file with your credentials in the same directory:

```ini
CLIENT_ID=your_client_id
TENANT_ID=your_tenant_id
CLIENT_SECRET=your_client_secret
PROXY_URL=NONE
# Or:
# PROXY_URL=http://userproxy:userpasswd@proxy.example.lan:3128
```

config.ini holds a client secret (and possibly proxy credentials), so restrict it to the user running the script (`chmod 600 config.ini`) and keep it out of version control.
Run the script directly:

```bash
./check_o365_subscription.sh [--debug] [--log] [--help]
```

Example usage with debug and logging enabled:

```bash
./check_o365_subscription.sh --debug --log
```
An interactive menu will appear with these options:
1. Check Subscription Status
2. Stop Subscription
3. Start Subscription
4. List Content (blobs) with details
5. Retrieve AND Download Events (contentUri)
6. Change contentType
7. Exit
Choose the appropriate option by entering the corresponding number.
- --debug: Enables detailed debug output (API requests/responses).
- --log: Records detailed execution logs to a timestamped file.
- --help: Displays the help message and usage instructions.
Ensure your config.ini file contains valid credentials and settings:
| Parameter | Description |
|---|---|
| CLIENT_ID | Application (client) ID of the Entra ID (Azure AD) app registration used to call the API. |
| TENANT_ID | Directory (tenant) ID of your Entra ID tenant. |
| CLIENT_SECRET | Client secret of that app registration. |
| PROXY_URL | HTTP proxy URL (optionally with credentials), or NONE if no proxy is needed. |
- curl: Required to make HTTP requests to the Microsoft API.
- An app registration granted the Office 365 Management APIs application permission ActivityFeed.Read, with admin consent. Without it a token is still issued, but the subscription calls are rejected.
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Configuration file missing or invalid |
| 2 | Failed to obtain an access token |
| 3 | API request error |
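To make the failure modes behind exit codes 2 and 3 concrete, here is an added example (not the project's script) of the exchange the menu options perform: a client-credentials token, the subscriptions/list and subscriptions/start calls, a paged content listing driven by the NextPageUri response header, blob download, and the 401 refresh / 429 backoff policy the feature list describes. Assumptions not stated by the page: jq and GNU date are installed, config.ini is sourced as shell variables, the proxy is passed to curl with --proxy, and the token comes from the v2.0 endpoint with the scope https://manage.office.com/.default. Run it with `./example.sh run` next to a valid config.ini; without the argument it only defines the functions.

```bash
#!/usr/bin/env bash
# Added example, not the project's script. Assumes jq, GNU date, and a
# config.ini with CLIENT_ID, TENANT_ID, CLIENT_SECRET and PROXY_URL.
set -eu

API="https://manage.office.com/api/v1.0"
TOKEN=""
PROXY_OPT=""

# Seconds to wait before retrying: honour Retry-After when present, else
# exponential backoff (2, 4, 8 ... capped at 60). 0 means "do not retry".
# 000 is curl's code for a transport failure and is retried as well.
backoff_seconds() {
  local status="$1" attempt="$2" retry_after="${3:-}" d
  case "$status" in
    429|5??|000)
      if [ -n "$retry_after" ]; then
        echo "$retry_after"
      else
        d=$((2 << attempt))
        if [ "$d" -gt 60 ]; then d=60; fi
        echo "$d"
      fi ;;
    *) echo 0 ;;
  esac
}

# Value of one response header (case-insensitive) from a dumped header
# block; empty if absent. Content listings are paged via NextPageUri.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' |
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z'):" \
        'tolower($1) == name { print $2; exit }'
}

# Client-credentials grant. Exit 2 mirrors the exit code table above.
get_token() {
  # shellcheck disable=SC1091
  . ./config.ini
  [ "${PROXY_URL:-NONE}" = "NONE" ] || PROXY_OPT="--proxy $PROXY_URL"
  TOKEN=$(curl -sS $PROXY_OPT -X POST \
    "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "client_secret=${CLIENT_SECRET}" \
    --data-urlencode "scope=https://manage.office.com/.default" \
    | jq -r '.access_token // empty')
  [ -n "$TOKEN" ] || { echo "Access token error" >&2; exit 2; }
}

# One API request under the retry policy: body on stdout, response headers
# written to file $2. Refreshes the token once on 401, backs off on
# 429/5xx, and gives up with status 3 (API request error) after 5 attempts.
api_call() {
  local url="$1" hdrs="$2" method="${3:-GET}" attempt=0 status delay body
  body=$(mktemp)
  while :; do
    status=$(curl -sS $PROXY_OPT -o "$body" -D "$hdrs" -w '%{http_code}' \
      -X "$method" -H "Authorization: Bearer ${TOKEN}" "$url") || status=000
    case "$status" in
      2??) cat "$body"; rm -f "$body"; return 0 ;;
      401) if [ "$attempt" -gt 0 ]; then
             echo "Still 401 after token refresh" >&2; rm -f "$body"; return 3
           fi
           get_token ;;
      *)   delay=$(backoff_seconds "$status" "$attempt" \
                   "$(header_value Retry-After "$(cat "$hdrs")")")
           if [ "$delay" -eq 0 ] || [ "$attempt" -ge 5 ]; then
             echo "HTTP $status: $(cat "$body")" >&2; rm -f "$body"; return 3
           fi
           sleep "$delay" ;;
    esac
    attempt=$((attempt + 1))
  done
}

# Every page of a content listing for one contentType and time window,
# printing contentId, contentType, created, expiration and contentUri.
list_content() {
  local ct="$1" start="$2" end="$3" hdrs url
  hdrs=$(mktemp)
  url="${API}/${TENANT_ID}/activity/feed/subscriptions/content?contentType=${ct}&startTime=${start}&endTime=${end}"
  while [ -n "$url" ]; do
    api_call "$url" "$hdrs" | jq -r \
      '.[] | [.contentId, .contentType, .contentCreated, .contentExpiration, .contentUri] | @tsv'
    url=$(header_value NextPageUri "$(cat "$hdrs")")   # empty on the last page
  done
  rm -f "$hdrs"
}

# Fetch one blob (a JSON array of audit events) from its contentUri to a file.
download_content() {
  api_call "$1" /dev/null > "$2"
}

if [ "${1:-}" = "run" ]; then
  get_token
  api_call "${API}/${TENANT_ID}/activity/feed/subscriptions/list" /dev/null | jq .
  api_call "${API}/${TENANT_ID}/activity/feed/subscriptions/start?contentType=Audit.Exchange" /dev/null POST | jq .
  list_content Audit.Exchange "$(date -u -d '-1 day' +%Y-%m-%dT%H:%M:%S)" "$(date -u +%Y-%m-%dT%H:%M:%S)"
fi
```

Two points worth checking against a SIEM collector that reports "Unable to start a content subscription": the paging cursor is a response header, not a field in the JSON body, so a collector that only reads the body silently stops after the first page; and a 401 on a request that succeeded minutes earlier usually means the token expired and needs a refresh rather than a configuration change, while a 401 that persists after a fresh token points at the app registration or its permissions.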
This project is licensed under the Apache License 2.0.
Full text: https://www.apache.org/licenses/LICENSE-2.0
- Pascal Weber (zoldax)
- Company: Abakus Sécurité
This project is not affiliated with, endorsed by, or supported by Microsoft in any way. "Microsoft" and "Office 365" are trademarks of Microsoft Corporation.
This software/code is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement. In no event shall the authors or contributors be held liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the software or the use of this software.
Use at your own risk. By using this software, you acknowledge that you assume all responsibility and potential risks associated with its usage, including compliance with Microsoft's terms of service.
