
Microsoft Office 365

The JSA DSM for Microsoft Office 365 collects events from Microsoft Office 365 online services.

The following table describes the specifications for the Microsoft Office 365 DSM:

Table 1: Microsoft Office 365 DSM Specifications

    Specification                  Value
    Manufacturer                   Microsoft
    DSM name                       Microsoft Office 365
    RPM file name                  DSM-MicrosoftOffice365-JSA_version-build_number.noarch.rpm
    Supported versions             N/A
    Protocol                       Office 365 REST API
    Event format                   JSON
    Recorded event types           Exchange Audit, SharePoint Audit, Azure Active Directory Audit, Service Communications
    Automatically discovered?      No
    Includes identity?             No
    Includes custom properties?    No
    More information               Microsoft website (https://www.microsoft.com)

To integrate Microsoft Office 365 with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • Protocol Common RPM

    • Office 365 REST API Protocol RPM

    • Microsoft Office 365 DSM RPM

  2. Register an application in Azure Active Directory.

  3. Add a Microsoft Office 365 log source on the JSA console. The following table describes the parameters that require specific values for Microsoft Office 365 event collection:

    Table 2: Microsoft Office 365 Log Source Parameters

    Log Source type: Microsoft Office 365

    Protocol Configuration: Office 365 REST API

    Log Source Identifier: A unique identifier for the log source. It can be any valid value and does not need to reference a specific server; it can be the same value as the Log Source Name. If you configure multiple Microsoft Office 365 log sources, you might identify them as MSOffice365-1, MSOffice365-2, MSOffice365-3, and so on.

    Client ID: In your application configuration in Azure Active Directory, this value is shown under Client ID.

    Client Secret: In your application configuration in Azure Active Directory, this value is generated under Keys.

    Tenant ID: The ID of the Azure AD tenant that is subscribed to Microsoft Office 365. JSA uses it, together with the Client ID and Client Secret, to authenticate to Azure AD.

    Event Filter: The types of audit events to retrieve from Microsoft Office 365:

    • Azure Active Directory

    • Exchange

    • SharePoint

    • Service Communications

    Use Proxy: Select this option if JSA must reach the Office 365 Management APIs through a proxy; all traffic for the log source then travels through the configured proxy. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields empty.

    Automatically Acquire Server Certificate(s): When selected, JSA downloads the server certificate and trusts the target server from then on. This is trust on first use: whatever certificate is presented at that moment is trusted, so use it only on a network path you control and confirm that the acquired certificate is the one the Microsoft endpoint (or your TLS-inspecting proxy) is expected to present.

    EPS Throttle: The maximum number of events per second. The default is 5000.

The following table provides a sample event message for the Microsoft Office 365 DSM:

Table 3: Microsoft Office 365 Sample Message Supported by the Microsoft Office 365 Service

Event name: Update user-fail

Low level category: Update Activity Failed

Sample log message:

    {
      "CreationTime": "2016-05-05T08:53:46",
      "Id": "8c1-b601-446b-accd-5db1bb544200",
      "Operation": "Update user.",
      "OrganizationId": "d3fc05f9-1eb4-4a92-bd0b-220dc6614f75",
      "RecordType": 8,
      "ResultStatus": "fail",
      "UserKey": "Not Available",
      "UserType": 6,
      "Workload": "AzureActiveDirectory",
      "ObjectId": "10033FFF9706BDBF",
      "UserId": "e5-f79d-4402-916f-46a467ce1140",
      "AzureActiveDirectoryEventType": 1,
      "ExtendedProperties": [
        {"Name": "MethodExecutionResult.", "Value": "Microsoft.Online.Workflows.ValidationException"}
      ],
      "Actor": [
        {"ID": "5-f79d-4402-916f-46a467ce1140", "Type": 4},
        {"ID": "ncipal_b0c7c0a8-203a-4dbc-b76c-78f82d0c96f4", "Type": 2}
      ],
      "ActorContextId": "d3fc05f9-1eb4-4a92-bd0b-220dc6614f75",
      "InterSystemsId": "72021b83-22b2-4f7f-ac80-774efca27742",
      "IntraSystemId": "e546cb1d-f0f2-4488-853e-c1c6928287f6",
      "Target": [
        {"ID": "5-d9f4-4761-b70a-3128d3b43700", "Type": 2},
        {"ID": "sql@cis.secu.com", "Type": 1},
        {"ID": "1706BDBF", "Type": 3}
      ],
      "TargetContextId": "d3fc05f9-1eb4-4a92-bd0b-220dc6614f75"
    }

Event name: Site permissions modified

Low level category: Update Activity Succeeded

Sample log message:

    {
      "CreationTime": "2015-10-20T15:54:05",
      "Id": "ea3942ca-3096-4487-f59e-08d2d966af07",
      "Operation": "SitePermissionsModified",
      "OrganizationId": "d3fc05f9-1eb4-4a92-bd0b-220dc6614f75",
      "RecordType": 4,
      "UserKey": "(empty)",
      "UserType": 0,
      "Workload": "SharePoint",
      "ClientIP": "32.97.110.60",
      "ObjectId": "https://ibmsecurity-my.sharepoint.com/personal/qradar_admin_ibmsecurity_onmicrosoft_com",
      "UserId": "SHAREPOINT\\system",
      "EventSource": "SharePoint",
      "ItemType": "Web",
      "Site": "308d9383-a3de-4f38-837d-50ac91fa5588",
      "UserAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"
    }
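The two records above are what the Office 365 REST API protocol hands to the DSM, one JSON object per audit record. As an added example (not the JSA DSM's own parser), the following Python normalises those records into the fields a SIEM cares about (event name, outcome, actor, target, client IP) and runs one simple detection over them. The field names are those of the Table 3 records; the event-name convention ("Update user-fail"), the treatment of a missing ResultStatus as success, and the IdentityType codes used to pick a readable target are assumptions reverse-engineered from Table 3 and from the Management Activity API common schema as the author remembers it. The input lines are constructed copies of the page's samples plus one deliberately truncated line.

```python
"""Normalise Office 365 Management Activity audit records into JSA-style fields.

Added example, not the JSA DSM's parser. Field names follow the Table 3 records;
the event-name convention, the fail/success mapping and the IdentityType codes
are assumptions (see comments).
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the two Table 3 samples re-joined onto one line each, plus a
# deliberately truncated third line to exercise the error path.
SAMPLE_LINES = [
    '{"CreationTime":"2016-05-05T08:53:46","Id":"8c1-b601-446b-accd-5db1bb544200",'
    '"Operation":"Update user.","OrganizationId":"d3fc05f9-1eb4-4a92-bd0b-220dc6614f75",'
    '"RecordType":8,"ResultStatus":"fail","UserKey":"Not Available","UserType":6,'
    '"Workload":"AzureActiveDirectory","ObjectId":"10033FFF9706BDBF",'
    '"UserId":"e5-f79d-4402-916f-46a467ce1140","AzureActiveDirectoryEventType":1,'
    '"ExtendedProperties":[{"Name":"MethodExecutionResult.",'
    '"Value":"Microsoft.Online.Workflows.ValidationException"}],'
    '"Actor":[{"ID":"5-f79d-4402-916f-46a467ce1140","Type":4},'
    '{"ID":"ncipal_b0c7c0a8-203a-4dbc-b76c-78f82d0c96f4","Type":2}],'
    '"ActorContextId":"d3fc05f9-1eb4-4a92-bd0b-220dc6614f75",'
    '"InterSystemsId":"72021b83-22b2-4f7f-ac80-774efca27742",'
    '"IntraSystemId":"e546cb1d-f0f2-4488-853e-c1c6928287f6",'
    '"Target":[{"ID":"5-d9f4-4761-b70a-3128d3b43700","Type":2},'
    '{"ID":"sql@cis.secu.com","Type":1},{"ID":"1706BDBF","Type":3}],'
    '"TargetContextId":"d3fc05f9-1eb4-4a92-bd0b-220dc6614f75"}',
    '{"CreationTime":"2015-10-20T15:54:05","Id":"ea3942ca-3096-4487-f59e-08d2d966af07",'
    '"Operation":"SitePermissionsModified",'
    '"OrganizationId":"d3fc05f9-1eb4-4a92-bd0b-220dc6614f75","RecordType":4,'
    '"UserKey":"(empty)","UserType":0,"Workload":"SharePoint","ClientIP":"32.97.110.60",'
    '"ObjectId":"https://ibmsecurity-my.sharepoint.com/personal/'
    'qradar_admin_ibmsecurity_onmicrosoft_com","UserId":"SHAREPOINT\\\\system",'
    '"EventSource":"SharePoint","ItemType":"Web","Site":"308d9383-a3de-4f38-837d-50ac91fa5588",'
    '"UserAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"}',
    '{"CreationTime":"2016-05-05T08:53:46","Operation":"Update user."',  # cut off mid-record
]

# IdentityType codes of Actor/Target entries as the author recalls the Management
# Activity API common schema (assumption): 0 Claim, 1 Name, 2 Other, 3 PUID,
# 4 SPN, 5 UPN. Only Name and UPN give a target a human can read.
READABLE_ID_TYPES = {1, 5}


@dataclass
class NormalisedEvent:
    event_name: str
    outcome: str
    workload: str
    operation: str
    actor: str
    target: Optional[str]
    client_ip: Optional[str]
    record_time: str


def humanise(operation: str) -> str:
    """'Update user.' -> 'Update user'; 'SitePermissionsModified' -> 'Site permissions modified'."""
    words = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", operation.rstrip(".")).split()
    return " ".join([words[0]] + [w.lower() for w in words[1:]]) if words else ""


def outcome_of(record: dict) -> str:
    # Table 3 files the SharePoint record, which carries no ResultStatus, under
    # "Update Activity Succeeded", so a missing status is treated as success.
    status = str(record.get("ResultStatus", "success")).lower()
    return "fail" if status in {"fail", "failed", "failure"} else "success"


def event_name(record: dict) -> str:
    name = humanise(record["Operation"])
    return f"{name}-fail" if outcome_of(record) == "fail" else name


def readable_target(record: dict) -> Optional[str]:
    for entry in record.get("Target", []):
        if entry.get("Type") in READABLE_ID_TYPES:
            return entry["ID"]
    return record.get("ObjectId")  # SharePoint records name the object directly


def normalise(record: dict) -> NormalisedEvent:
    return NormalisedEvent(
        event_name=event_name(record), outcome=outcome_of(record),
        workload=record["Workload"], operation=record["Operation"],
        actor=record.get("UserId") or record.get("UserKey") or "unknown",
        target=readable_target(record), client_ip=record.get("ClientIP"),
        record_time=record["CreationTime"],
    )


def parse_lines(lines: List[str]) -> Tuple[List[NormalisedEvent], List[Tuple[int, str]]]:
    """Parse one JSON record per line; bad lines are reported, not fatal."""
    events, errors = [], []
    for number, line in enumerate(lines, 1):
        try:
            events.append(normalise(json.loads(line)))
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            errors.append((number, f"{type(exc).__name__}: {exc}"))
    return events, errors


def failed_directory_changes(events: List[NormalisedEvent]) -> List[NormalisedEvent]:
    """Detection: failed write operations against Azure Active Directory."""
    return [e for e in events if e.workload == "AzureActiveDirectory" and e.outcome == "fail"]


if __name__ == "__main__":
    parsed, bad = parse_lines(SAMPLE_LINES)
    for e in parsed:
        print(f"{e.record_time} {e.workload:<20} {e.event_name:<28} actor={e.actor} target={e.target}")
    print("skipped:", bad)
    print("failed AAD changes:", [e.operation for e in failed_directory_changes(parsed)])
```

The outcome rule is the part to revisit against your own data: a record with no ResultStatus is counted as a success here only because Table 3 does so for the SharePoint sample, and a production parser should confirm that holds for every RecordType it ingests.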

Configuring Microsoft Office 365 to Communicate with JSA

Before you can configure a log source for Microsoft Office 365, content subscriptions must be enabled for your tenant; if they are not, you might need to request that Microsoft enables them for your Tenant ID. With content subscriptions enabled, JSA can retrieve data from the Office 365 Management Activity API.

The Tenant ID, Client ID, and Client Secret are required.

  1. Install the Azure Active Directory PowerShell module and open a PowerShell session. For more information, see How to install and configure Azure PowerShell (https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).
  2. To obtain the Tenant ID of the tenant that is subscribed to Microsoft Office 365, type the following commands:

    # Load the Azure AD (MSOnline) module; install it first with Install-Module MSOnline if it is missing
    Import-Module MSOnline

    # Prompt for the credentials of a user in the tenant that is subscribed to Office 365
    $userCredential = Get-Credential

    Connect-MsolService -Credential $userCredential

    # AccountObjectID on the subscribed SKUs is the tenant's directory (object) ID, which is the Tenant ID that JSA needs;
    # every SKU carries the same value, so print it once
    Get-MsolAccountSku | ForEach-Object { $_.AccountObjectID } | Select-Object -Unique

  3. Use Azure Management Portal to register an application in Azure Active Directory.
    1. To sign in to the Azure Management Portal, use the credentials of the tenant that is subscribed to Microsoft Office 365.

    2. Click Active Directory.

    3. Select the directory in which the new application is to be registered.

    4. On the directory page, select Applications.

    5. Click Add.

    6. Select Add an application my organization is developing.

    7. Enter a name for the application.

    8. For the type, select Web application and/or web API.

    9. For the Sign-on URL field, type the following:

      http://localhost

    10. For the App ID URL, enter a unique identifier in the form of a URL for the application.

      An example of a unique identifier is the following URL: http://company_name.onmicrosoft.com/QRadarApp.

  4. Configure the application properties.
    1. Select the newly created application in Azure AD.

    2. Select Configure.

    3. Verify that the Application is Multi-Tenant option is set to NO.

    4. Copy the client ID for future use.

    5. Save the configuration.

  5. Generate a client secret for the application.
    1. Under Keys, click Select Duration.

    2. Choose either 1 year or 2 years.

    3. Save the configuration.

    The client secret is displayed after the configuration is saved. Copy it and store it securely, because it is shown only once and cannot be retrieved afterwards. Note the expiry date as well: when the secret expires, JSA can no longer obtain tokens and event collection stops until you generate a new secret and update the log source.

  6. Specify the permissions that the application requires to access Office 365 Management APIs.
    1. Under Permissions to other applications, select Add application.

    2. Select Office 365 Management APIs.

    3. Click the check mark to save the selection.

    4. Under Application Permissions and Delegated Permissions, select the following options:

      • Read Activity data for your organization

      • Read service health information for your organization

      • Read activity reports for your organization

    5. Save the configuration.

    Application Permissions are the ones that JSA uses, because it authenticates as the application with the client secret rather than as a signed-in user, and granting them requires the consent of a tenant administrator.

    The application configuration in Azure AD is complete. You can create a log source for Microsoft Office 365 in JSA. For more information, see Getting started with Office 365 Management APIs (https://msdn.microsoft.com/EN-US/library/office/dn707383.aspx).
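Before creating the log source it is worth confirming that the registration works end to end. The following Python script is an added example (not part of JSA or of Microsoft's tooling) that performs the two requests the Office 365 REST API protocol must be able to make with the Tenant ID, Client ID and Client Secret from the procedure above: an OAuth2 client-credentials token request on the v1 endpoint that matches the Azure AD portal described here, followed by a subscription start for one Event Filter content type. It also decodes the token to check that the application permissions selected in step 6 were actually granted. The endpoint paths, the content-type names behind the Event Filter choices, the role names ActivityFeed.Read and ServiceHealth.Read, and the O365_* environment variable names are assumptions from the Office 365 Management API documentation as the author remembers it; check them against current Microsoft documentation.

```python
"""Check an Azure AD app registration against the Office 365 Management APIs.

Added example, not part of JSA. Endpoint paths, content-type names and role
names are assumptions recalled from Microsoft's Management API documentation.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_HOST = "https://login.microsoftonline.com"
MANAGE_HOST = "https://manage.office.com"

# Table 2 "Event Filter" choices -> Management Activity API content types (assumed
# mapping; Service Communications is served by a separate API and has no
# activity-feed content type, so it is omitted here).
CONTENT_TYPES = {
    "Azure Active Directory": "Audit.AzureActiveDirectory",
    "Exchange": "Audit.Exchange",
    "SharePoint": "Audit.SharePoint",
}

# Application permissions behind "Read Activity data for your organization" and
# "Read service health information for your organization" (assumed API names).
REQUIRED_ROLES = {"ActivityFeed.Read", "ServiceHealth.Read"}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a client-credentials grant on the v1 endpoint."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": MANAGE_HOST,
    })
    return url, body


def subscription_start_url(tenant_id, event_filter):
    """URL that enables the content subscription for one Event Filter choice."""
    return (f"{MANAGE_HOST}/api/v1.0/{tenant_id}/activity/feed/subscriptions/start"
            f"?contentType={CONTENT_TYPES[event_filter]}")


def roles_in_token(access_token):
    """Return the 'roles' claim of a JWT payload without verifying the signature.

    Signature verification is the resource server's job; this only shows which
    application permissions admin consent actually granted.
    """
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def missing_roles(access_token):
    return REQUIRED_ROLES - roles_in_token(access_token)


def unsigned_token(claims):
    """Build a structurally valid but unsigned JWT (for offline tests only)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def _decode(raw):
    try:
        return json.loads(raw or "{}")
    except ValueError:
        return {"raw": raw}


def post_json(url, body, headers):
    """POST and return (status, parsed body); AADSTS errors come back as JSON too."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _decode(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, _decode(err.read().decode())


def check_registration(tenant_id, client_id, client_secret, event_filter):
    url, body = token_request(tenant_id, client_id, client_secret)
    status, token_resp = post_json(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return f"token request failed ({status}): {token_resp.get('error_description')}"
    token = token_resp["access_token"]
    missing = missing_roles(token)
    if missing:
        return f"token lacks application permissions {sorted(missing)}; grant admin consent"
    status, sub_resp = post_json(subscription_start_url(tenant_id, event_filter), "",
                                 {"Authorization": f"Bearer {token}"})
    return f"subscription start for {event_filter}: HTTP {status} {sub_resp}"


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("O365_TENANT_ID", "O365_CLIENT_ID", "O365_CLIENT_SECRET")}
    if not all(env.values()):
        sys.exit("set O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET first")
    print(check_registration(env["O365_TENANT_ID"], env["O365_CLIENT_ID"],
                             env["O365_CLIENT_SECRET"], "Azure Active Directory"))
```

Run it once from a host that has the same network path (and proxy, if any) as the JSA console. A 200 on the token request but an empty roles claim means the permissions were selected but not consented to; a 401 or 403 on the subscription start with the roles present usually means content subscriptions are not yet enabled for the tenant, which is the case the first paragraph of this section describes.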