If you're having trouble at any stage please contact us at email@example.com.
Office 365 provides a broad set of office applications, such as document management, web mail, presentation creation and more, delivered as a cloud service. Office 365 helps organizations move faster with elastic scalability and lower cost for their office application needs. At the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Obtain and retain a full audit trail of activity in the Office 365 account
- Retrieve the Office 365 account activities, such as user access, permission changes, file uploads and shares, security setting changes, email traffic logs, suspicious-activity alerts from Azure AD and many more
- Make these granular activities available in the organization's central log or event management system for compliance, investigation or forensic needs
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for Office 365 is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Office 365 account, unifies the events into a common application event format, enriches them with the context needed for detection and sends them to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Office 365 retrieves the events from the Office 365 service through the service APIs. Before sending the events to the existing SIEM/SOC system the connector will:
- Unify the events into the SkyFormation unified application event format
- Embed the original event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context, such as AD identity information
- Encode the resulting event into a standard format, such as CEF
- Send the event to the existing SIEM/SOC system over syslog
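The six steps above carried end to end on one constructed Management Activity API sign-in record. This is an added illustration, not SkyFormation's code: the unified field names, the `SkyFormation`/`Office365Connector` CEF vendor and product strings, the severity scoring and the `DIRECTORY` identity lookup are assumptions made for the example; the record's field names follow Microsoft's published Management Activity API schema and its values are invented.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample shaped like an Office 365 Management Activity API
# AzureActiveDirectoryStsLogon record (RecordType 15); the field names follow
# Microsoft's published schema, every value is invented for this example.
SAMPLE_EVENT = {
    "CreationTime": "2019-03-04T08:12:45",
    "Operation": "UserLoggedIn",
    "RecordType": 15,
    "ResultStatus": "Failed",
    "UserKey": "10032000A1B2C3D4@contoso.onmicrosoft.com",
    "ClientIP": "198.51.100.23",
    "UserId": "alice@contoso.onmicrosoft.com",
    "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0"}],
    "LogonError": "InvalidUserNameOrPassword",
}
# Hypothetical identity store standing in for the AD lookup used to enrich.
DIRECTORY = {"alice@contoso.onmicrosoft.com": {"department": "Finance", "privileged": False}}
# Subset of the public RecordType codes.
RECORD_TYPES = {6: "SharePointFileOperation", 8: "AzureActiveDirectory", 15: "AzureActiveDirectoryStsLogon"}


def unify(raw):
    # Steps 1-2: common shape (field names are assumed) plus the untouched origin record.
    return {
        "event_time": raw["CreationTime"].rstrip("Z") + "Z",
        "category": RECORD_TYPES.get(raw.get("RecordType"), "Unknown"),
        "action": raw.get("Operation"),
        "outcome": raw.get("ResultStatus", "Unknown"),
        "actor": raw.get("UserId") or raw.get("UserKey"),
        "src_ip": raw.get("ClientIP"),
        "origin": raw,
    }

def complement(event):
    # Step 3: surface fields the API leaves buried in sub-structures.
    origin = event["origin"]
    props = {p["Name"]: p["Value"] for p in origin.get("ExtendedProperties", [])}
    event["user_agent"] = props.get("UserAgent")
    event["reason"] = origin.get("LogonError")
    return event

def enrich(event, directory=DIRECTORY):
    # Step 4: attach identity context for the actor.
    identity = directory.get(event["actor"], {})
    event["actor_department"] = identity.get("department")
    event["actor_privileged"] = identity.get("privileged", False)
    return event

def cef_escape(value, header=False):
    # CEF rules: backslash and '|' in the header; backslash, '=' and newlines in the extension.
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def severity(event):
    # Assumed scoring: failed sign-in 5, failed sign-in of a privileged account 8, else 3.
    if event["category"].endswith("Logon") and event["outcome"] != "Success":
        return 8 if event["actor_privileged"] else 5
    return 3

def to_cef(event):
    # Step 5: encode as CEF (vendor, product and version strings are assumed).
    ts = datetime.strptime(event["event_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ext = {"rt": int(ts.timestamp() * 1000), "suser": event["actor"], "src": event["src_ip"],
           "outcome": event["outcome"], "reason": event["reason"],
           "requestClientApplication": event["user_agent"],
           "cs1Label": "department", "cs1": event["actor_department"],
           "cs2Label": "origin", "cs2": json.dumps(event["origin"], separators=(",", ":"))}
    header = "|".join(cef_escape(v, header=True) for v in (
        "CEF:0", "SkyFormation", "Office365Connector", "1.0", event["action"],
        f"{event['category']} {event['action']}", severity(event)))
    return header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items() if v is not None)

def to_syslog(cef_line, cef_sev, hostname="o365-connector", now=None):
    # Step 6: RFC 5424 frame on facility local4 (20); CEF 0-10 folded onto syslog severity.
    sev = 6 if cef_sev <= 3 else 5 if cef_sev <= 6 else 4 if cef_sev <= 8 else 3
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{20 * 8 + sev}>1 {stamp} {hostname} skyformation - - - {cef_line}"

def process(raw, directory=DIRECTORY, now=None):
    # Whole pipeline: returns the unified event and the syslog frame carrying its CEF encoding.
    event = enrich(complement(unify(raw)), directory)
    return event, to_syslog(to_cef(event), severity(event), now=now)

def send_udp(frame, host, port=514):
    # Ship one frame over UDP syslog; the offline demo below only prints it.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (host, port))

if __name__ == "__main__":
    print(process(SAMPLE_EVENT)[1])
```

Run it to print one syslog frame. Two details matter in practice: CEF escaping differs between the header (backslash and pipe) and the extension (backslash, equals sign and newline), and the embedded origin event is carried as JSON inside the extension, so it has to pass through the extension escaper too or a stray `=` in a field value will break key/value parsing at the SIEM. For a production feed, replace `send_udp` with TCP or TLS syslog, since UDP silently drops frames under load.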
Office 365 Audit Sources & Events Supported
For the full list of the minimal Office 365 subscription required per endpoint, refer to: Office 365 Minimal Subscription Requirement Per Endpoint
| API Source | Service Covered | Event Types | Events Included | Minimal Subscription Required |
|---|---|---|---|---|
| microsoft-graph-api | Azure AD | Azure AD sign-in events | Login success, login failed, etc. | AAD Premium P2 |
| management-activity-api | Azure AD | | Azure AD events, including some sign-in events | None |
| management-activity-api | Azure Active Directory | AzureActiveDirectory, AzureActiveDirectoryAccountLogon, | Azure Active Directory events and STS | None |
| management-activity-api | SharePoint | SharePoint, SharePointFileOperation, SharePointSharingOperation | SharePoint events, SharePoint file operation events, SharePoint sharing events | None |
| management-activity-api | Exchange | ExchangeAdmin, ExchangeItem, ExchangeItemGroup | Events from the Exchange admin audit log; events from an Exchange mailbox audit log for actions performed on a single item, such as creating or receiving an email message; events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages | None |
| management-activity-api | DLP | ComplianceDLPSharePoint, ComplianceDLPExchange | Data loss protection (DLP) events in SharePoint and OneDrive for Business; DLP events in Exchange when configured via a Unified DLP Policy (DLP events based on Exchange Transport Rules are not supported) | None |
| mcas-api | Office 365 Cloud App Security | | Office 365 suspicious activities | E5, or purchased as an add-on to another enterprise edition |
| activity-report-api | Message Trace | MessageTrace | Summary information about the processing of email messages that have passed through the Office 365 system | None |
| activity-report-api | Spoof Mail | SpoofMailReport | Information about insider spoofing in your cloud-based organization, where the sender's email address in an inbound message appears to represent your organization but the actual identity of the sender is different | E3 |
| activity-report-api | DLP Policy | MailDetailDlpPolicy | Details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages | E3 |
| activity-report-api | Malware report | MailDetailMalware | Details of messages that contained malware | E3 |
| activity-report-api | Spam report | MailDetailSpam | Details about the processing steps taken on email messages identified as containing spam while the message was being processed | E3 |
| microsoft-graph-api | General audit events | | Office 365 audit events | None |
| management-activity-api | Yammer | Yammer schema | Yammer events | None |
| management-activity-api | Sway | Sway schema | Sway events | None |
| management-activity-api | Microsoft Teams | MicrosoftTeams, MicrosoftTeamsAddOns, MicrosoftTeamsSettingsOperation | Events from Microsoft Teams | None |
| microsoft-graph-api | Anomalies | | Sign-in from a suspicious IP | E3 |
| microsoft-graph-api | | | Malware detection alert | E3 |
| microsoft-graph-api | Compromised Credentials | compromisedCredentials | Azure AD compromised account alert events | E3 |
*** Data from the audit source becomes available with a delay of approximately 24 hours from the moment the event was triggered; detection and retention windows built on this feed must allow for that lag.
How to on-board Office 365 Connector to SkyFormation