If you're having trouble at any stage please contact us at firstname.lastname@example.org.
Office 365 provides a broad set of office applications, such as document management, web mail, presentation creation and more. Office 365 services are delivered as a cloud service. Office 365 helps organizations move faster with infinite scalability and lower cost for their office application needs. At the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit of activities in the Office 365 account
- Retrieve Office 365 account activities such as user access, permission changes, file uploads and sharing, security settings changes, email traffic logs, suspicious alerts from Azure AD and many more.
- Make the granular activities available in the organization’s central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations
What is it
SkyFormation Cloud Connector for Office 365 is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the Office 365 account, unifies the events into a common application events format, enriches the events with the needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for Office 365 retrieves the events from the Office 365 service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
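The processing steps listed above, sketched as an added example (not SkyFormation's code or its event format): a constructed Office 365 audit record is unified, complemented, enriched and encoded as CEF with the escaping that CEF requires. The vendor string, the `DIRECTORY` lookup and the use of `cs1`/`cs2` for the enrichment and the embedded origin event are assumptions; the syslog send is left out so the block runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed record; field names follow the Management Activity API common schema.
RAW = {
    "CreationTime": "2024-01-15T09:30:00",
    "Operation": "FileDownloaded",
    "Workload": "SharePoint",
    "UserId": "alice@contoso.example",
    "ClientIP": "203.0.113.7",
    "ObjectId": "https://contoso.example/sites/hr/Doc.aspx?id=7",
}
# Hypothetical identity context standing in for an AD lookup.
DIRECTORY = {"alice@contoso.example": {"department": "HR"}}


def esc_header(value):
    """CEF header fields: escape backslash, then pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """CEF extension values: escape backslash, equals sign and line breaks."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def unify(raw, directory):
    """Flatten a raw record, complement gaps, enrich, and embed the origin event."""
    created = datetime.fromisoformat(raw["CreationTime"]).replace(tzinfo=timezone.utc)
    user = raw.get("UserId", "")
    return {
        "act": raw.get("Operation", "unknown"),
        "rt": int(created.timestamp() * 1000),  # CEF rt as epoch milliseconds (UTC)
        "suser": user,
        "src": raw.get("ClientIP", ""),
        "outcome": raw.get("ResultStatus", "unknown"),  # complement a missing field
        "cs1Label": "department",
        "cs1": directory.get(user, {}).get("department", "unknown"),  # enrichment
        "cs2Label": "originEvent",
        "cs2": json.dumps(raw, sort_keys=True),  # origin event embedded verbatim
    }


def to_cef(event, product="Office 365"):
    """Encode as CEF:0|vendor|product|version|class id|name|severity|extension."""
    header = ["CEF:0", "ExampleVendor", product, "1.0", event["act"], event["act"], "3"]
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in event.items() if k != "act" and v != "")
    return "|".join(esc_header(h) for h in header) + "|" + ext


CEF_LINE = to_cef(unify(RAW, DIRECTORY))
```

Without the extension escaping, the `=` inside the embedded origin event would be read by a CEF parser as the start of a new key, which corrupts the fields a SIEM extracts from the line.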
Office 365 Audit Sources & Events Supported
To see the full list of the minimal Office 365 subscription required per endpoint below, please refer to: Office 365 Minimal Subscription Requirement Per Endpoint
|Service Covered||Event included||Endpoint/API||Notes||Minimal Subscription Required|
|Azure AD||Sign-in events (e.g. login success/failed)||signin-events||See https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta||AAD Premium P2|
|Azure AD||General audit events such as group/users management||audit-events||See https://docs.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-beta||None|
|Azure AD Identity Protection||Risk and anomalies detection in Azure AD||graph-identity-protection||For more information on the Azure AD Identity Protection API please refer to:|| |
|SharePoint||SharePoint administrative and file management operations||management-activity-api|| ||None|
|Exchange||Exchange administrative operation||management-activity-api||Events from the Exchange admin audit log. Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message. Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.||None|
|Exchange||Message Trace||activity-report-api||Email send/receive trace||None|
|DLP||ComplianceDLPSharePoint, ComplianceDLPExchange||management-activity-api||Data loss protection (DLP) events in SharePoint and OneDrive for Business. Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported.||None|
|Microsoft Cloud App Security (MCAS)||Cloud services anomalies, suspicious activities and violations detected by the Microsoft CASB service||mcas-api|| ||E5 or purchased to other enterprise edition|
|Advanced Threat Protection (ATP)|| ||activity-report-api||View information about insider spoofing in your cloud-based organization. Insider spoofing is where the sender’s email address in an inbound message appears to represent your organization, but the actual identity of the sender is different.||E3|
|Advanced Threat Protection (ATP)|| ||activity-report-api||Provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages.||E3|
|Advanced Threat Protection (ATP)|| ||activity-report-api||View the details of messages that contained malware.||E3|
|Advanced Threat Protection (ATP)|| ||activity-report-api||Provides details about the processing steps taken on email messages identified as containing spam while the message was being processed.||E3|
|Audit events||General audit events||audit-events||Office 365 audit events||None|
|Yammer||Yammer schema||microsoft-graph-api||Yammer events||None|
|Sway||Sway schema||microsoft-graph-api||Sway events||None|
|Microsoft Teams||MicrosoftTeams, MicrosoftTeamsAddOns, MicrosoftTeamsSettingsOperation||microsoft-graph-api||Events from Microsoft Teams.||None|
|Office 365 Threat Detection||signInsFromUnknownSourcesEvents||microsoft-graph-api|| ||E3|
|Office 365 Threat Detection||Sign-in from suspicious IP||microsoft-graph-api|| ||E3|
|Office 365 Threat Detection||Malware detection alert||microsoft-graph-api|| ||E3|
|Office 365 Threat Detection||Compromised Credentials||microsoft-graph-api||Azure AD compromised accounts alerts events||E3|
*** Data availability delay of the audit source is approximately 24 hours from the moment that the event was triggered.
How to on-board Office 365 Connector to SkyFormation