If you're having trouble at any stage please contact us at support@skyformation.com. 

Preface

The goal of this guide is to add a new SkyFormation's Office 365 Cloud App Connector to your SkyFormation Platform.

Prerequisites

Mandatory

- Complete the steps detailed at: How to: Create Azure AD Application In Your Office365 Account for SkyFormation Office 365 connector

- For Azure AD events have the AD premium license

- For Exchange ATP events have the ATP license assigned to Office 365 users you want to get ATP events for

Starting from release 2.4.108, 2 authentication methods are available:
     1) oauth2
     2) certificate

For oauth2, you need to provide: client-id and client-secret.
For certificate, you need to provide: client-id, private key and certificate.  

- Have the following information available:

  * Office 365 tenant ID 
  * SkyFormation app client ID

  * SkyFormation app generated secret ID -only if you chose oauth2 authentication

   * Certificate - only if you chose certificate authentication
   * Private key - only if you chose certificate authentication

- Turn on the Office 365 audit logs recording and auditing

  Follow the instructions at:
  Turn on the audit log in the Office 365 Security Compliance Center

  As mentioned in the above link to enable the Office 365 mailbox audit follow the instructions at:
  https://technet.microsoft.com/en-us/library/dn879651.aspx

Domains and URLs to be Approachable from SkyFormation Machine

• https://manage.office.com
• https://reports.office365.com - only for Exchange Admin Reports endpoints (exchange-admin-report-*)
• https://*.cloudappsecurity.com - only for MCAS endpoints (mcas-*)
• Cloud - Azure AD (global service)
  • https://graph.microsoft.com 
  • http://go.microsoft.com
  • https://*.core.windows.net
  • https://management.azure.com
  • https://management.core.windows.net:8443
  • https://*.database.windows.net
  • https://gallery.azure.com
  • https://login.microsoftonline.com
  • https://graph.windows.net
  • https://*.vault.azure.net
  • https://*.azuredatalakestore.net
  • https://*.azuredatalakeanalytics.net
  • https://api.loganalytics.io
  • https://api.applicationinsights.io
• Cloud - Azure AD China operated by 21Vianet
  • https://microsoftgraph.chinacloudapi.cn
  • http://go.microsoft.com
  • https://management.chinacloudapi.cn
  • https://management.core.chinacloudapi.cn:8443
  • https://*.database.chinacloudapi.cn
  • https://gallery.chinacloudapi.cn
  • https://login.chinacloudapi.cn
  • https://graph.chinacloudapi.cn
  • https://*.core.chinacloudapi.cn
  • https://*.vault.azure.cn
• Cloud - Azure AD Germany
  • https://graph.microsoft.de 
  • http://portal.microsoftazure.de
  • https://manage.microsoftazure.de
  • https://*.core.cloudapi.de
  • https://management.core.cloudapi.de:8443
  • https://*.database.cloudapi.de
  • https://gallery.cloudapi.de
  • https://login.microsoftonline.de
  • https://graph.cloudapi.de
  • https://*.vault.microsoftazure.de
• Cloud - Azure AD for US Government
  • https://graph.microsoft.us
  • https://manage.windowsazure.us
  • https://*.core.usgovcloudapi.net
  • https://management.usgovcloudapi.net
  • https://management.core.usgovcloudapi.net:8443
  • https://graph.windows.net
  • https://*.vault.usgovcloudapi.net
  • https://api.loganalytics.us

Optional

    a. To get events from your Office 365 Exchange API (e.g. message trace, admin reports)

        () Have a user name and password in Office 365 with the permissions required as stated in
           this link: Feature permissions in Exchange Online (See the table at the bottom)
           Follow this guide for full details: How-to Collect events from Office365 Exchange Admin Reports using the Office365 connector

    b. To get alerts and events from your Microsoft Cloud App Security (MCAS) service in
        case it is supported and enabled in your Office 365 account

       () Complete the steps at:
          How-to: Setup Microsoft Cloud App Security (MCAS) to allow its events collection 

    c. To get exposed resources report from OneDrive and Sharepoint services
        () have the certificate and private key files ready (see generating X.509 certificate)

Steps

 1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to "Settings" section

3. Navigate via New Settings left navigation panel to "Accounts" section

4. Click the "Add Account" bottom

5. At the "SELECT SERVICE TO ADD" choose "Office 365 Microsoft" 

You will see the below screen:

5. Fill in the following information:

    - Account Name
        Give this Office 365 a meaningful name for you. This will become your cloud app connector
      name displayed in the application and the events sent to external systems as SIEM/Splunk.

      e.g. "Office 365 North US production"     

    - Description

      Add and text that describe the cloud app connector.

      e.g. "This is our corporate office 365 service used for email, file sharing and more"

   - Authentication Method

      Starting from release 2.4.108, can be either oauth2 or certificate

    - Client-id

       The SkyFormation app generated client ID in the prerequisites

       e.g. 4e11ab22-6d1c-5077-9d73-f7776d3851e8

    - Client-Secret

       The SkyFormation app generated secret ID in the prerequisites

        e.g. W17FnTeyRWUasdTGBdVeB+A3kASDaYUH0lre+MzuxRT=

   - Certificate

       The content of the certificate file from the prerequisites section. Required only if your                            authentication method is "certificate".

       e.g:

-----BEGIN CERTIFICATE-----
*****************
*****************
*****************
.....
-----END CERTIFICATE-----

   - Private Key

      The content of the private file from the prerequisites section. Required only if your                                  authentication method is "certificate".      

      e.g:

-----BEGIN PRIVATE KEY-----
**************
**************
**************
.....
-----END PRIVATE KEY-----

    - Tenant-id

       The Office365 tenant id you got at the prerequisites

        e.g. 3d70c501-bb21-1122-9330-c4a25e252086

   Exchange Endpoint (Optional)

   -  Username

      This field is required only if you want to get events from the Exchange Admin Reports API.
      A user with permissions to communicate with the Exchange Admin Reports APIs
      NOTE: This needs the be the email address of the user

      e.g. johnd@mycorp.com

   -  Password

      This field is required only if you want to get events from the Exchange Admin Reports API.

      e.g. secret

  Endpoint Group - MCAS (Optional and only available if MCAS service is enabled)

   -  Tenant URL

      This field is required only if you want to get events from the Exchange Admin Reports API.
      A user with permissions to communicate with the Exchange Admin Reports APIs

      e.g. johnd

   -  Token

      This field is required only if you want to get events from the Exchange Admin Reports API.

      e.g. secret

 5. Click "SAVE" bottom

 6. Make sure the status of the new Office365 connector "STATUS" in the table is OK and green.

Your are done !