If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new SkyFormation Office 365 Cloud App Connector to your SkyFormation Platform.
Prerequisites
Mandatory
- Complete the steps detailed at: How to: Create Azure AD Application In Your Office365 Account for SkyFormation Office 365 connector
- For Azure AD events, have an Azure AD Premium license
- For Exchange ATP events, have the ATP license assigned to the Office 365 users you want to get ATP events for
Starting from release 2.4.108, two authentication methods are available:
1) oauth2
2) certificate
For oauth2, you need to provide: client-id and client-secret.
For certificate, you need to provide: client-id, private key and certificate.
- Have the following information available:
* Office 365 tenant ID
* SkyFormation app client ID
* SkyFormation app generated secret - only if you chose oauth2 authentication
* Certificate - only if you chose certificate authentication
* Private key - only if you chose certificate authentication
- Turn on Office 365 audit log recording (the unified audit log and mailbox auditing)
Follow the instructions at:
Turn on the audit log in the Office 365 Security & Compliance Center
As mentioned at the above link, to enable Office 365 mailbox auditing follow the instructions at:
https://technet.microsoft.com/en-us/library/dn879651.aspx
Domains and URLs that must be reachable from the SkyFormation machine
- https://manage.office.com
- https://reports.office365.com - only for Exchange Admin Reports endpoints (exchange-admin-report-*)
- https://*.cloudappsecurity.com - only for MCAS endpoints (mcas-*)
- Cloud - Azure AD (global service)
- https://graph.microsoft.com
- http://go.microsoft.com
- https://*.core.windows.net
- https://management.azure.com
- https://management.core.windows.net:8443
- https://*.database.windows.net
- https://gallery.azure.com
- https://login.microsoftonline.com
- https://graph.windows.net
- https://*.vault.azure.net
- https://*.azuredatalakestore.net
- https://*.azuredatalakeanalytics.net
- https://api.loganalytics.io
- https://api.applicationinsights.io
- Cloud - Azure AD China operated by 21Vianet
- https://microsoftgraph.chinacloudapi.cn
- http://go.microsoft.com
- https://management.chinacloudapi.cn
- https://management.core.chinacloudapi.cn:8443
- https://*.database.chinacloudapi.cn
- https://gallery.chinacloudapi.cn
- https://login.chinacloudapi.cn
- https://graph.chinacloudapi.cn
- https://*.core.chinacloudapi.cn
- https://*.vault.azure.cn
- Cloud - Azure AD Germany
- https://graph.microsoft.de
- http://portal.microsoftazure.de
- https://manage.microsoftazure.de
- https://*.core.cloudapi.de
- https://management.core.cloudapi.de:8443
- https://*.database.cloudapi.de
- https://gallery.cloudapi.de
- https://login.microsoftonline.de
- https://graph.cloudapi.de
- https://*.vault.microsoftazure.de
- Cloud - Azure AD for US Government
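A practical check for this list: the script below is an added example (not part of the original guide and not SkyFormation's own tooling) that you run on the SkyFormation machine itself. It probes each global-service endpoint with DNS resolution, a TCP connect and, for https, a certificate-verified TLS handshake, so a blocked port, a missing proxy exception or a TLS-intercepting proxy shows up before you save the connector. Wildcard entries have no single host to test and are only reported. The endpoint list is copied from the global-service section above; the port/scheme interpretation (443/80 unless the URL names a port) is the script's own assumption about how the allow-list should be read.

```python
"""Probe the endpoints the SkyFormation machine must reach for the Office 365 connector.

For each URL: resolve the host, open a TCP connection to the port the URL implies
(an explicit :8443, otherwise the scheme default) and, for https, complete a
certificate-verified TLS handshake. A TLS failure on a host that resolves and
connects usually means an intercepting proxy or a missing CA bundle, not a firewall.
Wildcard entries (https://*.core.windows.net) have no single host to test and are
reported as such; allow the whole domain on the proxy/firewall instead.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Copied from the "Cloud - Azure AD (global service)" list plus the two optional
# endpoint groups. Swap in the China or Germany list for those clouds.
GLOBAL_ENDPOINTS = [
    "https://manage.office.com",
    "https://reports.office365.com",      # exchange-admin-report-* endpoints only
    "https://*.cloudappsecurity.com",     # mcas-* endpoints only
    "https://graph.microsoft.com",
    "http://go.microsoft.com",
    "https://*.core.windows.net",
    "https://management.azure.com",
    "https://management.core.windows.net:8443",
    "https://*.database.windows.net",
    "https://gallery.azure.com",
    "https://login.microsoftonline.com",
    "https://graph.windows.net",
    "https://*.vault.azure.net",
    "https://*.azuredatalakestore.net",
    "https://*.azuredatalakeanalytics.net",
    "https://api.loganalytics.io",
    "https://api.applicationinsights.io",
]


def parse_endpoint(url):
    """Return (scheme, host, port, is_wildcard) for one allow-list URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme in %r" % url)
    host = parts.hostname
    if not host:
        raise ValueError("no host in %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, host, port, host.startswith("*.")


def check_endpoint(url, timeout=5.0):
    """Probe one endpoint; returns (status, detail) with status one of
    'ok', 'wildcard', 'dns', 'connect' or 'tls'."""
    scheme, host, port, wildcard = parse_endpoint(url)
    if wildcard:
        return "wildcard", "%s cannot be probed, allow the whole domain" % host
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", "%s does not resolve: %s" % (host, exc)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect", "%s:%d unreachable: %s" % (host, port, exc)
    if scheme != "https":
        sock.close()
        return "ok", "%s:%d TCP connect" % (host, port)
    try:
        ctx = ssl.create_default_context()  # verifies the chain and the hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", "%s:%d %s handshake verified" % (host, port, tls.version())
    except ssl.SSLError as exc:
        sock.close()
        return "tls", "%s:%d TLS failed (intercepting proxy or missing CA?): %s" % (host, port, exc)


def check_all(urls, timeout=5.0):
    """Map status -> list of details. Any 'dns', 'connect' or 'tls' entry will
    keep the connector from working; 'wildcard' entries need a domain-wide rule."""
    report = {}
    for url in urls:
        status, detail = check_endpoint(url, timeout)
        report.setdefault(status, []).append(detail)
    return report


if __name__ == "__main__":
    for status, lines in sorted(check_all(GLOBAL_ENDPOINTS).items()):
        for line in lines:
            print("%-8s %s" % (status.upper(), line))
```

Run it as `python3 check_endpoints.py` on the SkyFormation machine; every line that is not OK or WILDCARD is a firewall, proxy or DNS item to resolve before continuing. Note that the 8443 entry is the only one that is not on a default port, which is the one most often missed in outbound firewall rules.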
Optional
a. To get events from your Office 365 Exchange API (e.g. message trace, admin reports):
- Have a user name and password in Office 365 with the permissions required as stated in
this link: Feature permissions in Exchange Online (see the table at the bottom)
- Follow this guide for full details: How-to Collect events from Office365 Exchange Admin Reports using the Office365 connector
b. To get alerts and events from your Microsoft Cloud App Security (MCAS) service, if it is
supported and enabled in your Office 365 account:
- Complete the steps at:
How-to: Setup Microsoft Cloud App Security (MCAS) to allow its events collection
c. To get the exposed resources report from the OneDrive and SharePoint services:
- Have the certificate and private key files ready (see generating X.509 certificate)
Steps
1. Logon to your SkyFormation Platform:
2. Navigate via left navigation panel to "Settings" section
3. Navigate via New Settings left navigation panel to "Accounts" section
4. Click the "Add Account" bottom
5. At the "SELECT SERVICE TO ADD" choose "Office 365 Microsoft"
You will see the below screen:
5. Fill in the following information:
- Account Name
Give this Office 365 account a meaningful name. It becomes the cloud app connector
name displayed in the application and in the events sent to external systems such as a SIEM or Splunk.
e.g. "Office 365 North US production"
- Description
Add any text that describes the cloud app connector.
e.g. "This is our corporate Office 365 service used for email, file sharing and more"
- Authentication Method
Starting from release 2.4.108, can be either oauth2 or certificate
- Client-id
The client ID of the SkyFormation app you created in the prerequisites
e.g. 4e11ab22-6d1c-5077-9d73-f7776d3851e8
- Client-Secret
The secret generated for the SkyFormation app in the prerequisites. Required only if your authentication method is "oauth2".
e.g. W17FnTeyRWUasdTGBdVeB+A3kASDaYUH0lre+MzuxRT=
- Certificate
The content of the certificate file from the prerequisites section. Required only if your authentication method is "certificate".
e.g:
-----BEGIN CERTIFICATE-----
*****************
*****************
*****************
.....
-----END CERTIFICATE-----
- Private Key
The content of the private key file from the prerequisites section. Required only if your authentication method is "certificate". Treat it like the client secret: anyone holding this key can authenticate as the SkyFormation app.
e.g:
-----BEGIN PRIVATE KEY-----
**************
**************
**************
.....
-----END PRIVATE KEY-----
- Tenant-id
The Office 365 tenant ID you obtained in the prerequisites
e.g. 3d70c501-bb21-1122-9330-c4a25e252086
Exchange Endpoint (Optional)
- Username
This field is required only if you want to get events from the Exchange Admin Reports API.
A user with permissions to communicate with the Exchange Admin Reports APIs.
NOTE: This needs to be the email address of the user
e.g. johnd@mycorp.com
- Password
This field is required only if you want to get events from the Exchange Admin Reports API.
e.g. secret
Endpoint Group - MCAS (Optional and only available if the MCAS service is enabled)
- Tenant URL
This field is required only if you want to get alerts and events from MCAS.
The URL of your MCAS tenant portal (a host under cloudappsecurity.com, see the domains list in the prerequisites).
- Token
This field is required only if you want to get alerts and events from MCAS.
The API token generated in the MCAS portal, as described in the MCAS how-to in the prerequisites.
e.g. secret
7. Click the "SAVE" button
8. Make sure the "STATUS" column for the new Office 365 connector in the accounts table shows OK (green).
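If the status does not turn green, the usual cause is a Tenant-id, Client-id or Client-Secret that does not match the app created in the prerequisites, or an app whose permissions were never admin-consented. The script below is an added example (not part of this guide and not SkyFormation code) that checks the oauth2 values from the prerequisites and from the Client-id, Client-Secret and Tenant-id fields above before you save them: it obtains a token with the client-credentials grant for https://manage.office.com (listed as a mandatory endpoint above) and inspects the token's own claims for the tenant, the app and the granted roles. The resource URL, the Azure AD v1 token endpoint and the ActivityFeed.Read role name are assumptions about the Office 365 Management Activity API, not statements from this guide; the certificate method (a signed JWT client assertion instead of a secret) is not covered by this block.

```python
"""Verify the SkyFormation app's oauth2 credentials and tenant before saving the connector.

Requests an access token with the client-credentials grant for the resource
https://manage.office.com (Office 365 Management Activity API), then decodes the
token body WITHOUT verifying the signature (it is our own token, inspected locally)
to confirm the tenant id, the app id and the application roles Azure AD actually
granted. A mismatch here means the connector would save but stay red or collect nothing.
"""
import base64
import getpass
import json
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # Azure AD v1 endpoint
RESOURCE = "https://manage.office.com"
# Assumed minimum application permission for audit-event collection; your app may
# have been granted more roles than this in the prerequisites.
REQUIRED_ROLES = ("ActivityFeed.Read",)


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials token request."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode("ascii")


def request_token(tenant_id, client_id, client_secret, timeout=15):
    """POST the request and return the raw access token (needs network access)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(access_token):
    """Return the JWT payload as a dict. No signature check: local inspection only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(access_token, tenant_id, client_id, required_roles=REQUIRED_ROLES):
    """Return a list of problems; empty means the token was issued by the tenant
    you typed, for the app you typed, with the roles the collector needs."""
    claims = decode_claims(access_token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token tenant %r differs from Tenant-id %r" % (claims.get("tid"), tenant_id))
    if claims.get("appid") != client_id:
        problems.append("token appid %r differs from Client-id %r" % (claims.get("appid"), client_id))
    if claims.get("aud") != RESOURCE:
        problems.append("token audience %r is not %s" % (claims.get("aud"), RESOURCE))
    missing = [r for r in required_roles if r not in claims.get("roles", [])]
    if missing:
        problems.append("app permission(s) not granted or not admin-consented: %s" % ", ".join(missing))
    return problems


def make_sample_token(claims):
    """CONSTRUCTED unsigned JWT for offline demonstration only; real Azure AD
    tokens are RS256-signed and this script never produces one."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: %s <tenant-id> <client-id>   (the secret is prompted for)" % sys.argv[0])
        sys.exit(2)
    tenant, client = sys.argv[1:]
    secret = getpass.getpass("Client-Secret: ")  # keep it out of shell history and ps
    problems = inspect_token(request_token(tenant, client, secret), tenant, client)
    for p in problems:
        print("PROBLEM:", p)
    print("credentials OK" if not problems else "fix the problems above before saving the connector")
```

Run it with the same Tenant-id and Client-id you will paste into the form; an HTTP 401 from the token endpoint means the secret is wrong or expired, while a token that decodes but lists no roles means the permissions were added to the app but never admin-consented.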