If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
The goal of this guide is to add a new SkyFormation's Office 365 Cloud App Connector to your SkyFormation Platform.
Prerequisites
Mandatory
- Complete the steps detailed at: How to: Create Azure AD Application In Your Office365 Account for SkyFormation Office 365 connector
- For Azure AD events have the AD premium license
- For Exchange ATP events have the ATP license assigned to Office 365 users you want to get ATP events for
- Have the following information available:
() Office 365 tenant ID
() SkyFormation app client ID
() SkyFormation app generated secret ID
- Turn on the Office 365 audit logs recording and auditing
Follow the instructions at:
Turn on the audit log in the Office 365 Security Compliance Center
As mentioned in the above link to enable the Office 365 mailbox audit follow the instructions at:
https://technet.microsoft.com/en-us/library/dn879651.aspx
- Open the following domains are approachable from the SkyFormation machine:
https://*.microsoftonline.com
https://*.microsoft.com
https://*.azure.com
https://*.windows.net
https://*.office.com
https://*.skyformation.net
Optional
a. To get events from your Office 365 Exchange API (e.g. message trace)
() Have a user name and password in Office 365 with the permissions required as stated in
this link: Feature permissions in Exchange Online (See the table at the bottom)
b. To get alerts and events from your Microsoft Cloud App Security (MCAS) service in
case it is supported and enabled in your Office 365 account
() Complete the steps at:
How-to: Setup Microsoft Cloud App Security (MCAS) to allow its events collection
c. To get exposed resources report from OneDrive and Sharepoint services
() have the certificate and private key files ready (see generating X.509 certificate)
Steps
1. Logon to your SkyFormation Platform:
2. Navigate via left navigation panel to "Settings" section
3. Navigate via New Settings left navigation panel to "Accounts" section
4. Click the "Add Account" bottom
5. At the "SELECT SERVICE TO ADD" choose "Office 365 Microsoft"
You will see the below screen:
5. Fill in the following information:
- Account Name
Give this Office 365 a meaningful name for you. This will become your cloud app connector
name displayed in the application and the events sent to external systems as SIEM/Splunk.
e.g. "Office 365 North US production"
- Description
Add and text that describe the cloud app connector.
e.g. "This is our corporate office 365 service used for email, file sharing and more"
- Client-id
The SkyFormation app generated client ID in the prerequisites
e.g. 4e11ab22-6d1c-5077-9d73-f7776d3851e8
- Client-Secret
The SkyFormation app generated secret ID in the prerequisites
e.g. W17FnTeyRWUasdTGBdVeB+A3kASDaYUH0lre+MzuxRT=
- Tenant-id
The Office365 tenant id you got at the prerequisites
e.g. 3d70c501-bb21-1122-9330-c4a25e252086
Exchange Endpoint (Optional)
- Username
This field is required only if you want to get events from the Exchange Admin Reports API.
A user with permissions to communicate with the Exchange Admin Reports APIs
NOTE: This needs the be the email address of the user
e.g. johnd@mycorp.com
- Password
This field is required only if you want to get events from the Exchange Admin Reports API.
e.g. secret
Endpoint Group - MCAS (Optional and only available if MCAS service is enabled)
- Tenant URL
This field is required only if you want to get events from the Exchange Admin Reports API.
A user with permissions to communicate with the Exchange Admin Reports APIs
e.g. johnd
- Token
This field is required only if you want to get events from the Exchange Admin Reports API.
e.g. secret
Endpoint - Exposed Resources
- Certificate
The X.509 certificate.pem file which you generated earlier
- Private-Key
The X.509 key.pem file which you generated earlier
5. Click "SAVE" bottom
6. Make sure the status of the new Office365 connector "STATUS" in the table is OK and green.
Comments
0 comments
Please sign in to leave a comment.