Microsoft Office 365 - Securonix Documentation
Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix. The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2021 Securonix. All rights reserved.

Contact Information

Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649
Revision History

| Release Date | Change History |
|---|---|
| 4/22/2021 | Updated the steps required to integrate with O365. |
| 3/9/2021 | Removed Postman and Console references. |
| 4/30/2020 | New document created. |
Table of Contents

- Introduction
  - About Office 365
  - Supported Collection Method
  - Taxonomy
- Office 365 Integration
- Configuration in SNYPR
- Event Field Mapping
- Event Severity Mapping
- Event Categorization
- Resources
Introduction

This Deployment Guide provides information on how to integrate the following Office 365 applications with SNYPR:

- Azure Active Directory
- SharePoint
- Exchange

About Office 365

The Microsoft Office 365 solution includes various products such as Azure Active Directory, SharePoint, Exchange, Outlook, and Office. Office 365 Exchange is Microsoft's cloud-based email and calendaring application included with the Office 365 suite. At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. Office 365 Exchange logs contain the email exchange logs.

Supported Collection Method

The method of collection is O365.

Taxonomy

The Securonix Open Event Format (OEF) event standard/schema is used. It provides a set of standardized attributes (fields) for consistent representation of logging output from different security and non-security devices and applications. For additional information on the OEF, refer to the Data Dictionary section on the Securonix documentation portal: https://documentation.securonix.com.
Office 365 Integration

Complete the following steps to configure Office 365 to export events to SNYPR.

Integrate O365 for SNYPR

For ingesting logs from Office 365 applications:

1. Log on to the Azure portal as an admin and search for App registrations from the top search bar.
2. Click + New registration.
3. Enter the following information on the Register an application screen:
   - Name: Name of the application. Example: SecuronixConnector.
   - Supported account types: Accounts in this organizational directory only (Single Tenant).
4. Click Register. You will be redirected to the newly created application screen.
5. Copy the Application (client) ID and Directory (tenant) ID. You will need these for API permissions.
6. Click API permissions and click Add a permission.
7. Click Office 365 Management APIs.
8. Select the permissions as shown in the screen below.
9. Click Grant admin consent for [User] to provide admin consent for the changed permissions. The screen displays the confirmation message.
10. Click Certificates and Secrets and click New client secret.
11. Provide the following details when the window appears:
    - Description: Name for the Secret Key. Example: SecuronixSecretKey.
    - Expires: Expiry date of the Secret Key. Example: 1 year.
12. Click the copy icon beside the Value of the client secret to copy it to the clipboard.
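Before entering the Tenant ID, Client ID and client secret into SNYPR, a practical check is to request a token with those three values and confirm that the audience and the admin-consented role are present in its claims. This is an added example, not code from the guide or from Securonix; it assumes the Office 365 Management API resource URI https://manage.office.com and the ActivityFeed.Read application permission (neither is named on the page), and the inspection runs offline on a constructed, unsigned token.

```python
import base64
import json
import urllib.parse

# Assumed (not stated on the page): the Office 365 Management API resource URI
# and the application permission the collector relies on.
MGMT_API_RESOURCE = "https://manage.office.com"
REQUIRED_ROLE = "ActivityFeed.Read"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an OAuth2 client-credentials request to the
    Azure AD v2.0 token endpoint, using the three values SNYPR asks for."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MGMT_API_RESOURCE}/.default",
    }).encode()
    return url, body


def jwt_claims(token):
    """Decode the claims segment of a JWT without verifying the signature
    (inspection of a token you just obtained yourself, nothing more)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token):
    """Return a list of problems; an empty list means the registration has the
    audience and the admin-consented role the collector needs."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("aud") != MGMT_API_RESOURCE:
        problems.append(f"audience {claims.get('aud')!r} is not {MGMT_API_RESOURCE!r}")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing from roles (admin consent not granted?)")
    return problems


def make_unsigned_jwt(claims):
    """Constructed, unsigned token for offline testing (real tokens are signed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_TOKEN = make_unsigned_jwt({"aud": MGMT_API_RESOURCE, "roles": [REQUIRED_ROLE]})
```

To run the live check, POST the body returned by build_token_request to its URL and pass the access_token from the JSON response to check_token.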
Configuration in SNYPR

This section describes how to import data from Office 365 using a premium connector.

Prerequisites for Importing Events from Office 365

SNYPR uses authentication from Azure AD to connect to the Office 365 Management API to import data from Office 365. Ensure you have the following information prior to setting up the connection:

- Tenant ID: The unique global identifier for the Office 365 account. This is different from your tenant name or domain.
- Key (Client Secret): The access token generated by Azure AD.
- Client ID: A value automatically generated by Azure AD when requesting consent from tenant admins to use the Office 365 Management API to connect.

For information about Office 365 accounts, see Supported Datasources or visit your Office 365 Azure Management portal.

To import events from Office 365, complete the following steps:

1. Navigate to Menu > Add Data > Activity.
2. Click + to add a datasource.
3. Select Add Data for Existing Device Type.
4. Click Vendor and select the following:
   - Vendors: Microsoft Corporation.
   - Device Types: Office 365 Exchange API, Office 365 SharePoint, or Office 365 Azure API.
   - Collection Method: Key Value Pair [office 365].
   - Import Using: Select Remote Ingester.

Complete the following steps to configure the connection:

Device Type Information

The following information is populated by the previous step:

a. Functionality: The functionality for the applications is:
   - Microsoft SharePoint: Cloud Content Management System
   - Microsoft Azure: Cloud Authentication/SSO
   - Microsoft Exchange: Email/Email Security
b. Resource Type: Office 365 Exchange API, Office 365 SharePoint, or Office 365 Azure API.
c. Collection Method: Key Value Pair [office 365].
d. Import Using: Select Remote Ingester.

Device Information

1. Complete the following information:
   a. Datasource Name: Office365.
   b. IP Address: Not required.
   c. Specify timezone for activity logs: GMT.

Collection Method

2. Complete the following information:
   a. Application Name: Select the Office 365 application from the dropdown based on the setup. Example: SharePoint, Exchange, or Azure AD.
   b. Tenant ID: Specify the tenant ID.
   c. Key (Client Secret): Specify the access token generated by Azure AD.
   d. Client ID: Specify the client ID value generated by Azure AD.
3. Click Save & Next to proceed to Reviewing Import Summary.

Editing the Connection

To edit the existing Office 365 connection, navigate to Menu > Add Data > Activity and complete one of the following steps:

1. Click the edit icon and proceed to any of the following steps to edit the information:
   - Step 2: Parsing and Normalization
   - Step 3: Performing Conditional Actions
   - Step 4: Configuring Identity Attribution
   Note: For more information, refer to the Data Integration Guide on the SNYPR documentation portal.
2. Click the delete icon to delete the datasource.
Event Field Mapping

This section provides the mapping of the device fields to the corresponding SNYPR fields.

| Office 365 Exchange Field | SNYPR Field |
|---|---|
| Date Time | DateTime |
| Status | Event Outcome |
| Organization | Source Address |
| Sender Address | Account name |
| Message TraceID | Session ID |
| To IP | Destination Address |
| Index | Additional Details |
| End Date | End Time |
| Size | Bytes Out |

Event Severity Mapping

This section provides the SNYPR category severity fields that are mapped to the severity fields in the device.

| Category Severity | Device Severity |
|---|---|
| Alert | Very high: 0,1 |
| Criticality | High: 2,3 |
| Warning | Medium: 4,5 |
| Info | Low: 6,7 |
Event Categorization

The following rules are used to categorize the events for this datasource.

| Category Rule | Category Object | Device Severity | Behavior |
|---|---|---|---|
| Status= Delivered | Email Communication | | Success |

Sample Line Filters

The Office 365 Exchange data is a delimited data file extracted from the API. The file is a single line filter where the specified delimiter is ( " | " or " ,").

Resources

https://docs.microsoft.com/en-us/exchange/recipients/create-user-mailboxes?view=exchserver-2019
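As an added illustration (not code from the guide or from Securonix), the following applies the Event Field Mapping and Event Severity Mapping tables and the "|" or "," delimiter rule above to constructed sample records. The column order of the export is an assumption, since the page does not state one.

```python
import csv
import io

# Device field -> SNYPR field, copied from the Event Field Mapping table above.
FIELD_MAP = {
    "Date Time": "DateTime",
    "Status": "Event Outcome",
    "Organization": "Source Address",
    "Sender Address": "Account name",
    "Message TraceID": "Session ID",
    "To IP": "Destination Address",
    "Index": "Additional Details",
    "End Date": "End Time",
    "Size": "Bytes Out",
}
# Device severity value -> SNYPR category severity, from the Event Severity Mapping table.
SEVERITY_MAP = {0: "Alert", 1: "Alert", 2: "Criticality", 3: "Criticality",
                4: "Warning", 5: "Warning", 6: "Info", 7: "Info"}
# Assumed column order of the delimited export (the page does not state one).
COLUMNS = list(FIELD_MAP)

# Constructed sample records: one "|"-delimited, one ","-delimited with a quoted field.
SAMPLE_LINES = [
    "2021-04-22 10:15:00|Delivered|contoso.example|alice@contoso.example|trace-0001"
    "|203.0.113.10|1|2021-04-22 10:15:03|1048576",
    '2021-04-22 10:16:00,Failed,contoso.example,"bob@contoso.example",trace-0002,'
    "198.51.100.7,2,2021-04-22 10:16:01,2048",
]


def split_line(line):
    """Split one record on the delimiter the guide allows ('|' or ',')."""
    delim = "|" if "|" in line else ","
    return next(csv.reader(io.StringIO(line), delimiter=delim))


def normalize(line):
    """Map one exported record onto SNYPR field names; Bytes Out becomes an int."""
    values = split_line(line)
    if len(values) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(values)}")
    record = {FIELD_MAP[col]: val for col, val in zip(COLUMNS, values)}
    record["Bytes Out"] = int(record["Bytes Out"])
    return record


def category_severity(device_severity):
    """Translate a device severity (0-7) to the SNYPR category severity."""
    try:
        return SEVERITY_MAP[int(device_severity)]
    except (KeyError, ValueError):
        raise ValueError(f"device severity {device_severity!r} is outside 0-7") from None
```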