Tech Note-Office 365 Securlet - Symantec CloudSOC Tech Note - Broadcom
Tech Note--Office 365 Securlet
Copyright statement
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
Copyright © 2020 Symantec Corp.
Table of Contents
Introduction
Prerequisites
Scanning scope
Enabling the Office 365 Securlet
Enabling the Securlet for additional Office 365 accounts
Troubleshooting
Office 365 DvNext deployments
User impersonation error
Supported activities
Outlook (Exchange) events
Sharepoint (Sites) events
OneDrive events
Admin activities
Azure AD
Exchange
Sharepoint/OneDrive
Mailbox audit logging events
APIs used
Remediation options
Revision history
Introduction
This tech note describes how to set up the Office 365 Securlet™ on CloudSOC™. The Securlet for a SaaS application lets CloudSOC obtain user activity data and user information. CloudSOC uses this information to auto-import users from the SaaS application.
The Office 365 Securlet offers the flexibility to secure just OneDrive for Business or OneDrive for
Business and Outlook Mail. If you are interested in securing Outlook Mail in addition to OneDrive,
contact your CloudSOC account representative to enable this feature.
The Office 365 Securlet:
● Imports your users from Azure AD.
● Obtains activity data for specified OneDrive users.
● Scans emails of specified Outlook Mail and Exchange users.
Note: When you subscribe to the Office 365 Securlet, it comes bundled with the Yammer
Securlet. However, you must activate the two Securlets separately. See the CloudSOC Tech Note
Yammer Securlet for more information.
Prerequisites
To activate the Office 365 Securlet on your CloudSOC account:
● You must have SysAdmin privileges for your CloudSOC account.
● You must have an Office 365 Enterprise account.
● You must have Global Administrator privileges for your Office 365 account.
● The email address you use as the username for the administrator login on your Office 365
account must be exactly the same as the email address that you use as your CloudSOC
username. Furthermore, this email address must be within the primary or secondary
domains listed for your CloudSOC account. To confirm, log in to CloudSOC, go to the gear
icon in the top right corner, then to General, and check your domains as shown in the
following.
If necessary, contact Symantec Support via MySymantec to add additional secondary
domains.
Note: We recommend that you contact your CloudSOC representative and have them enable
the onmicrosoft.com domain that matches your office365.com domain as a secondary domain on
your CloudSOC account. For example, if your Office 365 domain is mycompany.office365.com,
ask your representative to enable mycompany.onmicrosoft.com as a secondary domain. We
have found that many customers who subscribe to the Office 365 Securlet are unaware that
some of their users have primary email addresses within the onmicrosoft.com domain. The
Office 365 Securlet does not track these users' activities unless you have onmicrosoft.com added
as a secondary domain.
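The domain check described in this prerequisite, as an added example that is not part of the tech note or of CloudSOC itself: it compares the Office 365 admin login and a list of user principal names against the primary/secondary domains configured on the CloudSOC account and reports users the Securlet would not track (typically those on the tenant's onmicrosoft.com domain). All addresses and domain names in it are constructed placeholders.

```python
# Added example (not from the tech note or CloudSOC): finds Office 365 users whose
# primary address lies outside the domains listed on a CloudSOC account, since the
# tech note says the Securlet does not track such users, and checks that the
# admin login used for activation is itself inside those domains.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CoverageReport:
    admin_covered: bool
    uncovered_users: list[str] = field(default_factory=list)
    uncovered_domains: set[str] = field(default_factory=set)


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ("" if malformed)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def check_coverage(admin_email: str, cloudsoc_domains: list[str],
                   user_emails: list[str]) -> CoverageReport:
    """Compare the admin login and user list against the CloudSOC domain list.

    A user whose address is outside every listed domain is reported as untracked;
    the domains involved are collected so they can be requested as secondary domains.
    """
    allowed = {d.strip().lower().lstrip("@") for d in cloudsoc_domains if d.strip()}
    report = CoverageReport(admin_covered=email_domain(admin_email) in allowed)
    for upn in user_emails:
        dom = email_domain(upn)
        if dom not in allowed:
            report.uncovered_users.append(upn)
            if dom:  # malformed entries are listed but yield no domain to add
                report.uncovered_domains.add(dom)
    return report


def suggested_secondary_domains(report: CoverageReport) -> list[str]:
    """Domains to ask the CloudSOC representative to add, onmicrosoft.com first."""
    return sorted(report.uncovered_domains,
                  key=lambda d: (not d.endswith(".onmicrosoft.com"), d))


# Constructed sample data: one primary and one secondary CloudSOC domain, and a
# handful of Office 365 users; every address here is a placeholder.
CLOUDSOC_DOMAINS = ["mycompany.co", "mycompany-corp.co"]
ADMIN_LOGIN = "o365_admin@mycompany.co"
OFFICE365_USERS = [
    "alice@mycompany.co",
    "bob@mycompany-corp.co",
    "svc_mailbox@mycompany.onmicrosoft.com",
    "temp_contractor@mycompany.onmicrosoft.com",
    "not-an-address",
]

if __name__ == "__main__":
    rep = check_coverage(ADMIN_LOGIN, CLOUDSOC_DOMAINS, OFFICE365_USERS)
    print("admin login covered:", rep.admin_covered)
    for u in rep.uncovered_users:
        print("NOT TRACKED by the Securlet:", u)
    print("ask to add as secondary domains:", suggested_secondary_domains(rep))
```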
Scanning scope
The Office 365 Securlet tracks and reports user activity as described in Supported activities, and
uses ContentIQ to scan the following content for risks and other profile matches:
App and content scanned:
Outlook: Content in emails, including subject line and attachments, in all folders except Drafts
OneDrive: All files and folders
Sharepoint: All files and folders in document libraries
Teams: Files and Wiki pages (but not Conversation messages)
NOTE: There is not a separate Securlet for Microsoft Teams. The documents shared using Microsoft Teams are stored on their respective sites, and are scanned during site scanning by default.
Groups: Documents saved within each Office 365 Group
In order to ensure fast turnaround for the documents of greatest concern, we limit the scope of
the content being scanned. We also apply slightly different scanning criteria to paid customers
versus trial customers.
The following table describes the scanning scopes for trial and paid customers.
First scan
  Emails scanned: Emails less than 30 days old
  Files scanned: Paid customers: all files. Trial customers: all exposed files (no time limit), and unexposed files less than 30 days old
"Re-scan Content" from Securlet dashboard
  Emails scanned: Emails exposed within last 30 days
  Files scanned: All exposed files
On-demand re-scan from file details panel
  Emails scanned: Selected email
  Files scanned: Selected file
Scan due to end-user adds/edits
  Emails scanned: All emails
  Files scanned: All new docs and all edited docs
Enabling the Office 365 Securlet
This section describes how to enable the Office 365 Securlet for a single Office 365 account. If
you want to enable the Office 365 Securlet for multiple Office 365 accounts, follow this
procedure to activate the Office 365 Securlet for the first account, then use the procedure in
Enabling the Securlet for additional Office 365 accounts.
1. Log in to CloudSOC using your administrator credentials.
2. Go to the CloudSOC Store by clicking on Store in the left side navigation bar.
3. In the Store, scroll down to the Securlets area and locate the tile for the Office 365
Securlet.
4. On the entry for Office, click Details.
5. On the page about the Office 365 Securlet, click Enable.
CloudSOC sends an activation request to the CloudSOC team for the Office 365 Securlet.
The label on the Enable button changes to “Request Pending.”
When the CloudSOC team approves the activation request, the button label changes
again to “Activate.” During weekday business hours Pacific time, activation usually takes
about 20 minutes. Contact your CloudSOC representative if the activation takes unusually
long.
6. Click Activate.
CloudSOC prompts you to select either a full or selective scan of your Office 365 account
users and folders.
7. Select one option and click Activate Securlet as shown in the following.
8. For Office 365 Tenant ID, enter the Tenant ID shown on your Office 365 Profile page.
9. For Account Name, enter the name you want to use to identify this account within the
CloudSOC apps. Use this feature to tell your accounts apart if you register multiple Office
365 accounts as described in Enabling the Securlet for additional Office 365 accounts.
10. If you want CloudSOC to import all your Office 365 users with Active status, mark the
"Import as active users" checkbox as shown in the following. Otherwise, the users'
statuses are automatically set to Inactive, and you must manually change them to Active
later. Inactive users cannot access SaaS apps through the CloudSOC gateway.
11. If you have custom URLs for your OneDrive, Mail, and Sites:
a. Mark the Use custom endpoints checkbox. The page shows the custom URLs
options.
b. In the OneDrive URL box, enter your custom OneDrive URL.
c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on
an Office 365 account for which mail is your only service (no Sites and no
OneDrive). Otherwise, enter the URL for the OneDrive admin's workspace. This is
where CloudSOC moves or copies files that are quarantined by the Protect app
Preserve Content feature.
Note: Do not mark the ACS auth checkbox unless you are so instructed by
Symantec Support. See Troubleshooting for more information.
d. Mark the Mail and Sites checkboxes as appropriate to select the Office 365 apps
to secure. Which check boxes are available might depend on your service
agreement with CloudSOC. Contact your CloudSOC representative for details.
e. Enter your custom URLs for Mail and Sites as appropriate.
12. If you do not have custom URLs as described in the preceding:
a. Make sure the Use custom endpoints checkbox is clear (not checked).
b. Type your Office 365 domain in the Sub Domain box. If you are uncertain what
your domain is, open your Office 365 Admin Center (https://portal.office.com) and
select Admin, and then select Sharepoint. The domain looks something like
“https://subdomain-my.sharepoint.com”.
If you have more than one Office 365 domain, contact your CloudSOC
representative to have the additional domains added as secondary domains on
your CloudSOC account.
c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on
an Office 365 account for which mail is your only service (no Sites and no
OneDrive). Otherwise, enter the URL for the OneDrive admin's workspace. This is
where CloudSOC moves or copies files that are quarantined by the Protect app
Preserve Content feature.
d. Mark the Mail and Sites checkboxes as appropriate to select the Office 365 apps
to secure. Which checkboxes are available might depend on your service
agreement with CloudSOC. Contact your CloudSOC representative for details.
13. If you marked the Sites checkbox, enter your Office 365 login credentials in the
Username and Password boxes, then click Import Sites as shown in the following.
CloudSOC uses the credentials only to retrieve the top-level sites. It then discards the
credentials without storing them.
Note: CloudSOC does not support SSO for importing top level sites.
14. (Optional) To import your Sites from a CSV format file, click the Select CSV file to upload
box, or drag a CSV file into the box, then click Import via CSV.
Note: The CSV file must list the sites with their full URLs but without trailing slashes, as
shown in the following.
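A pre-upload check for the CSV site list, as an added example (not the tech note's or CloudSOC's own tooling): it normalises each row into the full-URL, no-trailing-slash form the note requires and reports rows that are not full URLs. It assumes one site URL per row and that SharePoint Online sites are https; the sample CSV and the tenant name "subdomain" are constructed.

```python
# Added example (not from the tech note or CloudSOC): validates and normalises a
# site list before it is uploaded with "Import via CSV". Assumptions: one URL per
# CSV row, https scheme required (SharePoint Online), no query or fragment.
from __future__ import annotations

import csv
import io
from urllib.parse import urlsplit


def normalise_site_url(raw: str) -> str | None:
    """Return the URL in the form the import expects, or None if it is not a full URL."""
    url = raw.strip()
    if not url:
        return None
    parts = urlsplit(url)
    # A full URL needs a scheme and a host; bare hostnames or paths are rejected.
    if parts.scheme.lower() != "https" or not parts.netloc:
        return None
    if parts.query or parts.fragment:
        return None
    path = parts.path.rstrip("/")  # drop the trailing slash the importer rejects
    return f"https://{parts.netloc.lower()}{path}"


def prepare_site_csv(csv_text: str) -> tuple[list[str], list[tuple[int, str]]]:
    """Read a CSV site list; return (clean URLs in order, [(row number, bad value), ...]).

    Blank rows are skipped and duplicate sites are emitted once.
    """
    good: list[str] = []
    seen: set[str] = set()
    bad: list[tuple[int, str]] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or not any(cell.strip() for cell in row):
            continue
        cleaned = normalise_site_url(row[0])
        if cleaned is None:
            bad.append((lineno, row[0]))
        elif cleaned not in seen:
            seen.add(cleaned)
            good.append(cleaned)
    return good, bad


# Constructed sample CSV: a trailing slash, a bare hostname, a blank row,
# a duplicate and an http URL, to exercise each rule above.
SAMPLE_CSV = """https://subdomain.sharepoint.com/sites/finance/
https://subdomain.sharepoint.com/sites/hr
subdomain.sharepoint.com/sites/legal

https://subdomain.sharepoint.com/sites/finance
http://subdomain.sharepoint.com/sites/engineering
"""

if __name__ == "__main__":
    sites, errors = prepare_site_csv(SAMPLE_CSV)
    print("\n".join(sites))  # this is the content to upload
    for line, value in errors:
        print(f"row {line}: not a full https URL: {value!r}")
```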
15. Click Save.
16. CloudSOC redirects you to the Office 365 login page.
Note: If the Save button is disabled (grayed out), it might mean that CloudSOC did not
properly grant you access to the Office 365 Securlet. Contact your CloudSOC
representative if this happens.
17. Log in to Office 365 using your Office 365 global administrator username and password.
Office 365 prompts you to grant CloudSOC permission to access your Office 365
resources.
18. Click Accept to grant access to all requested resources.
19. If you chose Selective Scan in Step 7, use the tools on the Define Scan Policies dialog box
to create granular scan policies that scan only specific users or groups, or exclude
specific users or groups from Securlet scanning:
a. Use the Policy Type buttons to select whether the Securlet scans only the items
described in the policy, or scans everything except the described items.
b. Use the Users menu to select which groups and users are included or excluded as
shown in the following.
c. Use the Folders menu to select which folders are included or excluded as shown
in the following. To add a folder, select Specific folders matching keywords and
then enter a full or partial folder name.
d. Click Add Rule near the bottom of the box to add additional user, group, or folder
rules to the scan policy.
e. Click Start Scan.
You have completed the Securlet setup for Office 365. CloudSOC starts scanning your
Office 365 resources, and redirects you to the Office 365 Securlet dashboard in
CloudSOC. For more information, see our Tech Note Using the Securlet Dashboards.
Enabling the Securlet for additional Office 365 accounts
If you want to enable the Office 365 Securlet for more than one Office 365 account, first use the
procedure in Enabling the Office 365 Securlet to enable the Securlet for the first account. Then
use the following procedure to enable the Securlet for additional Office 365 accounts.
1. In the CloudSOC Store, click the tile for the Office 365 Securlet.
2. Click Configure, and from the Account information menu, select Register New Account as
shown in the following.
3. Fill in the information as shown in the following. For Account Name, enter the name you
want to use to identify this account within the CloudSOC apps.
4. Click Register Account and follow the prompts to complete the registration.
Troubleshooting
Office 365 DvNext deployments
If you know you have a DvNext Office 365 deployment and the Securlet activation fails, contact
Symantec Support via MySymantec for special installation guidance. They might instruct you to
use the ACS auth option and also do additional configuration and provisioning to authorize
CloudSOC to access your Office 365 resources.
User impersonation error
Problem: Securlet activation fails with the following error:
Another user from your domain has already signed up for Elastica service. OR you are not an
active administator of that Elastica Account. Please contact the Elastica support team at
support@elastica.net
Why this happens: This error usually occurs because you tried to activate the Securlet
while logged in to CloudSOC and Office 365 with identities at different domains.
CloudSOC disallows this scenario in order to thwart user impersonation exploits.
Solution: If the admin account you used to authorize CloudSOC on Office 365 is, say,
o365_admin@mycompany.co, make sure that a user with the same email exists in CloudSOC’s
user database and has administrator privileges.
If the problem persists, log into CloudSOC and double-check the email address configured for
your administrator account. The domain for this account must match the sub domain that you
enter when activating the Office 365 Securlet.
Supported activities
The following tables list all of the objects and activities that are tracked by the CloudSOC Office
365 Securlet.
Note: Certain admin activities such as user login events are not reported in real time. Notification
may lag behind the event by 6 to 12 hours (in some cases up to 24 hours), subject to availability
from Microsoft. For a full list of admin activities, see Admin activities.
If you select selective scan during Securlet activation, the Securlet processes activities for
OneDrive, Sharepoint and Mail only for the users within the scope of the selective scan.
However, the Securlet receives and reports on Azure AD activities (for example, user logins) for
all the users, even the ones not within the scope of the selective scan.
Outlook (Exchange) events
Object and activities:
Email_File_Attachment
  received
  sent
Email_Message
  deleted
  received
  sent
Sharepoint (Sites) events
Object and activities:
File/Folder
  Delete
  Edit
  Move
  MoveAway Object (doc moved from one list to another)
  MoveInto Object (doc moved from one list to another)
  Rename
  Restore
  ScopeAdd
  ScopeDelete
  Share
  Unshare
  Upload
List
  Add
  Delete
  Edit
  Restore
  ScopeAdd
  ScopeDelete
  Share
  Unshare
Site
  GroupSiteCreated
  ScopeAdd
  ScopeDelete
  Share
  SiteCollectionCreated
  SiteCollectionDeleted
  Unshare
  SubSiteCreated
  SubSiteDeleted
User
  Add (adding access request on a file for a user)
Note: The SubSiteDeleted event does not report the correct time for the deletion event. It reports
the event as having happened at the time it was recorded, not when it actually occurred.
OneDrive events
Object and activities:
File/Folder
  Delete
  Edit
  Move
  Rename
  Restore
  ScopeAdd (breaking inheritance chain of permissions)
  ScopeDelete (restoring/reverting to the inherited permissions)
  Share
  Unshare
  Upload
List
  Edit
  ScopeAdd
  ScopeDelete
  Share
  Unshare
Site
  ScopeAdd
  ScopeDelete
  Share
  Unshare
User
  Add (adding access request on a file for a user)
Admin activities
The following subsections describe admin activities for Office 365 apps:
● Azure AD
● Exchange
● Sharepoint/OneDrive
Note: The events in these sections are not reported in real time. Notification may lag behind the
event by 6 to 12 hours (in some cases up to 24 hours), subject to availability. The historic data
reported by the Securlet is limited to the 24 hours prior to when you activated the Securlet.
Azure AD
Object and activities:
Group
  Add group
  Delete group
  Update group
User
  Add member to group
  Add member to role
  Add user
  Change user license
  Change user password
  Delete user
  InvalidLogin
  Login
  Remove member from group
  Remove member from role
  Reset user password
  Restore user
  Update user
Exchange
Object and activities:
Group
  New-DynamicDistributionGroup
  Remove-DistributionGroup
  Set-DistributionGroup
  Set-DynamicDistributionGroup
  Update-DistributionGroupMember
User
  Add-MailboxPermission
  Add-RecipientPermission
  Set-Mailbox
Sharepoint/OneDrive
Object, activities and notes:
File
  Download
  Note: Supported for both OneDrive and Sharepoint Sites feature.
File/Folder
  Delete
  Edit
  Move
  Rename
  Restore
  Share (public only)
  Unshare (public only)
  Upload
  Note: Although these events are logged via the Main API, we do capture these events under specific scenarios via the Management activity API (for both OneDrive and Sites).
Group
  GroupAdded
  GroupRemoved
  GroupUpdated
Site
  SiteAdminChangeRequest
  SiteCollectionAdminAdded
  SiteCollectionCreated
  SitePermissionsModified
User
  AddedToGroup
  RemovedFromGroup
  UserAddedToGroup
  UserRemovedFromGroup
Mailbox audit logging events
The Office 365 Securlet reports the following Exchange events when Mailbox audit logging is
enabled in Office 365:
Event and description:
Add-MailboxPermission: When a new permission is added to a user’s mailbox, such as SendAs
FolderBind: When a delegated user accesses a folder
MailboxLogin: When a user logs in to their own mailbox
MessageBind: When a delegated user opens an email
Remove-MailboxPermission: When a permission is removed from a user’s mailbox, such as SendAs
SendAs: When a user sends an email as another user
SendOnBehalf: When a user sends an email on behalf of another user
For more information about enabling Mailbox audit logging in Exchange 2016, see this Microsoft
TechNet article:
https://technet.microsoft.com/en-us/library/ff459237(v=exchg.160).aspx
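A triage pass over the mailbox audit events listed above, as an added example that is not part of the tech note, CloudSOC or Microsoft's tooling: it separates a mailbox owner's own activity from delegate and admin access and permission changes, which is what these events are enabled to surface. The record layout (Operation, LogonType, MailboxOwnerUPN, UserId) and the LogonType meanings (0 owner, 1 admin, 2 delegate) are assumptions about the Exchange mailbox audit record, and the records themselves are constructed samples.

```python
# Added example (not from the tech note, CloudSOC or Microsoft): triages mailbox
# audit records for the events the tech note lists. Field names and LogonType
# values are assumed from the Exchange mailbox audit record layout; the sample
# records below are constructed, not real log output.
from __future__ import annotations

from collections import Counter

# Events the tech note says the Securlet reports when mailbox audit logging is on.
REPORTED_EVENTS = {
    "Add-MailboxPermission", "FolderBind", "MailboxLogin", "MessageBind",
    "Remove-MailboxPermission", "SendAs", "SendOnBehalf",
}
# Events that mean someone other than the owner read from or sent from the mailbox.
NON_OWNER_ACCESS = {"FolderBind", "MessageBind", "SendAs", "SendOnBehalf"}
# Assumed LogonType encoding: 0 = Owner, 1 = Admin, 2 = Delegate.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}


def classify(record: dict) -> str | None:
    """Return a finding label for one audit record, or None if nothing stands out."""
    op = record.get("Operation", "")
    if op not in REPORTED_EVENTS:
        return None
    logon = LOGON_TYPES.get(record.get("LogonType"), "Unknown")
    actor = (record.get("UserId") or "").lower()
    owner = (record.get("MailboxOwnerUPN") or "").lower()
    if op in {"Add-MailboxPermission", "Remove-MailboxPermission"}:
        # Permission changes matter regardless of who made them.
        return f"permission change on {owner}: {op} by {actor}"
    if op in NON_OWNER_ACCESS and (logon != "Owner" or actor != owner):
        return f"{logon.lower()} access to {owner}: {op} by {actor}"
    return None  # owner activity on their own mailbox


def triage(records: list[dict]) -> tuple[list[str], Counter]:
    """Run classify() over all records; return (findings, per-operation counts)."""
    counts = Counter(r.get("Operation", "") for r in records)
    findings = [f for r in records if (f := classify(r)) is not None]
    return findings, counts


# Constructed sample records; all addresses are placeholders.
SAMPLE_RECORDS = [
    {"Operation": "MailboxLogin", "LogonType": 0, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "alice@mycompany.co"},
    {"Operation": "FolderBind", "LogonType": 2, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "bob@mycompany.co"},
    {"Operation": "SendAs", "LogonType": 2, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "bob@mycompany.co"},
    {"Operation": "Add-MailboxPermission", "LogonType": 1, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "o365_admin@mycompany.co"},
    {"Operation": "MessageBind", "LogonType": 0, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "alice@mycompany.co"},
    {"Operation": "Set-Mailbox", "LogonType": 1, "MailboxOwnerUPN": "alice@mycompany.co", "UserId": "o365_admin@mycompany.co"},
]

if __name__ == "__main__":
    found, per_op = triage(SAMPLE_RECORDS)
    for line in found:
        print(line)
    print(dict(per_op))
```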
APIs used
The following table describes the Office 365 APIs used by the CloudSOC Securlet.
Microsoft Graph API: Retrieval of users and groups. Reference: http://graph.microsoft.io/docs
Outlook Mail REST API: Retrieve and remediate emails. Reference: https://msdn.microsoft.com/office/office365/APi/mail-rest-operations
Office 365 Management Activity API: Retrieve top level sites. Reference: https://msdn.microsoft.com/library/office/mt227394.aspx
SharePoint REST Service: Retrieve documents from OneDrive and Sharepoint Sites, and remediate. Reference: https://msdn.microsoft.com/library/office/fp142380.aspx
Remediation options
When you configure Data Exposure via Securlets policies for Office 365 in the CloudSOC Protect
app, you can select the following remediation options:
Office 365 OneDrive
Change Access settings
File Access--Changes access settings for the file. Select one of the following:
Update File Permissions--Changes permissions for the file. Mark the checkbox to see
available settings.
Remove Link--Removes the link from the file, rendering it unshared.
Collaborator Access--Changes collaborator access privileges. Some choices are logically
exclusive of others.
Remove Collaborator--Removes collaborator privileges.
Delete Unique Permissions--Removes unique permissions from the user.
Update Collaborator Permissions/access--Sets collaborator role to that selected.
Mark the checkbox to see available settings.
Preserve Content settings--Select any of:
No Action--Leaves the file in its original location.
Copy--Creates a copy of the file in the admin's Office 365 workspace.
Move--Removes all sharing properties from the file, makes your Office 365 account admin
the file owner, and moves the file to the admin's Office 365 workspace.
Move with tombstone--Takes the actions described in Move, and also creates a text file
replacement that contains information about the move.
Office 365 Mail
Access--Changes access settings for the email:
Delete email--Mark the checkbox to move the email to the Deleted Items folder.
Before using the Preserve Content remediation features, you must specify the admin's OneDrive URL in the Securlet configuration. In the CloudSOC Store, click the tile for the Office 365 Securlet and then click Configure. On the Configure Securlet page, enter the admin's OneDrive URL as shown in the following, then click Save.
See the CloudSOC Tech Note Using the Protect App for more information about using remediation features and configuring Protect policies.
Revision history
Date, version and description:
10 July 2015 to 10 October 2016 (1.0-1.11): Initial release and minor changes
21 October 2016 (2.0): Update activation workflow, add Preserve Content remediation options
9 November 2016 (2.1): Add admin login domain prerequisite
23 November 2016 (2.2): Update Outlook events table
2 December 2016 (2.3): Update scan policies steps
3 February 2017 (2.4): Update Outlook events, add note about historic data
10 February 2017 (2.5): Update time lag info
2 March 2017 (2.6): Minor changes to screen captures
22 March 2017 (3.0): Address mail-only activation and admin workspace for Preserve Content feature, update scanning scope section
8 June 2017 (3.1): Add file download as Outlook activity, add information about bundle with Yammer Securlet
12 June 2017 (3.2): Add admin login email prerequisite
26 June 2017 (3.3): Clarify Office 365 global administrator privileges
7 July 2017 (3.4): Add email subject line to scanning scope
28 August 2017 (3.5): Clarify that email scanning applies to all folders except Drafts
14 September 2017 (4.0): Move scanning scope to beginning, add Teams and Office 365 Groups, update activities tables
18 December 2017 (4.1): Remove reference to user logout as a delayed activity
13 February 2018 (4.2): Remove Email_Message/Email_File_Attachment saved activity, address redundant prerequisites
9 March 2018 (4.3): Add mailbox audit logging events
16 May 2018 (4.4): Minor changes and formatting updates
23 May 2018 (4.5): Update support references
14 November 2018 (4.6): Change "Scan now" to "Re-scan content"
14 January 2019 (4.7): Clarify scanning scope
14 February 2019 (4.8): Update scanning scope
12 February 2020 (4.9): Added note that CloudSOC does not support SSO for importing top level sites. Updated list of permissions required by CloudSOC to access Office 365 resources.