Key considerations to include:
Why should I enable it
How do I enable it
Once it is enabled, how do I use the data for security
Purpose
An analyst wants to detect
...
malicious behavior in
...
Microsoft 365 related tools. Using the Microsoft 365 API collector to send
...
activity logs to Devo, the analyst will find
...
unauthorized accesses to organization resources. As a result, the analyst will
...
detect and neutralize intruders access attempts, preventing them from disrupting private network services.
Prerequisites
Office 365 subscription
Azure subscription associated with your Office 365 subscription.
Data sources
...
Data source
...
Security Purpose
...
API endpoint
Example Tables
Devo table |
|---|
...
Active Directory
...
Audit.AzureActiveDirectory
...
azure_active_directory
...
Description |
|---|
|
...
Sharepoint
...
Audit.Sharepoint
This table collects logs generated by the Microsoft Entra ID services. |
|
...
This table collects logs generated by the Sharepoint tool. | |
|
...
Exchange
...
Audit.Exchange
This table collects logs generated by the OneDrive service. |
|
...
General Audit
...
Audit.General
...
general_audit
Authorize It
...
This table collects logs generated by the Exchange email service. |
|
...
DLP
...
DLP.All
...
dlp
...
Any table listed above
...
URI Retry
| Note |
|---|
This service is mandatory for retrying any URI that failed from any service. |
...
-
...
uri_retry
...
Any service above.
This union table allows perform general auditing over the tables whose 3 first levels fit with this one. Check the list of tables |
Authorize It
Register your application in Microsoft Entra ID
Register Devo application in Microsoft Entra ID from the Azure
...
Get Office 365 tenant admin consent.
...
Request access tokens from Microsoft Entra ID.
...
Call the Office 365 Management APIs
Get Microsoft OAuth authentication credentials:
Directory (tenant) ID
Application (client) ID
Client secret value
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
| Info |
|---|
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details. |
...
Setting
...
Details
...
tenant_id
...
The Azure application tenant ID
...
client_id
...
The Azure application client ID
...
client_secret
...
portal:
Access Microsoft Entra ID(1) > App registration(2) > New registration(3).
On the Register an application page:
Assign a name for the application. Ex:
devo_integrationDefine application use and API access
Redirect URI field can be left blank.
Click “Register” button.
| Note |
|---|
Make note of the Client ID and Tenant ID generated during this registration process. |
Generate a new key for the application
To exchange an authorization code for an access tokens you need to generate keys (
client_secrets):Access Azure portal Microsoft Entra ID > App registrations > Application
Upload certificates(1) and create a new key(2) by accessing Certificates & secrets(3)> New client secret(4)specifying the key description and duration(5).
Click “Add” button(6).
Go to Client secrets(7-8) to copy the client secret value to the clipboard(9).
Specify the permissions required to access the Office 365 Management APIs
From Azure portal, go to App registrations>All applications select the application and the API permissions>Add a permission to display the Request API permission.
On the Microsoft APIs tab, select Office 365 Management APIs.
Select the Application permissions type.
Enable permissions:
Read activity data from your organization.
Read service health information from your organization.
Read DLP policy events including detected sensitive data (only if pulling
DLP.Allfrom Management Activity).
Select Add permissions.
Get Office 365 tenant admin consent
The tenant admin must sign in to Microsoft Entra ID by using the following specially constructed URL, to review the application's requested permissions. This step is not required when using the APIs to access data from your own tenant.
HTTP
Code Block https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fmanage.office.com&client_id={your_client_id}&redirect_uri={your_redirect_url }The redirect URL must match or be a sub-path under one of the Reply URLs configured for your application in Microsoft Entra ID.
Accept and use the authorization code from the page to access and store the Tenant ID.
| Code Block |
|---|
http://www.mycompany.com/myapp/?code=AAABAAAAvPM1KaPlrEqdFSB... |
Request access tokens from Microsoft Entra ID
After admin grants consent, the application receives an authorization code as a query string parameter and redirects to the designated URL.
The application will make an HTTP REST POST to Entra ID to exchange the authorization code for an access token.
The access token return a JWT token. Extract the tenant ID “tid“ fromt the token an store to be used ro request additional access tokens.
Request an access token by using client credentials
Now, you can make service-to-service calls which require using an X.509 certificate to create client assertion in the form of a base64-encoded, SHA256 signed JWT bearer token (See JSON example).
| Code Block |
|---|
HEADER:
{
"alg": "RS256",
"x5t": "{thumbprint of your X.509 certificate used to sign the token",
}
PAYLOAD:
{
"aud": "https://login.windows.net/{tenantid}/oauth2/token",
"iss": "{your app client ID}",
"sub": "{your app client ID}",
"jti": "{random GUID}",
"nbf": "{epoch time, before which the token is not valid}",
"exp": "{epoch time, after which the token is not valid}"
}
|
Run It
In the Cloud Collector App, create a Microsoft 365 collector instance using this parameters template, replacing the values enclosed in < >.
| Code Block |
|---|
{ "inputs": { " |
...
office365": { "id": " |
...
<short_ |
...
unique_id", "enabled": true, " |
...
credentials": { " |
...
client_ |
...
id": |
...
"<client_id_value>", |
...
"tenant_id": "<tenant_id_value>", |
...
"client_secret": "<secret_value>" }, "services": { "azure_active_directory": { " |
...
start_ |
...
time_ |
...
in_ |
...
utc": " |
...
<start_time_in_utc_value>", " |
...
override_ |
...
tag": " |
...
<override_tag_ |
...
value>" |
...
, |
...
|
...
"override_bloom_filter_size": " |
...
<override_bloom_filter_size_value>", " |
...
override_bloom_filter_buffer_size": " |
...
<override_bloom_filter_buffer_size_value>" }, } } } } } |
Secure It
Microsoft 365 logs work with these Exchange Activeboards:
Devo provides compatible Alert packs:
Monitor It
Create an
...
each alert to detect interruptions of transfer of data from the source to the
...
Microsoft 365 Management API using the query
| Code Block |
|---|
from |
...
devo.collectors.out where toktains( |
...
msg,"collector |
...
failed Connection closed by server."), |
...
toktains(collector_image," |
...
office365") group every 5m by collector_name, job_id select count() as |
...
messages_unsuccessfully_ |
...
processed |
Set the
...
each alert to keep track of the
...
messages_unsuccessfully_processed ever 5n minutes.