These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Microsoft 365 | cloud.office365 | cloud.office365 |
| Microsoft 365 Azure Active Directory | cloud.office365.aad | cloud.office365.aad |
| Microsoft Defender for Cloud Apps alerts | cloud.office365.cloud_apps.alerts | cloud.office365.cloud_apps.alerts |
| Microsoft 365 Data Loss Prevention | cloud.office365.dlp | cloud.office365.dlp |
| Microsoft Defender for Endpoint alerts | cloud.office365.endpoint.alerts | cloud.office365.endpoint.alerts |
| Microsoft 365 Exchange | cloud.office365.exchange | cloud.office365.exchange |
| Microsoft 365 Identity Alerts | cloud.office365.identity.alerts | cloud.office365.identity.alerts |
| Microsoft 365 management | cloud.office365.management | cloud.office365.management |
| | cloud.office365.management_all | cloud.office365.management_all (union table, see note below) |
| | cloud.office365.management.aip | cloud.office365.management.aip |
| | cloud.office365.management.airinvestigation | cloud.office365.management.airinvestigation |
| | cloud.office365.management.appgovernance | cloud.office365.management.appgovernance |
| | cloud.office365.management.azureactivedirectory | cloud.office365.management.azureactivedirectory |
| | cloud.office365.management.cca | cloud.office365.management.cca |
| | cloud.office365.management.compliance | cloud.office365.management.compliance |
| | cloud.office365.management.compliancemanager | cloud.office365.management.compliancemanager |
| | cloud.office365.management.compliancemanagerposturemanager | cloud.office365.management.compliancemanagerposturemanager |
| | cloud.office365.management.copilot | cloud.office365.management.copilot |
| | cloud.office365.management.corereporting | cloud.office365.management.corereporting |
| | cloud.office365.management.crm | cloud.office365.management.crm |
| | cloud.office365.management.dlpsensitiveinformationtype | cloud.office365.management.dlpsensitiveinformationtype |
| | cloud.office365.management.dynamics365businesscentral | cloud.office365.management.dynamics365businesscentral |
| | cloud.office365.management.endpoint | cloud.office365.management.endpoint |
| | cloud.office365.management.exchange | cloud.office365.management.exchange |
| | cloud.office365.management.mcas | cloud.office365.management.mcas |
| | cloud.office365.management.mesh | cloud.office365.management.mesh |
| | cloud.office365.management.microsoft365group | cloud.office365.management.microsoft365group |
| | cloud.office365.management.microsoftdefenderforidentity | cloud.office365.management.microsoftdefenderforidentity |
| | cloud.office365.management.microsoftflow | cloud.office365.management.microsoftflow |
| | cloud.office365.management.microsoftforms | cloud.office365.management.microsoftforms |
| | cloud.office365.management.microsoftstream | cloud.office365.management.microsoftstream |
| | cloud.office365.management.microsoftteams | cloud.office365.management.microsoftteams |
| | cloud.office365.management.microsofttodo | cloud.office365.management.microsofttodo |
| | cloud.office365.management.mip | cloud.office365.management.mip |
| | cloud.office365.management.myanalytics | cloud.office365.management.myanalytics |
| | cloud.office365.management.officeapps | cloud.office365.management.officeapps |
| | cloud.office365.management.onedrive | cloud.office365.management.onedrive |
| | cloud.office365.management.onedriveforbusiness | cloud.office365.management.onedriveforbusiness |
| | cloud.office365.management.planner | cloud.office365.management.planner |
| | cloud.office365.management.powerapps | cloud.office365.management.powerapps |
| | cloud.office365.management.powerbi | cloud.office365.management.powerbi |
| | cloud.office365.management.powerplatform | cloud.office365.management.powerplatform |
| | cloud.office365.management.powerplatformadmin | cloud.office365.management.powerplatformadmin |
| | cloud.office365.management.project | cloud.office365.management.project |
| | cloud.office365.management.projectfortheweb | cloud.office365.management.projectfortheweb |
| | cloud.office365.management.publicendpoint | cloud.office365.management.publicendpoint |
| | cloud.office365.management.quarantine | cloud.office365.management.quarantine |
| | cloud.office365.management.rdl | cloud.office365.management.rdl |
| | cloud.office365.management.se | cloud.office365.management.se |
| | cloud.office365.management.securitycompliancecenter | cloud.office365.management.securitycompliancecenter |
| | cloud.office365.management.securitycompliancerbac | cloud.office365.management.securitycompliancerbac |
| | cloud.office365.management.sharepoint | cloud.office365.management.sharepoint |
| | cloud.office365.management.skypeforbusiness | cloud.office365.management.skypeforbusiness |
| | cloud.office365.management.threatintelligence | cloud.office365.management.threatintelligence |
| | cloud.office365.management.workplaceanalytics | cloud.office365.management.workplaceanalytics |
| | cloud.office365.management.yammer | cloud.office365.management.yammer |
| Microsoft 365 message tracing | cloud.office365.messagetracing | cloud.office365.messagetracing |
| - | cloud.office365.oldmanagement | cloud.office365.oldmanagement |
| Microsoft 365 OneDrive | cloud.office365.onedrive | cloud.office365.onedrive |
| - | cloud.office365.other | cloud.office365.other |
| Microsoft 365 reports | cloud.office365.reporting.atptraffic | cloud.office365.reporting.atpraffic |
| | cloud.office365.reporting.dlp | cloud.office365.reporting.dlp |
| | cloud.office365.reporting.dlpdetail | cloud.office365.reporting.dlpdetail |
| | cloud.office365.reporting.maildetailatp | cloud.office365.reporting.maildetailatp |
| | cloud.office365.reporting.mailtraffic | cloud.office365.reporting.mailtraffic |
| | cloud.office365.reporting.messagetrace | cloud.office365.reporting.messagetrace |
| | cloud.office365.reporting.safelinksdetail | cloud.office365.reporting.safelinksdetail |
| | cloud.office365.reporting.spoofmail | cloud.office365.reporting.spoofmail |
| Microsoft 365 security events | cloud.office365.security.alerts | cloud.office365.security.alerts |
| | cloud.office365.security.scorecontrol | cloud.office365.security.scorecontrol |
| | cloud.office365.security.scores | cloud.office365.security.scores |
| Microsoft 365 Security & Compliance Center | cloud.office365.securitycompliancecenter | cloud.office365.securitycompliancecenter |
| Microsoft 365 SharePoint | cloud.office365.sharepoint | cloud.office365.sharepoint |
| Microsoft 365 SIEM agent | cloud.office365.siem_agent_alert | cloud.office365.siem_agent.alert |
| | cloud.office365.siem_agent_event | cloud.office365.siem_agent.event |
| Microsoft 365 Teams | cloud.office365.teams | cloud.office365.teams |

Note: cloud.office365.management_all is a union table that collects events from a set of tables for easy access and analysis. Learn more about this union table in this article.

For more information, see About Devo tags.


cloud.office365.exchange

You can forward logs generated by Microsoft 365 using any Syslog drain (for example, Syslog-ng).

cloud.office365.management.*

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Office 365 collector.

cloud.office365.siem_agent_alert / cloud.office365.siem_agent_event

This procedure describes how to send event and alert activities from Microsoft 365 Business to your Devo relay using a SIEM agent created in Microsoft Cloud App Security.

Prerequisites

  • You must have a Microsoft 365 Business subscription and possess the permissions necessary to set up the SIEM agent in Microsoft Cloud App Security.

  • You must have an active Devo domain.

  • You must have access to a Devo relay within your secure environment.

Overview

There are four steps to this procedure:

  • Step 1: Set up the Microsoft SIEM agent in the Cloud App Security portal

  • Step 2: Set up the rules on your Devo relay

  • Step 3: Download the JAR file and run it on your server

  • Step 4: Validate that the SIEM agent is working

Step 1: Set up the Microsoft SIEM agent in the Cloud App Security portal

The agent that you create will dictate how, where, and what to send to a remote syslog host; in this case, your Devo relay.

Go to the Microsoft Cloud App Security portal and follow the instructions in the Microsoft online documentation to configure the agent that will send events to Devo:

  • In step 1 of the wizard, select Generic CEF as the SIEM format, then select the Include PRI and Include system name checkboxes.

  • In step 2, enter the IP address of your Devo relay and the port to which you will send the events. We recommend that you select TCP as the protocol.

  • In step 3, indicate which events you want to send to Devo.

This process generates a JAR file which you will use in step 3 to install the agent on a server within the same secure network as your Devo relay.

Step 2: Set up the rules on your Devo relay

Below are the guidelines for the rules you need to define on the relay. These rules apply to events received on the specified port and, based on a string found in the event content, assign the correct Devo tag. We recommend that you set the rules up in the order indicated here.

In the examples below, we use port 13009 but you should use the free port you specified when you set up the SIEM agent.

Rule 1: Office365 events

  • Source port → 13009

  • Source data → EVENT_

  • Target tag → cloud.office365.siem_agent_event

  • Check the Stop processing and Sent without syslog tag checkboxes.

Rule 2: Office365 alerts

  • Source port → 13009

  • Source data → ALERT_

  • Target tag → cloud.office365.siem_agent_alert

  • Check the Stop processing and Sent without syslog tag checkboxes.
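The two rules above, modelled in code as an added example (this is not Devo's relay implementation, and the RelayRule, route, parse_syslog_cef and tag_events names are the example's own). It uses port 13009 from the text, treats Source data as a substring match on the event content, and honours Stop processing by ending evaluation at the first match. The CEF sample lines are constructed; their syslog framing assumes the Include PRI and Include system name options from step 1 were selected, and the vendor, product, version and class-id values in them are illustrative.

```python
"""Relay routing for the two rules in Step 2, evaluated in order.

Added example, not Devo's relay code: a rule matches on the source port plus
a substring of the event content and applies a tag, so rule order and the
"Stop processing" flag can be checked against sample events before the relay
is configured. Sample lines are constructed (PRI and system name included).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AGENT_PORT = 13009  # the free port chosen when the SIEM agent was created


@dataclass(frozen=True)
class RelayRule:
    source_port: int                 # port the event arrived on
    source_data: str                 # substring that must occur in the content
    target_tag: str                  # Devo tag applied on a match
    stop_processing: bool = True     # "Stop processing" checkbox
    without_syslog_tag: bool = True  # "Sent without syslog tag" checkbox


# Rule 1 before Rule 2, in the order the procedure recommends.
RELAY_RULES = [
    RelayRule(AGENT_PORT, "EVENT_", "cloud.office365.siem_agent_event"),
    RelayRule(AGENT_PORT, "ALERT_", "cloud.office365.siem_agent_alert"),
]


def route(port: int, content: str, rules=RELAY_RULES) -> List[str]:
    """Return the tags applied to one event, in rule order.

    A rule matches when the port equals its source port and its source-data
    string occurs anywhere in the content; with "Stop processing" set, no
    later rule is evaluated. An empty list means no rule matched."""
    applied: List[str] = []
    for rule in rules:
        if port == rule.source_port and rule.source_data in content:
            applied.append(rule.target_tag)
            if rule.stop_processing:
                break
    return applied


# <PRI>timestamp host CEF:0|vendor|product|version|class id|name|severity|extension
SYSLOG_CEF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # RFC 3164 timestamp
    r"(?P<host>\S+) "                                        # system name
    r"(?P<cef>CEF:0\|.*)$"
)


def parse_syslog_cef(line: str) -> dict:
    """Split a syslog-framed CEF line into its header fields (escaped pipes not handled)."""
    m = SYSLOG_CEF_RE.match(line)
    if m is None:
        raise ValueError("not a syslog-framed CEF line")
    pri = int(m["pri"])
    hdr = m["cef"].split("|", 7)
    if len(hdr) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m["host"],
        "vendor": hdr[1],
        "product": hdr[2],
        "version": hdr[3],
        "event_class_id": hdr[4],
        "name": hdr[5],
        "cef_severity": hdr[6],
        "extension": hdr[7] if len(hdr) > 7 else "",
    }


# Constructed sample lines; vendor, product, version, class ids and extension
# values are illustrative and were not captured from a real agent.
SAMPLE_LINES = [
    "<134>Jan 12 10:15:01 mcas-agent-01 CEF:0|MCAS|SIEM_Agent|0.0.0|"
    "EVENT_CATEGORY_LOGIN|Log on|0|externalId=1001 suser=alice@example.com",
    "<134>Jan 12 10:15:07 mcas-agent-01 CEF:0|MCAS|SIEM_Agent|0.0.0|"
    "ALERT_GENERAL|Activity policy match|3|externalId=2001",
    "<134>Jan 12 10:15:09 mcas-agent-01 CEF:0|MCAS|SIEM_Agent|0.0.0|"
    "HEARTBEAT|Agent heartbeat|0|externalId=3001",
]


def tag_events(lines: List[str], port: int = AGENT_PORT) -> List[Tuple[str, Optional[str]]]:
    """Parse each line and pair its CEF class id with the tag the rules assign."""
    result = []
    for line in lines:
        class_id = parse_syslog_cef(line)["event_class_id"]
        tags = route(port, line)
        result.append((class_id, tags[0] if tags else None))
    return result


if __name__ == "__main__":
    for class_id, tag in tag_events(SAMPLE_LINES):
        print(f"{class_id:22} -> {tag}")
    print(tag_events(SAMPLE_LINES, port=13010))  # wrong port: nothing is tagged
```

Run as a script, it prints each constructed line's CEF class id next to the tag the rules assign; the heartbeat line matches neither rule and gets none, and repeating the run with a different port shows the symptom behind the first troubleshooting item in step 4 (rules defined on a port other than the one the agent sends to). Because matching is on a substring anywhere in the event, passing a sample of your own captured lines through route() before configuring the relay is a cheap way to confirm the recommended order tags events and alerts as intended.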

Step 3: Download the JAR file and run it on your server

Follow the instructions in the Microsoft online documentation to install the SIEM agent.

Step 4: Validate that the SIEM agent is working

Follow the instructions in the Microsoft online documentation to ensure that the SIEM agent is running.

Check the Finder in your Devo domain to see that the new tables appear. If the tables do not appear:

  • Review the IP address and port you defined in the SIEM agent.

  • Make sure the rules were defined on the same port as specified in the SIEM agent.

Alternative configuration

It is also possible to establish a connection that sends event and alert data directly to Devo without using a Devo relay.

This is not recommended for production deployments for the following reasons:

  • It is not possible to use TLS to encrypt the data transferred.

  • Both event and alert-type events delivered to Devo will be saved in the same table: cef0.mcas.siemAgent

However, for testing purposes, this can be done by entering your Devo domain hostname and port in step 2 when you set up the SIEM agent. To find your domain's endpoint and port, open the Devo web app and go to Administration → Relays and ELBs. Click Add New Relay and enable Fast Sending.
