...
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
Microsoft 365 | |
Microsoft 365 Azure Active Directory | |
Microsoft Defender for Cloud Apps alerts | |
Microsoft 365 Data Loss Prevention | |
Microsoft Defender for Endpoint alerts | |
Microsoft 365 Exchange | |
Microsoft 365 Identity Alerts | |
Microsoft 365 management | |
Microsoft 365 message tracing | |
Microsoft 365 OneDrive | |
Microsoft 365 reports | |
Microsoft 365 security events | |
Microsoft 365 Security & Compliance Center | |
Microsoft 365 SharePoint | |
Microsoft 365 SIEM agent | |
Microsoft 365 Teams | |
For more information, see About Devo tags.
...
You can forward logs generated by Microsoft 365 using any Syslog drain (for example, Syslog-ng).

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Office 365 collector.

This procedure describes how to send event and alert activities from Microsoft 365 Business to your Devo relay using a SIEM agent created in Microsoft Cloud App Security.

Prerequisites

Overview

There are four steps to this procedure:

Step 1: Set up the Microsoft SIEM agent in the Cloud App Security portal

The agent that you create dictates how, where, and what to send to a remote syslog host; in this case, your Devo relay. Go to the Microsoft Cloud App Security portal and follow the instructions in the Microsoft online documentation to configure the agent that will send events to Devo:

This process generates a JAR file, which you will use in step 3 to install the agent on a server within the same secure network as your Devo relay.

Step 2: Set up the rules on your Devo relay

Below are the guidelines for the rules you need to define on the relay. These rules apply to events received on the specified port and, based on a string found in an event's content, apply the correct Devo tag. We recommend that you set up the rules in the order indicated here. In the examples below, we use port 13009, but you should use the free port you specified when you set up the SIEM agent.

Rule 1: Office365 events

Rule 2: Office365 alerts

Step 3: Download the JAR file and run it on your server

Follow the instructions in the Microsoft online documentation to install the SIEM agent.

Step 4: Validate that the SIEM agent is working

Follow the instructions in the Microsoft online documentation to ensure that the SIEM agent is running. Check the Finder in your Devo domain to see that the new tables appear. If the tables do not appear:

Alternative configuration

It is also possible to establish a connection that sends event and alert data directly to Devo without using a Devo relay. This is not recommended for production deployments for the following reasons:

However, for testing purposes, this can be done by entering your Devo domain hostname and port in step 2 when you set up the SIEM agent. To find your domain's endpoint and port, open the Devo web app and go to Administration → Relays and ELBs. Click Add New Relay and enable Fast Sending.
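As an added illustration (not Devo's relay code and not the rules this page defines), the following Python sketch models the step 2 behaviour: rules are checked in order against events arriving on one port, the first rule whose string appears in the event content assigns the tag, and anything no rule matches is collected so that tables missing in step 4 can be traced back to an unmatched string. The match strings, the tag names and the sample lines are assumptions and constructed data, not values from the page.

```python
"""Simulated Devo relay rules for Microsoft 365 SIEM-agent traffic.

Added example, not Devo's relay implementation or the page's own rules.
Assumed placeholders: the match strings "EVENT_CATEGORY" / "ALERT_CATEGORY"
and the tags 'placeholder.events' / 'placeholder.alerts'. Port 13009 is the
example port the page uses.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RelayRule:
    port: int      # port the agent sends to; the rule ignores other ports
    needle: str    # string that must appear in the event content
    tag: str       # Devo tag applied on match (placeholder)

# Evaluated top to bottom; the first match wins, so order matters.
RULES = [
    RelayRule(13009, "EVENT_CATEGORY", "placeholder.events"),  # assumed
    RelayRule(13009, "ALERT_CATEGORY", "placeholder.alerts"),  # assumed
]

def apply_rules(port: int, message: str, rules=RULES) -> Optional[str]:
    """Return the tag of the first rule whose port and string match, else None."""
    for rule in rules:
        if rule.port == port and rule.needle in message:
            return rule.tag
    return None

def route(lines, port: int = 13009, rules=RULES):
    """Tag each line; keep untagged lines so a missing table can be diagnosed."""
    tagged, unmatched = [], []
    for line in lines:
        tag = apply_rules(port, line, rules)
        if tag is None:
            unmatched.append(line)
        else:
            tagged.append((tag, line))
    return tagged, unmatched

# Constructed sample lines (shape only; not real SIEM-agent output).
SAMPLE = [
    "CEF:0|MCAS|SIEM_Agent|0|EVENT_CATEGORY_LOGIN|Log on|0|suser=alice@example.com",
    "CEF:0|MCAS|SIEM_Agent|0|ALERT_CATEGORY_THREAT|Impossible travel|8|suser=bob@example.com",
    "CEF:0|MCAS|SIEM_Agent|0|UNKNOWN|Heartbeat|0|",
]

if __name__ == "__main__":
    tagged, unmatched = route(SAMPLE)
    for tag, line in tagged:
        print(tag, "<-", line)
    print("unmatched (no table will be populated):", unmatched)
```

A non-empty unmatched list is the first thing to look at when the expected table does not show up in the Finder.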
...