
cloud.office365.siem

The tags starting with cloud.office365.siem identify log events generated by Office 365 Business and sent to a Devo relay using a SIEM agent created in Microsoft Cloud App Security.

Tag structure

The full tag must have only three levels. The first two are fixed as cloud.office365. The third level identifies the event type and must be one of siem_agent_event or siem_agent_alert.

Technology: cloud

Brand: office365

Type:

  • siem_agent_event

  • siem_agent_alert

Therefore, the valid tags include:

  • cloud.office365.siem_agent_event

  • cloud.office365.siem_agent_alert

Once these events are delivered to Devo, they will be accessible from the Finder in tables with the same names.

For more information, see the documentation on Devo tags.

Configuration

This procedure describes how to send event and alert activities from Microsoft Office 365 Business to your Devo relay using a SIEM agent created in Microsoft Cloud App Security.

Prerequisites

  • You must have an Office 365 Business subscription and the permissions necessary to set up the SIEM agent in Microsoft Cloud App Security.

  • You must have an active Devo domain.

  • You must have access to a Devo relay within your secure environment.

Overview

There are four steps to this procedure:

Step 1: Set up the Microsoft SIEM agent in the Cloud App Security portal

The agent that you create determines how, where, and what to send to a remote syslog host; in this case, your Devo relay.

Go to the Microsoft Cloud App Security portal and follow the instructions in the Microsoft online documentation to configure the agent that will send events to Devo:

  • In step 1 of the wizard, select Generic CEF as the SIEM format, then select the Include PRI and Include system name checkboxes.

  • In step 2, enter the IP address of your Devo relay and the port to which you will send the events. We recommend that you select TCP as the protocol.

  • In step 3, indicate which events you want to send to Devo.

This process generates a JAR file which you will use in step 3 to install the agent on a server within the same secure network as your Devo relay.

Step 2: Set up the rules on your Devo relay

Below are the guidelines for the rules you need to define on the relay. These rules apply to events received on the specified port and, based on a string found in an event's content, assign the correct Devo tag. We recommend that you set the rules up in the order indicated here, because the first matching rule with Stop processing enabled ends evaluation for that event.

In the examples below, we use port 13009 but you should use the free port you specified when you set up the SIEM agent.

Rule 1: Office365 events

  • Source Port → 13009

  • Source Data → EVENT_

  • Target Tag → cloud.office365.siem_agent_event

  • Check the Stop processing and Sent without syslog tag checkboxes.

Rule 2: Office365 alerts

  • Source Port → 13009

  • Source Data → ALERT_

  • Target Tag → cloud.office365.siem_agent_alert

  • Check the Stop processing and Sent without syslog tag checkboxes.
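As an added example (not code from the Devo documentation), the following Python models how the two relay rules above classify incoming lines: match on source port, look for the EVENT_ or ALERT_ marker in the event body after the syslog PRI prefix, assign the tag of the first matching rule, and stop when Stop processing is set. The sample CEF lines are constructed to resemble SIEM agent output and are not real captures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RelayRule:
    """One relay rule: match on source port and a substring of the event body."""
    source_port: int
    source_data: str
    target_tag: str
    stop_processing: bool = True

# The two rules from Step 2, in the recommended order.
RULES = [
    RelayRule(13009, "EVENT_", "cloud.office365.siem_agent_event"),
    RelayRule(13009, "ALERT_", "cloud.office365.siem_agent_alert"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def strip_pri(line: str) -> Tuple[Optional[int], str]:
    """Split off the syslog PRI prefix that 'Include PRI' adds; return (pri, body)."""
    m = PRI_RE.match(line)
    if not m:
        return None, line
    return int(m.group(1)), line[m.end():]

def apply_rules(port: int, line: str, rules: List[RelayRule] = RULES) -> List[str]:
    """Return the tags assigned to a line received on `port`, honouring rule order
    and the 'Stop processing' flag (the first stopping match ends evaluation)."""
    _, body = strip_pri(line)
    tags = []
    for rule in rules:
        if port != rule.source_port or rule.source_data not in body:
            continue
        tags.append(rule.target_tag)
        if rule.stop_processing:
            break
    return tags

# Constructed sample lines in the shape the SIEM agent emits (not real captures):
# PRI, timestamp, system name, then a CEF header whose signature ID starts with EVENT_ or ALERT_.
SAMPLE_EVENT = ("<13>Apr 01 12:00:00 mcas-host CEF:0|MCAS|SIEM_Agent|0.0.0|"
                "EVENT_CATEGORY_LOGIN|Log on|0|")
SAMPLE_ALERT = ("<13>Apr 01 12:00:00 mcas-host CEF:0|MCAS|SIEM_Agent|0.0.0|"
                "ALERT_GENERAL|Sample alert|5|")
```

Because matching is a plain substring check, an alert whose content happened to contain EVENT_ would be tagged by Rule 1 first; the rule order given above is what makes the two tables line up with the two event types.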

Step 3: Download the JAR file and run it on your server

Follow the instructions in the Microsoft online documentation to install the SIEM agent.

Step 4: Validate that the SIEM agent is working

Follow the instructions in the Microsoft online documentation to ensure that the SIEM agent is running.

Check the Finder in your Devo domain to see that the new tables appear. If the tables do not appear:

  • Review the IP address and port you defined in the SIEM agent.

  • Make sure the rules were defined on the same port as specified in the SIEM agent.

Alternative configuration

It is also possible to establish a connection that sends event and alert data directly to Devo without using a Devo relay.

This is not recommended for production deployments for the following reasons:

  • It is not possible to use TLS to encrypt the data transferred

  • Both event-type and alert-type events delivered to Devo will be saved in the same table: cef0.mcas.siemAgent

However, for testing purposes, this can be done by entering your Devo domain hostname and port in step 2 when you set up the SIEM agent. To find your domain's endpoint and port, open the Devo web app and go to Administration → Relays and ELBs. Click Add New Relay and enable Fast Sending.