cloud.office365
Introduction
The tags beginning with cloud.office365 identify events, grouped by workload, generated by Microsoft 365 Copilot cloud products (formerly Office 365).
Valid tags and data tables
The full tag must have at least 2 levels. The first 2 are fixed as cloud.office365. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Microsoft 365 | | |
Microsoft 365 Entra ID (formerly Azure Active Directory) | | |
Microsoft Defender for Cloud Apps alerts | | |
Microsoft 365 Data Loss Prevention | | |
Microsoft Defender for Endpoint alerts | | |
Microsoft 365 Exchange | cloud.office365.exchange | |
Microsoft 365 Identity Alerts | | |
Microsoft 365 management | cloud.office365.management.* | Union table: this is a union table that collects events from a set of tables for easy access and analysis. Learn more about this union table in this article. |
Microsoft 365 message tracing | | |
Microsoft 365 OneDrive | | |
Microsoft 365 reports | | |
Microsoft 365 security events | | |
Microsoft 365 Security & Compliance Center | | |
Microsoft 365 SharePoint | | |
Microsoft 365 SIEM agent | cloud.office365.siem_agent_alert, cloud.office365.siem_agent_event | |
Microsoft 365 Teams | | |
For more information, read About Devo tags.
How is the data sent to Devo?
cloud.office365.exchange
You can forward logs generated by Microsoft 365 using any Syslog drain (for example, Syslog-ng).
cloud.office365.management.*
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in Office 365 collector.
cloud.office365.siem_agent_alert / cloud.office365.siem_agent_event
This procedure describes how to send event and alert activities from Microsoft 365 Business to your Devo relay using a SIEM agent created in Microsoft Cloud App Security.
Prerequisites
You must have Microsoft 365 Business and the permissions necessary to set up the SIEM agent in Microsoft Cloud App Security.
You must have an active Devo domain.
You must have access to a Devo relay within your secure environment.
Overview
There are four steps to this procedure:
Step 1: Set up the Microsoft SIEM agent in the Cloud App Security portal
The agent that you create will dictate how, where, and what to send to a remote syslog host; in this case, your Devo relay.
Go to the Microsoft Cloud App Security portal and follow the instructions in the Microsoft online documentation to configure the agent that will send events to Devo:
In step 1 of the wizard, select Generic CEF as the SIEM format, then select the Include PRI and Include system name checkboxes.
In step 2, enter the IP address of your Devo relay and the port to which you will send the events. We recommend that you select TCP as the protocol.
In step 3, indicate which events you want to send to Devo.
This process generates a JAR file that you will use in Step 3 of this procedure to install the agent on a server within the same secure network as your Devo relay.
Step 2: Set up the rules on your Devo relay
Below are the guidelines for the rules you need to define on the relay. These rules will apply to events received on the specified port and, based on a string found in an event's content, apply the correct Devo tag. We recommend that you set the rules up in the order indicated here.
In the examples below, we use port 13009 but you should use the free port you specified when you set up the SIEM agent.
Rule 1: Office365 events

Setting | Value |
---|---|
Source port | 13009 |
Source data | EVENT_ |
Target tag | cloud.office365.siem_agent_event |

Check the Stop processing and Sent without syslog tag checkboxes.

Rule 2: Office365 alerts

Setting | Value |
---|---|
Source port | 13009 |
Source data | ALERT_ |
Target tag | cloud.office365.siem_agent_alert |

Check the Stop processing and Sent without syslog tag checkboxes.
Step 3: Download the JAR file and run it on your server
Follow the instructions in the Microsoft online documentation to install the SIEM agent.
Step 4: Validate that the SIEM agent is working
Follow the instructions in the Microsoft online documentation to ensure that the SIEM agent is running.
Check the Finder in your Devo domain to see that the new tables appear. If the tables do not appear:
Review the IP address and port you defined in the SIEM agent.
Make sure the rules were defined on the same port as specified in the SIEM agent.
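The following is an added example, not Devo's relay code or anything from the Microsoft documentation. It simulates how the two relay rules from Step 2 classify lines that arrive from the SIEM agent on port 13009 (rules evaluated in order, first match with Stop processing wins) and includes the Step 4 troubleshooting check that every rule uses the port configured in the SIEM agent. The sample CEF lines, host name and field values are constructed for the example; only the `EVENT_` / `ALERT_` match strings, the port and the target tags come from the page.

```python
"""Simulation of the Devo relay rules for the Microsoft SIEM agent feed.

Added example, not Devo's relay implementation. Rules are matched top to
bottom against the content of each received line; a matching rule with
"Stop processing" set ends evaluation, so a line normally gets one tag.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RelayRule:
    name: str
    source_port: int
    source_data: str               # substring that must appear in the event content
    target_tag: str
    stop_processing: bool = True   # the "Stop processing" checkbox


# Rules in the order the page recommends: events first, then alerts.
RULES: List[RelayRule] = [
    RelayRule("Office365 events", 13009, "EVENT_", "cloud.office365.siem_agent_event"),
    RelayRule("Office365 alerts", 13009, "ALERT_", "cloud.office365.siem_agent_alert"),
]


def tags_for(port: int, message: str, rules: List[RelayRule] = RULES) -> List[str]:
    """Return the Devo tags the relay would apply to one line received on `port`."""
    applied: List[str] = []
    for rule in rules:
        if rule.source_port != port or rule.source_data not in message:
            continue
        applied.append(rule.target_tag)
        if rule.stop_processing:
            break                  # first matching rule wins
    return applied


def rules_match_agent_port(rules: List[RelayRule], agent_port: int) -> bool:
    """Step 4 check: every rule listens on the port configured in the SIEM agent."""
    return all(rule.source_port == agent_port for rule in rules)


# Constructed sample lines in the shape the wizard produces (Generic CEF with
# PRI and system name). Host, signature IDs and field values are made up.
SAMPLE_EVENT = (
    "<134>Jan 01 12:00:00 mcas-siem-host CEF:0|MCAS|SIEM_Agent|0.0.0|"
    "EVENT_CATEGORY_LOGIN|Log on|0|externalId=1 suser=user@example.com"
)
SAMPLE_ALERT = (
    "<134>Jan 01 12:00:01 mcas-siem-host CEF:0|MCAS|SIEM_Agent|0.0.0|"
    "ALERT_EXAMPLE|Alert example|5|externalId=2 msg=constructed"
)

if __name__ == "__main__":
    for line in (SAMPLE_EVENT, SAMPLE_ALERT):
        print(tags_for(13009, line), "<-", line[:60])
    print("rules use the agent port:", rules_match_agent_port(RULES, 13009))
```

If a line reaches the relay on a different port, or contains neither match string, no rule fires and the line is not written to either siem_agent table, which is the situation the Step 4 troubleshooting list addresses.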
Alternative configuration
It is also possible to establish a connection that sends event and alert data directly to Devo without using a Devo relay.
This is not recommended for production deployments for the following reasons:
It is not possible to use TLS to encrypt the data transferred
Both event and alert-type events delivered to Devo will be saved in the same table: cef0.mcas.siemAgent
However, for testing purposes, this can be done by entering your Devo domain hostname and port in step 2 when you set up the SIEM agent. To find your domain's endpoint and port, open the Devo web app and go to Administration > Relays and ELBs. Click Add New Relay and enable Fast Sending.
Table structure
These are the fields displayed in these tables: