
Key considerations to include:

  • Why should I enable it

  • How do I enable it

  • Once it is enabled, how do I use the data for security

Purpose

An analyst wants to detect <adjective> behavior in <data source>. Using the Microsoft 365 API collector to send <type> to Devo, the analyst will find <outcome>. As a result, the analyst will <verb> the <entity>, preventing them from <tactic>.

Prerequisites

  • Office 365 subscription

  • Azure subscription associated with your Office 365 subscription.

Data sources

Each collector service maps to one Office 365 Management Activity API content type and lands in the Devo tables shown. The uri_retry service is not a data source: it is mandatory for every instance because it re-fetches any content URI that failed in another service.

Data source | Security Purpose | API endpoint (content type) | Collector service name | Devo table
Azure Active Directory (Microsoft Entra ID) | | Audit.AzureActiveDirectory | azure_active_directory | cloud.office365.management.azure_active_directory
SharePoint | | Audit.SharePoint | sharepoint | cloud.office365.management.sharepoint and cloud.office365.management.onedrive
Exchange | | Audit.Exchange | exchange | cloud.office365.management.exchange
General Audit | | Audit.General | general_audit | cloud.office365.management.*
DLP | | DLP.All | dlp | Any table listed above
URI Retry | Mandatory: retries any URI that failed in any other service. | - | uri_retry | Any service above

Authorize It

  1. Register the Devo platform as an application in Microsoft Entra ID from the Azure portal.

  2. Get Office 365 tenant admin consent for the application's Office 365 Management APIs permissions.

  3. Request access tokens from Microsoft Entra ID.

  4. Call the Office 365 Management APIs.

From the app registration, collect the Microsoft OAuth authentication credentials the collector needs:

  1. Directory (tenant) ID

  2. Application (client) ID

  3. Client secret value. The Azure portal shows the value only once, when the secret is created: copy it then, store it with the collector credentials rather than on this page, and note its expiry date so it is rotated before it lapses.
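Steps 3 and 4 above, as an added example that is not part of this page or of Devo's collector code: a Python script that requests a client-credentials token for the app registration, makes sure a subscription for one content type is enabled, pulls the content blobs listed for it, and summarizes the records by workload and operation. The token endpoint, the https://manage.office.com/.default scope and the /activity/feed/subscriptions paths are Microsoft's published Management Activity API; the TENANT_ID, CLIENT_ID and CLIENT_SECRET environment variable names and the audit records in SAMPLE_BLOB are constructed for this example.

```python
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

LOGIN = "https://login.microsoftonline.com"
MGMT = "https://manage.office.com/api/v1.0"
# Content types exposed by the Management Activity API (the "API endpoint"
# column of the data sources table above).
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All")


def token_request(tenant_id, client_id, client_secret):
    """Step 3: build the client-credentials token request (URL, form body)."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://manage.office.com/.default",
    })
    return url, body


def subscription_url(tenant_id, action, content_type=None):
    """Step 4: URL of the subscriptions/{list,start,content} endpoint."""
    if content_type is not None and content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type!r}")
    url = f"{MGMT}/{tenant_id}/activity/feed/subscriptions/{action}"
    if content_type:
        url += "?" + urllib.parse.urlencode({"contentType": content_type})
    return url


def call(url, token=None, body=None):
    """GET (body is None) or POST the URL and return the decoded JSON reply."""
    data = None if body is None else body.encode()
    req = urllib.request.Request(url, data=data, method="GET" if data is None else "POST")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(records):
    """Count records per (Workload, Operation) and list Ids of failed ones.

    Only common-schema fields that every Management Activity record carries
    (Id, Operation, Workload, ResultStatus) are used."""
    per_op = Counter((r.get("Workload"), r.get("Operation")) for r in records)
    failed = [r["Id"] for r in records
              if str(r.get("ResultStatus", "")).lower().startswith("fail")]
    return per_op, failed


# Constructed sample of what one content blob decodes to (not real tenant data).
SAMPLE_BLOB = [
    {"Id": "a1", "CreationTime": "2025-02-06T18:00:01", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"},
    {"Id": "a2", "CreationTime": "2025-02-06T18:00:05", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.11", "ResultStatus": "Failed"},
    {"Id": "a3", "CreationTime": "2025-02-06T18:01:00", "Operation": "Add user.",
     "Workload": "AzureActiveDirectory", "UserId": "admin@contoso.example",
     "ClientIP": "203.0.113.12", "ResultStatus": "Success"},
]


def pull(tenant_id, client_id, client_secret, content_type="Audit.AzureActiveDirectory"):
    """End to end: get a token, enable the subscription if needed, fetch every
    blob listed for the API's default window (the last 24 hours)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    token = call(url, body=body)["access_token"]
    enabled = {s["contentType"] for s in call(subscription_url(tenant_id, "list"), token)
               if s.get("status") == "enabled"}
    if content_type not in enabled:
        call(subscription_url(tenant_id, "start", content_type), token, body="")
    records = []
    for entry in call(subscription_url(tenant_id, "content", content_type), token):
        records.extend(call(entry["contentUri"], token))
    return records


if __name__ == "__main__":
    recs = pull(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    print(summarize(recs))
```

Run it once with the three credentials exported in the environment before creating the collector instance: an HTTP 401 on the token call means the client secret or tenant is wrong, an HTTP 403 on the subscriptions call means admin consent (step 2) has not been granted, and an empty content list on a freshly started subscription is normal because the API only lists blobs created after the subscription was enabled.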

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with a basic configuration are defined below.

This minimum configuration covers only the parameters specific to this integration. Other parameters governing the generic behavior of the collector are also required; see the settings sections for details.

Setting | Details
tenant_id | The Azure application tenant ID (the Directory (tenant) ID of the app registration)
client_id | The Azure application client ID (the Application (client) ID of the app registration)
client_secret | The Azure application client secret (the secret value, not the secret ID that the portal shows next to it)

Run It

In the Cloud Collector App, create a Microsoft 365 collector instance using the parameters template below, replacing the values enclosed in < >. INPUT_NAME is the Microsoft 365 input name expected by your Cloud Collector App version; the credentials block carries the three minimum settings defined above, and the services block lists the collector service names from the Data sources table. The uri_retry service is mandatory for every instance.

{
  "inputs": {
    "<INPUT_NAME>": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "credentials": {
        "tenant_id": "<DIRECTORY_TENANT_ID>",
        "client_id": "<APPLICATION_CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET_VALUE>"
      },
      "services": {
        "<SERVICE_NAME>": {},
        "uri_retry": {}
      }
    }
  }
}
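A pre-flight check for the parameters template before it is pasted into the Cloud Collector App, as an added example that is not part of this page or of Devo tooling. It encodes only the rules this page states: the three minimum credentials must be present and no longer placeholders, every service name must be one from the Data sources table, uri_retry must be enabled, and the id must be five digits. The input block name is left unchecked because it depends on the collector version, and the SAMPLE template (with a deliberately wrong service name) is constructed for the example.

```python
import json
import re

# Collector service names from the Data sources table on this page.
KNOWN_SERVICES = {"azure_active_directory", "sharepoint", "exchange",
                  "general_audit", "dlp", "uri_retry"}
# Minimum configuration required for basic pulling.
REQUIRED_CREDENTIALS = ("tenant_id", "client_id", "client_secret")
# Values still wrapped in < > have not been replaced yet.
PLACEHOLDER = re.compile(r"^<.*>$")


def check_template(text):
    """Return the list of problems found; an empty list means the template is usable."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    inputs = cfg.get("inputs")
    if not isinstance(inputs, dict) or not inputs:
        return ["missing 'inputs' block"]
    for name, inp in inputs.items():
        if not re.fullmatch(r"\d{5}", str(inp.get("id", ""))):
            problems.append(f"{name}: id must be five digits")
        creds = inp.get("credentials") or {}
        for key in REQUIRED_CREDENTIALS:
            value = creds.get(key)
            if not value or PLACEHOLDER.match(str(value)):
                problems.append(f"{name}: credentials.{key} is missing or still a placeholder")
        services = inp.get("services") or {}
        if not services:
            problems.append(f"{name}: no services enabled")
        for svc in services:
            if svc not in KNOWN_SERVICES:
                problems.append(f"{name}: unknown service {svc!r}")
        if "uri_retry" not in services:
            problems.append(f"{name}: uri_retry is mandatory and not enabled")
    return problems


# Constructed sample: tenant_id not filled in, one bogus service, uri_retry missing.
SAMPLE = """{
  "inputs": {
    "m365_example": {
      "id": "12345",
      "credentials": {
        "tenant_id": "<DIRECTORY_TENANT_ID>",
        "client_id": "11111111-2222-3333-4444-555555555555",
        "client_secret": "example-secret-value"
      },
      "services": {"azure_active_directory": {}, "sqs_collector": {}}
    }
  }
}"""

if __name__ == "__main__":
    for problem in check_template(SAMPLE) or ["template OK"]:
        print(problem)
```

Running the script against the sample reports three problems (placeholder tenant_id, unknown service sqs_collector, missing uri_retry); point it at your own template file instead of SAMPLE to check a real instance before submitting it.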

Secure It

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to Devo, using the query below (replace TABLE with one of the Devo tables listed under Data sources):

from TABLE
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to track collector_id, so that each collector instance is alerted on separately.
