After you configure the connection between the AlienApp for Office 365 and the Microsoft Office 365 Management Activity API for a deployed USM Anywhere Sensor, the predefined log collection job queries the API for Office 365 events. When USM Anywhere collects and analyzes the first of these events, the Office 365 dashboards become available in the DASHBOARDS menu (according to the type of events that it collects).
Note: Because the AlienApp for Office 365 data queries must rely on information as provided by the O365 Activity API, you could see non-sequential events as well as delayed timestamps for retrieved events and generated alarms. This is beyond AlienVault's control. You can observe the latency by comparing the TIME CREATED ISO8601 and TIME RECEIVED ISO8601 fields of an Office 365 event in USM Anywhere.
The Office 365 Management Activity API aggregates actions and events into tenant-specific content BLOBs (binary large objects). It creates these BLOBs by collecting and aggregating actions and events across multiple servers and data centers. As a result of this distributed process, the actions and events contained in a BLOB do not necessarily appear in the order in which they occurred. Also, the timestamp for logs stored in these BLOBs is based on the BLOB creation time, not on the time of the events. For detailed information about log collection and aggregation by the Microsoft Activity API, refer to this Microsoft article.
Additionally, the Management Activity API incorporates mechanisms designed to ensure that customers have access to logs through service interruptions. This can result in a time delay of up to 30 minutes, and sometimes 24 hours or more, after an event occurs for the corresponding audit log entry to be collected and provided by the API. For a table listing the time delays of different services in Office 365, refer to this Microsoft article.
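The two effects described above (records inside a content BLOB arriving out of creation order, and records arriving well after they were created) are worth handling explicitly when you consume this API yourself. The following is an added example, not AlienVault's or Microsoft's code: it takes one content BLOB (a JSON array of audit records, using the documented common-schema fields CreationTime, Id, Operation, UserId and Workload), restores creation order, lists which records were delivered non-sequentially, and reports which ones exceeded the 30-minute window at the time they were fetched. The sample records, the fetch time (RECEIVED_AT) and the 30-minute threshold (LATE_AFTER) are constructed for the example.

```python
"""Added example (not AlienVault's or Microsoft's code): normalise the order of
Office 365 audit records from a Management Activity API content blob and measure
how late each record arrived relative to its CreationTime."""
from datetime import datetime, timedelta, timezone
import json

# Constructed sample blob: three records, deliberately not in creation order,
# one of them more than a day old when fetched.
SAMPLE_BLOB = json.dumps([
    {"Id": "a1", "CreationTime": "2019-03-04T10:05:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "Workload": "AzureActiveDirectory"},
    {"Id": "a2", "CreationTime": "2019-03-04T09:58:00", "Operation": "FileAccessed",
     "UserId": "bob@example.com", "Workload": "SharePoint"},
    {"Id": "a3", "CreationTime": "2019-03-03T09:00:00", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.com", "Workload": "Exchange"},
])

# Constructed: the moment the collector fetched the blob (stands in for
# TIME RECEIVED in USM Anywhere).
RECEIVED_AT = datetime(2019, 3, 4, 10, 20, tzinfo=timezone.utc)

# Threshold taken from the text: delays beyond 30 minutes are worth flagging.
LATE_AFTER = timedelta(minutes=30)


def parse_creation_time(value: str) -> datetime:
    """CreationTime is UTC without an offset suffix; attach tzinfo explicitly."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def normalise_blob(blob_json: str, received_at: datetime):
    """Return (records sorted by CreationTime,
               ids delivered out of creation order,
               {id: latency} for records older than LATE_AFTER when fetched)."""
    records = json.loads(blob_json)

    # Walk the blob in delivery order to spot non-sequential records.
    out_of_order = []
    last = None
    for rec in records:
        created = parse_creation_time(rec["CreationTime"])
        if last is not None and created < last:
            out_of_order.append(rec["Id"])
        last = created

    # Latency = fetch time minus CreationTime, flagged if beyond the window.
    late = {}
    for rec in records:
        latency = received_at - parse_creation_time(rec["CreationTime"])
        if latency > LATE_AFTER:
            late[rec["Id"]] = latency

    ordered = sorted(records, key=lambda r: parse_creation_time(r["CreationTime"]))
    return ordered, out_of_order, late


if __name__ == "__main__":
    ordered, out_of_order, late = normalise_blob(SAMPLE_BLOB, RECEIVED_AT)
    print("creation order:", [r["Id"] for r in ordered])
    print("delivered out of order:", out_of_order)
    for rec_id, latency in late.items():
        print(f"{rec_id}: arrived {latency} after creation")
```

Sorting on CreationTime (rather than on BLOB order or on the time you received the BLOB) is what keeps your own timeline and any detection logic that depends on event sequence correct; the latency map is the same comparison you can make in USM Anywhere between TIME CREATED ISO8601 and TIME RECEIVED ISO8601.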
This integration requires connectivity between your USM Anywhere Sensor and the Microsoft Office 365 Management Activity API. If you have a Sensor deployed in your Azure subscription, you should use this Sensor to configure the AlienApp. If you use a non-Azure Sensor, you must set your firewall rules to allow the following outbound (egress) connections from the Sensor; the Sensor initiates these HTTPS connections, so no inbound rule is needed.
| Protocol | Port | Destination | Purpose |
|---|---|---|---|
| TCP | 443 | https://login.windows.net/ | Authentication for your Office 365 account |
| TCP | 443 | https://manage.office.com/api/v1.0/ | Queries to retrieve log data from the Microsoft Office 365 Management Activity API |
Before you configure the AlienApp for Office 365, make sure that you have the requirements set up in your Office 365 account for this integration.
The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365. Within an Azure subscription, you define a new app for the Microsoft Office 365 Management Activity API communication with USM Anywhere. Before you create this app, you must have the following items.
- Office 365 subscription from Microsoft
- Azure subscription
- Administrator credentials for the Azure tenant
To set up the app for the Office 365 API
- Access Azure Active Directory in the Azure portal.
- Navigate to App registrations and click New application registration.
- Define a new app.
- In the App registrations list, select the app you just created.
- From Settings, click Properties.
- At the bottom of the Properties blade, toggle Multi-tenanted to Yes, and then click Save.
- Within the Settings blade on the same page, select Required Permissions and click Add.
- Click Select an API, select Office 365 Management APIs, and then click the Select button.
- Select all of the APPLICATION PERMISSIONS and DELEGATED PERMISSIONS.
Important: You must be sure that all of these permissions are enabled for the application. If the required permissions are not in place, the AlienApp for Office 365 cannot retrieve events for your Office 365 account.
- Click the Select button and then the Done button to complete the API access settings.
- Click Grant Permissions after you add the permissions. Granting the permissions requires a tenant administrator; until an administrator grants them, the app cannot use them and the AlienApp cannot retrieve events.
- Return to the App profile and click Manifest.
- In the Edit manifest page, the "keyCredentials" section is empty. When you complete the next task, you will generate the credentials in USM Anywhere and then paste that information here.
After you create the app for the Office 365 API and perform the initial configuration, you're ready to grab the manifest credentials from the AlienApp for Office 365 in USM Anywhere and connect the API app.
To complete the connection to the AlienApp for Office 365
- In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
- Click the AlienApps tab.
- In the AlienApps page, click the Office 365 tile.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.
USM Anywhere AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Choose the sensor that can access the integration endpoint.
- Click the Status tab to display the Manifest Credentials JSON.
- Copy the entire JSON code block (including the opening and closing brackets) to your clipboard.
- Return to the Edit Manifest page in the Azure portal and paste it into the manifest inside the "keyCredentials" section.
- In the app profile, copy the Application ID to a text file.
- Go to Azure Active Directory > Properties and copy the Directory ID (Tenant ID), then paste it in the same text file.
- Return to the Office 365 page in USM Anywhere and click the Credentials tab.
- Enter the copied IDs in the Tenant ID and Application ID fields.
- Click Save Credentials.
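The manifest edit in the Azure portal has no validation beyond "is it JSON", so a truncated paste or a paste that replaces the whole "keyCredentials" array instead of adding to it fails silently until the AlienApp cannot authenticate. The following is an added example, not AlienVault's or Microsoft's code, covering both the empty "keyCredentials" section noted in the app setup and the paste step above: it checks that a pasted entry has the shape the Azure AD manifest expects and merges it into the existing array without dropping entries that are already there. Assumptions, labelled in the comments: each entry carries customKeyIdentifier, keyId, type "AsymmetricX509Cert", usage "Verify" and a base64 DER certificate in value, and customKeyIdentifier is the base64-encoded SHA-1 thumbprint of that DER. The certificate bytes and the keyId are constructed placeholders, not a real certificate from USM Anywhere.

```python
"""Added example (not AlienVault's or Microsoft's code): validate a
keyCredentials entry before pasting it into the Azure AD app manifest and
merge it into the existing "keyCredentials" array."""
import base64
import hashlib
import json
import uuid

REQUIRED = {"customKeyIdentifier", "keyId", "type", "usage", "value"}

# Constructed placeholder: a 5-byte DER SEQUENCE, not a real X.509 certificate.
PLACEHOLDER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
# Constructed placeholder keyId (any GUID).
PLACEHOLDER_KEY_ID = "4f6d2a9b-1c3e-4e5f-9a8b-0c1d2e3f4a5b"


def thumbprint_b64(der: bytes) -> str:
    """Assumed convention: customKeyIdentifier = base64(SHA-1(DER))."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode()


def make_entry(der: bytes, key_id: str) -> dict:
    """Build a sample entry in the assumed manifest layout."""
    return {
        "customKeyIdentifier": thumbprint_b64(der),
        "keyId": key_id,
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode(),
    }


def parse_pasted(text: str) -> list:
    """Accept the pasted JSON as one entry object or an array of entries."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def validate_entry(entry: dict) -> list:
    """Return a list of problems; an empty list means the entry looks pasteable."""
    problems = []
    missing = REQUIRED - set(entry)
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
        return problems
    if entry["type"] != "AsymmetricX509Cert" or entry["usage"] != "Verify":
        problems.append("type/usage must be AsymmetricX509Cert/Verify")
    try:
        uuid.UUID(entry["keyId"])
    except ValueError:
        problems.append("keyId is not a GUID")
    try:
        # validate=True rejects stray characters from a mangled paste.
        der = base64.b64decode(entry["value"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("value is not valid base64")
        return problems
    if not der or der[0] != 0x30:
        problems.append("value does not decode to a DER SEQUENCE")
    elif entry["customKeyIdentifier"] != thumbprint_b64(der):
        problems.append("customKeyIdentifier does not match SHA-1 of value")
    return problems


def merge_into_manifest(manifest: dict, entries: list) -> dict:
    """Append validated entries to keyCredentials, refusing duplicate keyIds."""
    creds = manifest.setdefault("keyCredentials", [])
    for entry in entries:
        problems = validate_entry(entry)
        if problems:
            raise ValueError("; ".join(problems))
        if any(c.get("keyId") == entry["keyId"] for c in creds):
            raise ValueError("keyId already present in manifest")
        creds.append(entry)
    return manifest


if __name__ == "__main__":
    manifest = {"keyCredentials": []}  # what the portal shows before the paste
    pasted = json.dumps([make_entry(PLACEHOLDER_DER, PLACEHOLDER_KEY_ID)])
    merged = merge_into_manifest(manifest, parse_pasted(pasted))
    print(json.dumps(merged, indent=2))
```

Running the checker on the text you are about to paste, then pasting the merged array rather than hand-editing inside the portal, avoids the two common failures: a clipped base64 value and an overwritten array that silently removes a credential some other integration still relies on.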