AlienVault® USM Anywhere™

Configuring the AlienApp for Office 365

  Role Availability   Read-Only   Analyst   Manager

After you configure the connection between the AlienApp for Office 365 and the Microsoft Office 365 Management Activity API for a deployed USM Anywhere Sensor, the predefined log collection job performs a query for Office 365 events. When USM Anywhere collects and analyzes the first of these events, the Office 365 dashboards are available in the DASHBOARDS menu (according to the type of events that it collects).

Note: Because the AlienApp for Office 365 data queries must rely on information as provided by the O365 Activity API, you could see non-sequential events as well as delayed timestamps for retrieved events and generated alarms. This is beyond AlienVault's control. You can observe the latency by comparing the TIME CREATED ISO8601 and TIME RECEIVED ISO8601 fields of an Office 365 event in USM Anywhere.

The Office 365 Management Activity API aggregates actions and events into tenant-specific content BLOBs (binary large objects). It creates these BLOBs by collecting and aggregating actions and events across multiple servers and data centers. As a result of this distributed process, the actions and events contained in the BLOBs do not necessarily appear in the order in which they occur. Also, the timestamps for logs stored in these BLOBs are based on the BLOB creation, not the events. For detailed information about log collection and aggregation by the Microsoft Activity API, refer to this Microsoft article.

Additionally, the Management Activity API incorporates mechanisms designed to ensure that customers have access to logs through service interruptions. This can result in a time delay of up to 30 minutes, and sometimes 24 hours or more, after an event occurs for the corresponding audit log entry to be collected and provided by the API. For a table listing the time delays of different services in Office 365, refer to this Microsoft article.
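
The following Python sketch is an added example, not AlienVault or Microsoft code. It measures the latency described above on a batch of events listed in the order received, flags events that arrived non-sequentially or more than 30 minutes after they occurred, and rebuilds the timeline by creation time. The event records are constructed, and the key names time_created_iso8601 and time_received_iso8601 are assumptions standing in for the TIME CREATED ISO8601 and TIME RECEIVED ISO8601 fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data), listed in the order received.
# Key names are assumptions mirroring the TIME CREATED / TIME RECEIVED fields.
SAMPLE_EVENTS = [
    {"id": "evt-1", "time_created_iso8601": "2024-05-01T10:00:00Z",
     "time_received_iso8601": "2024-05-01T10:12:00Z"},
    {"id": "evt-2", "time_created_iso8601": "2024-05-01T09:40:00Z",
     "time_received_iso8601": "2024-05-01T10:25:00Z"},
    {"id": "evt-3", "time_created_iso8601": "2024-05-01T10:05:00Z",
     "time_received_iso8601": "2024-05-01T10:26:00Z"},
    {"id": "evt-4", "time_created_iso8601": "2024-04-30T08:00:00Z",
     "time_received_iso8601": "2024-05-01T10:30:00Z"},
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def created(event):
    return parse_ts(event["time_created_iso8601"])

def latency(event):
    """Delay between the event occurring and it being received."""
    return parse_ts(event["time_received_iso8601"]) - created(event)

def analyze(events, threshold=timedelta(minutes=30)):
    """Report arrival-order inversions, late events and the worst latency."""
    out_of_order, late = [], []
    newest_created = None
    for ev in events:
        # Occurred before an event that was already delivered: non-sequential.
        if newest_created is not None and created(ev) < newest_created:
            out_of_order.append(ev["id"])
        else:
            newest_created = created(ev)
        if latency(ev) > threshold:
            late.append(ev["id"])
    return {
        "out_of_order": out_of_order,
        "late": late,
        "max_latency": max((latency(ev) for ev in events), default=timedelta(0)),
        # Order to use when reconstructing what happened during triage.
        "timeline": [ev["id"] for ev in sorted(events, key=created)],
    }
```

The max_latency value indicates how far back a search or correlation window must reach so that late-arriving events are not missed.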

This integration requires connectivity between your USM Anywhere Sensor and the Microsoft Office 365 Management Activity API. If you have a Sensor deployed in your Azure subscription, you should use this Sensor to configure the AlienApp. If you use a non-Azure Sensor, you must set your firewall permissions to allow the following ingress/egress connections for the Sensor.

Type | Port | Endpoint | Purpose
TCP | 443 | | Authentication for your Office 365 account
TCP | 443 | | Queries to retrieve log data from the Microsoft Office 365 Management Activity API

Before you configure the AlienApp for Office 365, make sure that you have the requirements set up in your Office 365 account for this integration.