Microsoft 365 (Office 365) – SGBox SIEM Integration Guide
This guide explains how to configure SGBox to make API calls to Microsoft 365 (previously called Office 365) in order to collect, in the SGBox SIEM, the events generated by activities managed in Microsoft 365.
Requirements
To complete the tasks outlined in this guide, you’ll need the following:
- Generate SGBox App in Microsoft 365.
- Be sure that the SGBox Appliance can communicate with these addresses:
  - https://login.windows.net/
  - https://manage.office.com/api/v1.0/
- Add a custom Host in SGBox for Microsoft 365.
- Install and configure the Microsoft 365 API package.
- Install and configure the Microsoft 365 package.
Generate SGBox App in Microsoft 365
In order to allow SGBox to connect via API to your Azure tenant and retrieve the Audit logs you need to create a new app for SGBox and assign the correct privileges.
For instructions on how to view logs in your Azure tenant and how to configure an external application to retrieve these logs using API calls, please open a ticket with SGBox support via the ticketing portal, with the ticket subject Microsoft 365 (Office 365) Application Configuration.
Add custom Host in SGBox for Microsoft 365
You must define a Host in SGBox so that the logs collected from Microsoft 365 are written into the SIEM, where they can be archived or analyzed.
- Go to SCM > Network > Host list.
- Click the button ➕ New Host.
- Insert “Microsoft365” or “Office365” in the Host field and save the new host.
Install and configure the Microsoft 365 API package
It is also necessary to install the Microsoft 365 API package in SGBox, which deploys the SIEM configuration used to obtain and analyze Microsoft 365 events.
- Go to SCM > Applications > Packages, find the package named Microsoft 365 (Office 365) API and download it by clicking the Install button.
- Click Install to finish the installation.
Configure SGBox Playbooks for Microsoft 365
- Go to SCM > PB > Playbook and edit [OFFICE 365] Settings and starter.
- Edit the node called O365 credentials and insert the tenant, client_id and client_secret obtained during the step Generate SGBox App in Microsoft 365, then save the changes on the node by clicking the Save button.
- In every PB subflow:
- [OFFICE 365] AzureActiveDirectory Audit
- [OFFICE 365] DLP
- [OFFICE 365] Exchange Audit
- [OFFICE 365] General Audit
- [OFFICE 365] SharePoint Audit
- [OFFICE 365] Windows Defender
- you must edit the node called Write log page: in the field choose from list, select “Microsoft365” (the host previously defined in the Host list) and save the changes on the node by clicking the Save button.
Schedule the [OFFICE 365] Settings and starter PB by clicking the button with the clock icon 🕓, set an appropriate time interval (not less than 5 minutes) and save the change. To run the Playbook, click the Execute button and choose Background run.
If the API connection between Microsoft 365 and SGBox is working, a green 🟢 icon appears in the Status column, and in the Host list the Last Log column for the Microsoft365 host starts showing the timestamp of the last data received from Microsoft 365 in SGBox.
Note: to check the availability of the data collected by SGBox you can also refer to the Historical search page. If the execution of the PB returns an error, a red icon 🔴 is shown. In this case, first check the configuration to make sure there are no errors in the parameters entered for the API connection (tenant, client_id, client_secret); if the problem persists, you can open a ticket with SGBox Support via the ticketing portal.
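To narrow down a red-icon error before opening a ticket, the script below (an added example, not part of this guide and not SGBox's own code) replays from the appliance the same exchange the playbook performs: an OAuth2 client-credentials token request to login.windows.net with the tenant, client_id and client_secret from the O365 credentials node, followed by a call to the manage.office.com subscriptions endpoint. It assumes the app registration has been granted Management Activity API access; the file name check_m365.py and all function names are my own.

```python
# Added example (not SGBox's own code): performs the same API exchange as the
# playbook to validate the O365 credentials values and the two required endpoints.
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.windows.net"          # first required endpoint
MGMT_BASE = "https://manage.office.com/api/v1.0"  # second required endpoint
RESOURCE = "https://manage.office.com"            # audience the token is issued for

def token_request(tenant: str, client_id: str, client_secret: str):
    """Build the OAuth2 client-credentials request as (URL, form-encoded body)."""
    url = f"{LOGIN_BASE}/{tenant}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret,
                                   "resource": RESOURCE}).encode()
    return url, body

def subscriptions_url(tenant: str) -> str:
    """Management Activity API call that lists the audit content subscriptions."""
    return f"{MGMT_BASE}/{tenant}/activity/feed/subscriptions/list"

def parse_token(raw: bytes) -> str:
    """Return the bearer token, or raise with the error description AAD sent back."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error_description', data)}")
    return data["access_token"]

def fetch(req: urllib.request.Request) -> bytes:
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:  # 4xx: both APIs return a JSON error body
        return err.read()

def check_connection(tenant: str, client_id: str, client_secret: str) -> list:
    """Acquire a token, then list subscriptions; a dict instead of a list is an API error."""
    token = parse_token(fetch(urllib.request.Request(*token_request(tenant, client_id, client_secret))))
    req = urllib.request.Request(subscriptions_url(tenant), headers={"Authorization": f"Bearer {token}"})
    subs = json.loads(fetch(req))
    if not isinstance(subs, list):
        raise RuntimeError(f"subscription listing failed: {subs}")
    return subs

if __name__ == "__main__":  # usage: python3 check_m365.py <tenant> <client_id> <client_secret>
    for sub in check_connection(*sys.argv[1:4]):
        print(sub.get("contentType"), sub.get("status"))
```

A token error points at the credentials node values, a connection error at the two addresses under Requirements, and an empty subscription list means no audit content type has been started yet for the tenant.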
Analyzing collected data
- Go to SCM > Applications > Packages, find the package named Microsoft 365 (Office 365) and download it by clicking the Install button.
- During the Installation of the package in the field Select the hosts the package will be associated with choose “Microsoft365” previously defined in the Host list.
- Click Install to finish the installation.
- Go to LM > Configuration > Mapping, edit the mapping called [O365] and, in the field choose from list, select “Microsoft365” (the host previously defined in the Host list); save the changes by clicking the OK button and confirm.
In this way, after a few minutes SGBox begins to analyze the events it has collected, which become searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).