USM Anywhere™

AlienApp for Office 365 Requirements

Before you can configure and use the AlienApp for Office 365, you must make sure that your Microsoft Office 365 environment is set up to support Office 365 Management API calls through Microsoft Azure Active Directory (AD) and audit log search.

Office 365 Account Privileges

To access Office 365 Management APIs (such as mail, contacts, calendar, and files), you must have an Office 365 Business account with global administrator privileges.

See the Microsoft Support article to determine which Office 365 Business products you have.

Note: If you have multiple Office 365 accounts, you must deploy a USM Anywhere Sensor in each Office 365 account from which you want to collect events.

Azure AD Registration

AlienApp for Office 365 configuration includes creating an application in Azure AD. This application securely authenticates the AlienApp for Office 365 so that it can access and collect data according to the services and permission levels that you define. This function requires that your Office 365 account is associated with an Azure subscription.

Important: If you do not already have an Azure subscription, you must create one. The subscription is required to register an app in Azure AD for your Office 365 account.

Before registering the application, you must first save a certificate from the AlienApp for Office 365.

To obtain the certificate

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for Office 365, and then click the tile.
  4. Click the Instructions tab.

    The page contains a manifest for the AlienApp and an abbreviated version of the following procedure.

  5. Save the content of the value field within the manifest in a file named cert.pem.

To register USM Anywhere in Azure

  1. Log in to the Azure portal and click Azure Active Directory.
  2. Go to App registrations and click New registration.

  3. Register the application:

    1. Enter a name for the application.
    2. In Supported account types, select Accounts in any organizational directory.
    3. In Redirect URI, enter your USM Anywhere login URL (for example, https://acmecompany.alienvault.cloud).

    4. Click Register.

      The application is created and the overview page displays.

  4. Add permissions for accessing Office 365 Management APIs:

    1. Go to API permissions and click Add a permission.
    2. Under Request API permissions, click Office 365 Management APIs.
    3. Click Delegated permissions, expand the groups to select all permissions, and then click Add permissions.
    4. Repeat steps 1 through 3, but this time click Application permissions.

      Warning: You must select all permissions under both Delegated permissions and Application permissions. If the required permissions are not in place, USM Anywhere cannot retrieve events from your Office 365 account.

    5. At the bottom of the page, click Grant admin consent for Default Directory and then Yes when prompted.

      You must grant permissions for the application to work.

  5. Add permissions for pulling Azure AD users:

    1. Go to API permissions and click Add a permission.
    2. Under Request API permissions, click Microsoft Graph.
    3. Click Application permissions.
    4. Expand User and select User.Read.All, and then click Add permissions.

    5. Click Grant admin consent for Default Directory and then Yes when prompted.

      You must grant permissions for the application to work.

  6. Update the credentials of the application:

    1. Go to Certificates & secrets.

    2. Select the cert.pem file created in the previous procedure and click Add.

      The credentials of the application are updated.

  7. Return to the overview page of the application and copy the Application (client) ID and Directory (tenant) ID to your clipboard.

Return to USM Anywhere to finish setting up the AlienApp for Office 365. See Configuring the AlienApp for Office 365 for details.
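
To review what the registration ended up with, the following added example (not part of the AlienVault procedure) lists the application permissions, delegated scopes, and uploaded certificate for the app. It assumes the Microsoft Graph PowerShell SDK is installed and an account that can consent to the read scopes shown; $AppId is a placeholder for the Application (client) ID copied in step 7, and Get-Api is a helper defined here.

```powershell
# Added example: review the app registration from the procedure above.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# $AppId is a placeholder for the Application (client) ID from step 7.
$AppId = '<Application (client) ID>'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for application ID $AppId" }

# Cache the resource APIs (Office 365 Management APIs, Microsoft Graph) by object ID.
$apis = @{}
function Get-Api($id) {
    if (-not $apis.ContainsKey($id)) {
        $apis[$id] = Get-MgServicePrincipal -ServicePrincipalId $id
    }
    $apis[$id]
}

# Application permissions that received admin consent.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $grant = $_
        $api   = Get-Api $grant.ResourceId
        [pscustomobject]@{
            Api        = $api.DisplayName
            Permission = ($api.AppRoles | Where-Object Id -eq $grant.AppRoleId).Value
        }
    } | Sort-Object Api, Permission | Format-Table -AutoSize

# Delegated permissions (scopes) consented for the app.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        [pscustomobject]@{
            Api         = (Get-Api $_.ResourceId).DisplayName
            ConsentType = $_.ConsentType
            Scopes      = $_.Scope
        }
    } | Format-Table -AutoSize -Wrap

# Uploaded certificate: thumbprint and expiry, to compare with cert.pem.
(Get-MgApplication -Filter "appId eq '$AppId'").KeyCredentials |
    Select-Object DisplayName, Type, EndDateTime,
        @{ Name = 'Thumbprint'
           Expression = { [BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-' } } |
    Format-List
```

The output should show only the Office 365 Management APIs and Microsoft Graph (User.Read.All) grants made in steps 4 and 5, and a single certificate credential; anything else on the app is worth investigating.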

Audit Log Search

Office 365 audit logging records almost every major action, including Office 365 logins, viewing documents, downloading documents, sharing documents, setting changes, and password resets. Office 365 includes the Security & Compliance Center to support search capabilities for these logs. You can use the search capabilities to compare events generated by the AlienApp for Office 365 with the information logged in the Office 365 environment.

This feature is required for logs to be collected, and is enabled by default as of January 2019. See the Microsoft Support article for more detailed information.

Mailbox Auditing

To collect additional mailbox access activity in your Office 365 environment, you must enable mailbox audit logging. Microsoft mailbox auditing records actions performed by mailbox owners, delegates, and administrators. Mailbox auditing in Office 365 is not mandatory for log collection using the AlienApp for Office 365, but it is turned on by default starting in January 2019. See the Microsoft Support article for detailed information.

Note: Enabling mailbox auditing requires that you can connect to Microsoft Exchange Online PowerShell. See Using PowerShell with Exchange Online on the Microsoft site for more information.

It is a best practice to enable global audit logging, including non-owner mailbox access on every mailbox in your tenancy. You can use the following command to enable this auditing:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update,UpdateInboxRules
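
To confirm the audit settings described in the Audit Log Search and Mailbox Auditing sections, the following added example (not part of the AlienVault documentation) reports the tenant-level audit switches and lists mailboxes that are missing any of the owner actions set by the command above. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline; $expectedOwner and the report column names are chosen here for illustration.

```powershell
# Added example: run in an Exchange Online PowerShell session.
# Tenant-level switches: unified audit log ingestion (required for audit
# log search) and the organization-wide mailbox auditing setting.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Format-List AuditDisabled

# Owner actions that the Set-Mailbox command above is meant to enable.
$expectedOwner = 'Create', 'HardDelete', 'MailboxLogin', 'MoveToDeletedItems',
                 'SoftDelete', 'Update', 'UpdateInboxRules'

# Same mailbox types as the command above.
$types = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'DiscoveryMailbox'

$gaps = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -in $types } |
    ForEach-Object {
        $mbx     = $_
        # Normalize the configured owner actions to plain strings.
        $owner   = @($mbx.AuditOwner | ForEach-Object { "$_" })
        $missing = @($expectedOwner | Where-Object { $_ -notin $owner })

        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox       = $mbx.UserPrincipalName
                Type          = $mbx.RecipientTypeDetails
                AuditEnabled  = $mbx.AuditEnabled
                AgeLimit      = $mbx.AuditLogAgeLimit
                MissingOwner  = $missing -join ','
            }
        }
    }

if ($gaps) {
    $gaps | Sort-Object Type, Mailbox | Format-Table -AutoSize
} else {
    'All checked mailboxes have auditing enabled with the expected owner actions.'
}
```

UnifiedAuditLogIngestionEnabled should be True and AuditDisabled should be False. Where mailbox auditing is on by default for the organization, a mailbox can still report AuditEnabled as False, so treat that column together with the organization setting rather than on its own.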