Microsoft Office 365 Cloud App Security

When you configure your Office 365 Cloud App Security (formerly named Office 365 Advanced Security Management) to send log data to USM Appliance, you can use the Office 365 Advanced Security Management plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

Device Details
  Vendor: Microsoft
  Device Type: Unified Threat Management
  Connection Type: Syslog
  Data Source Name: O365-asm
  Data Source ID: 1885

Integrating Microsoft Office 365 Cloud App Security

According to the Microsoft documentation, integrating Office 365 Cloud App Security with a SIEM server requires downloading a SIEM Agent (a JAR file) and running it on that server. Because unauthorized modification of USM Appliance can lead to instability, you must install the SIEM Agent on a separate machine (referred to below as the Syslog Forwarder) and then forward the syslog messages from it to USM Appliance.

Before you configure the Microsoft Office 365 Cloud App Security integration, you must know the IP addresses of both the Syslog Forwarder and the USM Appliance Sensor.

To configure Office 365 Cloud App Security to send CEF-formatted alerts to USM Appliance

  1. In the Office 365 Cloud App Security portal, select Settings > SIEM agents.
  2. Click Add SIEM agent to start the wizard.
  3. In the wizard, click Add SIEM agent.
  4. Specify a name for the agent.
  5. In Select your SIEM format, choose Generic CEF.

  6. Expand Advanced settings and select RFC 3164 as the time format.
  7. Click Next.
  8. Enter the IP address of the Syslog Forwarder as the remote syslog host, 514 as the port, and UDP as the protocol.

  9. Click Next.
  10. Select the Activities you want to export to USM Appliance. By default, everything is selected.
  11. Click Next.
  12. Copy the SIEM agent token and save it for later. Then, click Finish to leave the wizard.

    Returning to the SIEM page, you will see the SIEM agent you added.

  13. On the Syslog Forwarder, download the Microsoft Cloud App Security SIEM Agent and unzip it to extract the .jar file.

    Java 8 must be installed and running on the Syslog Forwarder.
  14. Run the .jar file from the CLI:

    java -jar mcas-siemagent-0.87.20-signed.jar --token TOKEN

    Note: The name of the .jar file may vary, depending on the version of the SIEM agent. TOKEN is the SIEM agent token you copied in Step 12.

  15. Confirm that the SIEM agent is working.

    • In the Office 365 Cloud App Security portal, make sure the status of the SIEM agent is Connected.
    • On the Syslog Forwarder, make sure you see alerts arriving from Office 365 Cloud App Security.
  16. Using your preferred method, forward the logs to USM Appliance.

    For example, you can create a syslog configuration with the following content:

    *.* @@<USM-Appliance-Sensor-IP-Address>:514
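As an added example (it is not AlienVault plugin code or Microsoft's SIEM agent), the following Python parses a line in the shape the procedure above produces: an RFC 3164 syslog header (the time format chosen in step 6) wrapping a Generic CEF record (step 5), which is what the O365-asm plugin normalizes on the Sensor. The sample line is constructed, not captured from a tenant; the MCAS|SIEM_Agent vendor/product strings and the extension field names are assumptions about what the agent emits. One caveat for step 16: in rsyslog a double `@@` forwards over TCP and a single `@` over UDP, so the configuration line above sends to the Sensor over TCP 514 while the agent delivers to the forwarder over UDP 514 (step 8); make sure the Sensor is listening on the protocol you choose.

```python
"""Added example: parse the RFC 3164 syslog + CEF lines that the Cloud App
Security SIEM agent sends to the Syslog Forwarder (the shape the O365-asm
plugin normalises on the USM Appliance Sensor)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME " followed by the message.
SYSLOG_3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")
# A new extension key starts at the beginning or after whitespace; a literal "="
# inside a value must be escaped as "\=" per the CEF spec, so it never matches here.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
# csNLabel / cnNLabel / ... fields carry the human name of the custom field beside them.
LABEL_KEY = re.compile(r"^(c(?:s|n|fp)\d+|c6a\d+|deviceCustomDate\d+)Label$")


def split_cef_header(text: str) -> Tuple[List[str], str]:
    """Split the seven '|'-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (fields, remaining extension string)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped '|' or '\'
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, text[i:]


def unescape_ext(value: str) -> str:
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline/CR."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1])); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value' where values may themselves contain spaces."""
    keys = list(EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end].rstrip())
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Turn e.g. 'cs1Label=portalURL cs1=https://x' into 'portalURL': 'https://x'."""
    out = dict(ext)
    for key in list(ext):
        m = LABEL_KEY.match(key)
        if m:
            label, base = out.pop(key), m.group(1)
            if base in out and label:
                out[label] = out.pop(base)   # a label clashing with a real key overwrites it
    return out


def parse_syslog_cef(line: str) -> Optional[dict]:
    """Return a normalised event dict, or None when the line carries no CEF record."""
    m = SYSLOG_3164.match(line.strip())
    pri = int(m.group("pri")) if m else None
    msg = m.group("msg") if m else line.strip()   # tolerate a line without a PRI header
    start = msg.find("CEF:")
    if start < 0:
        return None
    fields, ext = split_cef_header(msg[start:])
    event = dict(zip(CEF_HEADER_FIELDS, fields))
    event["version"] = event["version"][len("CEF:"):]
    event["severity"] = int(event["severity"]) if event["severity"].isdigit() else event["severity"]
    event["facility"] = pri // 8 if pri is not None else None
    event["syslog_severity"] = pri % 8 if pri is not None else None
    event["syslog_timestamp"] = m.group("ts") if m else None   # RFC 3164 carries no year
    event["host"] = m.group("host") if m else None
    event["extension"] = resolve_labels(parse_cef_extension(ext))
    rt = event["extension"].get("rt")   # CEF receipt time, epoch milliseconds
    if rt and rt.isdigit():
        ms = int(rt)
        event["event_time_utc"] = (datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
                                   + timedelta(milliseconds=ms % 1000)).isoformat()
    return event


# Constructed sample line (not captured from a real tenant); the MCAS|SIEM_Agent
# vendor/product strings are an assumption about what the agent emits.
SAMPLE_LINE = (
    "<134>Jul 15 09:13:24 forwarder01 CEF:0|MCAS|SIEM_Agent|0.111.85|"
    "EVENT_CATEGORY_LOGIN|Log on|0|externalId=1521402510456 rt=1521402510456 "
    "msg=Log on: Raw event description\\=UserLoggedIn suser=alice@example.com "
    "destinationServiceName=Office 365 dvc=203.0.113.10 "
    "cs1Label=portalURL cs1=https://portal.example.test/alert cs4Label=policyIDs cs4="
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_syslog_cef(SAMPLE_LINE), indent=2))
```

Running the script prints the normalized event for the constructed line; feeding it lines captured on the Syslog Forwarder in step 15 is a quick way to confirm that the agent is sending CEF with the RFC 3164 header before you forward to the Sensor. The extension splitter relies on the CEF rule that `=` inside a value is escaped as `\=`; a producer that violates it will be split at the wrong place, which is worth knowing when a field shows up truncated in USM Appliance.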

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://support.office.com/en-us/article/integrate-your-siem-server-with-office-365-cloud-app-security-dd6d2417-49c4-4de6-9294-67fdabbf8532?ui=en-US&rs=en-US&ad=US