To say that setting up Office 365 for external access is a bit more involved than your normal data source could be an understatement.

I was a little surprised after 20 steps and 3 different portals that there weren't any GUI toggles to finish the job and enable the event feed subscriptions required to see the events, so I ended up writing a script to do it (linked below).

Let's get started.

 

Part 1: Configure O365

To configure Office 365, the ESM requires three values: the Tenant ID, the Client Key and the Secret Key.
This process will enable logging, create and authorize an app to access the log data, and collect the information needed to configure the data source on the McAfee ESM.

  1. Log into Office 365 at: https://login.microsoftonline.com
  2. Select Security and Compliance from the App list.
    [screenshot: sec_comp.PNG]
  3. Expand Search & Investigation and then select Audit log search. If the option has never been selected before, Start recording user and admin activities will show as an active link.
    If you see this link, click it. Once you have clicked the link, or if you don't see the link, close the tab to return to the O365 App List.
    [screenshot: o365_enable_audit_log-marked.png]
  4. Select the Admin tile from the App list.
    [screenshot: admin1.PNG]
    This will open a new tab for the Office 365 Admin Portal.
  5. At the bottom of the left menu, expand Admin centers and select Azure AD.
    This will open a new tab for the Azure Active Directory Admin Center.
  6. Select Properties from the menu. The Directory ID is what the ESM calls the Tenant ID. Copy this string for later use; it is required to configure the ESM.
    [screenshot: tenant-id.PNG]
  7. Select App Registrations from the Azure AD menu.
  8. Click New Application Registration.
    [screenshot: app_reg1.PNG]
  9. Enter the information for the App. The name is arbitrary and the Sign-on URL is just a placeholder.
    1. Name: McAfee SIEM
    2. Application Type: Web app / API
    3. Sign-on URL: http://localhost:1234
  10. Click Create at the bottom.
  11. Select the newly registered App.
    [screenshot: new_app1.PNG]
  12. Copy the Application ID for later use. This is your Client Key.
    [screenshot: client_key.PNG]
  13. Select Keys from the Settings menu.
  14. Give the key a name and set the Duration.
    [screenshot: keys2.PNG]
  15. When you click the Save button you will see the following screen. Copy the Secret Key for later use.
    This is the only time it will ever be visible. Click the X in the top corner to close the Keys settings.
    Note: if you lose your key, just create another one.
  16. Click Required permissions from the menu and select Add at the top.
    [screenshot: perms2.PNG]
  17. Click Select an API, then choose Office 365 Management APIs and click the Select button at the bottom.
    [screenshot: perms3.PNG]
  18. Click Office 365 Management APIs.
    [screenshot: perms4.PNG]
  19. Under Application Permissions, check the boxes for:
    1. Read service health information for your organization
    2. Read activity data for your organization
    3. Read DLP policy events including detected sensitive data
    [screenshot: perms5.PNG]
  20. Click the Grant Permissions button at the top.
    [screenshot: grant_perms1.PNG]


That wraps up the O365 configuration!

At this point you should have your Tenant ID (step 6), Client ID (step 12) and Secret Key (step 14) copied and available for later use.

Part 2: Enabling Subscriptions

For our next task, subscriptions need to be enabled. The reason that Microsoft would build out a maze of UIs and portals but leave out checkboxes for these is beyond me, but to fill the gap I created a small script that allows subscriptions to be enabled or disabled via a menu.

The script is written in Python 3 for those on *nix-based operating systems and is also available as a Windows executable. The EXE is the easiest choice; the only requirement for the Windows machine it runs on is Internet access.

Generally, the script will be used just a single time to enable some or all of your auditing categories, and then it can be deleted.

It can be downloaded here: Microsoft Office 365 Subscription Toggle Tool

Source code available at: https://github.com/andywalden/esm_o365_cfg/

When you run the script or executable you will be prompted for the three values copied above. Assuming everything is set up properly, the script will list the available subscriptions and their current status. Initially all subscriptions are disabled. Enter the corresponding number (1-5) to toggle a subscription between enabled and disabled.


============================================================
This script will enable or disable Office 365 subscriptions.
============================================================
Please enter the required data.

The Tenant ID is listed under Azure Active Directory | Properties and labeled "Directory ID".
Example: cb6497bf-4029-455f-9f7a-e76feekf84nf

Enter Tenant ID: cb6497bf-4029-4r5d-1f7g-f73fee6a41da

The Client Key is available after app registration and labeled "Application ID"App Registrations | <ESM App Name> | Application ID
Example: 553dd2ba-251b-47d5-893d-2f7ab26adf29

Enter Client Key: 975403d8-b1d3-49a7-ad4d-ead9c6d9c3a7

The Secret Key is accessible only one time after the App has been registered:
Example: D8perHbL9gAqx4vx5YbuffCDsvz2Pbdswey72FYRDNk=

Enter Secret Key: XN7714rvZlRvoJ2scJ2y4ehNbEyUvgmoJ9Kq7qsekCg=

Enter 1-5 to enable/disable subscriptions or 0 to exit
1. Audit.AzureActiveDirectory: disabled
2. Audit.Exchange: disabled
3. Audit.General: disabled
4. Audit.SharePoint: disabled
5. DLP.All: enabled
Enter 0-5: 1

Enter 1-5 to enable/disable subscriptions or 0 to exit
1. Audit.AzureActiveDirectory: enabled
2. Audit.Exchange: disabled
3. Audit.General: disabled
4. Audit.SharePoint: disabled
5. DLP.All: enabled
Enter 0-5: 5

Enter 1-5 to enable/disable subscriptions or 0 to exit
1. Audit.AzureActiveDirectory: enabled
2. Audit.Exchange: disabled
3. Audit.General: disabled
4. Audit.SharePoint: disabled
5. DLP.All: disabled
Enter 0-5: 3

Enter 1-5 to enable/disable subscriptions or 0 to exit
1. Audit.AzureActiveDirectory: enabled
2. Audit.Exchange: disabled
3. Audit.General: enabled
4. Audit.SharePoint: disabled
5. DLP.All: disabled
Enter 0-5: 0


Use the script to enable the subscriptions to the relevant content types.
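To show what the toggle tool is doing behind its menu, here is an added Python example (not the author's script) that builds the OAuth2 client-credentials token request and the Office 365 Management Activity API subscription list/start/stop URLs, and mirrors the menu's enable/disable decision. The endpoint paths and the manage.office.com resource follow the public API rather than anything on this page, and SAMPLE_LIST is a constructed list response; call_api is the only part that needs network access.

```python
# Added example (not the page's toggle tool): request builders and menu logic for the
# Office 365 Management Activity API subscription endpoints.
import json
import urllib.parse
import urllib.request

RESOURCE = "https://manage.office.com"          # API resource the token is issued for
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",   # menu order used above
                 "Audit.General", "Audit.SharePoint", "DLP.All"]

def token_request(tenant_id, client_key, secret_key):
    """OAuth2 client-credentials request as (url, form body) for the registered app."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_key,      # Application ID (step 12)
                                   "client_secret": secret_key,  # key shown once (step 15)
                                   "resource": RESOURCE}).encode()
    return url, body

def subscription_url(tenant_id, action, content_type=None):
    """URL of the list / start / stop endpoint, with the contentType query when given."""
    url = f"{RESOURCE}/api/v1.0/{tenant_id}/activity/feed/subscriptions/{action}"
    if content_type:
        url += "?" + urllib.parse.urlencode({"contentType": content_type})
    return url

def status_table(list_response):
    """Map the API's list response onto the fixed menu; absent types count as disabled."""
    enabled = {s["contentType"] for s in list_response if s.get("status") == "enabled"}
    return [(ct, "enabled" if ct in enabled else "disabled") for ct in CONTENT_TYPES]

def toggle_action(table, choice):
    """Menu number 1-5 -> ('start' or 'stop', content type); other numbers are rejected."""
    if not 1 <= choice <= len(table):
        raise ValueError(f"choose 1-{len(table)}")
    content_type, status = table[choice - 1]
    return ("stop" if status == "enabled" else "start"), content_type

def call_api(url, method="GET", token=None, data=None):
    """One HTTPS request (token request or subscription call); decodes the JSON reply."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode() or "null")

# Constructed sample list response matching the transcript's initial state.
SAMPLE_LIST = [{"contentType": "DLP.All", "status": "enabled", "webhook": None},
               {"contentType": "Audit.Exchange", "status": "disabled", "webhook": None}]
```

End to end: POST the token_request body with call_api and take the access_token from the reply, GET subscription_url(tenant, "list") to fill status_table, then POST subscription_url(tenant, *toggle_action(table, n)) for the chosen menu entry.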

Part 3: Configure the ESM

  1. On the ESM, select the Receiver that will be handling the O365 events and click the Add icon at the top of the Device Tree.
  2. Select Microsoft as the Data Source Vendor and Office 365 as the Data Source Model.
  3. Check the Parsing box, and check the Logging box to send the events to an ELM/ELS.
  4. Populate the 3 fields with the collected information.
    [screenshot: datasource.PNG]
  5. Click Connect to verify the settings.
    [screenshot: success.PNG]
  6. Click OK, write the data source and roll out the policy.

It could take up to 12 hours for events to appear, per Microsoft's documentation.