O365 configuration to forward events to CCE

Last Updated on: 9/24/2019

Forwarding events from O365 to the Seceon CCE requires two steps, explained in the following sections: first the CCE is registered as a SIEM agent on the O365 portal, then the token produced by that registration is entered on the Seceon side.

Configure the CCE on the O365 portal:

1. Go to: https://www.office.com/?auth=2

2. Log in with your credentials:

   username - for example: Someone@seceon.onmicrosoft.com

3. Go to Security & Compliance:

4. Expand the Alerts menu -> Manage advanced alerts -> click "Go to Office 365 Cloud App Security"

5. Go to the settings option (top right corner) -> click "Security extensions"


Please Note

The "Security extensions" option is a separate feature and may not be visible until it has been enabled for your tenant. If you do not see it after logging in, contact Microsoft support to have it enabled.

6. Select SIEM agents -> Add SIEM agent -> Start wizard -> enter the SIEM agent name "Seceon SIEM Agent"

7. Select the SIEM format "Generic CEF"

8. Enter the remote syslog host "127.0.0.1" (the SIEM agent runs on the CCE and forwards to it internally, so the loopback address is used)

9. Enter the remote syslog port "514"

10. Select the remote syslog protocol "UDP"

11. Select the data type you want to export to your SIEM agent: "All activities"

12. Copy the token shown at the end of the wizard - for example: "XEpMSkBBAVpcHQFfQF1bTkMBTENAWktOX19cSkxaXUZbVgFMQEJTGEwXTk4dTRYcHx1NSx5LHB1JGx8fGR5KHxkZG04YGh0WSk4YHBhLHRoaTktMShgfHB8eHhcfF0kfGB5LSUossjsjj==" (example only)


Note: an invalid token causes the SIEM agent container on the CCE to restart, and the installation fails. Treat the token as a credential: it authorizes the agent to pull your tenant's activity and alert data, so do not paste it into tickets or chat.
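What the CCE receives after these steps is a stream of "Generic CEF" records over syslog/UDP. The following Python script is an added example for this page, not part of Seceon's instructions and not Seceon's or Microsoft's code: it parses such a record (handling CEF's escaping of | and \ in the header and of = and \ in extension values, and folding the csN/csNLabel pairs into named fields) and includes a loopback UDP round trip to confirm a record survives the syslog host, port and protocol settings configured above. The sample event, including every ID, address, user and URL in it, is constructed; the record layout (ISO timestamp prefix, then CEF:0|MCAS|SIEM_Agent|...) is assumed from Microsoft's published sample format. The CCE listens on UDP 514, which needs root, so the round trip binds an ephemeral port instead.

```python
"""Parse the Generic CEF events that the Cloud App Security SIEM agent forwards
over syslog/UDP to the Seceon CCE.

Added example for this page; it is not Seceon's or Microsoft's code.  The
sample event below is constructed to resemble an MCAS Generic CEF record; every
value in it (IDs, IPs, user, URL) is invented.
"""
import re
import socket
from datetime import datetime, timezone

# Constructed sample, in the shape the agent is documented to emit: an ISO
# timestamp, the CEF header (7 pipe-delimited fields), then key=value pairs.
SAMPLE_EVENT = (
    "2019-09-24T10:15:42.000Z "
    "CEF:0|MCAS|SIEM_Agent|0.111.85|EVENT_CATEGORY_LOGIN|Log on|0|"
    "externalId=1234567890123456789 rt=1569320142000 "
    "start=1569320142000 end=1569320142000 "
    "msg=Log on from IP 203.0.113.10 suser=someone@seceon.onmicrosoft.com "
    "destinationServiceName=Office 365 dvc=203.0.113.10 "
    "requestClientApplication=Browser "
    "cs1Label=portalURL "
    "cs1=https://portal.cloudappsecurity.com/#/audits?activity.id\\=eq(1234,) "
    "cs2Label=uniqueServiceAppIdentifier cs2=APPID_O365 "
    "cs3Label=targetObjects cs3=[\"someone@seceon.onmicrosoft.com\"] "
    "cs4Label=policyIDs cs4=[]"
)

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "signature_id", "name", "severity")
# One extension pair: key=value.  The value may contain escaped characters
# (\= \\ \n \r) and ends before the next " key=" or at the end of the record.
_EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")
_ESCAPES = {"n": "\n", "r": "\r"}


def _split_header(record: str):
    """Return the 7 CEF header fields (with escaped pipes and backslashes
    unescaped) and the remaining extension string."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):      # escaped char: keep literal
            cur.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, record[i:]


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record.  Anything before 'CEF:'
    (PRI, timestamp, host) is ignored.  csN/csNLabel pairs are folded into the
    extension under the label's name, and rt (epoch ms) becomes a UTC datetime."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields, ext_str = _split_header(line[start:].rstrip("\r\n"))
    event = dict(zip(_HEADER_FIELDS, fields))
    event["severity"] = int(event["severity"])
    raw = {k: _unescape(v) for k, v in _EXT_PAIR.findall(ext_str)}
    ext = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue                                  # consumed via its partner
        label = raw.get(key + "Label")
        ext[label if label else key] = value
    event["extension"] = ext
    if "rt" in ext:
        event["timestamp"] = datetime.fromtimestamp(int(ext["rt"]) / 1000,
                                                    tz=timezone.utc)
    return event


def udp_roundtrip(event: str, host: str = "127.0.0.1") -> dict:
    """Send `event` to a throwaway UDP listener on `host`, the way the SIEM
    agent sends to the CCE's syslog listener, and return the parsed copy.
    The CCE listens on UDP 514 (privileged); this binds an ephemeral port."""
    payload = event.encode("utf-8")
    if len(payload) > 65507:             # hard ceiling for an IPv4 UDP payload
        raise ValueError("event too large for a single UDP datagram")
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, 0))
        rx.settimeout(2.0)
        tx.sendto(payload, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return parse_cef(data.decode("utf-8"))


if __name__ == "__main__":
    ev = udp_roundtrip(SAMPLE_EVENT)
    print(ev["vendor"], ev["signature_id"], ev["name"], ev["timestamp"].isoformat())
    print(ev["extension"]["suser"], "->", ev["extension"]["portalURL"])
```

Run it on the CCE (or any host) to see the fields a record decomposes into; to check the real listener, point `udp_roundtrip` at the CCE address and port 514 only from a process allowed to bind it, or simply run `parse_cef` over lines captured from the syslog port. The parser relies on CEF's rule that an unescaped "=" in a value is illegal, so the next " key=" boundary is unambiguous; a record from a sender that breaks that rule will mis-split.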

Configure O365 from the Seceon GUI:

1. Log in to the Seceon GUI (on the tenant side, in an MSSP deployment) with the administrator role and go to the "Provisioning" tab.

2. Go to the "Cloud Device Configuration".


3. Click on Add button, and choose "Office 365" in "Cloud Log Devices".

4. Fill in the form with the CCE IP address and the token copied from the SIEM agent wizard.

The following hosts must be reachable (allowed through any outbound firewall or proxy) for the integration to work:

  1. graph.microsoft.com
  2. manage.office.com
  3. login.microsoftonline.com
  4. login.windows.net

Notes:

Microsoft has two related products: Microsoft Cloud App Security (MCAS) and Office 365 Cloud App Security (O365CAS). The instructions above are for Microsoft Cloud App Security: https://docs.microsoft.com/en-us/cloud-app-security/siem

A comparison of MCAS and O365CAS is available at: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365

  •  MCAS includes alerts and activity logs across SaaS apps.
  •  O365CAS, available to tenants with an Office 365 E5 license, covers Office 365 only, so with it you will see Office 365 alerts only.