Microsoft Office 365

The IBM® QRadar® DSM for Microsoft Office 365 collects events from Microsoft Office 365 online services.

Important: The Service Communications API endpoint is no longer available for use because it was deprecated by Microsoft. For more information, see APAR IJ37562 (https://www.ibm.com/support/pages/apar/IJ37562).
The following table describes the specifications for the Microsoft Office 365 DSM:
Table 1. Microsoft Office 365 DSM specifications
Specification Value
Manufacturer Microsoft
DSM name Microsoft Office 365
RPM file name DSM-MicrosoftOffice365-QRadar_version-build_number.noarch.rpm
Supported versions N/A
Protocol Office 365 REST API
Event format JSON
Recorded event types Exchange Audit, SharePoint Audit, Azure Active Directory Audit
Automatically discovered? No
Includes identity? No
Includes custom properties? No
More information Microsoft website (https://www.microsoft.com)
To integrate Microsoft Office 365 with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website onto your QRadar Console.
    • Protocol Common RPM
    • Office 365 REST API Protocol RPM
    • Microsoft Office 365 DSM RPM
  2. Configure a Microsoft Office 365 account in the Microsoft Azure portal.
  3. Add a Microsoft Office 365 log source on the QRadar Console. For more information about adding a log source, see the Adding a log source topic. The following table describes the log source parameters that require specific values for Microsoft Office 365 event collection:
    Table 2. Microsoft Office 365 log source parameters
    Parameter Value
    Log Source type Microsoft Office 365
    Protocol Configuration Office 365 REST API
    Log Source Identifier

    A unique identifier for the log source.

    The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you configured multiple Microsoft Office 365 log sources, you might want to identify the first log source as MSOffice365-1, the second log source as MSOffice365-2, and the third log source as MSOffice365-3.

    Client ID In your application configuration of Azure Active Directory, this parameter is under Client ID.
    Client Secret In your application configuration of Azure Active Directory, this parameter is under Value.
    Tenant ID Used for Azure AD authentication.
    Event Filter
    The type of audit events to retrieve from Microsoft Office.
    • Azure Active Directory
    • Exchange
    • SharePoint
    • General
    • DLP
    Use Proxy

    For QRadar to access the Office 365 Management APIs, all traffic for the log source travels through configured proxies.

    Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, keep the Proxy Username and Proxy Password fields empty.

    EPS Throttle

    The maximum number of events per second.

    The default is 5000.

    Show Advanced Options Show optional advanced options for event collection. The Advanced Options values are in effect whether they are shown or not.
    Management Activity API URL Specify the Office 365 Management Activity API URL. Default is https://manage.office.com.
    Azure AD Sign-in URL Specify the Azure AD sign-in URL. Default is https://login.microsoftonline.com.
  4. Test the connectivity to the Office365 log source. Follow in the instructions in this technote: QRadar: Test connectivity to set up an Office365 log source.