Microsoft Office 365
Use the IBM® QRadar® Microsoft Office 365 Content Extension to closely monitor your Microsoft Office 365 deployment. The IBM Security QRadar Microsoft Office 365 content extension adds rules, building blocks, reports, saved searches, and custom event properties to build on existing QRadar event parsing capabilities for Microsoft Office 365 deployments.
IBM Security QRadar Microsoft Office 365 Content Extensions
- IBM Security QRadar Microsoft Office 365 Content Extension V1.4.0
- IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0
- IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1
- IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
- IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0
- IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
IBM Security QRadar Microsoft Office 365 Content Extension V1.4.0
The rules, reports, and saved searches have been removed and migrated to the Hybrid Cloud content extension.
IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Audit Flags | Yes | 1 | \bName":"Default","Value":"(.*?)" |
Content Information | Yes | 1 | \bName":"Domains","Value":"(.*?)" |
Content Information | Yes | 1 | \bName":"Roles","Value":"(.*?)" |
Object Name | Yes | 1 | /"Case" |
Object Type | Yes | 1 | /"ObjectType" |
Policy Name | Yes | 1 | \bObjectId":".*?\\\\(.*?)" |
Role Name | Yes | 1 | Role.DisplayName.*?,"NewValue":"(.*?)" |
Role Name | Yes | 1 | \bName":"Identity","Value":"(.*?)" |
Search Executed | Yes | 1 | \bObjectId":".*?\\\\(.*?)" |
Search Executed | Yes | 1 | \bObjectId":".*?\\\\(.*?)\\\\.*?" |
Search Executed | Yes | 1 | -SearchName\s+\(\\\"(.*?)\\\"\) |
IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1
The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
ObjectType | Yes | 1 | ItemType\":\"([^\"]+) |
Originating_User | Yes | 1 | UserId[":]*([^"]*) |
Recipient Host | Yes | 1 | TargetUserOrGroupName\":\"[^\"@]*@([^\"]*) |
Recipient_User | Yes | 1 | Value":"[^"]*?:([^"]*) |
Subject | Yes | 1 | Subject[":]*([^"]*) |
Subject | Yes | 1 | Subject[":]*([^"]*) |
Target User Name | Yes | 1 | MailboxOwnerUPN[":]*([^"]*) |
Target User Name | Yes | 1 | ObjectId[":]*([^"]*) |
Target User Name | Yes | 1 | ObjectId[":]*([^"]*) |
IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Policy Name | Yes | 1 | ObjectId\":\"([^\"]+) |
Recipient Host | Yes | 1 | TargetUserOrGroupName\":\"[^\"@]*@([^\"]*) |
Recipient_User | Yes | 1 | TargetUserOrGroupType\":\"(?:Member|Guest).*TargetUserOrGroupName\":\"([^\"]+) |
Role Name | Yes | 1 | Roles\",\"Value\":\"([^\"]+) |
Role Name | Yes | 1 | Role\",\"Value\":\"([^\"]+) |
Target User Name | Yes | 1 | TargetUserOrGroupName\":\"([^\"]+) |
The following table shows the new rules and building blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Object Access Events | Added new building block to Office 365 content pack |
Building Block | BB:CategoryDefinition: Object Download Events | Added new building block to Office 365 content pack |
Building Block | BB:CategoryDefinition: Object Upload Events | Added new building block to Office 365 content pack |
The following table shows the changed saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.
Name | Description |
---|---|
Office365: File Activity | The filter for this saved search has been changed to use BB:CategoryDefinition: Object Access Events, BB:CategoryDefinition: Object Download Events, and BB:CategoryDefinition: Object Upload Events instead of the removed Office 365 - File Activity reference set. |
The following table shows the removed reference data in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.
Type | Name | Description |
---|---|---|
Reference Set | Office 365 - File Activity | Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied. |
IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0
The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Affected Workload | Yes | 1 | Workload\":\"([^\"]+) |
Error Code | Yes | 1 | LogonError\":\"([^\"]+) |
File Directory | Yes | 1 | SourceRelativeUrl\":\"((?:[^\"]*\/)(?=[^\.\"]+\.)|(?:[^\"]+))[^\"]* |
File Extension | Yes | 1 | SourceFileExtension\":\"([^\"]+) |
Filename | Yes | 1 | SourceFileName\":\"([^\"]+) |
Group Name | Yes | 1 | TargetUserOrGroupType\":\"[^\"]*Group.*TargetUserOrGroupName\":\"([^\"]+) |
Group Name | Yes | 1 | Group\.DisplayName\",\"Value\":\"([^\"]+) |
ObjectType | No | 1 | ItemType\":\"([^\"]+) |
Policy Name | Yes | 1 | ObjectId\":\"([^\"]+) |
Recipient Host | Yes | 1 | TargetUserOrGroupName\":\"[^\"@]*@([^\"]*) |
Recipient_User | Yes | 1 | TargetUserOrGroupType\":\"(?:Member|Guest).*TargetUserOrGroupName\":\"([^\"]+) |
Target User Area | Yes | 1 | TargetUserOrGroupType\":\"([^\"]+) |
Target User Name | Yes | 1 | ObjectId\":\"([^\"]*) |
Target User Name | Yes | 1 | TargetUserOrGroupName\":\"([^\"]+) |
User Agent | No | 1 | TargetUserOrGroupName\":\"([^\"]+) |
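The following Python script is added here as an illustration and is not part of the IBM content extension. It applies a selection of the expressions from the V1.1.0, V1.2.0, and V1.3.0 tables to two constructed Office 365 Management Activity API records (invented values; the field names follow the API schema). QRadar evaluates custom-property expressions with Java's regex engine against the raw event payload; Python's re module behaves the same for these patterns. Two things the run makes visible: the payload is JSON, so the single backslash in an Exchange ObjectId arrives as two characters, and the `\\\\` in the V1.3.0 Policy Name expression is what isolates the name after it, whereas the V1.2.0 expression returns the whole escaped value; and the Recipient_User expression matches only when TargetUserOrGroupType precedes TargetUserOrGroupName in the serialized record, so verify the field order in your own events before relying on it.

```python
"""Apply custom-property regexes from this page to constructed Office 365 audit records.

Added example; not part of the IBM QRadar content extension.  QRadar evaluates
custom-property expressions with Java's regex engine against the raw event
payload; Python's re module gives the same results for the patterns used here.
"""
import json
import re

# Expressions copied from the V1.1.0, V1.2.0 and V1.3.0 tables on this page.
# QRadar keeps capture group 1 of the match, which is what extract_properties does.
PROPERTIES = [
    ("Affected Workload (V1.1.0)", r'Workload\":\"([^\"]+)'),
    ("Policy Name (V1.2.0)",       r'ObjectId\":\"([^\"]+)'),
    ("Policy Name (V1.3.0)",       r'\bObjectId":".*?\\\\(.*?)"'),
    ("Role Name (V1.3.0)",         r'\bName":"Identity","Value":"(.*?)"'),
    ("Recipient Host (V1.1.0)",    r'TargetUserOrGroupName\":\"[^\"@]*@([^\"]*)'),
    ("Recipient_User (V1.1.0)",    r'TargetUserOrGroupType\":\"(?:Member|Guest).*TargetUserOrGroupName\":\"([^\"]+)'),
    ("File Directory (V1.1.0)",    r'SourceRelativeUrl\":\"((?:[^\"]*\/)(?=[^\.\"]+\.)|(?:[^\"]+))[^\"]*'),
    ("Filename (V1.1.0)",          r'SourceFileName\":\"([^\"]+)'),
]

# Constructed records (values are invented, not captured from a tenant).  Field
# names follow the Office 365 Management Activity API.  The Exchange ObjectId
# carries one real backslash; json.dumps doubles it, as the API payload does.
EXCHANGE_POLICY_CHANGE = {
    "CreationTime": "2024-03-01T10:15:00",
    "Operation": "Set-RetentionPolicy",
    "Workload": "Exchange",
    "UserId": "admin@contoso.onmicrosoft.com",
    "ObjectId": "contoso.onmicrosoft.com\\Default MRM Policy",
    "Parameters": [{"Name": "Identity", "Value": "Default MRM Policy"}],
}

SHAREPOINT_SHARING = {
    "CreationTime": "2024-03-01T11:00:00",
    "Operation": "SharingSet",
    "Workload": "SharePoint",
    "UserId": "alice@contoso.com",
    "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/Finance/budget.xlsx",
    "TargetUserOrGroupType": "Guest",
    "TargetUserOrGroupName": "bob@partner.example",
    "SourceRelativeUrl": "Shared Documents/Finance",
    "SourceFileName": "budget.xlsx",
}


def serialize(record):
    """Serialize the way the API does: compact separators, backslashes escaped."""
    return json.dumps(record, separators=(",", ":"))


def extract_properties(payload):
    """Return {property name: capture group 1, or None when the expression does not match}."""
    result = {}
    for name, pattern in PROPERTIES:
        match = re.search(pattern, payload)
        result[name] = match.group(1) if match else None
    return result


def with_target_fields_swapped(record):
    """Same record, but TargetUserOrGroupName is serialized before TargetUserOrGroupType."""
    swapped = {k: v for k, v in record.items() if not k.startswith("TargetUserOrGroup")}
    swapped["TargetUserOrGroupName"] = record["TargetUserOrGroupName"]
    swapped["TargetUserOrGroupType"] = record["TargetUserOrGroupType"]
    return swapped


if __name__ == "__main__":
    samples = [
        ("Exchange admin audit", EXCHANGE_POLICY_CHANGE),
        ("SharePoint sharing", SHAREPOINT_SHARING),
        ("SharePoint sharing, Name before Type", with_target_fields_swapped(SHAREPOINT_SHARING)),
    ]
    for label, record in samples:
        print(f"== {label}")
        for name, value in extract_properties(serialize(record)).items():
            print(f"  {name:<28} {value!r}")
```

Run the script directly to see each property's captured value per record. On the Exchange record the V1.2.0 Policy Name returns the full escaped ObjectId while the V1.3.0 expression returns only the policy name; on the SharePoint record the V1.3.0 expression does not match at all, because a SharePoint ObjectId is a URL with no backslash. With the two Target fields swapped, Recipient Host still resolves but Recipient_User becomes None.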
The following table shows the changed saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0.
Name | Description |
---|---|
Office 365: Incidents that have impacted the health of an Office 365 Workload | Search is made available to all users. |
Office365: File Activity | Search is made available to all users. |
IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
The following table shows the custom properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.
Name | Regex |
---|---|
Filename | "SourceFileName":"(.*?)", |
Affected Workload | "Workload":"(.*?)", |
OAuth Actor | "Actor":\[\{"ID":"(.*?)", |
Policy Name | ObjectId":"(.*?)", |
The following table shows the rules and building blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB: Office 365: Removed an OAuth2PermissionsGrant in a directory | Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule. |
Building Block | BB: Office 365: Added an OAuth2PermissionGrant in the directory | Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule. |
Building Block | BB: Office 365: Management Role Assignment Added | Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule. |
Building Block | BB: Office 365: Management Role Assignment Removed | Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule. |
Rule | Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period | Detects when an OAuth2PermissionGrant is added and removed in a directory within a certain period. |
Rule | Office 365: An event that impacts the health of an Office365 workload has occurred | Detects when an event that impacts the health of an Office 365 workload has occurred. |
Rule | Office 365: Management Policy added and deleted with the same policy name within a certain time period | Detects when a management policy with the same name is added and deleted within a certain period. |
The following table shows the reports in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.
Report Name | Search Name and Dependencies |
---|---|
Office 365 Incidents that have impacted the health of an Office 365 Workload - Weekly | Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload |
Office 365 Incidents that have impacted the health of an Office 365 Workload - Monthly | Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload |
Office 365 File Activity - Weekly | Saved Search: Office 365: File Activity |
Office 365 File Activity - Monthly | Saved Search: Office 365: File Activity |
The following table shows the reference data in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.
Type | Name | Description |
---|---|---|
Reference Set | Office 365 - File Activity | Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied. |
The following table shows the saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.
Name | Description |
---|---|
Office 365: File Activity | Used by the Office 365 File Activity reports. |
Office 365: Incidents that have impacted the health of an Office 365 Workload | Used by the Office 365 Workload Health reports. |