Microsoft Office 365

Use the IBM® QRadar® Microsoft Office 365 Content Extension to closely monitor your Microsoft Office 365 deployment. The IBM Security QRadar Microsoft Office 365 content extension adds rules, building blocks, reports, saved searches, and custom event properties to build on existing QRadar event parsing capabilities for Microsoft Office 365 deployments.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Microsoft Office 365 Content Extensions

IBM Security QRadar Microsoft Office 365 Content Extension V1.4.0
IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0
IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1
IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0
IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0

IBM Security QRadar Microsoft Office 365 Content Extension V1.4.0

The rules, reports, and saved searches have been removed and migrated to the Hybrid Cloud content extension.

IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0.

Table 1. Custom Properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.3.0
Name	Optimized	Capture Group	Regex
Audit Flags	Yes	1	\bName":"Default","Value":"(.*?)"
Content Information	Yes	1	\bName":"Domains","Value":"(.?)" \bName":"Roles","Value":"(.?)"
Object Name	Yes	1	/"Case"
Object Type	Yes	1	/"ObjectType"
Policy Name	Yes	1	\bObjectId":".?\\\\(.?)"
Role Name	Yes	1	Role.DisplayName.?,"NewValue":"(.?)" \bName":"Identity","Value":"(.*?)"
Search Executed	Yes	1	\bObjectId":".?\\\\(.?)" \bObjectId":".?\\\\(.?)\\\\.?" -SearchName\s+\(\\\"(.?)\\\"\)

IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1.

Table 2. Custom Properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.1
Name	Optimized	Capture Group	Regex
ObjectType	Yes	1	ItemType\":\"[^\"]+)
Originating_User	Yes	1	UserId[":]([^"])
Recipient Host	Yes	1	TargetUserOrGroupName\":\"[^\"@]@([^\"])
Recipient_User	Yes	1	Value":"[^"]?:([^"])
Subject	Yes	1	Subject[":]([^"]) Subject[":]([^"])
Target User Name	Yes	1	MailboxOwnerUPN[":]([^"]) ObjectId[":]([^"]) ObjectId[":]([^"])

IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.

Table 3. Custom Properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
Name	Optimized	Capture Group	Regex
Policy Name	Yes	1	ObjectId\":\"([^\"]+)
Recipient Host	Yes	1	TargetUserOrGroupName\":\"[^\"@]@([^\"])
Recipient_User	Yes	1	TargetUserOrGroupType\":\"(?:Member\|Guest).*TargetUserOrGroupName\":\"([^\"]+)
Role Name	Yes	1	Roles\",\"Value\":\"([^\"]+) Role\",\"Value\":\"([^\"]+)
Target User Name	Yes	1	TargetUserOrGroupName\":\"([^\"]+)

The following table shows the new rules and building blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.

Table 4. New Rules and Building Blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
Type	Name	Description
Building Block	BB:CategoryDefinition: Object Access Events	Added new building block to Office 365 content pack
Building Block	BB:CategoryDefinition: Object Download Events	Added new building block to Office 365 content pack
Building Block	BB:CategoryDefinition: Object Upload Events	Added new building block to Office 365 content pack

The following table shows the changed saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.

Table 5. Changed Saved Searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
Name	Description
Office365: File Activity	The filter for this saved search has been filtered to use BB:CategoryDefinition: Object Access Events, BB:CategoryDefinition: Object Download Events, BB:CategoryDefinition: Object Upload Events

The following table shows the removed reference data in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0.

Table 6. Removed Reference Data in IBM Security QRadar Microsoft Office 365 Content Extension V1.2.0
Type	Name	Description
Reference Set	Office 365 - File Activity	Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied.

_{(Back to top)}

IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0

The following table shows the custom properties that are new or updated in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0.

Table 7. Custom Properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0
Name	Optimized	Capture Group	Regex
Affected Workload	Yes	1	Workload\":\"([^\"]+)
Error Code	Yes	1	LogonError\":\"([^\"]+)
File Directory	Yes	1	SourceRelativeUrl\":\"((?:[^\"]\/)(?=[^\.\"]+\.)\|(?:[^\"]+))[^\"]
File Extension	Yes	1	SourceFileExtension\":\"([^\"]+)
Filename	Yes	1	SourceFileName\":\"([^\"]+)
Group Name	Yes Yes Yes	1 1 1	TargetUserOrGroupType\":\"[^\"]Group.TargetUserOrGroupName\":\"([^\"]+) Group\.DisplayName\",\"Value\":\"([^\"]+)
ObjectType	No	1	ItemType\":\"([^\"]+)
Policy Name	Yes	1	ObjectId\":\"([^\"]+)
Recipient Host	Yes	1	TargetUserOrGroupName\":\"[^\"@]@([^\"])
Recipient_User	Yes	1	TargetUserOrGroupType\":\"(?:Member\|Guest).*TargetUserOrGroupName\":\"([^\"]+)
Target User Area	Yes	1	TargetUserOrGroupType\":\"([^\"]+)
Target User Name	Yes Yes	1	ObjectId\":\"([^\"]*) TargetUserOrGroupName\":\"([^\"]+)
User Agent	No	1	TargetUserOrGroupName\":\"([^\"]+)

The following table shows the changed saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0.

Table 8. Changed Saved Searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.1.0
Name	Description
Office 365: Incidents that have impacted the health of an Office 365 Workload	Search is made available to all users.
Office365: File Activity	Search is made available to all users.

_{(Back to top)}

IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0

The following table shows the custom properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.

Table 9. Custom Properties in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
Name	Regex
Filename	"SourceFileName":"(.*?)",
Affected Workload	"Workload":"(.*?)",
OAuth Actor	"Actor":\[\{"ID":"(.*?)",
Policy Name	ObjectId":"(.*?)",

The following table shows the rules and building blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.

Table 10. Rules and Building Blocks in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
Type	Name	Description
Building Block	BB: Office 365: Removed an OAuth2PermissionsGrant in a directory	Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule.
Building Block	BB: Office 365: Added an OAuth2PermissionGrant in the directory	Used in the Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period rule.
Building Block	BB: Office 365: Management Role Assignment Added	Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule.
Building Block	BB: Office 365: Management Role Assignment Removed	Used in the Office 365: Management Policy added and deleted with the same policy name within a certain time period rule.
Rule	Office 365: Added and Removed an OAuth2PermissionGrant in the directory within a certain time period	Detects when an OAuth2PermissionGrant is added and removed in a directory within a certain period.
Rule	Office 365: An event that impacts the health of an Office365 workload has occurred	Detects when an event that impacts the health of an Office 365 workload has occurred.
Rule	Office 365: Management Policy added and deleted with the same policy name within a certain time period	Detects when a management policy with the same name is added and deleted within a certain period.

The following table shows the reports in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.

Table 11. Reports in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
Report Name	Search Name and Dependencies
Office 365 Incidents that have impacted the health of an Office 365 Workload - Weekly	Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload
Office 365 Incidents that have impacted the health of an Office 365 Workload - Monthly	Saved Search: Office 365: Incidents that have impacted the health of an Office 365 Workload
Office 365 File Activity - Weekly	Saved Search: Office 365: File Activity
Office 365 File Activity - Monthly	Saved Search: Office 365: File Activity

The following table shows the reference data in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.

Table 12. Reference Data in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
Type	Name	Description
Reference Set	Office 365 - File Activity	Contains QIDs for file activity events, such as file created, file modified, file deleted, and file copied.

The following table shows the saved searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0.

Table 13. Saved Searches in IBM Security QRadar Microsoft Office 365 Content Extension V1.0.0
Name	Description
Office 365: File Activity	Used by the Office 365 File Activity reports.
Office 365: Incidents that have impacted the health of an Office 365 Workload	Used by the Office 365 Workload Health reports.

_{(Back to top)}