Integrate your SIEM server with Office 365 Cloud App Security
You can integrate Office 365 Cloud App Security with your security information and event management (SIEM) server to enable centralized monitoring of alerts. This is especially beneficial for organizations who are using cloud services and on-premises server applications. Integrating with a SIEM server allows your security team to better protect your Office 365 applications while maintaining your usual security workflow, by automating certain security procedures and correlating between cloud-based and on-premises events.
When you first integrate your SIEM server with Office 365 Cloud App Security, alerts from the last two days are forwarded to the SIEM server, as well as all alerts from then on (based on any filters you select). Additionally, if you disable this feature for an extended period, when you enable it again, it will forward the past two days of alerts and then all alerts from then on.
SIEM integration architecture
A SIEM agent is set up in your organization's network. When deployed and configured, the SIEM agent pulls the data types that were configured (alerts) using Office 365 Cloud App Security RESTful APIs. The traffic is then sent over an encrypted HTTPS channel on port 443.
When a SIEM agent retrieves data from Office 365 Cloud App Security, it sends the Syslog messages to your local SIEM server using the network configurations that are provided during setup (TCP or UDP with a custom port).
Supported SIEM servers
Office 365 Cloud App Security currently supports the following SIEM servers:
- Micro Focus ArcSight
- Generic CEF
You must be a global administrator or security administrator to perform the tasks described in this article. See Permissions in the Office 365 Security & Compliance Center.
You must have Office 365 Cloud App Security enabled for your organization.
Audit logging must be turned on for Office 365.
You must have a standard server that meets the following requirements in order to configure SIEM server integration:
You must have the details of your remote syslog host and syslog port number. A network administrator or security administrator should be able to help you locate that information.
Integrate Office 365 Cloud App Security
Step 1: Set it up in the Office 365 Cloud App Security portal
Go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)
Go to Alerts > Manage advanced alerts.
Choose Go to Office 365 Cloud App Security.
Click Settings > Security extensions.
Choose Add SIEM agent.
Choose Start wizard.
In the General step, specify a name, select your SIEM format, and set any Advanced settings that are relevant to that format. Then choose Next.
In the Remote Syslog step, specify the IP address or hostname of the Remote syslog host and the Syslog port number. Select TCP or UDP as the Remote Syslog protocol. (You can work with your network administrator or security administrator to get these details if you don't have them.) Then choose Next.
In the Data Types step, do one of the following, and then click Next:
- Keep the default setting of All Alerts
- Click All alerts, and then choose Specific filters. Define filters to select the kinds of alerts you want to send to your SIEM server.
On the Congratulations screen, copy the token and save it for later.
At this point, you have set up a SIEM agent in Office 365 Cloud App Security, but your SIEM server integration is not yet finished. Proceed to the next step to continue your SIEM server integration.
After you click Close and leave the wizard, on the Security extensions screen, you can see the SIEM agent you added in the table. It will show a status of Created until it's connected later.
Step 2: Download the JAR file and run it on your server
Extract the .jar file from the zipped folder and run it on your server.
After running the file, run the following command:
java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN
The file name may differ depending on the version of the SIEM agent.
We recommend that you run the JAR file on your server during server setup.
Windows: Run as a scheduled task, making sure to configure the task to Run whether the user is logged on or not and clear the Stop the task if it runs longer than option.
Linux: Add the run command with an & to the
java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &
Parameters in brackets are optional and should be used only if relevant. Use the following variables:
- DIRNAME is the path to the directory you want to use for local agent debug logs.
- ADDRESS[:PORT] is the proxy server address and port that the server uses to connect to the Internet.
- TOKEN is the SIEM agent token you copied in the first procedure.
- To get help, type
Step 3: Validate that the SIEM agent is working
Make sure the status of the SIEM agent in the Office 365 Cloud App Security portal is not displayed as Connection error or Disconnected and that there are no agent notifications.
For example, here we can see the SIEM server is connected:
And here, we can see the SIEM server is disconnected:
In your Syslog/SIEM server, make sure you see that alerts have arrived from Office 365 Cloud App Security.
Regenerating your token
If you lose your token, you can always regenerate it. In the table, locate the row for the SIEM agent. Click the ellipses, and then choose Regenerate token.
Editing your SIEM agent
To edit your SIEM agent, in the table, locate the row for the SIEM agent. Click the ellipses, and then choose Edit. If you edit the SIEM agent, you do not need to re-run the .jar file; it updates automatically.
Deleting your SIEM agent
To delete your SIEM agent, in the table, locate the row for the SIEM agent. Click the ellipses, and then choose Delete.
Here's an alerts logfile example that might be sent to a SIEM server:
2017-07-15T20:42:30.531Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|myPolicy|3|externalId=596a7e360c204203a335a3fb start=1500151350531 end=1500151350531 msg=Activity policy ''myPolicy'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Box cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596a7e360c204203a335a3fb cs2Label=uniqueServiceAppIds cs2=APPID_BOX cs3Label=relatedAudits cs3=1500151288183_acc891bf-33e1-424b-a021-0d4370789660 cs4Label=policyIDs cs4=59f0ab82f797fa0681e9b1c7
2017-07-16T09:36:26.550Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|test-activity-policy|3|externalId=596b339b0c204203a33a51ae start=1500197786550 end=1500197786550 msg=Activity policy ''test-activity-policy'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Salesforce cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596b339b0c204203a33a51ae cs2Label=uniqueServiceAppIds cs2=APPID_SALESFORCE cs3Label=relatedAudits cs3=1500197720691_b7f6317c-b8de-476a-bc8f-dfa570e00349 cs4Label=policyIDs cs4=
2017-07-16T09:17:03.361Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|test-activity-policy3|3|externalId=596b2fd70c204203a33a3eeb start=1500196623361 end=1500196623361 msg=Activity policy ''test-activity-policy3'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Office 365 cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596b2fd70c204203a33a3eeb cs2Label=uniqueServiceAppIds cs2=APPID_O365 cs3Label=relatedAudits cs3=1500196549157_a0e01f8a-e29a-43ae-8599-783c1c11597d cs4Label=policyIDs cs4=
2017-07-16T09:17:15.426Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|test-activity-policy|3|externalId=596b2fd70c204203a33a3eec start=1500196635426 end=1500196635426 msg=Activity policy ''test-activity-policy'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Microsoft Office 365 admin center cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596b2fd70c204203a33a3eec cs2Label=uniqueServiceAppIds cs2=APPID_O365_PORTAL cs3Label=relatedAudits cs3=1500196557398_3e102b20-d9fa-4f66-b550-8c7a403bb4d8 cs4Label=policyIDs cs4=59f0ab35f797fa9811e9b1c7
2017-07-16T09:17:46.290Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|test-activity-policy4|3|externalId=596b30200c204203a33a4765 start=1500196666290 end=1500196666290 msg=Activity policy ''test-activity-policy4'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Microsoft Exchange Online cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596b30200c204203a33a4765 cs2Label=uniqueServiceAppIds cs2=APPID_OUTLOOK cs3Label=relatedAudits cs3=1500196587034_a8673602-7e95-46d6-a1fe-c156c4709c5d cs4Label=policyIDs cs4=
2017-07-16T09:41:04.369Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|test-activity-policy2|3|externalId=596b34b10c204203a33a5240 start=1500198064369 end=1500198064369 msg=Activity policy ''test-activity-policy2'' was triggered by ''email@example.com'' firstname.lastname@example.org destinationServiceName=Google cn1Label=riskScore cn1= cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596b34b10c204203a33a5240 cs2Label=uniqueServiceAppIds cs2=APPID_33626 cs3Label=relatedAudits cs3=1500197996117_fd71f265-1e46-4f04-b372-2e32ec874cd3 cs4Label=policyIDs cs4=
The following table describes the CEF fields used in these alerts:

| CEF field name | Description |
|---|---|
| msg | Alert description as shown in the Office 365 Cloud App Security portal |
| suser | Alert subject user |
| destinationServiceName | Alert originating app, such as Office 365, SharePoint, or OneDrive |
| csLabel | Varies (labels have different meanings). Typically, labels are self-explanatory, like targetObjects. |
| cs | Information corresponding to a label (such as the target user of an alert, as in the label example) |
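As an added example that is not part of the original article or of the SIEM agent itself, here is a small SIEM-side parser for alert lines in the format shown above; it splits the CEF header and extension and re-keys the csN/cnN custom fields by their csNLabel/cnNLabel names, as the field table describes. The sample lines and all their values are constructed, and the suser field is assumed to be present as in the table.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of the page's alert log (all values made up).
SAMPLE_ALERTS = [
    "2017-07-15T20:42:30.531Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|myPolicy|3|"
    "externalId=596a7e360c204203a335a3fb start=1500151350531 end=1500151350531 "
    "msg=Activity policy 'myPolicy' was triggered by 'user@example.com' suser=user@example.com "
    "destinationServiceName=Microsoft Office 365 admin center cn1Label=riskScore cn1= "
    "cs1Label=portalURL cs1=https://cloud-app-security.com/#/alerts/596a7e360c204203a335a3fb "
    "cs2Label=uniqueServiceAppIds cs2=APPID_O365_PORTAL cs4Label=policyIDs cs4=",
    "2017-07-16T09:41:04.369Z CEF:0|MCAS|SIEM_Agent|0.102.17|ALERT_CABINET_EVENT_MATCH_AUDIT|high-risk-policy|7|"
    "externalId=596b34b10c204203a33a5240 start=1500198064369 end=1500198064369 "
    "msg=Activity policy 'high-risk-policy' was triggered by 'admin@example.com' suser=admin@example.com "
    "destinationServiceName=Google cn1Label=riskScore cn1=8 cs2Label=uniqueServiceAppIds cs2=APPID_33626",
]
HEADER = ("cef_version", "vendor", "product", "product_version", "signature_id", "name", "severity")

def parse_extension(ext):
    # Split on ' key=' boundaries, not on whitespace: values may contain spaces
    # ('Microsoft Office 365 admin center') or be empty ('cn1=', 'cs4=').
    fields = {}
    for token in re.split(r" (?=[A-Za-z0-9]+=)", ext):
        key, _, value = token.partition("=")
        fields[key] = re.sub(r"\\(.)", r"\1", value)  # undo CEF escaping of \= and \\
    return fields

def parse_alert(line):
    # Layout: syslog timestamp, then the 7-field CEF header, then the extension.
    timestamp, _, cef = line.partition(" ")
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # a literal '|' in the header is escaped as \|
    header = dict(zip(HEADER, parts))
    raw = parse_extension(parts[7]) if len(parts) > 7 else {}
    custom = {}  # csN/cnN values re-keyed by their csNLabel/cnNLabel names (riskScore, portalURL, ...)
    for key, label in raw.items():
        m = re.fullmatch(r"(cs|cn)(\d+)Label", key)
        if m:
            value = raw.get(m.group(1) + m.group(2), "")
            custom[label] = int(value) if m.group(1) == "cn" and value else value
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "severity": int(header["severity"]), "policy": header["name"],
        "subject_user": raw.get("suser", ""), "app": raw.get("destinationServiceName", ""),
        "custom": custom,
    }

def high_severity(lines, threshold):
    # Triage helper: (policy, subject user, app) for alerts at or above the CEF severity threshold.
    return [(a["policy"], a["subject_user"], a["app"])
            for a in map(parse_alert, lines) if a["severity"] >= threshold]
```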