office365

Note

This module only works on Windows, Linux, and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.

Configuration options of the Office365 module.

Options

Options

Allowed values

enabled

yes, no

only_future_events

yes, no

interval

A positive number + suffix

curl_max_size

A positive number + suffix

api_auth

N/A

api_auth\tenant_id

Any string

api_auth\client_id

Any string

api_auth\client_secret_path

Any string

api_auth\client_secret

Any string

api_auth\api_type

commercial, gcc, gcc-high

subscriptions

N/A

subscriptions\subscription

Any string

enabled

Enabled the Office365 wodle.

Default value

yes

Allowed values

yes, no

only_future_events

Set it to yes to collect events generated since the ThreatLockDown manager was started.

By default, when ThreatLockDown starts it will only read all log content from Office365 since the manager started.

Default value

yes

Allowed values

yes, no

interval

The interval between ThreatLockDown wodle executions.

Note

When ThreatLockDown starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.

Default value

10m

Allowed values

A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days)

curl_max_size

Specifies the maximum size allowed for the Office365 API response.

Default value

1M

Allowed values

A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes).

api_auth

This block configures the credential for the authentication with the Office365 REST API.

Warning

In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.

Options

Allowed values

api_auth\tenant_id

Any string

api_auth\client_id

Any string

api_auth\client_secret_path

Any string

api_auth\client_secret

Any string

api_auth\api_type

commercial, gcc, gcc-high

api_auth\tenant_id

Tenant id of your application registered in Azure.

Default value

N/A

Allowed values

Any string

api_auth\client_id

Client id of your application registered in Azure.

Default value

N/A

Allowed values

Any string

api_auth\client_secret_path

Path of the file that contains the client secret value of your application registered in Azure. Incompatible with client_secret option.

Default value

N/A

Allowed values

Any string

api_auth\client_secret

Client secret value of your application registered in Azure.

Default value

N/A

Allowed values

Any string

api_auth\api_type

Type of Microsoft 365 subscription plan used by the tenant.

Default value

commercial

Allowed values

commercial, gcc, gcc-high

Note

This block can be repeated to give the possibility to connect with more than one tenant on Office 365.

subscriptions

This block configures the internal options in the Office365 REST API.

Options

Allowed values

subscriptions\subscription

Any string

subscriptions\subscription

This section configures the content types from which to collect audit logs. These are the subscription types that can be configured:

  • Audit.AzureActiveDirectory: User identity management.

  • Audit.Exchange: Mail and calendaring server.

  • Audit.SharePoint: Web-based collaborative platform.

  • Audit.General: Includes all other workloads not included in the previous content types.

  • DLP.All: Data loss prevention workloads.

Default value

N/A

Allowed values

Any string

Example of configuration

<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>your_tenant_id</tenant_id>
        <client_id>your_client_id</client_id>
        <client_secret>your_client_secret</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
</office365>

Example of multiple tenants

<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>your_tenant_id</tenant_id>
        <client_id>your_client_id</client_id>
        <client_secret>your_client_secret</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <api_auth>
        <tenant_id>your_tenant_id_2</tenant_id>
        <client_id>your_client_id_2</client_id>
        <client_secret>your_client_secret_2</client_secret>
        <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
</office365>