Microsoft Office 365 Configuration Guide

Document created by RSA Information Design and Development Employee on May 4, 2020Last modified by RSA Product Team on Jun 22, 2020
Version 3Show Document
  • View in full screen mode

Event Source Product Information


Event Source: Office 365

Versions: API v1.0

RSA Product Information

Supported On: Security Analytics 10.6.2 and later

Event Source Log Parser: cef

Note: The CEF parser parses this event source as device.type=msoffice365.

Collection Method: Plugin Framework

Event Source Class.Subclass: Host.Cloud

Document Sections:

Collecting Office 365 Events in NetWitness Platform

Office 365 is a Web-based version of Microsoft's Office suite of enterprise-grade productivity applications. Office 365 is delivered to users through the cloud and includes Exchange Online for email, SharePoint Online for collaboration, Lync Online for unified communications, and a suite of Office Web Apps (web-based versions of the traditional Microsoft Office suite of applications).

The Office 365 integration consumes activity logs using the Office 365 Management Activity API. The Office 365 Management Activity API aggregates actions and events into tenant-specific content blobs, which are classified by the type and source of the content they contain. Currently, these content types are supported:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.SharePoint
  • Audit.General (includes all other workloads not included in the previous content types)
  • DLP.All (DLP events only for all workloads)

Note: Advanced Threat Protection and Threat Intelligence events are available under the Audit.General resource group.

For more details, see the following Microsoft Office 365 web pages:

The following sections describe how to configure Office 365 as an event source:

  • Configure the Office 365 Event Source
  • Set Up the Office 365 Event Source in NetWitness Platform
  • Office 365 Collection Configuration Parameters

Configure the Office 365 Event Source

Perform the following tasks to configure your event source:

  1. Begin Recording User and Admin Activity
  2. (Optional) Enable Audit Logs
  3. Use the Azure Management Portal to Register an Application
  4. Deploy the Office 365 Files from RSA NetWitness Live
  5. Enable Subscription

For more information on Office 365, see the following Microsoft URLs:

Begin Recording User and Admin Activity

This section describes how to begin recording user and admin activity.

  1. Go to admin portal for Office365:
  2. Go to Admin centers > Security and Compliance > Audit Log Search and enable logging. If logging has already been enabled, you may not see the option to enable logs.

    Note: It make take up to 24 hours for some logs to appear once logging has been enabled.

(Optional) Enable Audit Logs

Note: This step is only required if you wish to consume Audit.Exchange logs.

In order to track all activities performed on all mailbox in an organization you need enable audit through a Powershell command.

  1. Connect to Exchange Online using remote PowerShell

    1. Open Windows PowerShell and run the following command:

      $UserCredential = Get-Credential

    2. Type user name and password for an Office 365 global admin account, and then click OK.
    3. Run the following command:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic ‑AllowRedirection

      Import-PSSession $Session

    4. To verify, run the following command:


  2. Enable mailbox audit logging.

    • Below command enables mailbox audit logging for Pilar Pinilla’s mailbox:

      Set-Mailbox -Identity "Pilar Pinilla" -AuditEnabled $true

    • Below command enables mailbox audit logging for all user mailboxes in your organization:

      Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox ‑AuditEnabled $true

  3. Specify owner actions to audit.

    Below command specifies that the MailboxLogin and HardDelete actions are performed by the mailbox owner:

    Set-Mailbox "Pilar Pinilla" -AuditOwner MailboxLogin,HardDelete

    Below command specifies MailboxLogin, HardDelete, and SoftDelete actions performed by the mailbox owner will be logged for all mailboxes in the organization

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox ‑AuditOwner MailboxLogin,HardDelete,SoftDelete

Use the Azure Management Portal to Register an Application

This section describes how to use the Azure Management Portal to register your application in Azure AD, and to create a key.

To register your application:

  1. Go to Office365 portal > Admin centers > Azure AD Admin center.
  2. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations > New registration.

  3. Provide a name for your application and click Register at the bottom of the blade.

  4. After clicking Register, the Overview page for the application is displayed. Azure AD assigns a unique application (client) ID to your app.

  5. In the left menu bar, click API permissions, then Add a permission > Select an API and choose Office 365 Management APIs.

  6. Under What type of permissions does your application require option, choose Application permissions and enable the permissions as shown here:

    Note: Assign the Read DLP policy events including detected sensitive data permission only if logs are being read from the DLP.All resource group.

  7. Click Add permissions.
  8. Click Grant admin consent, then click Yes when prompted.

Continue to the next procedure, for creating a key.

To create a key:

  1. In the left menu bar, click Certificates & secrets, then click New client secret.

  2. Add new client secret information and click Add.

    Important: Azure only displays the client secret at the time you initially generate it. You cannot navigate back to this page and retrieve the client secret later. Make sure to copy and save this key, as it is needed for further configuration.

Deploy the Office 365 Files from RSA NetWitness Live

Office 365 requires resources available in RSA NetWitness Live in order to collect logs.

To deploy the Office 365 content from Live:

  1. In the RSA NetWitness Platform menu, select Live.
  2. Browse Live for the cef parser, using RSA Log Device as the Resource Type.
  3. Select the cef parser from the list and click Deploy to deploy it to the appropriate the Log Decoders.
  4. You also need to deploy the Office 365 package. Browse Live for MS Office 365 content, typing Office 365 into the Keywords text box and click Search.
  5. Select the item returned from the search and click Deploy to deploy to the appropriate Log Collectors.

    Note: On a hybrid installation, you need to deploy the package on both the VLC and the LC. If you deploy the package on the LC, you need to restart the log decoder and log collector services: otherwise, logs are not collected.

  6. Restart the nwlogcollector service.

For more details, see the Add or Update Supported Event Source Log Parsers topic, or the Live Resource Guide on RSA Link.

Enable Subscription

Go to the office office365audit folder on the VLC and execute to subscribe to a resource group:

# cd /etc/netwitness/ng/logcollection/content/collection/cmdscript/office365audit

# source /opt/rh/python27/enable

Note: The previous command (highlighted) is not required for NetWitness 11.0 or later.

# python tenant_id application_id application_key resource_group [--proxy_server PROXY_SERVER] [--proxy_port PROXY_PORT] [--proxy_user PROXY_USER] [--proxy_password PROXY_PASSWORD]

The following screen shows an example of running this script.

Set Up the Office 365 Event Source in NetWitness Platform

This section contains details on setting up the event source in RSA NetWitness Platform. In addition to the procedure, the Office 365 Collection Configuration Parameters are described, as well as how to Microsoft Office 365.

To configure the Office 365 Event Source:

  1. In the RSA NetWitness Platform menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service, and from the Actions menu, choose  View > Config.
  3. In the Event Sources tab, select Plugins/Config from the drop-down menu.

    The Event Categories panel displays the File event sources that are configured, if any.

  4. In the Event Categories panel toolbar, click +.

    The Available Event Source Types dialog is displayed.

  5. Select office365audit from the list, and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar.

    The Add Source dialog is displayed.

  7. Define parameter values, as described in Office 365 Collection Configuration Parameters.
  8. Click Test Connection.

    The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.

    Note: The Log Collector takes approximately 60 seconds to return the test results. If it exceeds the time limit, the test times out and RSA NetWitness Platform displays an error message.

  9. If the test is successful, click OK.

    The new event source is displayed in the Sources panel.

Office 365 Collection Configuration Parameters

The following table describes the configuration parameter for the Microsoft Office 365 integration with RSA NetWitness Platform. Fields marked with an asterisk (*) are required.

Note: When run from behind an SSL proxy, if certificate verification needs to be disabled, uncheck the SSL Enable checkbox in the Advanced section.

Note: For more details, see the following Microsoft website:


Name *

Enter an alpha-numeric, descriptive name for the source. This value is only used for displaying the name on this screen.


Select the box to enable the event source configuration to start collection. The box is selected by default.

Application ID *

The Client ID is found the Azure Application Configure tab. Scroll down until you see it.

Application Key *

When you are configuring the event source, the client secret is displayed when you are creating a key, and you select duration of validation.

Make sure to save this, because you will only be able to see it once, and it cannot be retrieved later.

API Resource Base URL *


Authority URL


Tenant Domain * / Tenant ID

Go to the active directory and click on the directory. In the Active Directory list, click the directory that you are using with your Office 365 tenant . The tenant ID for your Office 365 tenant is displayed as part of the URL.

RSA recommends you use a Tenant Domain, rather than an ID.

Example Tenant Domain:

Resource Group Names *

Resource group names specify the Log categories to which you are subscribed. For details, see Microsoft Office 365.

Enter one of the following values:

[Audit.AzureActiveDirectory , Audit.Exchange , Audit.SharePoint , Audit.General, DLP.All]

To subscribe to more than one log category, you need to repeat the Microsoft Office 365 procedure and select another value.

Start Date *

Choose the date from which to start collecting. This parameter defaults to the current date.

Use Proxy

Check to enable proxy.

Proxy Server

If you are using a proxy, enter the proxy server address.

Proxy Port

Enter the proxy port.

Proxy User

Username for the proxy (leave empty if using anonymous proxy).

Proxy Password

Password for the proxy (leave empty if using anonymous proxy).

Source Address

A custom value chosen to represent the hostname for the Office365 Event Source in the customer environment, such as The value of this parameter is captured by the meta key.




For a list of RSA trademarks, go to


You are here

Microsoft Office 365 Configuration Guide