🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Office 365 Management API Integration Guide

cloud integrations microsoft office 365

The Office 365 Management API provides auditing information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. Secureworks® Taegis™ XDR needs authorization from Azure AD and the Office 365 Management API in order to receive your data.

Important

You must turn on Office 365 audit logging for XDR to receive data from it. Audit logging for Office 365 is off by default. For more information, see Turn Office 365 audit log search on or off in the Microsoft docs.

For more information on the Office 365 Management Activity API, see Office 365 Management APIs Overview in the Microsoft docs.

Data Availability and Collection Times

Alerts are ingested using the Microsoft REST APIs on a polling basis. For information on data availability, see Office 365 and Azure Data Availability.

Data Provided from Integrations

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
MS Office 365   D, V V               V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Determine Your Subscription

Start Office 365 Commercial

  1. Navigate to Integrations and select Cloud APIs from the left-hand navigation in XDR.
  2. Select the option to Add API Integration and choose the card titled Office 365/Azure.
  3. In the Office 365 Management API section, choose Authorize.
  4. Pick an account that has privileges to grant permissions to the XDR application.

Manage O365 Management API Integration

Manage O365 Management API Integrations

  1. Choose Accept.
  2. Enter a unique name for the integration.

Name the O365 Management API Integration

Manage O365 Management API Integrations

  1. Select Done to complete the integration.

Start Office 365 Government

Note

As a global platform, logs from the Office 365 Management API GCC integration are under the same data residency and sovereignty handling as other parts of XDR.

Register an Application in Entra

Note

The following steps assume you are logged in as a Tenant Admin.

  1. Register an application with Entra ID.

Note the following values as they are used to create the integration in XDR:

  1. Select Application Permissions to configure application permissions.

The following permissions are required:

  1. Click Grant admin consent for <Microsoft tenant name>.

  2. Provide credentials for the application by uploading a certificate.

Important

XDR supports ONLY the Privacy-Enhanced Mail (PEM) format. More information on the PEM format can be found in RFC 7468.

Encrypted keys and client secrets are NOT supported.

Note

Self-signed certificates are supported.

Note

Certificates will expire and need to be renewed both with Microsoft Entra ID and with XDR to allow for continued functionality before their expiration date.

Use one of the following commands to generate a self-signed PEM (.pem extension) certificate using PowerShell or OpenSSL.

# Prompt user for input
$certname = Read-Host -Prompt "Enter certificate name"
$keyname = Read-Host -Prompt "Enter key name"
$mypwd = Read-Host -Prompt "Enter password" -AsSecureString
$location = Read-Host -Prompt "Enter location"
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Export-PfxCertificate -Cert $cert -FilePath "$location\$certname.pfx" -Password $mypwd
Install-Module -Name PSPKI -Scope CurrentUser
Import-Module -Name PSPKI
Convert-PfxToPem -InputFile "$location\$certname.pfx" -Outputfile "$location\$certname.pem"
# Read the PEM file content
$pemContent = Get-Content "$location\$certname.pem" -Raw
# Extract private key and certificate
$privateKey = $pemContent -replace "(?ms).*?(-----BEGIN PRIVATE KEY-----.+?-----END PRIVATE KEY-----).*", '$1'
$certificate = $pemContent -replace "(?ms).*?(-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----).*", '$1'
# Save private key and certificate to separate files
$privateKey | Set-Content "$location\$keyname.pem"
$certificate | Set-Content "$location\$certname.pem"
Write-Host "Files located at: $location"
pause

Note

Copy and paste the preceding code into a text file, save the file with .ps1 extension (e.g., CertGen.ps1), and run the script using Powershell.

Note

Depending on the PowerShell version being used, you may need to replace -Subject with -SubjectName if there are any errors with -Subject.

Or:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Add Integration in XDR

  1. From the XDR left-hand navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Select the O365 / Azure card.
  1. Choose Authorize under the Office 365 card that matches your Government subscription; for GCC subscribers, choose Office 365 Government Community Cloud (GCC), and for GCC High subscribers choose Office 365 Government Community Cloud (GCC High)
  1. Enter a name for the integration. This can be any string.
  2. Enter the Tenant ID and the Application Client ID from Step 1 in Register an Application in Entra.
  3. Upload the certificate and its associated private key.
  4. Select Done to complete the integration.

Add O365 Management API GCC Integration

Add O365 Management API Integrations

Linking Secureworks as a Solution Provider for Security is an optional process that enables Microsoft to better understand what customers Secureworks is enabling to achieve their security goals and realize the value of the Microsoft ecosystem. This allows Secureworks better access to Microsoft as a partner, enabling us to provide you, our customer, with better products and services. If you have successfully added access to your Azure environment to allow Secureworks to help enable your business through improved security, we would appreciate if you would additionally add us as a partner link to show that this is in place.

To link Secureworks as a partner, folllow these steps:

  1. Navigate to Link to a partner ID in the Azure Portal.
  2. Use a user with eligible roles or permissions, see Roles and Permissions Required to Receive Credit.
  3. In the Microsoft Partner ID box, enter the value: 4834104
  4. Click on the Link a partner ID button to complete the process.

 

On this page: