Microsoft Office 365 Audit
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration in Office 365 Audit
- Configuration in FortiSIEM
- Sample Events for Audit
What is Discovered and Monitored
Office 365 Activity Type | Operation |
---|---|
File and folder activities | FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded |
Sharing and access request activities | AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked |
Synchronization activities | ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial |
Site administration activities | ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated |
Exchange mailbox activities | Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin |
Sway activities | SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView |
User administration activities | Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user |
Group administration activities | Add group, Add member to group, Delete group, Remove member from group, Update group |
Application administration activities | Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry |
Role administration activities | Add role member to role, Remove role member from role, Set company contact information |
Directory administration activities | Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain |
Event Types
In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types associated with Office 365.
Reports
There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Office365" in the main content panel Search... field.
Configuration in Office 365 Audit
Enable Office 365 Audit Log Search
Note: The first step involves enabling Audit logging, which may not be on for your organization.
Caution: If you turn off auditing in Microsoft 365, you will not be able to use the Office 365 Management Activity API or Microsoft Sentinel to access auditing data for your organization. Turning off auditing by following the steps here means that no results will be returned when you search the audit log using the compliance portal or when you run the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell. This also means that audit logs will not be available through the Office 365 Management Activity API or Microsoft Sentinel.
Reference Article - Turn auditing on or off: https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide
Refer to section Turn on auditing.
Important: It can take up to 60 minutes for this change to take effect.
Follow the instructions from Use the compliance portal to turn on auditing. The information has been duplicated here to facilitate configuration.
- In the Microsoft Purview compliance portal at https://compliance.microsoft.com, navigate to Solutions > Audit, or go directly to the Audit page at https://compliance.microsoft.com/auditlogsearch.
- If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
- Select the Start recording user and admin activity banner.
It may take up to 60 minutes for the change to take effect.
Alternatively, use PowerShell to turn on auditing by taking the following steps.
- Connect to Exchange Online PowerShell.
- Run the following PowerShell command to turn on auditing:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
A message will display notifying you that it may take up to 60 minutes for the change to take effect.
Create the Office 365 API Credential
Follow these steps to create the Office 365 API credential.
- Login to https://portal.azure.com.
- Click All Services.
- Click Azure Active Directory.
- Click App Registrations (on the right panel).
- Click New registration and enter the following information:
Name: FSM
Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Redirect URI: https://your.internal.fsm.ip
- Click Register:
Copy the Application (client) ID to a text editor; you will need it when entering Office 365 Credentials in FortiSIEM.
Copy the Directory (tenant) ID to a text editor; you will need it when entering Office 365 Credentials in FortiSIEM.
- Click Certificates & secrets (on the right panel).
- Click New client secret and enter the following information:
Description: FSM
Expires in: 2 years
Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You will need this value when entering Office 365 Credentials in FortiSIEM.
- Go to API permissions (left panel).
- Click Add a permission.
- Select Office 365 Management APIs.
- Click Application permissions and expand all.
- Select all permissions with "Read" access (we don't want to write). Click Add permissions.
You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously.
We'll need to approve all these permission grants.
- Click grant admin consent and select Yes when you see the Do you want to grant consent for the requested permissions for all accounts in your_organization? alert. This will update any existing admin consent records this application already has to match what is listed below.
Sample API Permission
Configuration in FortiSIEM
Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.
Define Office 365 Management Credential in FortiSIEM
Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings | Description |
---|---|
Name | Enter a name for the credential. |
Device Type | Microsoft Office365 |
Access Protocol | Office 365 Mgmt Activity API |
Tenant ID | Use the ID from Azure Login URL. See Step 5 in Create Office 365 API Credential. |
Password config | If you select Manual, take the following steps: for Client ID, use the value obtained in Step 5 in Create Office 365 API Credential; for Client Secret, use the value obtained in Step 7 in Create Office 365 API Credential. For the CyberArk credential method, see CyberArk Password Configuration. |
Organization | The organization the device belongs to. |
Description | Description of the device. |
Create IP Range to Credential Association and Test Connectivity
From the FortiSIEM Supervisor node, take the following steps.
- In Step 2: Enter IP Range to Credential Associations, click New to create a new association.
- Enter "manage.office.com" in the IP/Host Name field.
- Select the name of the credential created in Define Office 365 Management Credential in FortiSIEM from the Credentials drop-down list.
- Click Save.
- Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up will appear showing the Test Connectivity results.
- Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.
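To confirm outside FortiSIEM that the tenant ID, client ID and client secret from the app registration actually reach the Office 365 Management Activity API, here is an added example (not FortiSIEM's own code) that performs the client-credentials token request against manage.office.com and then starts and lists audit subscriptions. The tenant, client and secret values are placeholders to be replaced with the ones copied during registration.

```python
"""Exercise the tenant ID, client ID and client secret against the Office 365
Management Activity API. Added example, not FortiSIEM code; the ID values are
placeholders and nothing is sent until main() runs."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
# Content types served by the Activity API; the Audit.* ones cover the workloads in the table above.
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "Audit.General")


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant scoped to the manage.office.com resource; returns (url, form body)."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": "https://manage.office.com"}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()


def build_feed_request(tenant_id, token, action, content_type=None):
    """Request for subscriptions/start (POST, needs a contentType) or subscriptions/list (GET)."""
    if action not in ("start", "list"):
        raise ValueError(f"unsupported action {action!r}")
    if action == "start" and content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown contentType {content_type!r}")
    url = f"{FEED_URL.format(tenant=tenant_id)}/subscriptions/{action}"
    if content_type:
        url += "?" + urllib.parse.urlencode({"contentType": content_type})
    req = urllib.request.Request(url, method="POST" if action == "start" else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def fetch_token(tenant_id, client_id, client_secret):
    """Send the token request and return the bearer token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def main():
    # Placeholders: substitute the three values copied during app registration.
    tenant, client, secret = "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"
    token = fetch_token(tenant, client, secret)
    for ct in CONTENT_TYPES:  # start one subscription per content type, then list them
        urllib.request.urlopen(build_feed_request(tenant, token, "start", ct), timeout=30).close()
    with urllib.request.urlopen(build_feed_request(tenant, token, "list"), timeout=30) as resp:
        print(json.dumps(json.load(resp), indent=2))


if __name__ == "__main__":
    main()
```

A token response without an access_token, or a 401 from subscriptions/start, points at the permission grant or admin consent step rather than at the FortiSIEM side.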
Sample Events for Audit
[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"dtomic@my.company.org","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e","Type":2},{"ID":"User_68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841","Type":2},{"ID":"User","Type":2}],"ActorContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019‑07‑23T13:16:05UTC","ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"actorObjectId","Value":"68d76168‑813d‑4b9f‑88cd‑37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"dtomic@my.company.org"},{"Name":"actorAppID","Value":"18ed3507‑a475‑4ccb‑b669‑d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318"},{"Name":"targetObjectId","Value":"02232019‑4557‑45d6‑9630‑f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6‑31d6‑4fea‑8d56‑aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019‑07‑23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927_00000000‑0000
‑0000‑0000‑000000000000_17a913a8‑943a‑42f3‑b8ad‑2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO‑AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],"Id":"fc12de96‑0cbc‑4618‑9c8f‑cc8ab7891e3b","ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da‑dbcc‑4506‑ba57‑a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003‑0000‑0000‑c000‑000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8‑ba31‑4d61‑89e7‑88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add 
application.","OrganizationId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"","Target":[{"ID":"Application_02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"02232019‑4557‑45d6‑9630‑f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],"TargetContextId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","TenantId":"653e32e8‑fb2d‑41aa‑8841‑90f05b340318","UserId":"dtomic@my.company.org","UserKey":"10030000873CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}
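To show how a record of the shape above maps onto the activity-type table at the top of this page, here is an added example (not FortiSIEM's parser) that normalizes the common fields of a Management Activity API record, treats the literal "<null>" placeholder the API emits for ClientIP as absent, flattens ModifiedProperties, and classifies the Operation against a subset of the table. The two records are constructed for the example.

```python
"""Normalize and classify Office 365 Management Activity API audit records.
Added example, not FortiSIEM code; SAMPLE_RECORDS below are constructed."""
import json

# Subset of this page's activity-type table (activity type -> operations).
ACTIVITY_TYPES = {
    "File and folder activities": ("FileAccessed", "FileDownloaded", "FileDeleted", "FileModified"),
    "Sharing and access request activities": ("AnonymousLinkCreated", "AnonymousLinkUsed", "SharingSet"),
    "Exchange mailbox activities": ("MailboxLogin", "SendAs", "SendOnBehalf", "HardDelete"),
    "Application administration activities": ("Add service principal", "Add service principal credentials",
                                              "Remove service principal"),
    "Directory administration activities": ("Set federation settings on domain", "Set password policy"),
}
OP_INDEX = {op.lower(): kind for kind, ops in ACTIVITY_TYPES.items() for op in ops}


def _clean(value):
    """The API emits the literal string "<null>" for absent values (see ClientIP in the sample)."""
    return None if value in (None, "", "<null>") else value


def classify(record):
    """Return the normalized fields plus the activity type ('Unclassified' if not in the table)."""
    op = record.get("Operation", "").strip().rstrip(".")  # the sample shows "Add application."
    changes = {p["Name"]: (p.get("OldValue"), p.get("NewValue"))
               for p in record.get("ModifiedProperties", [])}
    return {
        "time": record.get("CreationTime"), "workload": record.get("Workload"),
        "record_type": record.get("RecordType"), "user": _clean(record.get("UserId")),
        "client_ip": _clean(record.get("ClientIP")), "operation": op,
        "activity_type": OP_INDEX.get(op.lower(), "Unclassified"),
        "result": record.get("ResultStatus"), "changes": changes,
    }


# Constructed records, trimmed to the fields used here.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2019-07-23T13:16:05", "Workload": "AzureActiveDirectory", "RecordType": 8,
                "UserId": "admin@example.test", "ClientIP": "<null>", "ResultStatus": "Success",
                "Operation": "Add service principal credentials.",
                "ModifiedProperties": [{"Name": "KeyDescription", "OldValue": "[]",
                                        "NewValue": "[\"KeyType=Password\"]"}]}),
    json.dumps({"CreationTime": "2019-07-23T13:20:11", "Workload": "SharePoint", "RecordType": 6,
                "UserId": "user@example.test", "ClientIP": "203.0.113.7",
                "Operation": "FileDownloaded", "ResultStatus": "Success"}),
]


def classify_all(raw_records):
    """Parse each raw JSON record and classify it."""
    return [classify(json.loads(raw)) for raw in raw_records]


if __name__ == "__main__":
    for s in classify_all(SAMPLE_RECORDS):
        print(s["activity_type"], "|", s["operation"], "|", s["user"], "|", s["client_ip"], "|", s["changes"])
```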