Symantec CloudSOC Tech Note

Tech Note--Office 365 Securlet 
Copyright statement Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.    
Copyright © 2020 Symantec Corp.  2 
 
Introduction 
This tech note describes how to set up the Office 365 Securlet on CloudSOC. The Securlet for a  SaaS application lets CloudSOC obtain user activity data and user information. CloudSOC uses  this information to auto-import users from the SaaS application. 
The Office 365 Securlet offers the flexibility to secure just OneDrive for Business or OneDrive for  Business and Outlook Mail. If you are interested in securing Outlook Mail in addition to OneDrive,  contact your CloudSOC account representative to enable this feature. 
The Office 365 Securlet: 
Obtains activity data for specified OneDrive users 
Scans emails of specified Outlook Mail and Exchange users. 
Note: When you subscribe to the Office 365 Securlet, it comes bundled with the Yammer  Securlet. However, you must activate the two Securlets separately. See the CloudSOC Tech Note  Yammer Securlet for more information. 
Prerequisites 
To activate the Office 365 Securlet on your CloudSOC account: 
You must have SysAdmin privileges for your CloudSOC account.  
You must have an Office 365 Enterprise account. 
You must have Global Administrator privileges for your Office 365 account.   
The email address you use as the username for the administrator login on your Office 365 account must be exactly the same as the email address that you use as your CloudSOC username. Furthermore, this email address must be within the primary or secondary domains listed for your CloudSOC account.
The Office 365 Securlet uses the primary and secondary domains in the CloudSOC tenant to determine which users are internal or external collaborators. Users whose email addresses are in the primary domain or any secondary domain are considered internal collaborators. Any other domain in an email address is considered an external collaborator.

If necessary, contact Symantec Support using MySymantec to add additional secondary domains.
Note: Best practice is that you contact your CloudSOC representative and have them enable the onmicrosoft.com domain that matches your office365.com domain as a secondary domain on your CloudSOC account. For example, if your Office 365 domain is mycompany.office365.com, then ask your representative to enable mycompany.onmicrosoft.com as a secondary domain. Many customers who subscribe to the Office 365 Securlet are unaware that some of their users have primary email addresses within the onmicrosoft.com domain. The Office 365 Securlet does not track these users' activities unless you have onmicrosoft.com added as a secondary domain.
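The domain rule described above, worked through as an added illustration (this is not CloudSOC's own implementation). The tenant domains and email addresses are constructed for the example; the classification follows the prerequisite text: an address in the primary domain or any secondary domain is an internal collaborator, anything else is external, and a user in an onmicrosoft.com domain that is not listed goes untracked. The `same_admin_identity` check mirrors the requirement that the Office 365 admin login and the CloudSOC username be the same address (case-insensitive comparison is an assumption).

```python
"""Collaborator classification by tenant domains (illustrative, not CloudSOC code).

Domains and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    """Primary and secondary domains configured on a CloudSOC account (constructed)."""
    primary_domain: str
    secondary_domains: set[str] = field(default_factory=set)

    def all_domains(self) -> set[str]:
        return {self.primary_domain.lower()} | {d.lower() for d in self.secondary_domains}


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address; reject malformed input."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def classify(tenant: Tenant, address: str) -> str:
    """'internal' if the address domain is a tenant domain, otherwise 'external'."""
    return "internal" if email_domain(address) in tenant.all_domains() else "external"


def untracked_onmicrosoft_users(tenant: Tenant, addresses: list[str]) -> list[str]:
    """Addresses in an onmicrosoft.com domain the tenant does not list: their activity
    is not tracked until that domain is added as a secondary domain."""
    return [
        a for a in addresses
        if email_domain(a).endswith(".onmicrosoft.com")
        and email_domain(a) not in tenant.all_domains()
    ]


def same_admin_identity(office365_admin: str, cloudsoc_username: str) -> bool:
    """Prerequisite check: the two admin identities must be the same address
    (assumption: addresses are compared case-insensitively after trimming)."""
    return office365_admin.strip().lower() == cloudsoc_username.strip().lower()


if __name__ == "__main__":
    users = ["alice@mycompany.com", "bob@mycompany.onmicrosoft.com", "carol@partner.example"]
    before = Tenant("mycompany.com")
    after = Tenant("mycompany.com", {"mycompany.onmicrosoft.com"})
    for u in users:
        print(u, classify(before, u), "->", classify(after, u))
    print("untracked before:", untracked_onmicrosoft_users(before, users))
    print("untracked after: ", untracked_onmicrosoft_users(after, users))
```

Running the block shows bob flipping from external to internal once the onmicrosoft.com domain is listed as a secondary domain, which is exactly the gap the note above warns about.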
 
Scanning scope

  App          Content scanned
  Outlook      Content in emails, including subject line and attachments, in all folders except Drafts
  OneDrive     All files and folders
  Sharepoint   All files and folders in document libraries
  Teams        Files and Wiki pages but not Conversation messages
               NOTE: There is not a separate Securlet for Microsoft Teams. The documents shared using Microsoft Teams are stored on their respective sites, and are scanned during site scanning by default.
  Groups       Documents saved within each Office 365 Group

  Scan type                                    Emails scanned                        Files scanned
  First scan                                   Emails less than 30 days old          Paid customers: all files
                                                                                     Trial customers: all exposed files (no time limit); unexposed files less than 30 days old
  "Re-scan Content" from Securlet dashboard    Emails exposed within last 30 days    All exposed files
  (scan type not shown in source)              Selected email                        Selected file
  (scan type not shown in source)              All emails                            All new docs, all edited docs
 
Enabling the Office 365 Securlet 
This section describes how to enable the Office 365 Securlet for a single Office 365 account. If  you want to enable the Office 365 Securlet for multiple Office 365 accounts, follow this  procedure to activate the Office 365 Securlet for the first account, then use the procedure in  Enabling the Securlet for additional Office 365 accounts. 
1. Log in to CloudSOC using your administrator credentials.
 
 
4. On the entry for Office, click Details.  
 
 
CloudSOC sends an activation request to the CloudSOC team for the Office 365 Securlet.  The label on the Enable button changes to “Request Pending.” 
 
6. Click Activate. 
CloudSOC prompts you to select either a full or selective scan of your Office 365 account  users and folders. 
 
 
 
 
 
 
11. If you have custom URLs for your OneDrive, Mail, and Sites: 
a. Mark the Use custom endpoints checkbox. The page shows the custom URLs  options. 
 
c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on  an Office 365 account for which mail is your only service, such that there are no  Sites and no OneDrive. Otherwise, enter the URL for the OneDrive admin's  workspace. This is where CloudSOC moves or copies files that are quarantined by  the Protect app Preserve Content feature. 
Note: Do not mark the ACS auth checkbox unless you are so instructed by  Symantec Support. See Troubleshooting for more information. 
d. Mark the Mail and Sites checkboxes as appropriate to select the Office 365 apps  to secure. Which check boxes are available might depend on your service  agreement with CloudSOC. Contact your CloudSOC representative for details. 
e. Enter your custom URLs for Mail and Sites as appropriate. 
12. If you do not have custom URLs as described in the preceding: 
a. Make sure the Use custom endpoints checkbox is clear (not checked). 
b. Type your Office 365 domain in the Sub Domain box. If you are uncertain what  your domain is, open your Office 365 Admin Center (https://portal.office.com) and  select Admin, and then select Sharepoint. The domain is something like  “https://subdomain-my.sharepoint.com”. 
If you have more than one Office 365 domain, contact your CloudSOC  representative to have the additional domains added as secondary domains on  your CloudSOC account. 
c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on  an Office 365 account for which mail is your only service (no Sites and no  OneDrive). Otherwise, enter the URL for the OneDrive admin's workspace. This is  where CloudSOC moves or copies files that are quarantined by the Protect app  Preserve Content feature. 
 
13. If you marked the Sites checkbox, enter your Office 365 login credentials in the  Username and Password boxes, then click Import Sites as shown in the following.  
CloudSOC uses the credentials only to retrieve the top-level sites. It then discards the  credentials without storing them. 
Note: CloudSOC does not support SSO for importing top level sites. 
 
 
 
16. CloudSOC redirects you to the Office 365 login page. 
 
 
Note: If the Save button is disabled (grayed out), it might mean that CloudSOC did not  properly grant you access to the Office 365 Securlet. Contact your CloudSOC  representative if this happens. 
 
 
18. Click Accept to grant access to all requested resources. 
 
 
 
d. Click Add Rule near the bottom of the box to add additional user, group, or folder  rules to the scan policy. 
e. Click Start Scan. 
You have completed the Securlet setup for Office 365. CloudSOC starts scanning your Office 365 resources, and redirects you to the Office 365 Securlet dashboard in CloudSOC. For more information, see our Tech Note Using the Securlet Dashboards.
 
Enabling the Securlet for additional Office 365 accounts 
If you want to enable the Office 365 Securlet for more than one Office 365 account, first use the  procedure in Enabling the Office 365 Securlet to enable the Securlet for the first account. Then  use the following procedure to enable the Securlet for additional Office 365 accounts. 
1. In the CloudSOC Store, click the tile for the Office 365 Securlet. 
 
 
4. Click Register Account and follow the prompts to complete the registration. 
 
Office 365 DvNext deployments 
If you know you have a DvNext Office 365 deployment and the Securlet activation fails, contact  Symantec Support via MySymantec for special installation guidance. They might instruct you to  use the ACS auth option and also do additional configuration and provisioning to authorize  CloudSOC to access your Office 365 resources. 
User impersonation error 
Problem: Securlet activation fails with an error similar to the following: 
Another user from your domain has already signed up for CloudSOC service. OR you are not an  active administrator of that CloudSOC Account. Please contact the support team at  [email protected] 
Why this happens: When this happens, it is usually because you tried to activate the Securlet  while you are logged in to CloudSOC and Office 365 with identities at different domains.  CloudSOC disallows this scenario in order to thwart user impersonation exploits. 
Solution: If the admin account you used to authorize CloudSOC on Office 365 is something similar to [email protected], make sure that a user with the same email exists in CloudSOC's user database and has administrator privileges.
If the problem persists, log into CloudSOC and double-check the email address configured for  your administrator account. The domain for this account must match the sub domain that you  enter when activating the Office 365 Securlet. 
Supported activities 
The following tables list all of the objects and activities that are tracked by the CloudSOC Office 365 Securlet.
Note: Certain admin activities such as user login events are not reported in real time. Notification  may lag behind the event by 6 to 12 hours (in some cases up to 24 hours), subject to availability  from Microsoft. For a full list of admin activities, see Admin activities. 
If you select a selective scan during Securlet activation, the Securlet processes activities for  OneDrive, Sharepoint and Mail only for the users within the scope of the selective scan. However,  the Securlet receives and reports on Azure AD activities (for example, user logins) for all the  users, even the ones not within the scope of the selective scan. 
Outlook events (only part of this table is present in the source)
  Object                   Activity
  Email_File_Attachment    received

Sharepoint (Sites) events
  Object                   Activity
  (object not shown)       Rename
                           Restore
                           ScopeAdd
                           ScopeDelete
                           Share
                           Unshare
                           Upload

Sharepoint (Sites) events, continued
  Object                   Activity
  Site                     GroupSiteCreated
                           SiteCollectionCreated
                           SiteCollectionDeleted
                           SubSiteCreated
                           SubSiteDeleted
                           ScopeAdd
                           ScopeDelete
                           Share
                           Unshare
  User                     Add (adding access request on a file for a user)
Note: The SubSiteDeleted event does not report the correct time for the deletion event. It reports the event as having happened at the time it was recorded, not when it actually occurred.

OneDrive events
  Object                   Activity
  (object not shown)       Share
                           Unshare
                           Upload

Admin activities
The following subsections describe admin activities for Office 365 apps:
  Azure AD
  Exchange
  Sharepoint/OneDrive
Note: The events in these sections are not reported in real time. Notification may lag behind the event by 6 to 12 hours (in some cases up to 24 hours), subject to availability. The historic data reported by the Securlet is limited to the 24 hours prior to when you activated the Securlet.

Azure AD
  Object                   Activity
  (object not shown)       Add member to role
                           Restore user
                           Update user
  User                     AddedToGroup

Exchange
  Object                   Activity
  Group                    New-DynamicDistributionGroup

Sharepoint/OneDrive
  Object         Activity    Notes
  File           Download    Supported for both OneDrive and Sharepoint Sites feature.
  File/Folder    Delete      Although these events are logged via the Main API, Symantec does capture these events under specific scenarios via the Management activity API (for both OneDrive and Sites).
                 Edit
                 Move
                 Rename
                 Restore

Mailbox audit logging events
  Event                       Description
  Add-MailboxPermission       When a new permission is added to a user's mailbox, such as SendAs
  FolderBind                  When a delegated user accesses a folder
  MailboxLogin                When a user logs in to their own mailbox
  MessageBind                 When a delegated user opens an email
  Remove-MailboxPermission    When a permission is removed from a user's mailbox, such as SendAs
  SendAs                      When a user sends an email as another user
  SendOnBehalf                When a user sends an email on behalf of another user
For more information about enabling Mailbox audit logging in Exchange 2016, see this Microsoft TechNet article:
https://technet.microsoft.com/en-us/library/ff459237(v=exchg.160).aspx

APIs used
The following table describes the Office 365 APIs used by the CloudSOC Securlet.
  API                        Used for                                                              Reference
  (name not shown)           (not shown)                                                           http://graph.microsoft.io/docs
  (name not shown)           (not shown)                                                           https://msdn.microsoft.com/office/office365/api/mail-rest-operations
  SharePoint REST Service    Retrieve documents from OneDrive and Sharepoint Sites, and remediate  (not shown)
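The mailbox audit logging events listed above are the ones worth reviewing first when a mailbox is suspected of being read or used by someone other than its owner. The following added example (not CloudSOC or Microsoft code) triages a set of such records: it separates owner activity from delegate access to another user's mailbox, flags permission changes, and pairs an Add-MailboxPermission grant with a later SendAs or SendOnBehalf by the trustee. The record layout (CreationTime, Operation, LogonUserId, MailboxOwnerUPN, Trustee) is an assumed, simplified shape, and the sample records are constructed.

```python
"""Triage of mailbox audit records using the event names from the table above.

Illustrative example written for this page, not CloudSOC or Microsoft code.
Field names are an assumed, simplified layout; the records are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event names from the mailbox audit logging table.
DELEGATE_ACCESS = {"FolderBind", "MessageBind", "SendAs", "SendOnBehalf"}
PERMISSION_CHANGE = {"Add-MailboxPermission", "Remove-MailboxPermission"}

# Constructed sample records (assumed field names).
SAMPLE_RECORDS = [
    {"CreationTime": "2020-01-06T08:00:00", "Operation": "MailboxLogin",
     "LogonUserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test"},
    {"CreationTime": "2020-01-06T08:05:00", "Operation": "Add-MailboxPermission",
     "LogonUserId": "admin@example.test", "MailboxOwnerUPN": "alice@example.test",
     "Trustee": "bob@example.test"},
    {"CreationTime": "2020-01-06T08:10:00", "Operation": "SendAs",
     "LogonUserId": "bob@example.test", "MailboxOwnerUPN": "alice@example.test"},
    {"CreationTime": "2020-01-06T09:00:00", "Operation": "FolderBind",
     "LogonUserId": "bob@example.test", "MailboxOwnerUPN": "alice@example.test"},
    {"CreationTime": "2020-01-06T09:30:00", "Operation": "FolderBind",
     "LogonUserId": "alice@example.test", "MailboxOwnerUPN": "alice@example.test"},
]


def _when(record):
    return datetime.fromisoformat(record["CreationTime"])


def triage(records):
    """One finding per permission change and per delegate access to another
    user's mailbox. MailboxLogin and owner activity on the owner's own mailbox
    are normal use and are not flagged."""
    findings = []
    for r in records:
        op = r["Operation"]
        actor = r["LogonUserId"].lower()
        owner = r["MailboxOwnerUPN"].lower()
        if op in PERMISSION_CHANGE:
            findings.append({"kind": "permission-change", "op": op, "actor": actor,
                             "mailbox": owner, "trustee": r.get("Trustee", "").lower()})
        elif op in DELEGATE_ACCESS and actor != owner:
            findings.append({"kind": "delegate-access", "op": op, "actor": actor,
                             "mailbox": owner})
    return findings


def delegate_summary(records):
    """Count delegate operations per (actor, mailbox, operation): who is
    reading or sending as whom, and how often."""
    return Counter(
        (r["LogonUserId"].lower(), r["MailboxOwnerUPN"].lower(), r["Operation"])
        for r in records
        if r["Operation"] in DELEGATE_ACCESS
        and r["LogonUserId"].lower() != r["MailboxOwnerUPN"].lower()
    )


def grants_then_used(records, window_hours=24):
    """Pair each Add-MailboxPermission with a later SendAs/SendOnBehalf by the
    trustee on the same mailbox within the window: a freshly granted right
    being exercised is a stronger signal than either event alone."""
    grants = [r for r in records if r["Operation"] == "Add-MailboxPermission"]
    uses = [r for r in records if r["Operation"] in {"SendAs", "SendOnBehalf"}]
    window = timedelta(hours=window_hours)
    pairs = []
    for g in grants:
        for u in uses:
            same_mailbox = u["MailboxOwnerUPN"].lower() == g["MailboxOwnerUPN"].lower()
            by_trustee = u["LogonUserId"].lower() == g.get("Trustee", "").lower()
            if same_mailbox and by_trustee and timedelta(0) <= _when(u) - _when(g) <= window:
                pairs.append((g["Operation"], u["Operation"],
                              u["LogonUserId"], u["MailboxOwnerUPN"]))
    return pairs


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
    print(delegate_summary(SAMPLE_RECORDS))
    print(grants_then_used(SAMPLE_RECORDS))
```

On the constructed records the triage yields three findings (the permission grant, bob sending as alice, and bob binding alice's folder), the summary counts two delegate operations by bob on alice's mailbox, and the grant-then-use pairing links the SendAs right granted to bob with his SendAs five minutes later.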
Remediation options

Office 365 OneDrive
  Change Access settings
    File Access: Changes access settings for the file. Select one of the following:
      Update File Permissions: Changes permissions for the file. Mark the checkbox to see available settings.
      Remove Link: Removes the link from the file, rendering it unshared.
    Collaborator Access: Changes collaborator access privileges. Some choices are logically exclusive of others.
      Remove Collaborator: Removes collaborator privileges.
      Delete Unique Permissions: Removes unique permissions from the user.
      Update Collaborator Permissions/access: Sets collaborator role to that selected. Mark the checkbox to see available settings.
  Preserve Content settings: Select any of:
    No Action: Leaves the file in its original location.
    Copy: Creates a copy of the file in the admin's Office 365 workspace.
    Move: Removes all sharing properties from the file, makes your Office 365 account admin the file owner, and moves the file to the admin's Office 365 workspace.
    Move with tombstone: Takes the actions described in Move, and also creates a text file replacement that contains information about the move.

Office 365 Mail
  Access: Changes access settings for the email:

 
See the CloudSOC Tech Note Using the Protect App for more information about using  remediation features and configuring Protect policies.   
 
Date  Version  Description 
1.0-1.11  Initial release and minor changes 
21 October 2016  2.0  Update activation workflow, add Preserve Content remediation  options 
9 November 2016  2.1  Add admin login domain prerequisite 
23 November 2016  2.2  Update Outlook events table 
2 December 2016  2.3  Update scan policies steps 
3 February 2017  2.4  Update Outlook events, add note about historic data. 
10 February 2017  2.5  Update time lag info 
2 March 2017  2.6  Minor changes to screen captures 
22 March 2017  3.0  Address mail-only activation and admin workspace for Preserve  Content feature, update scanning scope section 
8 June 2017  3.1  Add file download as Outlook activity, add information about  bundle with Yammer Securlet 
12 June 2017  3.2  Add admin login email prerequisite 
26 June 2017  3.3  Clarify Office 365 global administrator privileges 
7 July 2017  3.4  Add email subject line to scanning scope 
28 August 2017  3.5  Clarify that email scanning applies to all folders except Drafts 
14 September 2017  4.0  Move scanning scope to beginning, add Teams and Office 365  Groups, update activities tables 
18 December 2017  4.1  Remove reference to user logout as a delayed activity 
13 February 2018  4.2  Remove Email_Message/Email_File_Attachment saved activity,  address redundant prerequisites 
9 March 2018  4.3  Add mailbox audit logging events 
16 May 2018  4.4  Minor changes and formatting updates 
23 May 2018  4.5  Update support references 
14 November 2018  4.6  Change "Scan now" to "Re-scan content" 
14 January 2019  4.7  Clarify scanning scope 
14 February 2019  4.8  Update scanning scope 
12 February 2020  4.9  Add note that CloudSOC does not support SSO for importing top  level sites. Update list of permissions required by CloudSOC to  access Office 365 resources.