I followed all the steps mentioned in the document but I can't get logs. I think there is a missing permission on O365.
Any help, please.
Hi everyone. Record type 40 in 7.15 maps Device Product incorrectly to eDiscovery rather than Security Compliance Alerts. It kind of threw me for a loop. SD02696513 submitted to document this bug. Here's the map file I created to correct the issue. It includes an extra bonus that creates a URL that will take your analyst to the alert (after they log in). Note: this is specific to 220.127.116.1195.0
SecurityComplianceAlerts,Security Compliance Alerts,"__concatenate(""https://protection.office.com/viewalerts?id="",__split(fileId,"" "",""2""))"
Additional events to add
1) Record Type 29 -- user-submitted phish identification
2) Record Type 51 -- Hygiene event (I'm seeing this trigger when a user hits the spam filters in Exchange)
3) Record Type 64 -- AIR investigations. One of the interesting things for this is email header information for zapped emails and what appears to be the offending email that causes the restrict user use case to fire based on spam filters. When I get a chance
I've already raised a FR to include the relevant events that we've identified:
SD02377637/FR: CON-22046 | Expand event types supportability of MS Office 365 Connector
However, the best approach is that ArcSight SIEM, as a security solution, provides full coverage of all the security events generated; at least the documented ones are mandatory.
Note that there are more events seen in the wild; this is because of Microsoft, and I'm not asking you to cover them, but for sure all the "GA" ones which are fully documented by MS.
This is what other SIEM solutions offer out of the box, and they maintain it frequently.
I appreciate seeing progress on this agent, but it is still far from being considered a reliable data collector for Office 365.
Hope that this clarifies the current scenario.
While it is true that the agent has received some updates during these last months, we can still see lots of relevant security events not covered; in fact, only the following ones are supported:
1 ExchangeAdmin
2 ExchangeItem
3 ExchangeItemGroup
4 SharePoint
6 SharePointFileOperation
8 AzureActiveDirectory
9 AzureActiveDirectoryAccountLogon
11 ComplianceDLPSharePoint
13 ComplianceDLPExchange
14 SharePointSharingOperation
33 ComplianceDLPSharePointClassification
55 SharePointContentTypeOperation
56 SharePointFieldOperation
This is just a subset of the events produced.
Actually, as a security solution, they should focus on all the relevant ones for security monitoring. At first glance, I still miss many other events, to highlight:
24 Discovery
28 ThreatIntelligence
41 ThreatIntelligenceUrl
47 ThreatIntelligenceAtpContent
Is it too difficult to support them? I'm not asking for all of them, but just the ones needed to ensure proper security monitoring, nor the types "seen in the wild/not documented".
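To make the coverage gap discussed in this thread concrete, here is an added example (not code from the thread, from ArcSight or from Micro Focus) that takes a batch of Office 365 Management Activity records, reports which RecordType values fall inside the connector's supported list quoted above and which requested types (24, 28, 29, 40, 41, 47, 51, 64) would be dropped, and, for record type 40, builds the analyst link the earlier map file derives with `__concatenate`/`__split`. Assumptions: the `fileId` field is a space-separated string whose second token is the alert id (the map file's `__split(fileId, " ", "2")`, taken here as a 1-based index), and the sample records are constructed, not real tenant data.

```python
"""Added example, not code from the thread or from ArcSight/Micro Focus.

Given a batch of Office 365 Management Activity API records, report which
RecordType values the 7.15 connector covers (the supported list quoted in the
thread), which ones the thread asks for but the connector drops, and build the
analyst link the map file derives for record type 40.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

# RecordType numbers and names exactly as the thread lists the connector's
# supported set.
SUPPORTED_BY_CONNECTOR: Dict[int, str] = {
    1: "ExchangeAdmin",
    2: "ExchangeItem",
    3: "ExchangeItemGroup",
    4: "SharePoint",
    6: "SharePointFileOperation",
    8: "AzureActiveDirectory",
    9: "AzureActiveDirectoryAccountLogon",
    11: "ComplianceDLPSharePoint",
    13: "ComplianceDLPExchange",
    14: "SharePointSharingOperation",
    33: "ComplianceDLPSharePointClassification",
    55: "SharePointContentTypeOperation",
    56: "SharePointFieldOperation",
}

# Types the posters asked for; labels are the thread's own descriptions.
REQUESTED_BY_THREAD: Dict[int, str] = {
    24: "Discovery",
    28: "ThreatIntelligence",
    29: "user-submitted phish identification",
    40: "SecurityComplianceAlerts",
    41: "ThreatIntelligenceUrl",
    47: "ThreatIntelligenceAtpContent",
    51: "Hygiene event",
    64: "AIR investigation",
}

ALERT_URL_PREFIX = "https://protection.office.com/viewalerts?id="


def alert_url(file_id: str) -> Optional[str]:
    """Python equivalent of the map-file expression
    __concatenate("https://protection.office.com/viewalerts?id=", __split(fileId, " ", "2")).
    Assumption: __split's index is 1-based, so "2" selects the second
    space-separated token of fileId. Returns None when no such token exists,
    so a malformed fileId yields no link rather than a broken one."""
    parts = file_id.split(" ")
    if len(parts) < 2 or not parts[1]:
        return None
    return ALERT_URL_PREFIX + parts[1]


def coverage_status(record_type: int) -> str:
    """Classify a RecordType against the two lists above."""
    if record_type in SUPPORTED_BY_CONNECTOR:
        return "supported"
    if record_type in REQUESTED_BY_THREAD:
        return "requested_not_supported"
    return "unknown"


def triage(records: List[dict]) -> dict:
    """Summarise connector coverage for a batch of records and collect the
    analyst links for any record type 40 events."""
    counts: Counter = Counter()
    dropped: List[str] = []
    alert_links: List[str] = []
    for rec in records:
        rt = int(rec.get("RecordType", -1))
        status = coverage_status(rt)
        counts[status] += 1
        if status != "supported":
            label = REQUESTED_BY_THREAD.get(rt, "unmapped")
            dropped.append(f"{rt} ({label}) id={rec.get('Id')}")
        if rt == 40 and rec.get("fileId"):
            link = alert_url(rec["fileId"])
            if link:
                alert_links.append(link)
    return {"counts": dict(counts), "dropped": dropped, "alert_links": alert_links}


# Constructed sample records, not real tenant data. The "fileId" value is an
# assumption about the connector-mapped field: a space-separated string whose
# second token is the alert id the map file extracts.
SAMPLE_JSONL = """\
{"Id": "c1", "RecordType": 1, "Operation": "Set-Mailbox"}
{"Id": "c2", "RecordType": 8, "Operation": "Add member to role."}
{"Id": "c3", "RecordType": 40, "Operation": "AlertTriggered", "fileId": "SecurityComplianceAlert 1111aaaa-example"}
{"Id": "c4", "RecordType": 64, "Operation": "InvestigationCompleted"}
{"Id": "c5", "RecordType": 29, "Operation": "Submit"}
"""


def load_records(jsonl: str) -> List[dict]:
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def run_sample() -> dict:
    return triage(load_records(SAMPLE_JSONL))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Running it on the constructed batch shows two records the connector would parse and three (types 40, 64 and 29) it would silently drop, which is the visibility gap the thread is arguing about; the same `triage` call can be pointed at a real content-blob export to measure the gap in your own tenant.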