AlienApp for Office 365

Access Requirements

This integration requires connectivity between your USM Anywhere Sensor and the Microsoft APIs. If you have an Azure Sensor deployed in your Azure subscription, you should use this sensor to configure the AlienApp because you don't need to configure additional permissions.

If you use a non-Azure Sensor, you must set your firewall permissions based on the following table to allow inbound and outbound connections for the sensor:

Protocol   Port   Endpoint                       Purpose
TCP        443    https://login.windows.net/     Authentication for your Office 365 account
TCP        443    https://graph.microsoft.com    Queries to retrieve log data from the Microsoft Graph APIs
TCP        443    https://manage.office.com      Queries to retrieve log data from the Office 365 Management APIs

Note: To access Office 365 US Government, allow connections to graph.microsoft.us instead of graph.microsoft.com and manage.office365.us instead of manage.office.com.

Set Up API Integration

You need to register the AlienApp for Office 365 in Azure for the Office 365 Management Activity API to communicate with USM Anywhere.
To perform this task, you must have the following items:
  1. Microsoft Office 365 subscription
  2. Microsoft Azure subscription
  3. Administrator credentials for the Azure tenant

To register USM Anywhere in Azure

  1. The cert.pem file will be shared by the WatchTower365 team.
  2. Log in to the Azure portal and click Azure Active Directory.
  3. Go to App registrations and click New registration.
  4. Register the application:
       1. Enter a name for the application.
       2. In Supported account types, select who can use this application.
       3. Your selection decides whether this application is single-tenant or multi-tenant in the Microsoft identity platform. See the Microsoft documentation for a description of each type.
       4. In Redirect URI, enter your USM Anywhere login URL (for example, https://acmecompany.alienvault.cloud).
       5. Click Register.
       6. The application is created and the overview page is displayed.
  5. Add permissions for accessing the Office 365 Management APIs:
       1. Go to API permissions and click Add a permission.
       2. Under Request API permissions, click Office 365 Management APIs.
       3. Click Application permissions.
       4. Expand the groups to select the ActivityFeed.Read permission, and then click Add permissions.
  6. Add permissions for pulling Azure AD users:
       1. Go to API permissions and click Add a permission.
       2. Under Request API permissions, click Microsoft Graph.
       3. Click Application permissions.
       4. Expand User to select the User.Read.All permission, and then click Add permissions.
       5. Click Grant admin consent for Default Directory, and then click Yes when prompted.

     Important: You must grant the permissions for the application to work. You must have Global Administrator privileges to successfully grant permissions.

  7. Update the credentials of the application:
       1. Go to Certificates & secrets.
       2. Select the cert.pem file from step 1 and click Add.
       3. The credentials of the application are updated.
  8. Return to the overview page of the application and copy the Application (client) ID and Directory (tenant) ID to your clipboard.
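The following is an added example, not part of this documentation or of the AlienApp itself: a small audit of the app registration's manifest (App registrations > your app > Manifest, the requiredResourceAccess section) that confirms exactly the two application permissions from steps 5 and 6 are present, flags a permission that was added as delegated (Scope) instead of application (Role), and lists anything beyond what the AlienApp needs. The resource and permission GUIDs are Microsoft's published values for the commercial cloud and are an assumption here; confirm them against your tenant's manifest. The sample manifest is constructed.

```python
import json

# Assumed Microsoft-published IDs (commercial cloud); verify against your tenant's manifest.
REQUIRED = {
    "c5393580-f805-4401-95e8-94b7a6ef2fc2": {  # Office 365 Management APIs
        "594c1fb6-4f81-4475-ae41-0c394909246c": "ActivityFeed.Read",
    },
    "00000003-0000-0000-c000-000000000000": {  # Microsoft Graph
        "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
    },
}


def audit_manifest(manifest_json: str) -> dict:
    """Compare a manifest's requiredResourceAccess with what the AlienApp needs.

    Returns the required permissions that are missing, those present but added
    as delegated ("Scope") instead of application ("Role"), and any extra
    permissions the integration does not need (least-privilege check).
    """
    manifest = json.loads(manifest_json)
    granted = {}  # (resourceAppId, permission id) -> "Role" or "Scope"
    for res in manifest.get("requiredResourceAccess", []):
        for access in res.get("resourceAccess", []):
            granted[(res["resourceAppId"], access["id"])] = access["type"]
    missing, delegated = [], []
    for res_id, roles in REQUIRED.items():
        for role_id, name in roles.items():
            kind = granted.pop((res_id, role_id), None)
            if kind is None:
                missing.append(name)
            elif kind != "Role":
                delegated.append(name)
    extra = [f"{res}:{perm}" for (res, perm) in granted]  # whatever is left over
    return {"missing": missing, "delegated": delegated, "extra": extra}


# Constructed sample: ActivityFeed.Read was added as delegated by mistake,
# User.Read.All is correct, and one unneeded Graph permission (placeholder id) is present.
SAMPLE_MANIFEST = json.dumps({"requiredResourceAccess": [
    {"resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
     "resourceAccess": [{"id": "594c1fb6-4f81-4475-ae41-0c394909246c", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"},
                        {"id": "00000000-0000-0000-0000-000000000001", "type": "Role"}]},
]})

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest exported from the portal; an empty "missing" and "delegated" list and an empty "extra" list is the state the procedure above leaves the registration in.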

To enable log collection

  1. In the USM Anywhere main menu, go to Settings > Scheduler and search for the collection job for the AlienApp.
  2. Enable the job if it is not already enabled. To customize the log collection rate, click the edit icon and set the desired interval for log collection.