Collect data from Defender for O365
See the changelog of the HTTP Listener here.
Overview
The following article outlines a basic data flow from Microsoft Defender for Office 365 (MDO) to the Office 365 Listener.
Prerequisites
Administrative access to the Microsoft Defender portal
Contact Onum to get the required JWT token, which will be needed during the Listener setup.
You can also contact us if you cannot generate the required TLS certificates. Note that these certificates must be signed by a recognized Certificate Authority (CA). Self-signed certificates are not accepted.
Defender for Cloud Apps Setup
Microsoft Defender for Office 365 (MDO) can be configured to send logs to Onum. Here's how to set it up:
Access the Microsoft Defender for Office 365 portal.
Go to Azure Active Directory > App registrations
Click New registration and give it a name.
Supported account type - Accounts in this organizational directory only
Redirect URI - Leave blank for now
Click "Register"
Retrieve the Application (Client) ID
Go to the All Applications tab and click on the application name.
On the overview page, you'll see "Application (client) ID" displayed prominently. This is the GUID you need for Onum.
In your new app registration, go to API permissions
Click Add a permission and select Microsoft Graph > Application permissions
Add these permissions
SecurityEvents.Read.All
SecurityEvents.ReadWrite.All
SecurityIncident.Read.All
ThreatIntelligence.Read.All
For Office 365 Management API, add
ActivityFeed.Read
ActivityFeed.ReadDlp
ServiceHealth.Read
Click Grant admin consent
Create a client secret
Go to Certificates & secrets
Click New client secret
Add a description and select expiration
Copy the secret value immediately (it won't be shown again)
Locate and save your Tenant ID
Go to Azure Active Directory > App registrations
On the Azure AD overview page, look for Tenant ID in the basic information section. It will be displayed as a GUID (e.g., 12a34567-89b0-12c3-d456-789012ef3456).
Keep it somewhere safe to paste it into the Listener.
Start/stop a subscription
The Office 365 Listener supports the start/stop subscription feature. You can start/stop a subscription using some other Office 365 API or using this curl command:
You should get a response like this:
Use the access_token value to start or stop a subscription. These are the available content values:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General
DLP.All
These are some of the requests you can perform:
Start a subscription to begin receiving notifications and retrieving activity data for a tenant.
Stop a subscription to discontinue retrieving data for a tenant:
Content type example (this will subscribe you to active directory and exchange):
Here is the list of all the API requests you can use. Once you start a subscription, you can use the Listener to fetch your data.
For easier testing, here is the curl command to fetch the list of updates:
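The request sequence described in this section (obtain an access token, then start, stop or list subscriptions and fetch content blobs for the content types listed above) is shown end to end in the following added example. It is not Onum's code and not the page's own curl commands; it assumes Microsoft's published Office 365 Management Activity API endpoints (the v1 token endpoint on login.microsoftonline.com and the /activity/feed/subscriptions/ resources on manage.office.com), and the tenant, client and secret values are constructed placeholders read from environment variables.

```python
"""Office 365 Management Activity API: token, subscription start/stop/list, content fetch.

Added example, not Onum's code. Assumes the public Microsoft endpoints:
  token: https://login.microsoftonline.com/{tenant}/oauth2/token  (client credentials)
  API:   https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/{action}
TENANT_ID, CLIENT_ID and CLIENT_SECRET are constructed placeholders supplied via env vars.
"""
import json
import os
import urllib.parse
import urllib.request

RESOURCE = "https://manage.office.com"
# Content types accepted by the API (same set the Listener offers).
CONTENT_TYPES = frozenset({
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
})
ACTIONS = ("start", "stop", "list", "content")


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials POST that yields the access_token used below."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def subscription_url(tenant_id, action, content_type=None, **params):
    """Build a .../subscriptions/{start|stop|list|content} URL, rejecting unknown values early."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if content_type is not None and content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {content_type!r}")
    query = {}
    if content_type:
        query["contentType"] = content_type
    query.update(params)
    base = f"{RESOURCE}/api/v1.0/{tenant_id}/activity/feed/subscriptions/{action}"
    return base + ("?" + urllib.parse.urlencode(query) if query else "")


def api_request(url, token, method="GET"):
    """Attach the bearer token; start/stop are POSTs with an empty body, list/content are GETs."""
    return urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})


def call(request, opener=urllib.request.urlopen):
    """Send a request and decode its JSON body; an empty body (e.g. from stop) decodes to None."""
    with opener(request) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    return call(token_request(tenant_id, client_id, client_secret), opener)["access_token"]


def start_subscription(tenant_id, token, content_type, opener=urllib.request.urlopen):
    return call(api_request(subscription_url(tenant_id, "start", content_type), token, "POST"), opener)


def stop_subscription(tenant_id, token, content_type, opener=urllib.request.urlopen):
    return call(api_request(subscription_url(tenant_id, "stop", content_type), token, "POST"), opener)


def list_subscriptions(tenant_id, token, opener=urllib.request.urlopen):
    return call(api_request(subscription_url(tenant_id, "list"), token), opener)


def fetch_content(tenant_id, token, content_type, start_time, end_time, opener=urllib.request.urlopen):
    """List the available content blobs (the 'updates') for a content type and time window."""
    url = subscription_url(tenant_id, "content", content_type, startTime=start_time, endTime=end_time)
    return call(api_request(url, token), opener)


if __name__ == "__main__":
    # Placeholder credentials; set O365_TENANT_ID / O365_CLIENT_ID / O365_CLIENT_SECRET to run live.
    tenant = os.environ.get("O365_TENANT_ID", "00000000-0000-0000-0000-000000000000")
    tok = get_token(tenant, os.environ["O365_CLIENT_ID"], os.environ["O365_CLIENT_SECRET"])
    print(start_subscription(tenant, tok, "Audit.AzureActiveDirectory"))
    print(start_subscription(tenant, tok, "Audit.Exchange"))
    print(json.dumps(list_subscriptions(tenant, tok), indent=2))
```

The `opener` parameter exists so the exchange can be exercised against a fake transport without network access; in production leave it at the default `urllib.request.urlopen`. Keep the client secret in an environment variable or secret store rather than on the command line, where it would land in shell history.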
Onum Setup
Log in to your Onum tenant and click Listeners > New listener.


Double-click the Office 365 Listener.
Enter a Name for the new Listener. Optionally, add a Description and some Tags to identify the Listener.
Enter your Defender for O365 Azure Tenant ID*.
The Application (client) ID* is needed when accessing Office 365 through APIs or applications. For applications registered in other directories, the Application (Client) ID is located in the application credentials.
Assign your data a Content Type in the form of reusable columns, document templates, workflows, or behaviors. Click Add element to add the required content types.
These are the available content values:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.SharePoint
Audit.General (includes all other workloads not included in the previous content types)
DLP.All (DLP events only for all workloads)
For details about the events and properties associated with these content types, see Office 365 Management Activity API schema.
The Client Secret (also called Application Secret) is used for authentication in Microsoft Entra ID (formerly Azure AD) when accessing APIs. To get it:
Click App registrations under the Manage section.
Select your registered application.
In the left menu, click Certificates & secrets.
Under Client secrets, check if an existing secret is available. You cannot view it, so you must have it saved somewhere.
If you need a new one, create one and copy the value immediately.
Learn more about secrets in Onum in this article.
In Onum, open the Secret field and click New secret to create a new one:
Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the JWT token you generated before. Remember that the token will be added in the Microsoft 365 configuration.
Click Save.


You can now select the secret you just created in the corresponding field.
Choose your Subscription Plan* from the list. Find this in the Microsoft Account Portal under Billing > Your Products.
Enter the Polling Interval* frequency in minutes with which to grab events. The minimum value is 1, and the maximum value is 60.
If you are using a proxy to establish the connection, toggle on the Proxy configuration button and enter the details here.
Scheme* - Choose the scheme to connect to.
URL* - The host and port of the proxy URL used to establish the connection.
Username - This is the username used to access the proxy.
Password - Enter the proxy passcode.
Decide whether to skip or require TLS validation of the server certificate.
Finally, click Create labels. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as Unlabeled. Click Create listener when you're done.
Learn more about labels in this article.
Ports
The Office 365 Listener has two output ports:
Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.