BMC Defender Office 365 adapter (deprecated)


(Deprecated with version 6.2)

This space provides a detailed description of the Microsoft Office 365 Agent Adapter. This is an optional set of files and executables added to the BMC Defender Server that expands the role of the system to include the monitoring of Microsoft Office 365 Cloud App Security service using Microsoft embedded functions.


The space provides information on specific features and capabilities of this special software, including installation procedures, operating theory, application notes, and certain features not documented elsewhere.

Note

To use this adapter, the BMC Defender administrator works with the Office 365 administrator to obtain the Java SIEM agent, a security token, and other parameters from the Microsoft Cloud App Security portal. The software described here requires a subscription to the Office 365 Cloud App Security functions and does not operate without this purchased function. If you do not have a subscription to this Microsoft service, acquire it before proceeding.

This space is intended for BMC Defender users who operate the system, as well as system administrators responsible for installing the software components. This information is also of interest to program developers and administrators who want to extend the range of the BMC Defender system's role within an enterprise to include a collection of arbitrary files.

Microsoft supports its Office 365 implementation with a RESTful API that furnishes information on alerts from connected apps, including user activities, visibility to performance, and security features. It also affords general security monitoring of Office 365 implementations.

This interface is furnished by Microsoft and is a purchased option. The interface consists of a Java SIEM Agent program that executes on the BMC Defender Server, which is placed in the installationDirectory\o365 folder. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender. For more details about installation directory, see Installing-BMC-Defender-Office-365-adapter.

The Java SIEM agent runs as a persistent process at the BMC Defender Server, and periodically checks for new activity and alerts by polling the Office 365 RESTful interface. When new log activity exists in Office 365 Cloud, this information is pulled from the cloud and sent to the BMC Defender Server (in near real-time) where it appears as a log message like other devices.

The BMC Defender Server furnishes a screen, in the Messages > Adapters > Office 365 tab of Installation, that allows you to easily configure, start, and stop the Microsoft SIEM Agent. For information about this screen, see Configuring-BMC-Defender-Office-365-Adapter.

The net result of this scheme is that Office 365 information is received and processed like other log messages, furnishing visibility into app and user activity taking place in the cloud.

Note

The Microsoft SIEM Agent program is not BMC-furnished software, and BMC takes no responsibility for this Microsoft component. You might need to contact Microsoft to resolve specific issues with this software. No BMC warranty, expressed or implied, exists for this software. You acknowledge this by using any of the software described here.

For more information about SIEM integration from Microsoft, see https://docs.microsoft.com/en-us/cloud-app-security/siem.

Note

The only required components of the system are the CO-o365.exe program and the configuration file, documented herein.

Caveats and cautions

Several minor caveats exist to installing and using the software, as follows:

  • Do not install the Office 365 Agent (installationDirectory\o365) on a remote network disk. This can interfere with the performance and stability of the Microsoft agent. The Jar file should reside on the local disk, in the o365 folder of the BMC Defender Server root directory. 
  • If any problems exist with starting the agent, the status indicator (at the top of the screen) becomes red, and further information is available on clicking the View Process Log link.
  • The Office 365 Agent program generates messages in Common Event Format (CEF) and is constrained to generate that format. BMC Defender Server has no problem accepting or processing this type of message.

    Note

    CEF format is known to be difficult for humans to read (being highly encumbered by odd and unnecessary syntax such as pipes, poorly delimited fields, and cryptic and ambiguous message tags). Information on CEF format is available on the web from a variety of sources.

  • The administrator should ensure that the CO-o365.exe program has permissions to any input folders specified in the configuration file. If permissions are not correctly set, indications of this condition are logged and can be viewed using the Process Log link at the top-middle section of the screen.
