Tech Note--Office 365 Securlet
Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
Copyright © 2020 Symantec Corp. 2
Introduction

This tech note describes how to set up the Office 365 Securlet on CloudSOC. The Securlet for a SaaS application lets CloudSOC obtain user activity data and user information. CloudSOC uses this information to auto-import users from the SaaS application.

The Office 365 Securlet offers the flexibility to secure just OneDrive for Business, or OneDrive for Business and Outlook Mail. If you are interested in securing Outlook Mail in addition to OneDrive, contact your CloudSOC account representative to enable this feature.

The Office 365 Securlet:
- Obtains activity data for specified OneDrive users
- Scans emails of specified Outlook Mail and Exchange users

Note: When you subscribe to the Office 365 Securlet, it comes bundled with the Yammer Securlet. However, you must activate the two Securlets separately. See the CloudSOC Tech Note Yammer Securlet for more information.
Prerequisites

To activate the Office 365 Securlet on your CloudSOC account:
- You must have SysAdmin privileges for your CloudSOC account.
- You must have an Office 365 Enterprise account.
- You must have Global Administrator privileges for your Office 365 account.
- The email address you use as the username for the administrator login on your Office 365 account must be exactly the same as the email address that you use as your CloudSOC username. Furthermore, this email address must be within the primary or secondary domains listed for your CloudSOC account.

The Office 365 Securlet uses the primary and secondary domains in the CloudSOC tenant to determine which users are internal or external collaborators. Users whose email addresses are in the primary domain or any secondary domain are considered internal collaborators. Any other domain in an email address is considered an external collaborator. If necessary, contact Symantec Support using MySymantec to add additional secondary domains.

Note: Best practice is that you contact your CloudSOC representative and have them enable the onmicrosoft.com domain that matches your office365.com domain as a secondary domain on your CloudSOC account. For example, if your Office 365 domain is mycompany.office365.com, then ask your representative to enable mycompany.onmicrosoft.com as a secondary domain. Many customers who subscribe to the Office 365 Securlet are unaware that some of their users have primary email addresses within the onmicrosoft.com domain. The Office 365 Securlet does not track these users' activities unless you have onmicrosoft.com added as a secondary domain.
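The following Python is an added example, not CloudSOC or Symantec code. It models the two domain rules described above: the prerequisite that the Office 365 administrator login must be the same address as the CloudSOC username and sit within the account's primary or secondary domains, and the internal/external collaborator classification. The tenant names, addresses, and the exact-match rule (no subdomain inheritance) are assumptions of the example; the sample run shows why a user at mycompany.onmicrosoft.com is treated as external, and therefore untracked, until that domain is added as a secondary domain.

```python
"""Added example, not code from CloudSOC or Symantec.

Models the domain rules from this tech note:
  * a collaborator is internal only if the domain of their email address is
    the CloudSOC tenant's primary domain or one of its secondary domains;
  * the Office 365 admin login used for activation must be the same address
    as the CloudSOC username and must sit within those domains.
Exact domain matching (no subdomain inheritance) is an assumption of this
example, as are all tenant names and addresses below.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TenantDomains:
    """Primary and secondary domains configured on a CloudSOC account."""
    primary: str
    secondary: frozenset = field(default_factory=frozenset)

    def all_domains(self) -> set:
        return {self.primary.lower()} | {d.lower() for d in self.secondary}


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an address; reject malformed input."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def is_internal(address: str, tenant: TenantDomains) -> bool:
    """True when the address belongs to the primary or a secondary domain."""
    return email_domain(address) in tenant.all_domains()


def classify_collaborators(addresses, tenant: TenantDomains) -> dict:
    """Map each address to 'internal' or 'external' as the Securlet would."""
    return {a: ("internal" if is_internal(a, tenant) else "external") for a in addresses}


def check_admin_identity(cloudsoc_username: str, o365_admin_login: str,
                         tenant: TenantDomains) -> list:
    """Return the prerequisite violations that lead to the activation error."""
    problems = []
    if cloudsoc_username.strip().lower() != o365_admin_login.strip().lower():
        problems.append("CloudSOC username and Office 365 admin login are not the same address")
    if not is_internal(o365_admin_login, tenant):
        problems.append(f"{email_domain(o365_admin_login)} is not a primary or "
                        "secondary domain of the CloudSOC account")
    return problems


# Constructed sample tenants: before and after adding the onmicrosoft.com domain.
TENANT_WITHOUT_ONMICROSOFT = TenantDomains("mycompany.com")
TENANT_WITH_ONMICROSOFT = TenantDomains("mycompany.com",
                                        frozenset({"mycompany.onmicrosoft.com"}))

# Constructed sample collaborator addresses.
SAMPLE_ADDRESSES = [
    "Alice@MyCompany.com",
    "bob@mycompany.onmicrosoft.com",
    "eve@partner.example",
]

if __name__ == "__main__":
    for label, tenant in (("without", TENANT_WITHOUT_ONMICROSOFT),
                          ("with", TENANT_WITH_ONMICROSOFT)):
        print(f"{label} onmicrosoft.com as a secondary domain:")
        for addr, kind in classify_collaborators(SAMPLE_ADDRESSES, tenant).items():
            print(f"  {addr:32} {kind}")
    print(check_admin_identity("admin@mycompany.com",
                               "admin@mycompany.onmicrosoft.com",
                               TENANT_WITHOUT_ONMICROSOFT))
```

Running the block prints bob as external under the first tenant and internal under the second, and lists both prerequisite violations for an admin who authorised Office 365 with an onmicrosoft.com identity while the CloudSOC username is on mycompany.com.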
Scanning scope

App          Content scanned
Outlook      Content in emails, including subject line and attachments, in all folders except Drafts
OneDrive     All files and folders
Sharepoint   All files and folders in document libraries
Teams        Files and Wiki pages but not Conversation messages
Groups       Documents saved within each Office 365 Group

NOTE: There is not a separate Securlet for Microsoft Teams. The documents shared using Microsoft Teams are stored on their respective sites, and are scanned during site scanning by default.

Scan type                                    Emails scanned                        Files scanned
First scan                                   Emails less than 30 days old          Paid customers: all files. Trial customers: all exposed files (no time limit); unexposed files less than 30 days old
"Re-scan Content" from Securlet dashboard    Emails exposed within last 30 days    All exposed files
                                             Selected email                        Selected file
                                             All emails                            All new docs, all edited docs
Enabling the Office 365 Securlet

This section describes how to enable the Office 365 Securlet for a single Office 365 account. If you want to enable the Office 365 Securlet for multiple Office 365 accounts, follow this procedure to activate the Office 365 Securlet for the first account, then use the procedure in Enabling the Securlet for additional Office 365 accounts.

1. Log in to CloudSOC using your administrator credentials.
4. On the entry for Office, click Details.
CloudSOC sends an activation request to the CloudSOC team for the Office 365 Securlet. The label on the Enable button changes to “Request Pending.”
6. Click Activate.
CloudSOC prompts you to select either a full or selective scan of your Office 365 account users and folders.
11. If you have custom URLs for your OneDrive, Mail, and Sites:
   a. Mark the Use custom endpoints checkbox. The page shows the custom URLs options.
   c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on an Office 365 account for which mail is your only service, such that there are no Sites and no OneDrive. Otherwise, enter the URL for the OneDrive admin's workspace. This is where CloudSOC moves or copies files that are quarantined by the Protect app Preserve Content feature.
   Note: Do not mark the ACS auth checkbox unless you are so instructed by Symantec Support. See Troubleshooting for more information.
   d. Mark the Mail and Sites checkboxes as appropriate to select the Office 365 apps to secure. Which check boxes are available might depend on your service agreement with CloudSOC. Contact your CloudSOC representative for details.
   e. Enter your custom URLs for Mail and Sites as appropriate.
12. If you do not have custom URLs as described in the preceding:
   a. Make sure the Use custom endpoints checkbox is clear (not checked).
   b. Type your Office 365 domain in the Sub Domain box. If you are uncertain what your domain is, open your Office 365 Admin Center (https://portal.office.com) and select Admin, and then select Sharepoint. The domain is something like “https://subdomain-my.sharepoint.com”.
   If you have more than one Office 365 domain, contact your CloudSOC representative to have the additional domains added as secondary domains on your CloudSOC account.
   c. Leave the Admin's OneDrive URL box blank if you are activating the Securlet on an Office 365 account for which mail is your only service (no Sites and no OneDrive). Otherwise, enter the URL for the OneDrive admin's workspace. This is where CloudSOC moves or copies files that are quarantined by the Protect app Preserve Content feature.
13. If you marked the Sites checkbox, enter your Office 365 login credentials in the Username and Password boxes, then click Import Sites as shown in the following.
   CloudSOC uses the credentials only to retrieve the top-level sites. It then discards the credentials without storing them.
   Note: CloudSOC does not support SSO for importing top level sites.
16. CloudSOC redirects you to the Office 365 login page.
Note: If the Save button is disabled (grayed out), it might mean that CloudSOC did not properly grant you access to the Office 365 Securlet. Contact your CloudSOC representative if this happens.
18. Click Accept to grant access to all requested resources.
   d. Click Add Rule near the bottom of the box to add additional user, group, or folder rules to the scan policy.
   e. Click Start Scan.
You have completed the Securlet setup for Office 365. CloudSOC starts scanning your Office 365 resources, and redirects you to the Office 365 Securlet dashboard in CloudSOC. For more information, see our Tech Note Using the Securlet Dashboards.
Enabling the Securlet for additional Office 365 accounts

If you want to enable the Office 365 Securlet for more than one Office 365 account, first use the procedure in Enabling the Office 365 Securlet to enable the Securlet for the first account. Then use the following procedure to enable the Securlet for additional Office 365 accounts.

1. In the CloudSOC Store, click the tile for the Office 365 Securlet.
4. Click Register Account and follow the prompts to complete the registration.
Troubleshooting

Office 365 DvNext deployments

If you know you have a DvNext Office 365 deployment and the Securlet activation fails, contact Symantec Support via MySymantec for special installation guidance. They might instruct you to use the ACS auth option and also do additional configuration and provisioning to authorize CloudSOC to access your Office 365 resources.
User impersonation error

Problem: Securlet activation fails with an error similar to the following:

Another user from your domain has already signed up for CloudSOC service. OR you are not an active administrator of that CloudSOC Account. Please contact the support team at [email protected]

Why this happens: This is usually because you tried to activate the Securlet while you are logged in to CloudSOC and Office 365 with identities at different domains. CloudSOC disallows this scenario in order to thwart user impersonation exploits.

Solution: If the admin account you used to authorize CloudSOC on Office 365 is something similar to [email protected], make sure that a user with the same email exists in CloudSOC’s user database and has administrator privileges. If the problem persists, log into CloudSOC and double-check the email address configured for your administrator account. The domain for this account must match the sub domain that you enter when activating the Office 365 Securlet.
Supported activities

The following tables list all of the objects and activities that are tracked by the CloudSOC Office 365 Securlet.

Note: Certain admin activities such as user login events are not reported in real time. Notification may lag behind the event by 6 to 12 hours (in some cases up to 24 hours), subject to availability from Microsoft. For a full list of admin activities, see Admin activities.

If you select a selective scan during Securlet activation, the Securlet processes activities for OneDrive, Sharepoint and Mail only for the users within the scope of the selective scan. However, the Securlet receives and reports on Azure AD activities (for example, user logins) for all the users, even the ones not within the scope of the selective scan.
Object                  Activity
Email_File_Attachment   received
                        Rename
                        Restore
                        ScopeAdd
                        ScopeDelete
                        Share
                        Unshare
                        Upload
Sharepoint (Sites) events, Continued

Note: The SubSiteDeleted event does not report the correct time for the deletion event. It reports the event as having happened at the time it was recorded, not when it actually occurred.
OneDrive events

Object   Activity
Site     GroupSiteCreated
         SiteCollectionDeleted
         ScopeAdd
         ScopeDelete
         Share
         SiteCollectionCreated
         SiteCollectionDeleted
         Unshare
         SubSiteCreated
         SubSiteDeleted
User     Add (adding access request on a file for a user)

Object   Activity
         Share
         Unshare
         Upload
The following subsections describe admin activities for Office 365 apps:
- Azure AD
- Exchange
- Sharepoint/OneDrive

Note: The events in these sections are not reported in real time. Notification may lag behind the event by 6 to 12 hours (in some cases up to 24 hours), subject to availability. The historic data reported by the Securlet is limited to the 24 hours prior to when you activated the Securlet.
Azure AD

Object        Activity
              Share
              Unshare
              ScopeDelete
              Share
              Unshare
User          Add (adding access request on a file for a user)

Object        Activity
              Add member to role
              Restore user
              Update user

Object        Activity
Group         New-DynamicDistributionGroup
File          Download (supported for both OneDrive and Sharepoint Sites)
File/Folder   Delete (although these events are logged via the Main API, Symantec does capture these events under specific scenarios via the Management activity API, for both OneDrive and Sites)
              Edit
              Move
              Rename
              Restore
Mailbox audit logging events

For more information about enabling Mailbox audit logging in Exchange 2016, see this Microsoft TechNet article: https://technet.microsoft.com/en-us/library/ff459237(v=exchg.160).aspx
Object   Activity
User     AddedToGroup

Event                      Description
Add-MailboxPermission      When a new permission is added to a user’s mailbox, such as SendAs
FolderBind                 When a delegated user accesses a folder
MailboxLogin               When a user logs in to their own mailbox
MessageBind                When a delegated user opens an email
Remove-MailboxPermission   When a permission is removed from a user’s mailbox, such as SendAs
SendAs                     When a user sends an email as another user
SendOnBehalf               When a user sends an email on behalf of another user

APIs used

The following table describes the Office 365 APIs used by the CloudSOC Securlet.

API                       Used for                                                        Reference
                                                                                          http://graph.microsoft.io/docs
                                                                                          https://msdn.microsoft.com/office/office365/APi/mail-rest-operations
SharePoint REST Service   Retrieve documents from OneDrive and Sharepoint Sites, and remediate
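The following Python is an added example, not CloudSOC or Symantec code. It shows how a reviewer would triage the operations from the Mailbox audit logging events table (Add-MailboxPermission, FolderBind, MailboxLogin, MessageBind, Remove-MailboxPermission, SendAs, SendOnBehalf), separating routine owner activity from delegated access, permission changes, and logins by someone other than the mailbox owner. The records are constructed sample data in a JSON-lines shape that only approximates Exchange mailbox audit events; the field names (CreationTime, Operation, UserId, MailboxOwnerUPN, Parameters) and all addresses are assumptions of the example, not values taken from the tech note.

```python
"""Added example, not CloudSOC or Symantec code.

Reviews mailbox audit records for the operations listed in the tech note's
"Mailbox audit logging events" table and flags the ones that mean someone
other than the mailbox owner acted. The records below are constructed sample
data; the field names (CreationTime, Operation, UserId, MailboxOwnerUPN,
Parameters) approximate Exchange mailbox audit events and are an assumption
of this example, not a schema taken from the tech note.
"""
import json
from collections import defaultdict

# Operations from the tech note's table, grouped by what they tell a reviewer.
DELEGATE_ACCESS_OPS = {"FolderBind", "MessageBind", "SendAs", "SendOnBehalf"}
PERMISSION_CHANGE_OPS = {"Add-MailboxPermission", "Remove-MailboxPermission"}
LOGIN_OPS = {"MailboxLogin"}

# Constructed sample audit log, one JSON record per line.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2020-03-02T08:01:12", "Operation": "MailboxLogin", "UserId": "alice@mycompany.com", "MailboxOwnerUPN": "alice@mycompany.com"}
{"CreationTime": "2020-03-02T08:05:40", "Operation": "FolderBind", "UserId": "bob@mycompany.com", "MailboxOwnerUPN": "alice@mycompany.com"}
{"CreationTime": "2020-03-02T08:06:02", "Operation": "SendAs", "UserId": "bob@mycompany.com", "MailboxOwnerUPN": "alice@mycompany.com"}
{"CreationTime": "2020-03-02T09:15:00", "Operation": "Add-MailboxPermission", "UserId": "admin@mycompany.com", "MailboxOwnerUPN": "carol@mycompany.com", "Parameters": [{"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2020-03-02T09:20:31", "Operation": "MessageBind", "UserId": "carol@mycompany.com", "MailboxOwnerUPN": "carol@mycompany.com"}
{"CreationTime": "2020-03-02T23:58:09", "Operation": "MailboxLogin", "UserId": "bob@mycompany.com", "MailboxOwnerUPN": "dave@mycompany.com"}
"""


def parse_records(text: str):
    """Yield one dict per non-empty JSON line; skip lines that do not parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def access_rights(rec: dict) -> str:
    """Pull the AccessRights parameter (e.g. SendAs, FullAccess) if present."""
    for p in rec.get("Parameters") or []:
        if p.get("Name") == "AccessRights":
            return str(p.get("Value"))
    return "unspecified"


def classify_record(rec: dict):
    """Return a finding category, or None when the owner acted on their own mailbox."""
    op = rec.get("Operation")
    actor = (rec.get("UserId") or "").lower()
    owner = (rec.get("MailboxOwnerUPN") or "").lower()
    if op in PERMISSION_CHANGE_OPS:
        return "permission-change"      # always worth a look, whoever made it
    if op in DELEGATE_ACCESS_OPS and actor != owner:
        return "delegate-access"        # a delegate read, sent as, or sent on behalf
    if op in LOGIN_OPS and actor != owner:
        return "non-owner-login"        # login to a mailbox the actor does not own
    return None


def review_audit_log(text: str) -> dict:
    """Group findings by mailbox: {owner: [(category, operation, actor, detail), ...]}."""
    findings = defaultdict(list)
    for rec in parse_records(text):
        category = classify_record(rec)
        if category is None:
            continue
        detail = access_rights(rec) if category == "permission-change" else ""
        owner = (rec.get("MailboxOwnerUPN") or "").lower()
        actor = (rec.get("UserId") or "").lower()
        findings[owner].append((category, rec.get("Operation"), actor, detail))
    return dict(findings)


if __name__ == "__main__":
    for mailbox, items in review_audit_log(SAMPLE_AUDIT_LOG).items():
        print(mailbox)
        for category, op, actor, detail in items:
            print(f"  {category:18} {op:24} by {actor} {detail}")
```

On the sample data the review flags two delegate actions by bob against alice's mailbox, the FullAccess grant on carol's mailbox, and a login to dave's mailbox by bob; alice's own login and carol reading her own mail are left alone. The per-mailbox grouping is the view a defender wants when deciding whether delegated access was expected.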
Remediation options

Office 365 OneDrive

Change Access settings
- File Access: Changes access settings for the file. Select one of the following:
  - Update File Permissions: Changes permissions for the file. Mark the checkbox to see available settings.
  - Remove Link: Removes the link from the file, rendering it unshared.
- Collaborator Access: Changes collaborator access privileges. Some choices are logically exclusive of others.
  - Remove Collaborator: Removes collaborator privileges.
  - Delete Unique Permissions: Removes unique permissions from the user.
  - Update Collaborator Permissions/access: Sets collaborator role to that selected. Mark the checkbox to see available settings.

Preserve Content settings: Select any of:
- No Action: Leaves the file in its original location.
- Copy: Creates a copy of the file in the admin's Office 365 workspace.
- Move: Removes all sharing properties from the file, makes your Office 365 account admin the file owner, and moves the file to the admin's Office 365 workspace.
- Move with tombstone: Takes the actions described in Move, and also creates a text file replacement that contains information about the move.

Office 365 Mail

Access: Changes access settings for the email:
See the CloudSOC Tech Note Using the Protect App for more information about using remediation features and configuring Protect policies.
Revision history

Date                 Version    Description
                     1.0-1.11   Initial release and minor changes
21 October 2016      2.0        Update activation workflow, add Preserve Content remediation options
9 November 2016      2.1        Add admin login domain prerequisite
23 November 2016     2.2        Update Outlook events table
2 December 2016      2.3        Update scan policies steps
3 February 2017      2.4        Update Outlook events, add note about historic data
10 February 2017     2.5        Update time lag info
2 March 2017         2.6        Minor changes to screen captures
22 March 2017        3.0        Address mail-only activation and admin workspace for Preserve Content feature, update scanning scope section
8 June 2017          3.1        Add file download as Outlook activity, add information about bundle with Yammer Securlet
12 June 2017         3.2        Add admin login email prerequisite
26 June 2017         3.3        Clarify Office 365 global administrator privileges
7 July 2017          3.4        Add email subject line to scanning scope
28 August 2017       3.5        Clarify that email scanning applies to all folders except Drafts
14 September 2017    4.0        Move scanning scope to beginning, add Teams and Office 365 Groups, update activities tables
18 December 2017     4.1        Remove reference to user logout as a delayed activity
13 February 2018     4.2        Remove Email_Message/Email_File_Attachment saved activity, address redundant prerequisites
9 March 2018         4.3        Add mailbox audit logging events
16 May 2018          4.4        Minor changes and formatting updates
23 May 2018          4.5        Update support references
14 November 2018     4.6        Change "Scan now" to "Re-scan content"
14 January 2019      4.7        Clarify scanning scope
14 February 2019     4.8        Update scanning scope
12 February 2020     4.9        Add note that CloudSOC does not support SSO for importing top level sites. Update list of permissions required by CloudSOC to access Office 365 resources.