This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Office 365 Log Collecting/Rules

ErnieCastro
New Contributor
New Contributor

‎2020-03-03 09:39 AM

I recently integrated Office 365 logs into NetWtiness.  I installed all 5 parser packs and everything works fine. 

 

I want to set up dashboards and enable some rules and would like to know a good baseline to start.

 

Has anyone made Office 365 dashboards? What do they display and what are some specific things to look for?

 

Are my current rules going to trigger from these cloud log sources even though the event types are different or do i need to implement a whole new set of rules for Office 365?

 

Any info from anyone collecting logs from Office 365 would be great, thank you!

4 REPLIES 4

EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)

‎2020-03-03 10:03 AM

Ernie Castro‌,

 

I've moved your question to the RSA NetWitness Platform" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.

 

Alternatively, from the RSA Customer Support page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA NetWitness Platform" data-type="space and click Ask A Question.  That way your question will appear in the correct space.

 

Regards,

Erica

0 Likes

lawrencekkk
Contributor
Contributor

‎2020-07-07 10:54 PM

From where did you check the office365 logs in RSA and know that "everything works fine" ?

I am also currently working on office365 integration , but I can't seem to find any of the office365 logs. 
My log collector's log say something about waiting for config on STDIN.

0 Likes

ErnieCastro
New Contributor
New Contributor
In response to lawrencekkk

‎2020-07-08 11:38 AM

Lawrence, you've completed the setup per the implementation guide yet you don't see "msoffice365" as an event type? (Investigate ->Device Type -> show more -> msoffice365

 

When you added the Event Source in your log collector, does the test pass??

Log Collector -> Event Sources ->Event Categories -> Sources

0 Likes

lawrencekkk
Contributor
Contributor
In response to ErnieCastro

‎2020-07-08 09:45 PM

Hi Ernie, yes I followed the Microsoft_Office365 guide from RSA but I don't see msoffice365 as event type.
Ya, the test pass when I added the event source.
Are there any more steps that you did that are not stated within the guide?

 

My log collector's log are spamming messages like "[office365audit.office365] [processing] [WorkUnit] [processing] 2020-07-09T08:01:14Z Office365auditCollector waiting for config on STDIN..."


I am using netwitness 11.4 if that even matters.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.