Skip to content

How to collect data from the Office 365 application

This page describes how to collect events from the Office 365 data source.

Log in to the CYBERQUEST web interface with an account that has administrator privileges.

Navigate to Settings > Management > Data Source Manager.

Settings > Management > Data Source Manager

This page contains all the data sources added in the CYBERQUEST application.

Data sources list

Complete the form

Press the "ADD DATA-SOURCE" button and complete the following form:

Add data source form

  • DataSource Type: Select one of the three Office 365 data sources: "CQApi / Office365 AzureActiveDirectory (LogName: Office365 AzureActiveDirectory)", "CQApi / Office365 Exchange (LogName: Office365 Exchange)", or "CQApi / Office365 Sharepoint (LogName: Office365 Sharepoint)";

  • Query Interval: How often the query runs. Defaults to every 60 seconds;

  • Credentials to use: Select appropriate credentials from the drop-down list (See Credential Setup: How to manage Credentials);

  • Tag: A unique identifier automatically assigned to the data source;

  • Administrative Notes: Optional notes for administrators;

  • Anonymize Fields: Select fields to be anonymized. One or more options can be selected;

  • Script: Complete the following keys in the script:

tenant_id: "Directory (tenant) ID"
client_id: "Application (client) ID"
client_secret: "Client Secrets / secret key"

Click the "Save" button to save the data source.

Assign the CYBERQUEST agent

The next step is to assign the CYBERQUEST agent to this data source. Press the drop-down list and choose the agent (often the CQ Server agent).

Assign agent dropdown

  • Edit: Press Edit buttonbutton to modify the data source information. The steps are very similar to adding a new data source.

  • Clone: Press the Clone iconto create a copy of the data source.

  • Delete: To remove a data source, first unassign the Agent, then press "Delete".