ODFB Activity log integration with Cloud App Secuirty


We have a customer that is currently in the process of rolling out ODFB. At this point we do have controls available in ODFB that can control access via the sync client, Mobile and Browser. However since the Browser restriction also applies currently to SPO, they do not want to enforce Conditional Access for Browsers.
Therefore they would like to have some mechanism on altering / informing them on when users access and download files from Browsers on unmanaged devices.

They have a SIEM tool from IMB – QRadar which can potentially analyze this information with their User Behavior Analysis. However the customer was keen to understand if this is something Microsoft can provide, as they have issues with the IBM tool.

While checking out feasibility, I was exploring the option of using Cloud App Security and have that integrated with Office 365 (OneDrive For Business). Once done, the Cloud App Security will fetch the auditing information from the SharePoint/ODFB logs. Post that create a custom user activity report so that UST is informed when users download files.

Please could you provide some insight if this is something that CAS can do natively with Office 365, as outlined here https://docs.microsoft.com/en-us/cloud-app-security/user-activity-policies ?

Thanks in advance

2 Replies

CAS, as well as it's cheaper version ASM can both read the SPO/ODFB activity logs. Both will also allow you to configure custom notifications or even actions such as blocking the user. If you want direct integration with SIEM however, I beleive only CAS would be able to do that.


Another option is to directly use the API and feed the events to your SIEM. Here's a good starting point: https://msdn.microsoft.com/office-365/office-365-management-activity-api-reference

Thanks Vasil for the prompt response. The customer is intrested on leveraging Microsoft CAS.  The idea in the longer run then is to show more value for other services with CAS and then use this as their main platform.

We did share the SIEM (in their case QRadar) integration with O365 Management API. Hopefully this confirmation allows us to move forward with CAS. Thanks again