Pandora office 365


Introduction

This is a server plugin that generates an agent containing each available Office 365 service and the status of its features.

Compatibility matrix

Developed in Python 3.8. The compiled binary is distributed and does not require extra dependencies.

Prerequisites

System
Since it is a binary, it does not need specific dependencies for its execution.

In Pandora environment
The plugin server must be enabled.

General Permissions

General graph to authenticate


To access the service health and download the modules


Permissions logs

And the following authentication elements:
● TenantID
● ClientID
● Secret

 

Configuration

The plugin is executed by defining the corresponding parameters:

usage: pandora_o365 [-h] -c CLIENTID -t TENANTID -s SECRET [-a AGENT_NAME]
                    [-p PREFIX] [-g GROUP] [-i INTERVAL] [-d DATA_IN] [-l]
                    [-n] [--tentacle_address TENTACLE_ADDRESS]
                    [--tentacle_port TENTACLE_PORT] [--tmp TMP]

Pandora Office365 Status plugin ver. 3.0

optional arguments:
  -h, --help            show this help message and exit
  -c CLIENTID, --clientid CLIENTID
                        Authentication O365 client id
  -t TENANTID, --tenantid TENANTID
                        Authentication O365 Tenant id
  -s SECRET, --secret SECRET
                        Authentication O365 Secret
  -a AGENT_NAME, --agent_name AGENT_NAME
                        Defined agent_name , default: pandora_o365
  -p PREFIX, --prefix PREFIX
                        Prefix for agent names, default O365
  -g GROUP, --group GROUP
                        Pandora agent group, default unknown
  -i INTERVAL, --interval INTERVAL
                        Agent interval in seconds, default: 300
  -d DATA_IN, --data_in DATA_IN
                        Pandora server datain directory, default:
                        /var/spool/pandora/data_in/
  -l, --logs            Get incidents messages to Pandora log collector
  -n, --nodata          Ignores module data (usefull for log retreaving only)
  --tentacle_address TENTACLE_ADDRESS
                        Define tentacle address for remote execution,
                        Default=none
  --tentacle_port TENTACLE_PORT
                        Define tentacle port for remote execution,
                        Default=41121
  --tmp TMP             Pandora temporary file directory for remote execution
                        only, default: /tmp/

The required fields are the authentication fields: clientid, tenantid and secret.

If you run the plugin with only the required fields, you obtain the agent and module data corresponding to each service.

Optional fields:

AGENT_NAME: Name of the agent that will contain the service modules. Default: pandora_o365.

PREFIX: Prefix for the agents generated by the plugin execution. Default: O365.

GROUP: Group written into the XMLs to assign the agents in Pandora. This group must exist in the environment; otherwise the agents are assigned to the default group, unknown.

INTERVAL: Interval defined for each agent created. Default: 300 seconds. It should be equal to or greater than the plugin execution interval.

DATA_IN: Location of the Pandora FMS data_in directory. Default: /var/spool/pandora/data_in.

TMP: Temporary directory where the data is stored before being copied to data_in. Default: /tmp.

LOGS: Enables capture of the O365 incident messages and sends them to the Pandora log collector (the log collector must be configured in the environment). Disabled by default.

NODATA: Ignores agent and module data; useful if you want to run the plugin only to collect logs. Disabled by default.

UTF8: Uses UTF-8. Set to 0 if the shell is not in UTF-8; values will then be in raw bytes. Default: 1.

TENTACLE_ADDRESS: IP of the tentacle server to send the data to.

TENTACLE_PORT: Tentacle port, default is 41121.

Manual execution

Execution of the plugin:

Binary version:

./pandora_o365 -c <client-id> -t <tenant-id> -s <secret>

Optional parameters can be defined such as the location of the data_in directory (-d), a prefix for the name of the generated agents (-p), the time interval defined for the agent (-i) and the group to which the agents are assigned (-g).

./pandora_o365 -c <client-id> -t <tenant-id> -s <secret> -d <data-in directory> -p <prefix> -i <interval> -g <group-name> -l
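
The commands above take the secret with -s on the command line. As an added example (not part of the plugin or its documentation), the wrapper below keeps the three authentication values in a file with no group or other access and builds the plugin call from it; the file path, its KEY=value layout and the PANDORA_O365_BIN variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: run pandora_o365 with credentials taken from a private file.
# Assumed file layout (constructed): one KEY=value per line with the keys
# CLIENT_ID, TENANT_ID and SECRET. PANDORA_O365_BIN is a hypothetical override.

# Succeed only if $1 is a regular file with no group/other permission bits.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    _mode=$(ls -ld "$1" | cut -c5-10)
    [ "$_mode" = "------" ]
}

# Print the value of key $2 from file $1. The file is parsed, never sourced,
# so its contents cannot run as shell code.
cred_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# run_plugin CRED_FILE [extra plugin options...]
run_plugin() {
    _file=$1
    shift
    if ! cred_file_is_private "$_file"; then
        echo "refusing $_file: not a regular file without group/other access" >&2
        return 2
    fi
    _cid=$(cred_get "$_file" CLIENT_ID)
    _tid=$(cred_get "$_file" TENANT_ID)
    _sec=$(cred_get "$_file" SECRET)
    if [ -z "$_cid" ] || [ -z "$_tid" ] || [ -z "$_sec" ]; then
        echo "missing CLIENT_ID, TENANT_ID or SECRET in $_file" >&2
        return 3
    fi
    "${PANDORA_O365_BIN:-./pandora_o365}" -c "$_cid" -t "$_tid" -s "$_sec" "$@"
}

# Example call (hypothetical path): ./o365_wrapper.sh /etc/pandora/o365.cred -g Cloud
if [ "$#" -gt 0 ]; then
    run_plugin "$@"
fi
```

The secret is still handed to the binary as an argument, because -s is the only input the usage text shows, so it remains visible in the process list while the plugin runs. What the wrapper removes is the secret from the stored plugin command and from shell history.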

Modules generated by the plugin

The plugin will create an agent with the name configured with the -a parameter, which will have one status module and one active issues module for each service.

For example:

O365_Bookings_active_issues
O365_Bookings_status
O365_cloudappsecurity_active_issues
O365_cloudappsecurity_status
O365_DynamicsAX_active_issues
O365_DynamicsAX_status
O365_DynamicsCRM_active_issues
O365_DynamicsCRM_status
O365_Exchange_active_issues
O365_Exchange_status
O365_Forms_active_issues
O365_Forms_status
O365_Intune_active_issues
O365_Intune_status
O365_kaizalamessagingservices_active_issues
O365_kaizalamessagingservices_status
O365_Lync_active_issues
O365_Lync_status
O365_MicrosoftFlowM365_active_issues
O365_MicrosoftFlowM365_status
O365_MicrosoftFlow_active_issues
O365_MicrosoftFlow_status
O365_microsoftteams_active_issues
O365_microsoftteams_status
O365_MobileDeviceManagement_active_issues
O365_MobileDeviceManagement_status
O365_O365Client_active_issues
O365_O365Client_status
O365_officeonline_active_issues
O365_officeonline_status
O365_OneDriveForBusiness_active_issues
O365_OneDriveForBusiness_status
O365_OrgLiveID_active_issues
O365_OrgLiveID_status
O365_OSDPPlatform_active_issues
O365_OSDPPlatform_status
O365_Planner_active_issues
O365_Planner_status
O365_PowerAppsM365_active_issues
O365_PowerAppsM365_status
O365_PowerApps_active_issues
O365_PowerApps_status
O365_ProjectForTheWeb_active_issues
O365_ProjectForTheWeb_status
O365_ProjectOnline_active_issues
O365_ProjectOnline_status
O365_RMS_active_issues
O365_RMS_status
O365_SharePoint_active_issues
O365_SharePoint_status
O365_StaffHub_active_issues
O365_StaffHub_status
O365_Stream_active_issues
O365_Stream_status
O365_SwayEnterprise_active_issues
O365_SwayEnterprise_status
O365_Viva_active_issues
O365_Viva_status
O365_yammer_active_issues
O365_yammer_status

Example of the module view in the agent
