Office 365 Feed

The Office 365 IP Address and URL web service is a read-only API provided by Microsoft to expose the URLs and IPs used by Office 365. The Office 365 Feed integration fetches indicators from the service, with which you can create a list (whitelist, blacklist, EDL, etc.) for your SIEM or firewall service to ingest and apply to its policy rules.

Configure Office365 Feed on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Office365 Feed.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionExample
    NameA meaningful name for the integration instance.Office 365 Feed_worldwide_exchange
    Fetch indicatorsSelect this option if you want this integration instance to fetch indicators from the Office 365 feed.N/A
    RegionsThe regions from which to fetch indicators. Supports multi-select. For all regions, you need to select each region.
    ServicesThe services for which to fetch indicators. Supports multi-select. For all services, select the “All” option.Sharepoint, Exchange
    Indicator ReputationThis reputation will be applied to all indicators fetched from this integration instance.Good
    Source ReliabilityThe reliability of the source providing the intelligence data, which affects how this indicator's fields and reputation are populated.A - Completely reliable
    feedExpirationPolicyThe method by which to expire indicators from this integration instance.When removed from the feed
    feedExpirationInterval
    Feed Fetch IntervalHow often to fetch indicators from this integration instance. You can specify the interval in days, hours, or minutes.30 minutes
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.N/A
    Trust any certificate (not secure)When selected, certificates are not checked.N/A
    Use system proxy settingsRuns the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.False
  4. Click Test to validate the URLs and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get indicators from the feed


Gets indicators from the feed.

Base Command

office365-get-indicators

Input
Argument NameDescriptionRequired
limitThe maximum number of results to return. The default value is 10.Optional
indicator_typeThe indicator type. Can be "IPs", "URLs", or "Both". The default value is "IPs".Optional
Context Output

There is no context output for this command.

Command Example

!office365-get-indicators limit="5"

Human Readable Output

Indicators from Office 365 Feed:

valuetype
0.0.0.0/0CIDR
0.0.0.0/0CIDR
0.0.0.0/0CIDR
0.0.0.0/0CIDR
0.0.0.0/0CIDR
0.0.0.0/0CIDR