
Cloud SIEM for Microsoft 365

Email services and productivity tools such as Microsoft 365 (formerly Office 365 or O365) are frequent targets, both because of the amount of sensitive information stored in them and because a compromised mailbox can be a gateway to other systems through email-based password resets.


Blumira integrates with the Microsoft 365 productivity suite to stream its security events, logs, and alerts to the Blumira service, where threat intelligence is applied to automatically detect suspected threats and deliver an actionable response.


Sign Up For Blumira’s Free Edition

SMBs can gain protection and greater insight into their Microsoft 365 environment with Blumira’s Free Edition for unlimited users and data – no credit card or licensing required.


What you get for free:

  • Coverage for unlimited users and data for Microsoft 365 (no additional licensing required)
  • Easy setup with Cloud Connectors — in minutes
  • Detections automatically rolled out to your account, pre-tuned to filter out the noise
  • Summary dashboard of key findings and security reports
  • Playbooks with each finding to guide you through response steps


It takes only minutes to set up and start realizing security value.


You can configure Microsoft 365 productivity suite to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

Before you begin

Before you can configure Microsoft 365 in Blumira, you must configure Microsoft 365 to send us logs.

To configure Microsoft 365 to send logs to Blumira:

  1. Log in to https://compliance.microsoft.com.
  2. In the left pane of the Compliance Center, click Audit.
  3. If auditing is not enabled for your organization, a message appears that prompts you to start recording user and admin activity. Click Start recording user and admin activity, and wait up to 60 minutes for the change to take effect.
  4. Log in to https://aad.portal.azure.com/.
  5. Click Azure Active Directory.
  6. Under Manage, click App registrations.
  7. Click Register an application or + New registration.
  8. Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
  9. Select Accounts in this organizational directory only, and then click Register.
  10. From the window that appears, document the following values:
      Microsoft 365 parameter    Corresponding field in Blumira
      Application (client) ID    App Client ID
      Directory (tenant) ID      Tenant ID (or Tenant ID to monitor)

  11. In the second pane from the left, click API permissions.
  12. Click Add a Permission.
  13. Click Office 365 Management API.
  14. Click Application Permissions.
  15. Expand ActivityFeed, and select ActivityFeed.Read and ActivityFeed.ReadDlp.
  16. At the bottom, click Add permissions.
  17. Important: Click Grant admin consent.

  18. In the Status column, confirm that admin consent was granted for Blumira (a green check mark appears).
  19. Click Certificates & secrets.
  20. Click New client secret.
  21. In the Description box, type a descriptive name (e.g., Blumira sensor).
  22. Select any timeframe you’re comfortable with (up to 24 months).
    Tip: Set yourself a reminder to rotate this secret before it expires; once it expires, log collection stops.
  23. Click Add.
  24. Copy and document the key shown in the “Value” column under the Client secrets section.

Important: Do not use the “Secret ID” column. This is a common misstep that results in no logs being sent to Blumira.

Note: There can be approximately one minute of latency between when Microsoft generates a Client secret and when it successfully works in an API request.

  25. The Client secret Value is the final key needed in Blumira:
      Microsoft 365 parameter    Corresponding field in Blumira
      Client Secret Value        Client Secret
  26. Go to one of the following sections:
    • If you want to integrate using the cloud, wait at least one minute after generating the Client secret, and then go to Integrating with Microsoft 365 using a Cloud Connector.
    • If you want to integrate with an existing sensor module, go to Integrating with Microsoft 365 using a sensor module.
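The two mistakes this procedure warns about (pasting the Secret ID instead of the secret Value, and skipping Grant admin consent) only surface later as "no logs arriving". The following pre-flight check, an added example that is not Blumira's own code, catches both before you enter the values in Blumira. It checks the shape of the three values offline, builds the client-credentials request for the Office 365 Management API token endpoint, and inspects the roles claim of the returned app-only token to confirm that ActivityFeed.Read and ActivityFeed.ReadDlp were actually consented. The tenant ID, client ID and secret in main() are constructed placeholders, and make_sample_token builds an unsigned token purely for the offline demonstration.

```python
"""Pre-flight check for the Microsoft 365 credentials collected above.

Added example, not Blumira's code. Uses only the public Microsoft identity
platform token endpoint and the roles claim of the resulting access token.
All identifiers in main() are constructed placeholders.
"""
import base64
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}  # step 15 above
TOKEN_SCOPE = "https://manage.office.com/.default"  # Office 365 Management API


def check_values(tenant_id, client_id, client_secret):
    """Sanity-check the three values before any network call.
    Returns a list of problems; an empty list means they look right."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append("Tenant ID should be the 'Directory (tenant) ID' GUID")
    if not GUID_RE.match(client_id):
        problems.append("App Client ID should be the 'Application (client) ID' GUID")
    if GUID_RE.match(client_secret):
        # The Secret ID column is a GUID; the Value column never is.
        problems.append("Client Secret is a GUID: you copied 'Secret ID' instead of 'Value'")
    elif not client_secret:
        problems.append("Client Secret is empty")
    return problems


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request as (url, urlencoded body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_roles(access_token):
    """Read the 'roles' claim (consented application permissions) from an
    app-only access token. The signature is deliberately not verified: we are
    only inspecting a token that was just issued to us, not accepting one."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(access_token):
    """Permissions from step 15 that admin consent (step 17) did not grant."""
    return REQUIRED_ROLES - granted_roles(access_token)


def make_sample_token(roles):
    """Constructed, unsigned JWT used only for the offline demo and tests."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': 'https://manage.office.com', 'roles': list(roles)})}."


def fetch_token(tenant_id, client_id, client_secret):
    """Live check: request a real token, turning the common failure into a hint."""
    url, body = token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        err = json.load(e)
        hint = ""
        if err.get("error") == "invalid_client":
            hint = " (wrong client ID or secret; a new secret can take about a minute to work)"
        raise RuntimeError(f"{err.get('error')}: {err.get('error_description', '')}{hint}") from None


if __name__ == "__main__":
    # Constructed placeholders; the secret is deliberately the Secret-ID mistake.
    tenant_id = "00000000-0000-0000-0000-000000000000"
    client_id = "11111111-1111-1111-1111-111111111111"
    client_secret = "22222222-2222-2222-2222-222222222222"
    for p in check_values(tenant_id, client_id, client_secret):
        print("problem:", p)
    print("missing from sample token:", missing_roles(make_sample_token(["ActivityFeed.Read"])))
    if len(sys.argv) == 4:  # python check.py TENANT_ID CLIENT_ID SECRET_VALUE runs the live check
        print("consent missing for:", missing_roles(fetch_token(*sys.argv[1:])) or "nothing")
```

Run it with no arguments for the offline demonstration, or pass the three real values on the command line to request a token; an empty "consent missing" result means the app registration is ready for either integration path below.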

Integrating with Microsoft 365 using a Cloud Connector

Cloud Connectors automate the configuration of your integrations without requiring a sensor. After you obtain your integration’s configuration parameters, you can enable Blumira to collect your logs.

  1. In the Blumira app, go to the Cloud Connectors page (Infrastructure > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the “device_address” column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them.
  6. Enter the API credentials that you collected in the section above.
  7. Click Connect.
    On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
  8. Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Infrastructure > Sensors) to avoid log duplication.

Integrating with Microsoft 365 using a sensor module

To collect Microsoft 365 logs on an existing sensor in the sensor UI, you must add a Microsoft module.

To add a module on an existing sensor:

  1. In Blumira, click Infrastructure.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the latest available version of this integration’s module.
  6. (Optional) Type a name for this log deployment in the Log Source Name box. This name is what will appear in the “device_address” column in the results of your event data queries. If you might have additional modules collect logs for different integrations in the future, this will help you distinguish them.
    Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
  7. Enter the API credentials that you gathered in the section above.
  8. Click Install.