
Cloud SIEM for Microsoft 365

Email services and productivity tools such as Microsoft 365 (formerly Office 365 or O365) are often targeted due to the amount of sensitive information stored in these systems, but also because they can be a gateway to other systems through password resets using email.


Blumira integrates with the Microsoft 365 productivity suite by streaming its security events, logs, and alerts to the Blumira service, where threat intelligence is applied to automatically detect suspected threats and deliver an actionable response.



You can configure Microsoft 365 productivity suite to send security event logs and alerts to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

Before you begin

Before you can configure Microsoft 365 in Blumira, you must configure Microsoft 365 to send us logs.

To configure Microsoft 365 to send logs to Blumira:

  1. Log in to https://compliance.microsoft.com.
  2. In the left pane of the Compliance Center, click Audit.
  3. If auditing is not enabled for your organization, a message appears that prompts you to start recording user and admin activity. Click Start recording user and admin activity, and wait up to 60 minutes for the change to take effect.
  4. Log in to office.com.
  5. Navigate to the Microsoft Admin Center.
  6. Click Azure Active Directory.
  7. In the left panel, click All Services.
  8. Click Azure Active Directory.
  9. Under Manage, click App registrations.
  10. Click Register an application or + New registration.
  11. Type the name (e.g., Microsoft 365 Audit Logs to Blumira).
  12. Select Accounts in this organizational directory only, and then click Register.
  13. From the window that appears, document the following values; each corresponds to a field in Blumira:
    Microsoft 365 parameter      Corresponding field in Blumira
    Application (client) ID      App Client ID
    Directory (tenant) ID        Tenant ID (or Tenant ID to monitor)

  14. In the second-to-left panel, click API permissions.
  15. Click Add a Permission.
  16. Click Office 365 Management API.
  17. Click Application Permissions.
  18. Expand ActivityFeed, and select ActivityFeed.Read, ActivityFeed.ReadDlp.
  19. At the bottom, click Add permissions.
  20. Important: Click Grant admin consent.
  21. Clear the delegated User.Read permission checkbox.
  22. Click Certificates & secrets.
  23. Click New client secret.
  24. In the Description box, type a descriptive name (e.g., Blumira sensor).
  25. Select any timeframe you’re comfortable with (up to 24 months).
    Tip: Ensure that you set yourself a reminder to update this when it expires.
  26. Click Add.
  27. In the Status column, confirm that Admin consent was granted for Blumira (a green check box appears).
  28. Document the client secret value.
    Important: Do not copy the “Secret ID,” which is only an object reference to the value.
  29. Go to one of the following sections, depending on whether you want to integrate Blumira with Microsoft 365 using the cloud or an existing sensor module:
    • Integrating with Microsoft 365 using a Cloud Connector
    • Integrating with Microsoft 365 using a sensor module
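
The steps above produce three values (tenant ID, client ID, client secret) that Blumira cannot use if any of them is wrong, and the two most common mistakes are copying the Secret ID instead of the secret value (step 28) and forgetting admin consent (step 20). The following pre-flight check is an added example, not Blumira's or Microsoft's own code. It assumes the Microsoft identity platform v2.0 client-credentials flow with the `https://manage.office.com/.default` scope, and that application permissions appear in the access token's `roles` claim. The HTTP transport is injected so the check runs offline against a constructed token response; pass `urllib_post` to run it against the real endpoint. The tenant, client and secret values in the fixtures are constructed placeholders.

```python
"""Pre-flight check for the Microsoft 365 app registration created above.

Added example (not Blumira's or Microsoft's code). Assumes the v2.0 token
endpoint, the .default scope for the Office 365 Management API, and that
granted application permissions show up in the token's "roles" claim.
"""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://manage.office.com/.default"                    # Office 365 Management API
REQUIRED_ROLES = {"ActivityFeed.Read", "ActivityFeed.ReadDlp"}   # permissions from step 18
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def classify_secret(value: str) -> str:
    """Step 28 warns against copying the Secret ID. That column is a GUID that
    only references the secret; the usable secret value is an opaque string."""
    return "secret_id" if GUID_RE.match(value.strip()) else "secret_value"


def decode_jwt_payload(token: str) -> dict:
    """Read the token's claims without verifying the signature; this is only
    used to inspect which application permissions were actually granted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)               # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str) -> set:
    """Roles absent from the token usually mean admin consent was not granted
    (step 20) or a permission from step 18 was not added."""
    return REQUIRED_ROLES - set(decode_jwt_payload(token).get("roles", []))


def urllib_post(url: str, body: bytes):
    """Real transport: POST a form body and return (status, response_text)."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def preflight(tenant_id: str, client_id: str, client_secret: str, post=urllib_post) -> dict:
    """Validate the three values the Blumira connector needs and report on them."""
    report = {"tenant_id_ok": bool(GUID_RE.match(tenant_id)),
              "client_id_ok": bool(GUID_RE.match(client_id)),
              "secret_kind": classify_secret(client_secret),
              "token_ok": False, "missing_roles": set(REQUIRED_ROLES)}
    if report["secret_kind"] == "secret_id" or not (report["tenant_id_ok"] and report["client_id_ok"]):
        return report                                    # no point in contacting the token endpoint
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": SCOPE}).encode()
    status, text = post(TOKEN_URL.format(tenant=tenant_id), body)
    data = json.loads(text)
    if status == 200 and "access_token" in data:
        report["token_ok"] = True
        report["missing_roles"] = missing_roles(data["access_token"])
    else:
        report["error"] = data.get("error_description", text)
    return report


# ---- Constructed fixtures for offline use (not real tenant data) ------------
DEMO_TENANT = "11111111-2222-3333-4444-555555555555"
DEMO_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DEMO_SECRET = "xyz8Q~constructed.secret.value.not.a.real.one"


def unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature, for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def fake_post(url: str, body: bytes):
    """Stand-in for the token endpoint: rejects a wrong secret, otherwise returns
    a token whose roles reflect consent for only one of the two permissions."""
    form = urllib.parse.parse_qs(body.decode())
    if form["client_secret"][0] != DEMO_SECRET:
        return 401, json.dumps({"error": "invalid_client",
                                "error_description": "constructed: bad client secret"})
    token = unsigned_jwt({"aud": "https://manage.office.com", "roles": ["ActivityFeed.Read"]})
    return 200, json.dumps({"access_token": token, "token_type": "Bearer"})


if __name__ == "__main__":
    print(preflight(DEMO_TENANT, DEMO_CLIENT, DEMO_SECRET, post=fake_post))
```

Run against the constructed responder, the report shows `token_ok` true but `ActivityFeed.ReadDlp` missing, which is exactly what an incomplete step 18 or step 20 looks like; a GUID pasted as the secret is rejected locally before any request is made.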

Integrating with Microsoft 365 using a Cloud Connector

Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration’s configuration parameters, you can enable Blumira to collect your logs.

  1. In the Blumira app, go to the Cloud Connectors page (Infrastructure > Cloud Connectors).
  2. Click + Add Cloud Connector.
  3. In the Available Cloud Connectors window, click the connector that you want to add.
  4. If you want to change the name of the Cloud Connector, type the new name in the Cloud Connector Name box.
  5. (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the “device_address” column in the results of your event data queries. If you later add modules that collect logs for other integrations, this name helps you distinguish them.
  6. Enter the API credentials that you collected in the section above.
  7. Click Connect.
    On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
  8. Important: If you previously deployed a Module for this integration, then you must remove it via the Sensors page (Infrastructure > Sensors) to avoid log duplication.

Integrating with Microsoft 365 using a sensor module

To collect Microsoft 365 logs on an existing sensor in the sensor UI, you must add a Microsoft module.

To add a module on an existing sensor:

  1. In Blumira, click Infrastructure.
  2. Click Sensors.
  3. Click the sensor on which you want to add a module.
  4. On the detail page for the sensor, scroll down and click Add Module.
  5. In the Add New Module window, select the latest available version of this integration’s module.
  6. (Optional) Type a name for this log deployment in the Log Source Name box. This name appears in the “device_address” column in the results of your event data queries. If you later add modules that collect logs for other integrations, this name helps you distinguish them.
    Note: The name can only contain alphanumeric characters, periods, and hyphens; no spaces or underscores are allowed.
  7. Enter the API credentials that you gathered in the section above.
  8. Click Install.