How to Protect Office 365 with Azure Sentinel

Special thanks to Clive Watson and Ofer Shezaf for collaborating with me on this blog post.


 


Due to the COVID-19 crisis, the usage of Office 365 has increased, which introduces new security monitoring challenges for SOC teams. Increased usage means that the service should be a greater focus for defenders.


 


Over the past few months I have been working with my customers on approaches to onboard Office 365 and related services into Azure Sentinel, and on the benefits that the built-in solutions of a cloud-based Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform bring, such as the use cases below.


 


This blog post is built as a checklist and covers the following topics:


 



  • Required data sources for Office 365 and related workloads

  • Onboarding of data sources

  • Visualizing data

  • Using out-of-the-box Analytics Rule templates

  • Hunting with Azure Sentinel

  • Integration of 3rd party Threat Intelligence (TI)

  • Data enrichment capabilities

  • Automation with SOAR capabilities

  • Integration with Ticketing Systems

  • Integration with 3rd party SIEMs


 


Required data sources for Office 365 and related workloads


Choosing the right telemetry for Office 365 and related workloads depends on the enterprise's security model. For instance, an enterprise that follows Microsoft's Zero Trust approach would focus on different telemetry than an enterprise with a classical security approach.


 


The following data sources are the minimum that should be onboarded to monitor Office 365:


 



 


In addition, the sources below are optional as they depend on additional licenses. Azure Sentinel can benefit from these expert systems; it is recommended to onboard them if licensed, or to consider adding them to aid detection and use cases.


 



  • Azure Active Directory Identity Protection alerts

  • Office 365 Advanced Threat Protection and Threat Investigation and Response alerts

  • Microsoft Cloud App Security alerts


 


Lastly, the following data sources are optional and would unlock more value by correlating different data sources using SIEM and SOAR capabilities.


 



  • Logs from Domain Controllers and Azure Advanced Threat Protection alerts

  • Telemetry from client devices

  • Logs and alerts from Proxies and Firewalls

  • 3rd Party Threat Intelligence feeds


 


Onboarding of data sources


Azure Sentinel comes with several built-in and custom connectors to onboard Office 365 and related workloads.

Data Source | Default Connector | Custom Connector
Azure Active Directory Sign-In and Audit Logs | Reference URL | n/a
Office 365 / Exchange Online Logs | Reference URL | n/a
Office 365 / SharePoint Online Logs | Reference URL | n/a
Office 365 / Microsoft Teams Logs | Reference URL | n/a
Office 365 Audit.General Logs | n/a | Azure Function App connector
Office 365 – DLP.All Logs | n/a | Azure Function App connector
Office 365 Security and Compliance Alerts | n/a | Azure Logic App connector
Office 365 Message Trace Logs | n/a | Azure Function App connector
Microsoft Secure Score Recommendations | n/a | Azure Logic App connector



 


GIF Demonstration – Enable the Office 365 data connector (animated image, not reproduced here).


 


For a full list, please see the Azure Sentinel Grand List.


 


Visualizing data


Azure Sentinel has many built-in workbooks that provide extensive reporting capabilities for analyzing your connected data sources, letting you quickly and easily deep dive into the data generated by those services. The built-in workbooks can be changed and customized as needed. The Workbooks are provided by Microsoft, our data connector partners and the community.


 


These built-in Workbooks are available in Azure Sentinel for Office 365 and related workloads, grouped by workload / purpose:

General
  • Azure Sentinel Workbooks 101 (with sample Workbook)
  • Usage Reporting for Azure Sentinel
  • Security Alerts

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs
  • Additional Azure Monitor Workbooks for Azure AD
  • How to use Azure Sentinel to follow users travel and map their location

Office 365
  • Office 365 General
  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Office 365 Exchange, SharePoint and Teams DLP Workbooks
  • Graph Visualization of External MS Teams Collaborations in Azure Sentinel
  • Office 365 Message Trace



 


For more information and instructions on how to use Azure Sentinel Workbooks, please see:


 


Visualize your data using Azure Monitor Workbooks in Azure Sentinel | Microsoft Docs


 


In case you prefer to use Power BI for analytics and visualization:


 


Import Azure Monitor log data into PowerBI:


https://docs.microsoft.com/en-us/azure/azure-monitor/platform/powerbi


 


GIF Demonstration – How to enable and use the Office 365 Workbook (animated image, not reproduced here).


 


Using out of the box Analytics Rule Templates


Once you have connected your required data sources, you can use the Analytics Rule templates available in Azure Sentinel to generate incidents when certain criteria are matched. The Analytics Rules can be changed and customized as needed.


 


These Analytics Rule templates are available in Azure Sentinel for Office 365 and related workloads, grouped by workload:

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs
  • Correlation Rules for Azure Active Directory

Office 365
  • Office 365 Activity
  • Microsoft Teams
  • Office 365 DLP
  • Message Trace

Azure Active Directory Identity Protection, Microsoft Cloud App Security and Azure Advanced Threat Protection
  • Microsoft Security alert templates



 


Tip: You see the related Analytics Rules (and required data) that match the connector on the “Next Steps” page of the “Add Connector” wizard.


 




 


Hunting with Azure Sentinel


Azure Sentinel has built-in Hunting Queries to look proactively for new anomalies that you are not yet detecting with your Analytics Rules. You can use these Hunting Queries and Livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.

  • Test newly created queries as events occur.

  • You can test and adjust queries without any conflicts with the current rules that are being actively applied to events. After you confirm these new queries work as expected, it is easy to promote them to custom alert rules by selecting an option that elevates the session to an alert.
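The query below is an added example, not taken from the original post or from the Sentinel templates, of the kind of logic that both the Analytics Rule templates and the Hunting Queries apply to Office 365 data: it surfaces Exchange Online operations that configure mailbox forwarding, a common indicator of a compromised mailbox. It assumes the Office 365 data connector is enabled and populates the standard OfficeActivity table, whose own column names are used.

```kql
// Added example (not from the original post or the Sentinel templates):
// hunt for Exchange Online operations that configure mailbox forwarding,
// a common indicator of a compromised mailbox. Assumes the Office 365 data
// connector is enabled and populates the standard OfficeActivity table.
let lookback = 7d;
// Cmdlet parameters that forward or redirect mail when present.
let forwardingParams = dynamic(["ForwardingSmtpAddress", "ForwardingAddress",
                                "ForwardTo", "ForwardAsAttachmentTo",
                                "RedirectTo", "DeliverToMailboxAndForward"]);
OfficeActivity
| where TimeGenerated >= ago(lookback)
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
// Parameters is a JSON array of {Name, Value} pairs; expand it and keep
// only the forwarding-related entries.
| mv-expand Param = parse_json(Parameters)
| where tostring(Param.Name) in~ (forwardingParams)
| summarize ForwardingSettings = make_bag(bag_pack(tostring(Param.Name), tostring(Param.Value)))
    by TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId, ResultStatus
| project TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId,
          ForwardingSettings, ResultStatus
| order by TimeGenerated desc
```

Saved as a hunting query, the same statement can be run as a livestream session and, once tuned, promoted to an Analytics Rule that maps UserId to the Account entity and ClientIP to the IP entity.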


These Hunting Queries are available in Azure Sentinel for Office 365 and related workloads, grouped by workload:

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs

Office 365
  • Office 365 Activity
  • Microsoft Teams
  • Message Trace



 


GIF Demonstration – Using the built-in Hunting Queries for Office 365 (animated image, not reproduced here).



 


Integration with 3rd Party Threat Intelligence


Azure Sentinel lets you import your own threat intelligence indicators, which can enhance your security analysts' ability to detect and prioritize known threats.


 


You can stream threat indicators to Azure Sentinel by using one of the integrated threat intelligence platform (TIP) products listed in the next section, connecting to TAXII servers, or by using direct integration with the Microsoft Graph Security tiIndicators API.


 


The Threat Intelligence data connector includes out of the box Analytics Rules and Hunting Query templates for Office 365 and related workloads.


 


Threat Intelligence Analytics Rules


Threat Intelligence Hunting Queries
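An example of the correlation that the Threat Intelligence connector's rule templates perform, added here and not taken from the original post or from the templates themselves: it matches the source IP of Office 365 activity against active IP indicators. It assumes the Office 365 and Threat Intelligence connectors are enabled and write to their standard tables (OfficeActivity and ThreatIntelligenceIndicator), whose column names are used as-is.

```kql
// Added example (not from the original post or the Sentinel templates):
// correlate Office 365 activity with active IP indicators imported through
// the Threat Intelligence connector. Assumes both connectors are enabled and
// populate the standard ThreatIntelligenceIndicator and OfficeActivity tables.
let dt_lookBack = 1h;     // window of Office 365 activity to check
let ioc_lookBack = 14d;   // how far back to collect indicators
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
// Indicators are re-ingested when updated; keep the latest copy of each,
// then drop indicators that are inactive or past their expiry.
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
// An IP indicator can arrive in any of these fields depending on the feed.
| extend TI_ip = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP, EmailSourceIpAddress)
| where isnotempty(TI_ip)
| join kind=inner (
    OfficeActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(ClientIP)
    // ClientIP may carry a port ("203.0.113.5:443") or a bracketed IPv6
    // address ("[2001:db8::1]:443"); normalise to the bare address.
    | extend ClientIPValue = case(
        ClientIP startswith "[", extract(@"^\[([^\]]+)\]", 1, ClientIP),
        ClientIP matches regex @"^\d{1,3}(\.\d{1,3}){3}:\d+$", extract(@"^([^:]+):", 1, ClientIP),
        ClientIP)
) on $left.TI_ip == $right.ClientIPValue
| project ActivityTime = TimeGenerated1, UserId, Operation, OfficeWorkload, ClientIP,
          TI_ip, ThreatType, ConfidenceScore, Description, IndicatorId
| order by ActivityTime desc
```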


 


Data enrichment capabilities


Data enrichment is key to putting data in the context of the enterprise: it adds information or context to the ingested logs to make them more valuable.


 


For Office 365 and related workloads Azure Sentinel provides these enrichment use cases:

Purpose | Source
Enrich User Entities with Azure Active Directory information | Reference URL
Enrich IP Entities with GeoIP information | Reference URL
Enrich IP Entities with VirusTotal information | Reference URL
Enrich URL Entities with VirusTotal information | Reference URL
Sentinel Alert Evidence | Reference URL



 


Automation with SOAR capabilities


Azure Sentinel has built-in SOAR capabilities to orchestrate and automate common and complex tasks. Azure Sentinel uses Azure Logic Apps and Azure Function Apps for automation; both services are built into Azure. The SOAR use cases are published on GitHub and can be deployed via ARM templates.


 


Using automation can save time, improve efficiency, help you improve your SOC (Security Operations Center) metrics and reduce the workload for the security analysts.


 


https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics


Azure Sentinel includes these automation solutions for Office 365 and related workloads:

Purpose | Source
Block Azure Active Directory User | Reference URL
Confirm an Azure Active Directory User | Reference URL
Dismiss an Azure Active Directory User | Reference URL
Reset Azure Active Directory User Password | Reference URL
Revoke Azure Active Directory Sign-In Session | Reference URL
Delete Email for User Mailbox | Reference URL
Assign Incident to Specific Owner | Reference URL
Involve the User into Incident Process | Reference URL
Post Incident Details to Microsoft Teams | Reference URL
Post Incident Details to Slack | Reference URL



 


GIF Demonstration – How to enable the "Block Azure Active Directory User" Playbook (animated image, not reproduced here).


 


Integration with Ticketing Systems


As part of the SOAR capabilities, Azure Sentinel supports integration with ticketing systems. You can also just send a simple email or Teams message with the same data if you prefer (or do this in parallel with your ticket).

Ticketing System | Source
ServiceNow | Open a Service Now Ticket
ServiceNow | Aggregate Service Now Ticket
ServiceNow | Close an Incident from Service Now
Jira | Open a Jira Ticket
IBM Resilient (OnPrem) | Create an IBM Resilient Incident
Zendesk | Open a Zendesk Ticket



 


Integration with 3rd Party SIEM


If you are running Azure Sentinel side-by-side with your existing SIEM, these resources cover the integration:

Existing SIEM | Source
Splunk | Reference URL
QRadar | Reference URL
Other 3rd Party SIEMs | Reference URL



 


Summary


Ingesting Office 365 alert logs is free, and Azure Sentinel comes with many use cases that help organizations monitor and protect the Office 365 workload, as well as allowing easy integration into an existing SOC environment.


 


In this post we have covered the basics, looking at the data required, how to on-board connectors, how to manage Alerts, how to Hunt and automate responses to the results, and also connecting to 3rd party ticketing or SIEM solutions.
