How to Protect Office 365 with Azure Sentinel
Published Sep 11 2020 02:50 PM
Microsoft

Special thanks to Clive Watson and Ofer Shezaf for collaborating with me on this blog post.

 

The COVID-19 crisis has increased the use of Office 365, which introduces new security monitoring challenges for SOC teams. Higher usage means the service deserves more of a defender's attention.

 

Over the past few months I have been working with my customers on approaches to onboard Office 365 and related services into Azure Sentinel, and on the benefits that a cloud-based Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform brings through its built-in solutions, such as the use cases below.

 

This blog post is built as a checklist and covers the following topics:

 

  • Required data sources for Office 365 and related workloads
  • Onboarding of data sources
  • Visualizing data
  • Using out-of-the-box Analytics Rule templates
  • Hunting with Azure Sentinel
  • Integration of 3rd party Threat Intelligence (TI)
  • Data enrichment capabilities
  • Automation with SOAR capabilities
  • Integration with Ticketing Systems
  • Integration with 3rd party SIEMs

 

Required data sources for Office 365 and related workloads

Choosing the right telemetry for Office 365 and related workloads depends on the enterprise's security model. For instance, an enterprise that follows Microsoft's Zero Trust approach will focus on different telemetry than an enterprise with a classical, perimeter-based security approach.

 

The following data sources should be the minimum onboarded to monitor Office 365:

 

 

In addition, the sources below are optional because they depend on additional licenses. Azure Sentinel benefits from these expert systems, so onboard them if they are already licensed, or consider adding them to strengthen detection and enable further use cases.

 

  • Azure Active Directory Identity Protection alerts
  • Office 365 Advanced Threat Protection and Threat Investigation and Response alerts
  • Microsoft Cloud App Security alerts

 

Lastly, the following data sources are optional but unlock more value by letting you correlate different sources with SIEM and SOAR capabilities.

 

  • Logs from Domain Controllers and Azure Advanced Threat Protection alerts
  • Telemetry from client devices
  • Logs and alerts from Proxies and Firewalls
  • 3rd Party Threat Intelligence feeds           

 

Onboarding of data sources

Azure Sentinel comes with several built-in connectors, complemented by community custom connectors, to onboard Office 365 and related workloads.

 

Data Source | Default Connector | Custom Connector
--- | --- | ---
Azure Active Directory Sign-In and Audit Logs | Reference URL | n/a
Office 365 / Exchange Online Logs | Reference URL (Office 365 connector) | n/a
Office 365 / SharePoint Online Logs | Reference URL (Office 365 connector) | n/a
Office 365 / Microsoft Teams Logs | Reference URL (Office 365 connector) | n/a
Office 365 Audit.General Logs | n/a | Azure Function App connector
Office 365 - DLP.All Logs | n/a | Azure Function App connector
Office 365 Security and Compliance Alerts | n/a | Azure Logic App connector
Office 365 Message Trace Logs | n/a | Azure Function App connector
Microsoft Secure Score Recommendations | n/a | Azure Logic App connector

 

GIF demonstration – Enable the Office 365 data connector (animated GIF: Office 365 Data Connector Next Steps)

 

For a full list, please see the Azure Sentinel Grand List.
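After enabling a connector, the first check a practitioner wants is whether data is actually arriving. The two KQL queries below are an added example (not part of the original post) for that check; they use the table names the built-in connectors write to (OfficeActivity for the Office 365 connector, SigninLogs and AuditLogs for Azure Active Directory, SecurityAlert for alert-producing connectors). Run each query on its own in the Logs blade.

```kql
// Added example (not from the original post): confirm that the onboarded connectors deliver data.
// isfuzzy=true lets the query run even if one table does not exist yet in the workspace
// (SecurityAlert, for instance, only appears once an alert-producing connector has sent data).
union withsource=TableName isfuzzy=true OfficeActivity, SigninLogs, AuditLogs, SecurityAlert
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated) by TableName
| order by TableName asc

// Within the Office 365 connector, confirm that every selected workload is flowing.
// A workload missing from the result was either not ticked in the connector page
// or unified audit logging is not turned on for the tenant.
OfficeActivity
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated), DistinctOperations = dcount(Operation) by OfficeWorkload
| order by OfficeWorkload asc
```

A table or workload that is absent from the output delivered nothing in the last 24 hours. Newly enabled connectors can take some time before the first events arrive, so re-run the check before concluding that a connector is misconfigured.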

 

Visualizing data

Azure Sentinel has many built-in workbooks that provide extensive reporting on your connected data sources and let you quickly deep dive into the data those services generate. The built-in workbooks can be changed and customized as needed. Workbooks are provided by Microsoft, by our data connector partners and by the community.

 

These built-in Workbooks are available in Azure Sentinel for Office 365 and related workloads.

 

Workload / Purpose | Sample Workbooks
--- | ---
General | Azure Sentinel Workbooks 101 (with sample Workbook)
General | Usage Reporting for Azure Sentinel
General | Security Alerts
Azure Active Directory | Azure Active Directory Sign-In Logs
Azure Active Directory | Azure Active Directory Audit Logs
Azure Active Directory | Additional Azure Monitor Workbooks for Azure AD
Azure Active Directory | How to use Azure Sentinel to follow users travel and map their location
Office 365 | Office 365 General
Office 365 | Office 365 Exchange Online
Office 365 | Office 365 SharePoint Online
Office 365 | Office 365 Exchange, SharePoint and Teams DLP Workbooks
Office 365 | Graph Visualization of External MS Teams Collaborations in Azure Sentinel
Office 365 | Office 365 Message Trace

 

For more information and instructions on how to use Azure Sentinel Workbooks, please see:

 

Visualize your data using Azure Monitor Workbooks in Azure Sentinel | Microsoft Docs

 

In case you prefer to use Power BI for analytics and visualization:

 

Import Azure Monitor log data into Power BI:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/powerbi

 

GIF demonstration – How to enable and use the Office 365 Workbook (animated GIF: Office 365 Workbook)

 

Using out of the box Analytics Rule Templates

Once you have connected your required data sources, you can use the Analytics Rule templates available in Azure Sentinel to generate incidents when certain criteria are matched. The Analytics Rules can be changed and customized as needed.

 

These Analytics Rule templates are available in Azure Sentinel for Office 365 and related workloads.

 

Workload | Analytics Rule Templates
--- | ---
Azure Active Directory | Azure Active Directory Sign-In Logs
Azure Active Directory | Azure Active Directory Audit Logs
Azure Active Directory | Correlation Rules for Azure Active Directory
Office 365 | Office 365 Activity
Office 365 | Microsoft Teams
Office 365 | Office 365 DLP
Office 365 | Message Trace
Azure Active Directory Identity Protection, Microsoft Cloud App Security, Azure Advanced Threat Protection | Microsoft Security alert templates

 

Tip: the "Next Steps" page of the "Add Connector" wizard lists the Analytics Rule templates that match the connector, together with the data they require (screenshot: Next Step.png).
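The templates above are KQL queries run on a schedule. To show what one looks like in practice, here is an added example (not a template from the original post or from Microsoft) of a scheduled rule over the Office 365 connector's OfficeActivity table: it raises on Exchange inbox rules that forward or redirect mail to a domain outside the tenant, a common persistence step after a mailbox compromise. The internal domain list ("contoso.com", "contoso.onmicrosoft.com") is an assumption to replace with your own verified domains; the 1h lookback is assumed to match the rule's scheduling.

```kql
// Added example (not from the original post): scheduled analytics rule for inbox rules that
// forward or redirect mail outside the tenant. The internal domain list is an assumption.
let internal_domains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
let lookback = 1h;  // align with the rule's "Lookup data from the last" setting
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule")
// cheap string pre-filter before parsing the JSON parameter list
| where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| extend Params = parse_json(Parameters)       // array of {"Name": ..., "Value": ...}
| mv-expand Params
| extend ParamName = tostring(Params.Name), ParamValue = tostring(Params.Value)
| where ParamName in~ ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
// values look like "alice@example.com" or "Alice [SMTP:alice@example.com]"; pull every domain
| extend TargetDomains = extract_all(@"@([a-z0-9.-]+)", tolower(ParamValue))
| mv-expand TargetDomain = TargetDomains to typeof(string)
| where TargetDomain !in (internal_domains)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Count = count(),
            ForwardingTargets = make_set(ParamValue), ClientIP = take_any(ClientIP)
          by UserId, Operation, TargetDomain
// entity columns for the rule wizard: Account -> AccountName / AccountUPNSuffix, IP -> ClientIP
| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
| project StartTime, EndTime, UserId, AccountName, AccountUPNSuffix, Operation, TargetDomain, ForwardingTargets, Count, ClientIP
```

Map the Account entity to AccountName and AccountUPNSuffix and the IP entity to ClientIP in the rule's entity mapping so that the resulting incident can be investigated and handed to a playbook. Two caveats: rule edits made from the Outlook desktop client are audited under a different operation (UpdateInboxRules) with a different parameter layout and are not covered by this query, and forwarding to partner domains you trust should be added to the internal list rather than suppressed after the fact.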

 

Hunting with Azure Sentinel

Azure Sentinel has built-in Hunting Queries to look proactively for anomalies that your Analytics Rules do not yet detect. Hunting Queries can also be run as a Livestream: an interactive session that tests a newly written query against events as they occur, notifies you when a match is found, and lets you launch an investigation if necessary. You can create a livestream session from any Log Analytics query.

  • Test newly created queries as events occur.
  • Test and adjust queries without any conflict with the rules currently applied to events. Once a new query works as expected, promote it to a custom analytics rule by elevating the session to an alert.

These Hunting Queries are available in Azure Sentinel for Office 365 and related workloads.

 

Workload | Hunting Queries
--- | ---
Azure Active Directory | Azure Active Directory Sign-In Logs
Azure Active Directory | Azure Active Directory Audit Logs
Office 365 | Office 365 Activity
Office 365 | Microsoft Teams
Office 365 | Message Trace

 

GIF demonstration – Using the built-in Hunting Queries for Office 365 (animated GIF: Hunting)

 

Integration with 3rd Party Threat Intelligence

Azure Sentinel lets you import your own threat intelligence indicators, which enhances your security analysts' ability to detect and prioritize known threats.

 

You can stream threat indicators to Azure Sentinel from one of the integrated threat intelligence platform (TIP) products, by connecting to TAXII servers, or by integrating directly with the Microsoft Graph Security tiIndicators API.

 

The Threat Intelligence data connector comes with out-of-the-box Analytics Rule and Hunting Query templates that match imported indicators against Office 365 and related workloads.

 

Threat Intelligence Analytics Rules

Threat Intelligence Hunting Queries
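Imported indicators land in the ThreatIntelligenceIndicator table, and the matching templates are joins between that table and a data table. The query below is an added example (not one of the templates from the original post) of that pattern for IP indicators against Office 365 activity; the 14-day indicator window and 1-hour event window are assumptions to align with the rule schedule.

```kql
// Added example (not from the original post): match imported threat-intelligence IP indicators
// against Office 365 activity. Windows are assumptions to align with the rule's schedule.
let ioc_lookback = 14d;   // how far back to collect indicators
let data_lookback = 1h;   // event window
let active_ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookback)
    | where Active == true and ExpirationDateTime > now()
    // an IP indicator may be stored in any of these fields depending on the feed
    | extend TI_IP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP, EmailSourceIpAddress)
    | where isnotempty(TI_IP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // keep the latest version of each indicator
    | project IndicatorId, TI_IP, Description, ThreatType, ConfidenceScore, SourceSystem;
OfficeActivity
| where TimeGenerated > ago(data_lookback)
| where isnotempty(ClientIP)
// ClientIP may carry a port ("203.0.113.5:443") or be an IPv6 address in brackets; keep the IPv4 part
| extend ClientIPv4 = extract(@"(\d{1,3}(?:\.\d{1,3}){3})", 1, ClientIP)
| where isnotempty(ClientIPv4)
| join kind=inner active_ip_indicators on $left.ClientIPv4 == $right.TI_IP
| project TimeGenerated, UserId, OfficeWorkload, Operation, ClientIP, TI_IP, ThreatType, ConfidenceScore, Description, SourceSystem
| order by TimeGenerated desc
```

Two practical points: an indicator is only useful while it is active and unexpired, so the Active and ExpirationDateTime filters are not optional, and IPv6 client addresses are dropped by the IPv4 extraction above and need a second join if your tenant sees IPv6 traffic. Match the ConfidenceScore column against your rule's severity rather than alerting on every hit from a low-confidence feed.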

 

Data enrichment capabilities

Data enrichment puts ingested data in the context of the enterprise: it adds information to the raw logs, such as who the user is, where an IP address is located or what a URL is known for, so that an analyst can act on an incident faster.

 

For Office 365 and related workloads, Azure Sentinel provides these enrichment use cases:

 

Purpose | Source
--- | ---
Enrich User Entities with Azure Active Directory information | Reference URL
Enrich IP Entities with GeoIP information | Reference URL
Enrich IP Entities with VirusTotal information | Reference URL
Enrich URL Entities with VirusTotal information | Reference URL
Sentinel Alert Evidence | Reference URL

 

Automation with SOAR capabilities

Azure Sentinel has built-in SOAR capabilities to orchestrate and automate common and complex tasks. Azure Sentinel uses Azure Logic Apps and Azure Function Apps for automation; both are native Azure services. The SOAR use cases are published on GitHub and can be deployed via ARM templates.

 

Using automation saves time, improves efficiency, helps you improve your SOC (Security Operations Center) metrics and reduces the workload of security analysts:

 

https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics

Azure Sentinel includes these automation solutions for Office 365 and related workloads:

 

Purpose | Source
--- | ---
Block Azure Active Directory User | Reference URL
Confirm an Azure Active Directory User | Reference URL
Dismiss an Azure Active Directory User | Reference URL
Reset Azure Active Directory User Password | Reference URL
Revoke Azure Active Directory Sign-In Session | Reference URL
Delete Email for User Mailbox | Reference URL
Assign Incident to Specific Owner | Reference URL
Involve the User into Incident Process | Reference URL
Post Incident Details to Microsoft Teams | Reference URL
Post Incident Details to Slack | Reference URL

 

GIF demonstration – How to enable the "Block Azure Active Directory User" Playbook (animated GIF: SOAR)

 

Integration with Ticketing Systems

As part of its SOAR capabilities, Azure Sentinel supports integration with ticketing systems. You can also just send a simple email or Teams message with the same data if you prefer, or do so in parallel with the ticket.

 

Ticketing System | Source
--- | ---
ServiceNow | Open a ServiceNow Ticket
ServiceNow | Aggregate ServiceNow Ticket
ServiceNow | Close an Incident from ServiceNow
Jira | Open a Jira Ticket
IBM Resilient (OnPrem) | Create an IBM Resilient Incident
Zendesk | Open a Zendesk Ticket

 

Integration with 3rd Party SIEM

If you are running Azure Sentinel side-by-side with your existing SIEM, these references cover the integration.

 

Existing SIEM | Source
--- | ---
Splunk | Reference URL
QRadar | Reference URL
Other 3rd Party SIEMs | Reference URL

 

Summary

Ingesting Office 365 audit logs into Azure Sentinel is free of charge, Azure Sentinel comes with many use cases that help organizations monitor and protect Office 365 workloads, and it integrates easily into an existing SOC environment.

 

In this post we covered the basics: the data required, how to onboard connectors, how to manage alerts, how to hunt and automate responses to the results, and how to connect to 3rd party ticketing or SIEM solutions.

Version history: last updated Nov 02 2021 06:10 PM