SOLVED

Office365 S&C Alerts available in Sentinel?

Occasional Contributor

Hey all,

 

we're trying to use our Sentinel to centralize alerts from all different E5 security solutions (wdatp, mcas, o365atp ..) 

Are O365 Alerts available in sentinel? Or are only the base O365 events available via the "officeactivity" ?
For example: "Potentially unsafe URL click was detected

Thanks, Maarten.

13 Replies

Hello Maarten,

I would suggest to follow the following steps:

 

  1. Connect data from Azure Active Directory
    https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
  2. Connect data from Office 365 Logs
    https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
  3. Connect data from Azure Activity log
    https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity
  4. Connect data from Azure AD Identity Protection (If deployed too)
    https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ad-identity-protection
  5. Connect alerts from Microsoft Defender Advanced Threat Protection
    https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protectio...
  6. Connect data from Azure Security Center
    https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

Once that is done, Azure Sentinel will be able to get all the data that you listed above.
Then, I would suggest you to go the the "Analytics" blade (Azure Sentinel > Configuration > Analytics) and make sure that the Fusion rule is enabled as you have both Office 365 and MCAS and Fusion is a very advanced engine that correlate incidents from both Office 365 and MCAS to find incidents that are high fidelity, and high severity.

(https://docs.microsoft.com/en-us/azure/sentinel/fusion

Then I would suggest to go to the Rule Templates and select and create the "Microsoft Security" rules, you should find what you are looking for.

CaptureTemp.PNG

(below on the right you can click on "Create"

Kind Regards,
Thomas

The URL events are informational, and don't come over to Sentinel.

 

@mclaes 

best response confirmed by mclaes (Occasional Contributor)
Solution

@mclaes 

 

If i'm not mistaken Office Security & Compliance Center Alerts Connector is currently in private preview.

 

Alternatively, you could ingest these alerts via Graph Security API https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-office-365-alerts-with-graph-securit...

@ehloworldio 

 

hey all, thanks for the quick replies! We do have all connectors live for the security solutions and have the MCAS/WDATP/ASC/IdentityProtection Analytics rules enabled.

The question was indeed about O365 alerts (not the events/logs) feeding in to Sentinel. I'll give the Graph API way a shot for now! We want to be on top of 'clicked-on-phishing-link' alerts as they present a significant risk to our org so having these alerts in Sentinel would be really helpful

Cheers, Maarten.

@mclaes 

Having the same issue, were you able to integrate the alerts into Sentinel?

Hi @CurlX2305, a private preview for O365 SCC alerts is about to start. Join our Private Previews program to particiapte. 

@Ofer_Shezaf Do you know the name of the preview? Is it the "MDATP Alert Integration Improvements" private preview?

@CurlX : No. Not sure what the official name is but it would be Office ATP and not MDATP.

@Ofer_Shezaf thanks for your reply. Then it might not be an active private preview yet as I dont see it in the preview list I received today...

 

 

@CurlX : I believe the name is "Office 365 Alerts Connector". The latest private preview bulletin is a few weeks old and marks this preview as closed, but it was opened since. 

@chrisbuesold 

 

has this changed?

 

The default "A potentially malicious URL click was detected" alert policy in my demo tenant has these alerts as high severity and as it's a default policy the severity cannot be altered so it appears to be high by default now.

 

The following defaults are all still informational though:

 

  • Email messages containing malware removed after delivery
  • mail messages containing phish URLs removed after delivery
  • Email reported by user as malware or phish

Would be nice if the severity of these could be altered.

 

Paul

@PJR_CDF , @Ofer_Shezaf  - Is it this one? - "Office 365 Advanced Threat Protection (Preview)"