SOLVED

O365 Malware report data to Sentinel


Does anyone know how to get data from the O365 Security and Compliance center report dashboards into Sentinel? Specifically, the Malware Detection data.

best response confirmed by Dean Gross (Respected Contributor)
Solution

@Dean Gross

Right now the O365 connector gets OneDrive, SharePoint and Exchange events only. We plan to expand to other O365 events.

In the short term, you could use a logic app to pull the O365 API events into Log Analytics.

@Nicholas DiCola (SECURITY JEDI) thanks for the suggestion, but I'm not seeing any events in the O365 APIs that are related to the malware reporting data. Can you provide me some details about how this can be accomplished?

@Dean Gross

Alerts are documented in the schema here: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...

Looks like the audit log has two entries for ThreatIntelligence:

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...

One for Exchange ATP, and one for OneDrive/SP/Teams ATP.
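To tie the two suggestions together (pulling Management Activity API events into Log Analytics with a logic app or script, and keying on the ThreatIntelligence record types), here is an added Python example that is not from this thread or from Microsoft: it filters a batch of audit records (assumed to arrive under the Audit.General content type) down to the ATP malware records and builds the signed request for the Log Analytics HTTP Data Collector API, which is what lands the rows in the workspace as a custom table. The RecordType numbers 28 and 47 are taken from the AuditLogRecordType enum linked above and should be checked against the current schema; the workspace id, shared key and records are constructed placeholders.

```python
import base64
import datetime
import hashlib
import hmac
import json

# AuditLogRecordType values (from the enum linked in the thread): 28 = ThreatIntelligence
# (Exchange ATP), 47 = ThreatIntelligenceAtpContent (OneDrive/SharePoint/Teams ATP).
# Assumed correct for this example; confirm against the current schema before relying on them.
THREAT_INTEL_RECORD_TYPES = {28, 47}

# Constructed sample of Audit.General records (not real tenant data); RecordType 15 is an
# Azure AD logon record included to show that unrelated records are dropped.
SAMPLE_RECORDS = [
    {"RecordType": 28, "Workload": "Exchange", "Id": "00000000-0000-0000-0000-000000000001"},
    {"RecordType": 15, "Workload": "AzureActiveDirectory", "Id": "00000000-0000-0000-0000-000000000002"},
    {"RecordType": 47, "Workload": "SharePoint", "Id": "00000000-0000-0000-0000-000000000003"},
]
# Constructed placeholder workspace credentials (a real key is the base64 value from the portal).
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-00000000ws01"
SAMPLE_SHARED_KEY = base64.b64encode(b"placeholder-shared-key-not-real-0000").decode()

def select_threat_intel(records):
    """Keep only the ATP (ThreatIntelligence) records out of a content blob batch."""
    return [r for r in records if r.get("RecordType") in THREAT_INTEL_RECORD_TYPES]

def build_signature(workspace_id, shared_key_b64, body, rfc1123_date):
    """SharedKey Authorization value for the Data Collector API: HMAC-SHA256 over the
    canonical string of method, body length, content type, x-ms-date and resource."""
    string_to_sign = "POST\n{}\napplication/json\nx-ms-date:{}\n/api/logs".format(len(body), rfc1123_date)
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode())

def build_request(workspace_id, shared_key_b64, records, log_type, rfc1123_date=None):
    """Return (url, headers, body) for POSTing records; they land as custom table <log_type>_CL."""
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, body, rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = "https://{}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01".format(workspace_id)
    return url, headers, body

if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY,
                                       select_threat_intel(SAMPLE_RECORDS), "O365MalwareDetection")
    print(url, headers["Log-Type"], len(body), "bytes")
```

Sending the returned request with any HTTP client (or the Logic App "Send Data" action, which performs the same signing) populates `O365MalwareDetection_CL` in the workspace Sentinel is attached to.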