Microsoft 365
Version – Microsoft 365 (E3, E5, F3 licenses for Enterprise; Basic, Standard, Premium licenses for Business; G3, G5 licenses for Government Community Cloud (GCC); GCC High and Department of Defense (DoD) subscriptions).
Microsoft 365 is a cloud-based subscription service that combines desktop apps such as Excel and Outlook with cloud services such as OneDrive and Microsoft Teams, so that users can create and share content from any device.
The Microsoft 365 Data Source Integration for Netsurion Open XDR captures security-relevant activity in Exchange Online, Azure Active Directory, SharePoint, OneDrive, and Teams. Monitoring this activity is critical for security and necessary for compliance. Learn more about Microsoft 365 security coverage below or start with an introduction to protecting Microsoft 365.
Netsurion Open XDR collects and manages the audit logs retrieved from Microsoft 365 and uses them to drive the alerts, reports, dashboards, and saved searches listed below.
Azure Active Directory (AD)
- Monitors administrator actions such as user accounts added or deleted and privilege escalation, as well as password and policy changes.
- Tracks user sign-ins to Microsoft 365 with geographic location to help identify compromised accounts.
- Identifies suspicious sign-in attempts using user location affinity: alerts the first time a user signs in from a new location or from a suspicious IP address.
- Detects brute-force sign-in attempts, with geographic information on the source.
- Aligns with Microsoft guidelines by monitoring sign-ins from multiple geographies, sign-ins from unknown sources, and user, group, and application administration activities.
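The sign-in detections listed above, worked through in code. The following Python is an added example written for this page, not Netsurion's or Microsoft's code. It runs a brute-force check (a sliding window of failed logons per user and source IP) and a first-time-location check over a constructed sample of Unified Audit Log sign-in records (Operation UserLoggedIn / UserLoginFailed, as returned for the AzureActiveDirectoryStsLogon record type). The GEO_NETWORKS table, the per-user BASELINE_COUNTRIES, the threshold and window values, and the sample records are assumptions standing in for a GeoIP service and historical sign-in data.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Unified Audit Log sign-in records in the AuditData JSON
# shape, trimmed to the fields the detections use. These are not real tenant events.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2024-03-01T08:00:00","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@contoso.example","ClientIP":"203.0.113.10"}',
    '{"CreationTime":"2024-03-01T08:01:00","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:01:30","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:02:00","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:02:30","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:03:00","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:03:30","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:04:00","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"bob@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T08:05:00","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"carol@contoso.example","ClientIP":"192.0.2.44"}',
    '{"CreationTime":"2024-03-01T08:30:00","Operation":"UserLoginFailed","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword","UserId":"carol@contoso.example","ClientIP":"192.0.2.44"}',
    '{"CreationTime":"2024-03-01T09:00:00","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@contoso.example","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2024-03-01T09:05:00","Operation":"UserLoggedIn","ResultStatus":"Success","UserId":"alice@contoso.example","ClientIP":"198.51.100.7"}',
]

# Hypothetical IP-to-country table standing in for a GeoIP database
# (assumption: a real deployment queries a GeoIP service instead).
GEO_NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
}

# Per-user baseline of countries already seen (assumption: built from successful
# sign-ins recorded before the detection window starts).
BASELINE_COUNTRIES = {
    "alice@contoso.example": {"US"},
    "bob@contoso.example": {"US"},
    "carol@contoso.example": {"US"},
}


def load_records(lines):
    """Parse AuditData JSON strings and return them sorted by event time."""
    records = [json.loads(line) for line in lines]
    for r in records:
        r["_time"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_time"])


def country_for_ip(ip):
    """Map a client IP to a country code, or None if it is outside the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_NETWORKS.items():
        if addr in net:
            return country
    return None


def detect_brute_force(records, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, source IP) pairs with >= threshold failed logons inside a sliding window."""
    failures = defaultdict(list)
    for r in records:  # records arrive time-sorted, so each list is sorted too
        if r.get("Operation") == "UserLoginFailed":
            failures[(r["UserId"], r["ClientIP"])].append(r["_time"])
    alerts = []
    for (user, ip), times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "ip": ip, "country": country_for_ip(ip),
                               "failures": len(times),  # total failed attempts from this pair
                               "first": times[start], "last": times[end]})
                break  # one alert per (user, ip) pair, not one per extra failure
    return alerts


def detect_new_location(records, known_countries):
    """Flag the first successful sign-in from a country not in the user's baseline."""
    seen = {user: set(c) for user, c in known_countries.items()}  # copy; do not mutate caller data
    alerts = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("ResultStatus") != "Success":
            continue
        country = country_for_ip(r["ClientIP"]) or "unknown"
        user_seen = seen.setdefault(r["UserId"], set())
        if country not in user_seen:
            user_seen.add(country)  # alert once, then treat the location as known
            alerts.append({"user": r["UserId"], "ip": r["ClientIP"],
                           "country": country, "time": r["_time"]})
    return alerts


def run_detections(lines, known_countries):
    """Run both detections over raw AuditData lines and return the alerts by type."""
    records = load_records(lines)
    return {"brute_force": detect_brute_force(records),
            "new_location": detect_new_location(records, known_countries)}


if __name__ == "__main__":
    for kind, alerts in run_detections(SAMPLE_AUDIT_DATA, BASELINE_COUNTRIES).items():
        for alert in alerts:
            print(kind, alert)
```

Run it directly to print the alerts. The new-location check alerts once and then adds the country to the user's baseline, which is the "first time" semantics described above; a production rule would also expire baseline entries and would tune the brute-force threshold and window to the tenant's lockout policy. The check on ResultStatus as well as Operation matters because a successful sign-in is the only thing that should update the baseline.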
Microsoft 365 Exchange Online
- Audits administrator actions, including mailbox creation and deletion.
- Traces email messages.
- Identifies users who access mailbox folders, purge deleted items, or access other users' mailboxes.
- Monitors changes to Exchange policies that could weaken protection against malware, spam, or spoofed email.
- Aligns with Microsoft guidelines by monitoring mailbox activity and changes to mail forwarding rules and mail transport rules.
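Detection of the forwarding-rule changes that the Exchange Online bullets above refer to (and that the "Creation of forwarding/redirect rule" alert in the table below reports), as an added example that is not part of the product or the original page. The Python below inspects constructed Unified Audit Log Exchange admin records for the cmdlet parameters that make mail leave a mailbox (New-InboxRule / Set-InboxRule ForwardTo, ForwardAsAttachmentTo, RedirectTo; Set-Mailbox ForwardingSmtpAddress / ForwardingAddress; transport-rule BlindCopyTo / RedirectMessageTo / AddToRecipients / CopyTo) and rates external targets higher than internal ones, since an inbox rule that silently forwards to an outside address is the classic business-email-compromise persistence step. INTERNAL_DOMAINS, the severity labels, and the sample records are assumptions; the Identity values are shortened to SMTP addresses for readability, whereas real records carry the directory path of the mailbox.

```python
import json

# Constructed Unified Audit Log Exchange admin records (AuditData JSON as returned
# for the ExchangeAdmin record type). Not real tenant events.
SAMPLE_EXCHANGE_AUDIT = [
    '{"CreationTime":"2024-03-01T10:00:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"mailbox@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2024-03-01T10:05:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"bob@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"MoveToFolder","Value":"Updates"},{"Name":"From","Value":"team@contoso.example"}]}',
    '{"CreationTime":"2024-03-01T10:10:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"carol@contoso.example"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol.personal@example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}',
    '{"CreationTime":"2024-03-01T10:15:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Identity","Value":"dave@contoso.example"},{"Name":"ForwardingAddress","Value":"erin@contoso.example"}]}',
    '{"CreationTime":"2024-03-01T10:20:00","Workload":"Exchange","Operation":"New-TransportRule","UserId":"admin@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Compliance copy"},{"Name":"BlindCopyTo","Value":"archive@contoso.example"}]}',
]

# Cmdlet parameters that cause mail to be forwarded, redirected or copied.
# Inbox rules and mailbox forwarding are per-mailbox persistence channels;
# transport rules do the same tenant-wide and need admin rights.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"},
    "Set-TransportRule": {"BlindCopyTo", "RedirectMessageTo", "AddToRecipients", "CopyTo"},
}

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's accepted domains


def _params(record):
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def _addresses(value):
    """Extract SMTP addresses from 'smtp:user@host', 'user@host' or a ';'-separated list."""
    out = []
    for part in str(value).split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            out.append(part.lower())
    return out


def _is_external(address, internal_domains):
    return address.rsplit("@", 1)[-1] not in internal_domains


def detect_forwarding(lines, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per Exchange admin record that sets a forwarding/redirect target."""
    alerts = []
    for line in lines:
        r = json.loads(line)
        watched = FORWARDING_PARAMS.get(r.get("Operation"))
        if r.get("Workload") != "Exchange" or not watched:
            continue
        params = _params(r)
        targets = [a for name in sorted(watched & params.keys()) for a in _addresses(params[name])]
        if not targets:
            continue  # e.g. an inbox rule that only moves mail to a folder
        external = [a for a in targets if _is_external(a, internal_domains)]
        alerts.append({
            "time": r["CreationTime"],
            "actor": r["UserId"],
            "operation": r["Operation"],
            "mailbox": params.get("Identity", r["UserId"]),  # Set-* cmdlets name the target mailbox
            "targets": targets,
            "external": external,
            "deletes_original": params.get("DeleteMessage", "").lower() == "true",
            "severity": "high" if external else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_forwarding(SAMPLE_EXCHANGE_AUDIT):
        print(alert)
```

Internal forwarding is still reported, at lower severity, because an attacker who controls one mailbox can chain forwarding through another; the DeleteMessage flag is surfaced because a rule that forwards and then deletes is what hides the exfiltration from the mailbox owner.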
Microsoft 365 SharePoint
- Monitors actions performed by SharePoint admins, such as sites added, deleted, or modified.
- Monitors file activities such as files shared with external users, uploads, and downloads.
Microsoft 365 OneDrive
- Monitors actions performed by OneDrive admins, such as sites added, deleted, or modified.
- Monitors file activities such as files shared with external users, uploads, and downloads.
Microsoft 365 Advanced Threat Protection (now Microsoft Defender for Office 365)
- Detects malicious mail received by Exchange Online.
- Identifies the geolocation of the attacking sender.
- Detects malicious attachments in Exchange Online.
Azure Active Directory Multi-Factor Authentication (MFA)
- Tracks sign-ins to Microsoft 365 that used MFA, with geographic location, to help identify compromised accounts.
- Monitors changes to a user's MFA state, such as enabling or disabling the strong authentication requirement.
Microsoft 365 Data Loss Prevention (DLP)
- Tracks DLP policy matches on sensitive information in Outlook mail and SharePoint.
Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps)
- Monitors the cloud services in use, assigns each a risk ranking, and identifies the users and third-party apps that are able to sign in.
- Identifies and controls sensitive information (DLP) in response to the classification labels applied to content.
The following are the key assets available in this Data Source Integration.
Alerts
Type | Name | Description |
--- | --- | --- |
Security | Microsoft 365 – A potentially malicious URL click was detected | Generated when a potentially malicious URL click was detected by Microsoft 365. |
Security | Microsoft 365 – Creation of forwarding/redirect rule | Generated when a creation of forwarding/redirect rule was detected by Microsoft 365. |
Security | Microsoft 365 – eDiscovery search started or exported | Generated when Microsoft 365 detects that an eDiscovery search was started or exported. |
Security | Microsoft 365 – Elevation of Exchange admin privilege | Generated when an elevation of Exchange admin privilege was detected by Microsoft 365. |
Security | Microsoft 365 – Email messages containing malware removed after delivery | Generated when Microsoft 365 detects and removes an email message containing malware after delivery. |
Security | Microsoft 365 – Email messages containing phish URLs removed after delivery | Generated when Microsoft 365 detects and removes an email message containing phish URL(s) after delivery. |
Security | Microsoft 365 – Email reported by user as malware or phish | Generated when a user reports an email to Microsoft 365 as malware or phish. |
Security | Microsoft 365 – Login activities using SAML token detected | Generated when Microsoft 365 detects a login that used a SAML token. |
Security | Microsoft 365 – Malware campaign detected after delivery | Generated when a malware campaign after delivery is detected by Microsoft 365. |
Security | Microsoft 365 – Malware campaign detected and blocked | Generated when a malware campaign was detected and blocked by Microsoft 365. |
Security | Microsoft 365 – Malware campaign detected in SharePoint and OneDrive | Generated when a malware campaign in SharePoint and OneDrive was detected by Microsoft 365. |
Security | Microsoft 365 – Messages have been delayed | Generated when a delay in messages was detected by Microsoft 365. |
Security | Microsoft 365 – Phish delivered due to tenant or user override | Generated when a phish delivered due to tenant or user override is detected by Microsoft 365. |
Security | Microsoft 365 – Security & compliance alerts | Generated when security & compliance alerts are triggered by Microsoft 365. |
Security | Microsoft 365 – Suspicious email sending patterns detected | Generated when suspicious email sending patterns are detected by Microsoft 365. |
Security | Microsoft 365 – Tenant restricted from sending email | Generated when Microsoft 365 restricts the tenant from sending email. |
Security | Microsoft 365 – Unusual increase in email reported as phish | Generated when an unusual increase in email reported as phish is detected by Microsoft 365. |
Security | Microsoft 365 – Unusual volume of file deletion | Generated when an unusual volume of file deletion is detected by Microsoft 365. |
Security | Microsoft 365 – User impersonation phish delivered to inbox/folder | Generated when a user impersonation phishing email delivered to inbox/folder is detected by Microsoft 365. |
Security | Microsoft 365 – Azure AD User Logon failed | Generated when Microsoft 365 detects a failed Azure AD user logon. |
Security | Microsoft 365 – CAS alerts has been triggered | Generated when Cloud App Security (CAS) alerts are triggered in Microsoft 365. |
Security | Microsoft 365 – Login Activities | Generated when a login activity is detected by Microsoft 365. |
Security | Microsoft 365 – Sensitive information detected in Mail | Generated when Microsoft 365 detects sensitive information in mail. |
Security | Microsoft 365 – Sensitive information detected in SharePoint | Generated when sensitive information is detected in SharePoint by Microsoft 365. |
Security | Microsoft 365 – User login failed due to MFA | Generated when Microsoft 365 detects a user login that failed MFA. |
Security | Microsoft 365 – User MFA disabled | Generated when a user disabling MFA is detected by Microsoft 365. |
Security | Microsoft 365 – Member assigned to global administrator role | Generated when a user or group assigned to the Global Administrator role is detected by Microsoft 365. |
Compliance | Microsoft 365 – Unusual external user file activity | Generated when an unusual external user file activity is detected by Microsoft 365. |
Compliance | Microsoft 365 – Unusual volume of external file sharing | Generated when an unusual volume of external file sharing is detected by Microsoft 365. |
Compliance | Microsoft 365 – User restricted from sending email | Generated when Microsoft 365 restricts a user from sending email. |
Reports
Type | Name | Description |
--- | --- | --- |
Security | Microsoft 365 – Azure active directory login activities | Provides details about all the Azure active directory login activities monitored by Microsoft 365. |
Security | Microsoft 365 – User MFA activities | Provides details about all the user MFA activities monitored by Microsoft 365. |
Security | Microsoft 365 – Exchange Spam Mail Traffic Details | Provides details about all the Exchange Spam Mail Traffic Details monitored by Microsoft 365. |
Security | Microsoft 365 – Threat intelligence activities | Provides details about all the threat intelligence activities monitored by Microsoft 365. |
Security | Microsoft 365 – DLP activity | Provides details about all the DLP activity monitored by Microsoft 365. |
Security | Microsoft 365 – User login failed due to MFA activities | Provides details about all user logins that failed MFA, as monitored by Microsoft 365. |
Security | Microsoft 365 – CAS alert triggered | Provides details about all the Cloud App Security (CAS) alerts triggered, as monitored by Microsoft 365. |
Compliance | Microsoft 365 – Exchange admin activities | Provides details about all the Exchange admin activities monitored by Microsoft 365. |
Compliance | Microsoft 365 – Azure active directory admin activities | Provides details about all the Azure active directory admin activities monitored by Microsoft 365. |
Operational | Microsoft 365 – Email activity user counts | Provides details about all the email activity user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Email app usage user counts | Provides details about all the email app usage user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Email app usage user detail | Provides details about all the email app usage user detail monitored by Microsoft 365. |
Operational | Microsoft 365 – Email app usage version user counts | Provides details about all the email app usage version user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Mailbox usage detail | Provides details about all the mailbox usage detail monitored by Microsoft 365. |
Operational | Microsoft 365 – Mailbox usage mailbox counts | Provides details about all the mailbox usage mailbox counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Mailbox usage quota status mailbox counts | Provides details about all the mailbox usage quota status mailbox counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Mailbox storage usage | Provides details about all the mailbox storage usage monitored by Microsoft 365. |
Operational | Microsoft 365 – Activation counts | Provides details about all the activation counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Microsoft 365 activation user counts | Provides details about all the Microsoft 365 activation user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – Activated user detail | Provides details about all the activated user detail monitored by Microsoft 365. |
Operational | Microsoft 365 – Active user counts | Provides details about all the active user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive activity file counts | Provides details about all the OneDrive activity file counts monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive activity user counts | Provides details about all the OneDrive activity user counts monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive usage account counts | Provides details about all the OneDrive usage account counts monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive usage account detail | Provides details about all the OneDrive usage account detail monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive usage file counts | Provides details about all the OneDrive usage file counts monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive usage storage | Provides details about all the OneDrive usage storage monitored by Microsoft 365. |
Operational | Microsoft 365 – SharePoint activity user details | Provides details about all the SharePoint activity user details monitored by Microsoft 365. |
Operational | Microsoft 365 – SharePoint site storage usage | Provides details about all the SharePoint site storage usage monitored by Microsoft 365. |
Operational | Microsoft 365 – Exchange Message Trace Details | Provides details about all the Exchange Message Trace Details monitored by Microsoft 365. |
Operational | Microsoft 365 – Exchange Mail Traffic Details | Provides details about all the Exchange Mail Traffic Details monitored by Microsoft 365. |
Operational | Microsoft 365 – Exchange Mailbox login activities | Provides details about all the Exchange Mailbox login activities monitored by Microsoft 365. |
Operational | Microsoft 365 – OneDrive file operations | Provides details about all the OneDrive file operations monitored by Microsoft 365. |
Operational | Microsoft 365 – SharePoint site operations | Provides details about all the SharePoint site operations monitored by Microsoft 365. |
Operational | Microsoft 365 – Skype for business activity user detail | Provides details about all the Skype for business user details monitored by Microsoft 365. |
Operational | Microsoft 365 – Skype for business device usage user detail | Provides details about all the user device usage of Skype for business monitored by Microsoft 365. |
Operational | Microsoft 365 – Skype for business peer to peer activity user counts | Provides details about all the peer-to-peer activity user counts of Skype for business monitored by Microsoft 365. |
Dashboards
Type | Name | Description |
--- | --- | --- |
Security | Microsoft 365 – CAS alert triggered by category | Displays all the CAS alert triggered by category in Microsoft 365. |
Security | Microsoft 365 – CAS alert triggered by username | Displays all the CAS alert triggered by username in Microsoft 365. |
Security | Microsoft 365 – CAS suspicious activity by username | Displays all the CAS suspicious activity by username in Microsoft 365. |
Security | Microsoft 365 – CAS alert triggered by alert type | Displays all the CAS alert triggered by alert type in Microsoft 365. |
Security | Microsoft 365 – ATP Top Malware Detected detail | Displays all the ATP top malware detected detail in Microsoft 365. |
Security | Microsoft 365 – ATP User Affected by Threat | Displays all the ATP user affected by threat in Microsoft 365. |
Security | Microsoft 365 – ATP Threat Category | Displays all the ATP threat category in Microsoft 365. |
Security | Microsoft 365 – ATP Threat Detection Method | Displays all the ATP threat detection method in Microsoft 365. |
Security | Microsoft 365 – ATP Suspicious Sender | Displays all the ATP suspicious sender in Microsoft 365. |
Security | Microsoft 365 – DLP Action Taken | Displays all the DLP action taken in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory login failed reason | Displays all the Azure Active Directory login failed reason in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory Events | Displays all the Azure Active Directory events in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory login activities by Status | Displays all the Azure Active Directory login activities by status in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory login by user | Displays all the Azure Active Directory login by user in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory login activities by Client IP | Displays all the Azure Active Directory login activities by client IP in Microsoft 365. |
Security | Microsoft 365 – Azure Active Directory login failed by Country | Displays all the Azure Active Directory login failed by country in Microsoft 365. |
Security | Microsoft 365 – Exchange Malicious Email by Sender | Displays all the Exchange malicious email by sender in Microsoft 365. |
Security | Microsoft 365 – Exchange Malicious Email by Recipient | Displays all the Exchange malicious email by recipient in Microsoft 365. |
Security | Microsoft 365 – Exchange Malicious Email by Threat Name | Displays all the Exchange malicious email by threat name in Microsoft 365. |
Security | Microsoft 365 – Exchange mailbox login by user | Displays all the Exchange mailbox login by user in Microsoft 365. |
Security | Microsoft 365 – Exchange Top Spam mail by Sender | Displays all the Exchange top spam mail by sender in Microsoft 365. |
Security | Microsoft 365 – Exchange Top Spam mail by Recipient | Displays all the Exchange top spam mail by recipient in Microsoft 365. |
Security | Microsoft 365 – MFA failed on User login activities by UserName | Displays all the MFA failed on user login activities by username in Microsoft 365. |
Security | Microsoft 365 – MFA succeed on User login activities by UserName | Displays all the MFA succeed on user login activities by username in Microsoft 365. |
Security | Microsoft 365 – MFA failed on User login activities by Geo Location | Displays all the MFA failed on user login activities by geo location in Microsoft 365. |
Security | Microsoft 365 – MFA succeed on User login activities by Geo Location | Displays all the MFA succeed on user login activities by geo location in Microsoft 365. |
Compliance | Microsoft 365 – Exchange Admin Activities By User | Displays all the Exchange admin activities by user in Microsoft 365. |
Compliance | Microsoft 365 – User MFA activities by Targeted UserName | Displays all the user MFA activities by targeted username in Microsoft 365. |
Compliance | Microsoft 365 – DLP activities by policy name | Displays all the DLP activities by policy name in Microsoft 365. |
Compliance | Microsoft 365 – DLP activities by mail subject | Displays all the DLP activities by mail subject in Microsoft 365. |
Compliance | Microsoft 365 – DLP activities by Severity | Displays all the DLP activities by severity in Microsoft 365. |
Compliance | Microsoft 365 – DLP activities by sensitive information type name | Displays all the DLP activities by sensitive information type name in Microsoft 365. |
Compliance | Microsoft 365 – User MFA activities by UserName | Displays all the user MFA activities by username in Microsoft 365. |
Compliance | Microsoft 365 – Teams Login Success | Displays all the Teams login success in Microsoft 365. |
Compliance | Microsoft 365 – Teams User Login by Geolocation | Displays all the Teams user login by geolocation in Microsoft 365. |
Compliance | Microsoft 365 – Teams Login trends | Displays all the Teams login trends in Microsoft 365. |
Compliance | Microsoft 365 – Teams External User Detected in team/chat Per day | Displays all the Teams external user detected in team/chat per day in Microsoft 365. |
Compliance | Microsoft 365 – Teams External Users Detected in team/chat | Displays all the Teams external users detected in team/chat in Microsoft 365. |
Compliance | Microsoft 365 – Teams Team and Connector Activity | Displays all the Teams team and connector activity in Microsoft 365. |
Operational | Microsoft 365 – Exchange Top Recipient | Displays all the Exchange top recipient in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activities by Operation | Displays all the OneDrive activities by operation in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activities by File Type | Displays all the OneDrive activities by file type in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activities by Resource Type | Displays all the OneDrive activities by resource type in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activity trends | Displays all the OneDrive activity trends in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activities by User | Displays all the OneDrive activities by user in Microsoft 365. |
Operational | Microsoft 365 – OneDrive Activities by User Agent | Displays all the OneDrive activities by user agent in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activities by Operations | Displays all the SharePoint activities by operations in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activities by File Type | Displays all the SharePoint activities by file type in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activities by Resource Type | Displays all the SharePoint activities by resource type in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activity trends | Displays all the SharePoint activities trends in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activities by User | Displays all the SharePoint activities by user in Microsoft 365. |
Operational | Microsoft 365 – SharePoint Activities by User Agent | Displays all the SharePoint activities by user agent in Microsoft 365. |
Operational | Microsoft 365 – Teams Device Type Used | Displays all the Teams device type used in Microsoft 365. |
Operational | Microsoft 365 – Teams Operation related to Members by username | Displays all the Teams operation related to members by username in Microsoft 365. |
Operational | Microsoft 365 – Teams Channel and Tab Activity | Displays all the Teams channel and tab activity in Microsoft 365. |
Operational | Microsoft 365 – Exchange Top Sender | Displays all the Exchange top sender in Microsoft 365. |
Saved Searches
Type | Name | Description |
--- | --- | --- |
Security | Microsoft 365 – Exchange Spam Mail Traffic Details | Provides details about all the Exchange spam mail traffic details by Microsoft 365. |
Security | Microsoft 365 – Exchange Threat Intelligence Activity | Provides details about all the Exchange threat intelligence activity by Microsoft 365. |
Security | Microsoft 365 – User login failed due to MFA activities | Provides details about all the user login failed due to MFA activities by Microsoft 365. |
Security | Microsoft 365 – User MFA disable activities | Provides details about all the user MFA disable activities by Microsoft 365. |
Security | Microsoft 365 – CAS Alert activities | Provides details about all the CAS alert activities by Microsoft 365. |
Compliance | Microsoft 365 – Azure AD Admin Activity | Provides details about all the Azure AD admin activity by Microsoft 365. |
Compliance | Microsoft 365 – Azure AD User Logon Activity | Provides details about all the Azure AD user logon activity by Microsoft 365. |
Compliance | Microsoft 365 – Email Activity by Count | Provides details about all the email activity by count by Microsoft 365. |
Compliance | Microsoft 365 – Exchange Admin Activity | Provides details about all the Exchange admin activity by Microsoft 365. |
Compliance | Microsoft 365 – Exchange Mailbox User Logon Activity | Provides details about all the Exchange mailbox user logon activity by Microsoft 365. |
Compliance | Microsoft 365 – Exchange Message Trace | Provides details about all the Exchange message trace by Microsoft 365. |
Compliance | Microsoft 365 – User MFA enable activities | Provides details about all the user MFA enable activities by Microsoft 365. |
Operational | Microsoft 365 – Exchange Mail Traffic | Provides details about all the Exchange mail traffic by Microsoft 365. |
Operational | Microsoft 365 – Mailbox Storage Usage | Provides details about all the mailbox storage usage by Microsoft 365. |
*The DSI items related to message trace (the Exchange Message Trace report and saved search) are not supported for Microsoft 365 GCC, GCC High, and DoD subscriptions.
Documentation
The configuration details are consistent with Netsurion Open XDR 9.3 and later, and Microsoft 365.
Download the Integration Guide for configuration instructions and more information.