Microsoft 365

Version – Microsoft 365 (Enterprise E3, E5, and F3 licenses; Business Basic, Standard, and Premium licenses; Government Community Cloud (GCC) G3 and G5 licenses; GCC High and Department of Defense (DoD) subscriptions).

Microsoft 365 is a cloud-based subscription service that combines desktop apps such as Excel and Outlook with cloud services such as OneDrive and Microsoft Teams, so that users can create and share from any device.

The Microsoft 365 Data Source Integration (DSI) for Netsurion Open XDR captures important activities in Exchange Online, Azure Active Directory, SharePoint, OneDrive, and Teams. Monitoring these activities is critical for security and necessary for compliance. Learn more about Microsoft 365 security coverage below, or start with an introduction to protecting Microsoft 365.

Netsurion Open XDR ingests and manages the logs retrieved from Microsoft 365. Its alerts, reports, dashboards, and saved searches are built on the important and critical activities captured from Microsoft 365.

Azure Active Directory (AD)

  • Monitors administrator actions such as user accounts being added or deleted and privilege escalation, as well as password and policy changes.
  • Tracks user sign-ins to Microsoft 365 with geographic location to help identify compromised accounts.
  • Identifies suspicious sign-in attempts using user location affinity: alerts the first time a user signs in from a new location or a suspicious IP address.
  • Detects brute-force sign-in attempts, with geographic information on the source.
  • Follows Microsoft's monitoring guidelines by covering sign-ins from multiple geographies, sign-ins from unknown sources, user administration activities, group administration activities, and application administration activities.
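As an added illustration of the location-affinity and brute-force checks listed above (example code written for this page, not Netsurion's or Microsoft's), the Python below runs both checks over constructed audit records. The records use the field names of the Office 365 Management Activity API common schema (CreationTime, Operation, UserId, ClientIP, Workload, ResultStatus) with the sign-in operations UserLoggedIn and UserLoginFailed, but every value is invented; the GEO table is a stand-in for a real IP geolocation lookup, and the failure threshold and time window are assumptions.

```python
"""Sign-in anomaly checks over Microsoft 365 audit records (added example).

Records are constructed and simplified: field names follow the Office 365
Management Activity API common schema, values are invented, and GEO stands
in for a real IP geolocation lookup (assumption).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in geolocation table (assumption; real deployments use a GeoIP database).
GEO = {
    "198.51.100.7": "US",
    "203.0.113.9": "US",
    "198.51.100.200": "US",
    "192.0.2.44": "RO",
}


def _rec(time, operation, user, ip, status):
    """Build one constructed AzureActiveDirectoryStsLogon audit record."""
    return {"CreationTime": time, "Operation": operation, "UserId": user,
            "ClientIP": ip, "Workload": "AzureActiveDirectoryStsLogon",
            "ResultStatus": status}


# Constructed sample: alice signs in from two US addresses; bob's account is
# hammered from a Romanian address, which then succeeds.
SAMPLE_RECORDS = [
    _rec("2024-03-01T08:00:00Z", "UserLoggedIn", "alice@contoso.example", "198.51.100.7", "Success"),
    _rec("2024-03-01T09:00:00Z", "UserLoggedIn", "alice@contoso.example", "203.0.113.9", "Success"),
    _rec("2024-03-01T09:05:00Z", "UserLoggedIn", "bob@contoso.example", "198.51.100.200", "Success"),
] + [
    _rec(f"2024-03-01T10:0{i}:00Z", "UserLoginFailed", "bob@contoso.example", "192.0.2.44", "Failed")
    for i in range(6)
] + [
    _rec("2024-03-01T10:06:00Z", "UserLoggedIn", "bob@contoso.example", "192.0.2.44", "Success"),
    _rec("2024-03-01T10:30:00Z", "UserLoginFailed", "alice@contoso.example", "192.0.2.44", "Failed"),
]


def parse_time(ts):
    """Audit timestamps are UTC ISO-8601; exports may carry a trailing 'Z'."""
    return datetime.fromisoformat(ts.rstrip("Z"))


def new_location_logins(records):
    """Location affinity: alert the first time a user signs in successfully
    from a country not seen in that user's earlier successful sign-ins."""
    seen = defaultdict(set)  # user -> countries of earlier successful sign-ins
    alerts = []
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        if r["Operation"] != "UserLoggedIn":
            continue
        country = GEO.get(r["ClientIP"], "??")
        known = seen[r["UserId"]]
        if known and country not in known:
            alerts.append({"user": r["UserId"], "ip": r["ClientIP"], "country": country,
                           "time": r["CreationTime"], "known": sorted(known)})
        known.add(country)  # a user's very first sign-in only seeds the baseline
    return alerts


def brute_force_sources(records, threshold=5, window=timedelta(minutes=10)):
    """Alert when one client IP produces `threshold` or more failed sign-ins
    inside `window`; escalate if a success from that IP follows while the
    failures are still inside the window (the password was likely found)."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    targets = defaultdict(set)     # ip -> users it tried
    flagged = {}                   # ip -> alert
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        ip, t = r["ClientIP"], parse_time(r["CreationTime"])
        q = failures[ip]
        while q and t - q[0] > window:  # slide the window forward
            q.popleft()
        if r["Operation"] == "UserLoginFailed":
            q.append(t)
            targets[ip].add(r["UserId"])
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "country": GEO.get(ip, "??"), "failures": len(q),
                               "users": sorted(targets[ip]), "first": q[0].isoformat(),
                               "severity": "high", "followed_by_success": None}
        elif r["Operation"] == "UserLoggedIn" and ip in flagged and q:
            flagged[ip]["severity"] = "critical"
            flagged[ip]["followed_by_success"] = r["UserId"]
    return list(flagged.values())


if __name__ == "__main__":
    for a in new_location_logins(SAMPLE_RECORDS) + brute_force_sources(SAMPLE_RECORDS):
        print(a)
```

A user's first-ever sign-in seeds the baseline rather than raising an alert, which is the affinity model's blind spot for brand-new accounts; pair it with the brute-force check, which catches the same compromise from the source side. These records exist only if unified audit logging is enabled in the tenant.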

Microsoft 365 Exchange Online

  • Audits administrator actions, including mailbox creation and deletion.
  • Traces email messages (message trace).
  • Identifies users who access mailbox folders, purge deleted items, or access other users' mailboxes.
  • Monitors changes to Exchange policies that could open gaps for malware, spam, or spoofed email.
  • Follows Microsoft's monitoring guidelines by covering mailbox activity and changes to mail forwarding rules and mail transport rules.
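To show what the forwarding-rule and transport-rule monitoring listed above has to look at, here is an added example (not Netsurion's or Microsoft's code) that inspects constructed Exchange admin audit records. The cmdlet names (New-InboxRule, Set-InboxRule, Set-Mailbox, New-TransportRule, Set-TransportRule) and the Parameters list of Name/Value pairs follow the shape of Exchange admin audit records, but every value, the list of internal domains, and the severity scheme are assumptions.

```python
"""Forwarding/redirect rule detection over Exchange admin audit records (added example).

Records are constructed: cmdlet names and the Parameters Name/Value list follow
the Exchange admin audit record shape; all values, the internal domain list and
the severity scheme are assumptions.
"""
import re

# Parameters that send mail somewhere else, per cmdlet.
FORWARDING_PARAMS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
    "New-TransportRule": ("RedirectMessageTo", "BlindCopyTo", "CopyTo"),
    "Set-TransportRule": ("RedirectMessageTo", "BlindCopyTo", "CopyTo"),
}
# Inbox-rule parameters attackers combine with forwarding so the victim
# never sees the copied mail.
EVIDENCE_HIDING = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _rec(time, op, actor, target, **params):
    """Build one constructed Exchange admin audit record."""
    return {"CreationTime": time, "Workload": "Exchange", "Operation": op,
            "UserId": actor, "ObjectId": target,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample: a compromised user adds a hidden external forward, an
# admin sets an internal forward, a harmless move-to-folder rule, a transport
# rule copying mail to a partner, and a mailbox change unrelated to forwarding.
SAMPLE_RECORDS = [
    _rec("2024-03-02T07:41:00Z", "New-InboxRule", "bob@contoso.example", "bob@contoso.example",
         Name="..", ForwardTo='"collector" [SMTP:collector@attacker.example]', DeleteMessage="True"),
    _rec("2024-03-02T08:10:00Z", "Set-Mailbox", "admin@contoso.example", "alice@contoso.example",
         ForwardingSmtpAddress="smtp:alice.backup@contoso.example", DeliverToMailboxAndForward="True"),
    _rec("2024-03-02T08:12:00Z", "New-InboxRule", "carol@contoso.example", "carol@contoso.example",
         Name="Projects", MoveToFolder="Projects"),
    _rec("2024-03-02T09:00:00Z", "New-TransportRule", "admin@contoso.example", "Partner copy",
         Name="Partner copy", RedirectMessageTo="archive@partner.example"),
    _rec("2024-03-02T09:30:00Z", "Set-Mailbox", "admin@contoso.example", "dave@contoso.example",
         MaxSendSize="50 MB (52,428,800 bytes)"),
]


def _truthy(value):
    return str(value).strip().lower() in ("true", "$true", "1")


def forwarding_alerts(records, internal_domains):
    """Return one alert per record that adds or changes a forwarding destination."""
    internal = {d.lower() for d in internal_domains}
    alerts = []
    for r in records:
        watched = FORWARDING_PARAMS.get(r.get("Operation"))
        if not watched:
            continue  # not a cmdlet that can forward mail
        params = {p["Name"]: str(p["Value"]) for p in r.get("Parameters", [])}
        destinations = sorted({m.lower() for name in watched if name in params
                               for m in EMAIL_RE.findall(params[name])})
        if not destinations:
            continue  # no forwarding parameter touched (e.g. MoveToFolder only)
        external = [d for d in destinations if d.rsplit("@", 1)[1] not in internal]
        hides = [n for n in EVIDENCE_HIDING if _truthy(params.get(n, ""))]
        if external and hides:
            severity = "critical"  # exfiltration that the victim will not notice
        elif external:
            severity = "high"
        else:
            severity = "medium"    # internal forward: review, but usually legitimate
        alerts.append({"time": r["CreationTime"], "operation": r["Operation"],
                       "actor": r["UserId"], "target": r["ObjectId"],
                       "destinations": destinations, "external": external,
                       "hides_evidence": hides, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in forwarding_alerts(SAMPLE_RECORDS, ["contoso.example"]):
        print(a)
```

Two caveats for a real deployment: ForwardingAddress on Set-Mailbox holds a directory recipient identity that may carry no "@" at all, so it must be resolved against the directory rather than regex-matched, and the internal-domain list should be the tenant's accepted domains, not a hard-coded value as here.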

Microsoft 365 SharePoint

  • Monitors SharePoint administrator actions such as sites being added, deleted, or modified.
  • Monitors file activities such as files shared with external users, uploads, and downloads.

Microsoft 365 OneDrive

  • Monitors OneDrive administrator actions such as sites being added, deleted, or modified.
  • Monitors file activities such as files shared with external users, uploads, and downloads.

Microsoft 365 Advanced Threat Protection (now Microsoft Defender for Office 365)

  • Detects malicious mail received by Exchange Online.
  • Geolocates the source of the attack.
  • Detects malicious attachments in Exchange Online.

Azure Active Directory Multifactor Authentication (MFA)

  • Tracks MFA-protected user sign-ins to Microsoft 365 with geographic location to help identify compromised accounts.
  • Monitors changes to a user's MFA state, such as enabling or disabling strong authentication requirements.

Microsoft 365 Data Loss Prevention (DLP)

  • Tracks DLP policy matches on sensitive information in Outlook and SharePoint.

Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps)

  • Monitors the cloud services in use, assigns each a risk ranking, and identifies the users and third-party apps able to sign in.
  • Identifies and controls sensitive information (DLP) in response to classification labels on content.

The following are the key assets available in this Data Source Integration.

Alerts

Type | Name | Description
Security | Microsoft 365 – A potentially malicious URL click was detected | Generated when Microsoft 365 detects a click on a potentially malicious URL.
Security | Microsoft 365 – Creation of forwarding/redirect rule | Generated when Microsoft 365 detects the creation of a forwarding or redirect rule.
Security | Microsoft 365 – eDiscovery search started or exported | Generated when Microsoft 365 detects an eDiscovery search being started or exported.
Security | Microsoft 365 – Elevation of Exchange admin privilege | Generated when Microsoft 365 detects an elevation of Exchange admin privilege.
Security | Microsoft 365 – Email messages containing malware removed after delivery | Generated when Microsoft 365 removes an email message containing malware after delivery.
Security | Microsoft 365 – Email messages containing phish URLs removed after delivery | Generated when Microsoft 365 removes an email message containing phishing URLs after delivery.
Security | Microsoft 365 – Email reported by user as malware or phish | Generated when a user reports an email to Microsoft 365 as malware or phishing.
Security | Microsoft 365 – Login activities using SAML token detected | Generated when Microsoft 365 detects a sign-in using a SAML token.
Security | Microsoft 365 – Malware campaign detected after delivery | Generated when Microsoft 365 detects a malware campaign after delivery.
Security | Microsoft 365 – Malware campaign detected and blocked | Generated when Microsoft 365 detects and blocks a malware campaign.
Security | Microsoft 365 – Malware campaign detected in SharePoint and OneDrive | Generated when Microsoft 365 detects a malware campaign in SharePoint or OneDrive.
Security | Microsoft 365 – Messages have been delayed | Generated when Microsoft 365 detects delayed messages.
Security | Microsoft 365 – Phish delivered due to tenant or user override | Generated when Microsoft 365 detects a phishing message delivered because of a tenant or user override.
Security | Microsoft 365 – Security & compliance alerts | Generated when Microsoft 365 triggers a security & compliance alert.
Security | Microsoft 365 – Suspicious email sending patterns detected | Generated when Microsoft 365 detects suspicious email sending patterns.
Security | Microsoft 365 – Tenant restricted from sending email | Generated when Microsoft 365 restricts the tenant from sending email.
Security | Microsoft 365 – Unusual increase in email reported as phish | Generated when Microsoft 365 detects an unusual increase in email reported as phishing.
Security | Microsoft 365 – Unusual volume of file deletion | Generated when Microsoft 365 detects an unusual volume of file deletion.
Security | Microsoft 365 – User impersonation phish delivered to inbox/folder | Generated when Microsoft 365 detects a user-impersonation phishing email delivered to an inbox or folder.
Security | Microsoft 365 – Azure AD User Logon failed | Generated when Microsoft 365 reports a failed Azure AD user logon.
Security | Microsoft 365 – CAS alerts has been triggered | Generated when a Cloud App Security (CAS) alert is triggered in Microsoft 365.
Security | Microsoft 365 – Login Activities | Generated when Microsoft 365 reports a login activity.
Security | Microsoft 365 – Sensitive information detected in Mail | Generated when Microsoft 365 detects sensitive information in mail.
Security | Microsoft 365 – Sensitive information detected in SharePoint | Generated when Microsoft 365 detects sensitive information in SharePoint.
Security | Microsoft 365 – User login failed due to MFA | Generated when Microsoft 365 reports a user login that failed MFA.
Security | Microsoft 365 – User MFA disabled | Generated when Microsoft 365 reports MFA being disabled for a user.
Security | Microsoft 365 – Member assigned to global administrator role | Generated when Microsoft 365 reports a user or group being assigned to the Global Administrator role.
Compliance | Microsoft 365 – Unusual external user file activity | Generated when Microsoft 365 detects unusual external user file activity.
Compliance | Microsoft 365 – Unusual volume of external file sharing | Generated when Microsoft 365 detects an unusual volume of external file sharing.
Compliance | Microsoft 365 – User restricted from sending email | Generated when Microsoft 365 restricts a user from sending email.

Reports

Type | Name | Description
Security | Microsoft 365 – Azure active directory login activities | Provides details about all Azure Active Directory login activities monitored by Microsoft 365.
Security | Microsoft 365 – User MFA activities | Provides details about all user MFA activities monitored by Microsoft 365.
Security | Microsoft 365 – Exchange Spam Mail Traffic Details | Provides details about all Exchange spam mail traffic monitored by Microsoft 365.
Security | Microsoft 365 – Threat intelligence activities | Provides details about all threat intelligence activities monitored by Microsoft 365.
Security | Microsoft 365 – DLP activity | Provides details about all DLP activity monitored by Microsoft 365.
Security | Microsoft 365 – User login failed due to MFA activities | Provides details about all user logins that failed MFA, as monitored by Microsoft 365.
Security | Microsoft 365 – CAS alert triggered | Provides details about all CAS alerts triggered in Microsoft 365.
Compliance | Microsoft 365 – Exchange admin activities | Provides details about all Exchange admin activities monitored by Microsoft 365.
Compliance | Microsoft 365 – Azure active directory admin activities | Provides details about all Azure Active Directory admin activities monitored by Microsoft 365.
Operational | Microsoft 365 – Email activity user counts | Provides details about all email activity user counts monitored by Microsoft 365.
Operational | Microsoft 365 – Email app usage user counts | Provides details about all email app usage user counts monitored by Microsoft 365.
Operational | Microsoft 365 – Email app usage user detail | Provides per-user email app usage detail monitored by Microsoft 365.
Operational | Microsoft 365 – Email app usage version user counts | Provides details about all email app usage user counts by version monitored by Microsoft 365.
Operational | Microsoft 365 – Mailbox usage detail | Provides details about all mailbox usage detail monitored by Microsoft 365.
Operational | Microsoft 365 – Mailbox usage mailbox counts | Provides details about all mailbox usage mailbox counts monitored by Microsoft 365.
Operational | Microsoft 365 – Mailbox usage quota status mailbox counts | Provides details about all mailbox counts by quota status monitored by Microsoft 365.
Operational | Microsoft 365 – Mailbox storage usage | Provides details about all mailbox storage usage monitored by Microsoft 365.
Operational | Microsoft 365 – Activation counts | Provides details about all activation counts monitored by Microsoft 365.
Operational | Microsoft 365 – Microsoft 365 activation user counts | Provides details about all Microsoft 365 activation user counts monitored by Microsoft 365.
Operational | Microsoft 365 – Activated user detail | Provides per-user activation detail monitored by Microsoft 365.
Operational | Microsoft 365 – Active user counts | Provides details about all active user counts monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive activity file counts | Provides details about all OneDrive activity file counts monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive activity user counts | Provides details about all OneDrive activity user counts monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive usage account counts | Provides details about all OneDrive usage account counts monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive usage account detail | Provides per-account OneDrive usage detail monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive usage file counts | Provides details about all OneDrive usage file counts monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive usage storage | Provides details about all OneDrive storage usage monitored by Microsoft 365.
Operational | Microsoft 365 – SharePoint activity user details | Provides per-user SharePoint activity details monitored by Microsoft 365.
Operational | Microsoft 365 – SharePoint site storage usage | Provides details about all SharePoint site storage usage monitored by Microsoft 365.
Operational | Microsoft 365 – Exchange Message Trace Details * | Provides details about all Exchange message trace records monitored by Microsoft 365.
Operational | Microsoft 365 – Exchange Mail Traffic Details | Provides details about all Exchange mail traffic monitored by Microsoft 365.
Operational | Microsoft 365 – Exchange Mailbox login activities | Provides details about all Exchange mailbox login activities monitored by Microsoft 365.
Operational | Microsoft 365 – OneDrive file operations | Provides details about all OneDrive file operations monitored by Microsoft 365.
Operational | Microsoft 365 – SharePoint site operations | Provides details about all SharePoint site operations monitored by Microsoft 365.
Operational | Microsoft 365 – Skype for business activity user detail | Provides per-user Skype for Business activity details monitored by Microsoft 365.
Operational | Microsoft 365 – Skype for business device usage user detail | Provides per-user Skype for Business device usage monitored by Microsoft 365.
Operational | Microsoft 365 – Skype for business peer to peer activity user counts | Provides details about all Skype for Business peer-to-peer activity user counts monitored by Microsoft 365.

Dashboards

Type | Name | Description
Security | Microsoft 365 – CAS alert triggered by category | Displays CAS alerts triggered in Microsoft 365, by category.
Security | Microsoft 365 – CAS alert triggered by username | Displays CAS alerts triggered in Microsoft 365, by username.
Security | Microsoft 365 – CAS suspicious activity by username | Displays CAS suspicious activity in Microsoft 365, by username.
Security | Microsoft 365 – CAS alert triggered by alert type | Displays CAS alerts triggered in Microsoft 365, by alert type.
Security | Microsoft 365 – ATP Top Malware Detected detail | Displays details of the top malware detected by ATP in Microsoft 365.
Security | Microsoft 365 – ATP User Affected by Threat | Displays the users affected by threats detected by ATP in Microsoft 365.
Security | Microsoft 365 – ATP Threat Category | Displays ATP threats in Microsoft 365, by category.
Security | Microsoft 365 – ATP Threat Detection Method | Displays ATP threats in Microsoft 365, by detection method.
Security | Microsoft 365 – ATP Suspicious Sender | Displays suspicious senders identified by ATP in Microsoft 365.
Security | Microsoft 365 – DLP Action Taken | Displays the actions taken by DLP in Microsoft 365.
Security | Microsoft 365 – Azure Active Directory login failed reason | Displays failed Azure Active Directory logins in Microsoft 365, by failure reason.
Security | Microsoft 365 – Azure Active Directory Events | Displays Azure Active Directory events in Microsoft 365.
Security | Microsoft 365 – Azure Active Directory login activities by Status | Displays Azure Active Directory login activities in Microsoft 365, by status.
Security | Microsoft 365 – Azure Active Directory login by user | Displays Azure Active Directory logins in Microsoft 365, by user.
Security | Microsoft 365 – Azure Active Directory login activities by Client IP | Displays Azure Active Directory login activities in Microsoft 365, by client IP.
Security | Microsoft 365 – Azure Active Directory login failed by Country | Displays failed Azure Active Directory logins in Microsoft 365, by country.
Security | Microsoft 365 – Exchange Malicious Email by Sender | Displays malicious email in Exchange, by sender.
Security | Microsoft 365 – Exchange Malicious Email by Recipient | Displays malicious email in Exchange, by recipient.
Security | Microsoft 365 – Exchange Malicious Email by Threat Name | Displays malicious email in Exchange, by threat name.
Security | Microsoft 365 – Exchange mailbox login by user | Displays Exchange mailbox logins, by user.
Security | Microsoft 365 – Exchange Top Spam mail by Sender | Displays the top spam mail in Exchange, by sender.
Security | Microsoft 365 – Exchange Top Spam mail by Recipient | Displays the top spam mail in Exchange, by recipient.
Security | Microsoft 365 – MFA failed on User login activities by UserName | Displays user login activities that failed MFA in Microsoft 365, by username.
Security | Microsoft 365 – MFA succeed on User login activities by UserName | Displays user login activities that passed MFA in Microsoft 365, by username.
Security | Microsoft 365 – MFA failed on User login activities by Geo Location | Displays user login activities that failed MFA in Microsoft 365, by geolocation.
Security | Microsoft 365 – MFA succeed on User login activities by Geo Location | Displays user login activities that passed MFA in Microsoft 365, by geolocation.
Compliance | Microsoft 365 – Exchange Admin Activities By User | Displays Exchange admin activities, by user.
Compliance | Microsoft 365 – User MFA activities by Targeted UserName | Displays user MFA activities in Microsoft 365, by targeted username.
Compliance | Microsoft 365 – DLP activities by policy name | Displays DLP activities in Microsoft 365, by policy name.
Compliance | Microsoft 365 – DLP activities by mail subject | Displays DLP activities in Microsoft 365, by mail subject.
Compliance | Microsoft 365 – DLP activities by Severity | Displays DLP activities in Microsoft 365, by severity.
Compliance | Microsoft 365 – DLP activities by sensitive information type name | Displays DLP activities in Microsoft 365, by sensitive information type name.
Compliance | Microsoft 365 – User MFA activities by UserName | Displays user MFA activities in Microsoft 365, by username.
Compliance | Microsoft 365 – Teams Login Success | Displays successful Teams logins in Microsoft 365.
Compliance | Microsoft 365 – Teams User Login by Geolocation | Displays Teams user logins in Microsoft 365, by geolocation.
Compliance | Microsoft 365 – Teams Login trends | Displays Teams login trends in Microsoft 365.
Compliance | Microsoft 365 – Teams External User Detected in team/chat Per day | Displays external users detected in Teams teams or chats, per day.
Compliance | Microsoft 365 – Teams External Users Detected in team/chat | Displays external users detected in Teams teams or chats.
Compliance | Microsoft 365 – Teams Team and Connector Activity | Displays Teams team and connector activity in Microsoft 365.
Operational | Microsoft 365 – Exchange Top Recipient | Displays the top recipients in Exchange.
Operational | Microsoft 365 – OneDrive Activities by Operation | Displays OneDrive activities in Microsoft 365, by operation.
Operational | Microsoft 365 – OneDrive Activities by File Type | Displays OneDrive activities in Microsoft 365, by file type.
Operational | Microsoft 365 – OneDrive Activities by Resource Type | Displays OneDrive activities in Microsoft 365, by resource type.
Operational | Microsoft 365 – OneDrive Activity trends | Displays OneDrive activity trends in Microsoft 365.
Operational | Microsoft 365 – OneDrive Activities by User | Displays OneDrive activities in Microsoft 365, by user.
Operational | Microsoft 365 – OneDrive Activities by User Agent | Displays OneDrive activities in Microsoft 365, by user agent.
Operational | Microsoft 365 – SharePoint Activities by Operations | Displays SharePoint activities in Microsoft 365, by operation.
Operational | Microsoft 365 – SharePoint Activities by File Type | Displays SharePoint activities in Microsoft 365, by file type.
Operational | Microsoft 365 – SharePoint Activities by Resource Type | Displays SharePoint activities in Microsoft 365, by resource type.
Operational | Microsoft 365 – SharePoint Activity trends | Displays SharePoint activity trends in Microsoft 365.
Operational | Microsoft 365 – SharePoint Activities by User | Displays SharePoint activities in Microsoft 365, by user.
Operational | Microsoft 365 – SharePoint Activities by User Agent | Displays SharePoint activities in Microsoft 365, by user agent.
Operational | Microsoft 365 – Teams Device Type Used | Displays the device types used for Teams in Microsoft 365.
Operational | Microsoft 365 – Teams Operation related to Members by username | Displays Teams membership operations in Microsoft 365, by username.
Operational | Microsoft 365 – Teams Channel and Tab Activity | Displays Teams channel and tab activity in Microsoft 365.
Operational | Microsoft 365 – Exchange Top Sender | Displays the top senders in Exchange.

Saved Searches

Type | Name | Description
Security | Microsoft 365 – Exchange Spam Mail Traffic Details | Provides details about all Exchange spam mail traffic reported by Microsoft 365.
Security | Microsoft 365 – Exchange Threat Intelligence Activity | Provides details about all Exchange threat intelligence activity reported by Microsoft 365.
Security | Microsoft 365 – User login failed due to MFA activities | Provides details about all user logins that failed MFA, as reported by Microsoft 365.
Security | Microsoft 365 – User MFA disable activities | Provides details about all user MFA disable activities reported by Microsoft 365.
Security | Microsoft 365 – CAS Alert activities | Provides details about all CAS alert activities reported by Microsoft 365.
Compliance | Microsoft 365 – Azure AD Admin Activity | Provides details about all Azure AD admin activity reported by Microsoft 365.
Compliance | Microsoft 365 – Azure AD User Logon Activity | Provides details about all Azure AD user logon activity reported by Microsoft 365.
Compliance | Microsoft 365 – Email Activity by Count | Provides email activity counts reported by Microsoft 365.
Compliance | Microsoft 365 – Exchange Admin Activity | Provides details about all Exchange admin activity reported by Microsoft 365.
Compliance | Microsoft 365 – Exchange Mailbox User Logon Activity | Provides details about all Exchange mailbox user logon activity reported by Microsoft 365.
Compliance | Microsoft 365 – Exchange Message Trace * | Provides details about all Exchange message trace records reported by Microsoft 365.
Compliance | Microsoft 365 – User MFA enable activities | Provides details about all user MFA enable activities reported by Microsoft 365.
Operational | Microsoft 365 – Exchange Mail Traffic | Provides details about all Exchange mail traffic reported by Microsoft 365.
Operational | Microsoft 365 – Mailbox Storage Usage | Provides details about all mailbox storage usage reported by Microsoft 365.

* The DSI items related to message trace are not supported for Microsoft 365 GCC, GCC High, and DoD subscriptions.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.3 and later, and Microsoft 365.

Download the Integration Guide for configuration instructions and more information.