Microsoft 365

Version - Microsoft 365 (E3, E5, and F3 licenses for Enterprise; Basic, Standard, and Premium licenses for Business; G3 and G5 licenses for Government Community Cloud (GCC); GCC High and Department of Defense (DoD) subscriptions).

Microsoft 365 is a cloud-based subscription service that brings together the best tools for people to work today. It combines best-in-class apps like Excel and Outlook with powerful cloud services such as OneDrive and Microsoft Teams. Microsoft 365 helps create and share anywhere on any device.

The Microsoft 365 Data Source Integration (DSI) for the Netsurion Open XDR platform captures security-relevant activity in Exchange Online, Azure Active Directory (now Microsoft Entra ID), SharePoint, OneDrive, and Teams. Monitoring these activities is critical from a security standpoint and necessary for compliance. Learn more about the Microsoft 365 security coverage below, or start with an introduction to protecting Microsoft 365.

Azure Active Directory (AD)

  • Monitors administrative actions such as user accounts added or deleted and privilege escalation (role and permission assignments). Password and policy changes are also tracked.
  • Tracks user sign-ins to Microsoft 365 with the geographic location derived from the source IP, to help identify compromised accounts.
  • Identifies suspicious sign-ins using user location affinity: alerts the first time a user signs in from a new location or from a suspicious IP address.
  • Detects brute-force login attempts (repeated failures against one or many accounts from the same source) and reports their geographic origin.
  • Covers Microsoft's recommended monitoring: sign-ins from multiple geographies, sign-ins from unknown sources, and user, group, and application administration activities.
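The sign-in detections above (brute force from one source, first sign-in from a new location) can be reproduced from the raw Azure AD records in the unified audit log. The following Python is an added example written for this page; it is not Netsurion's or Microsoft's code. It assumes a hypothetical GEOIP table standing in for a real GeoIP lookup, hypothetical threshold and window values, and constructed sample records that follow the shape of real UserLoggedIn/UserLoginFailed audit records (Operation, UserId, ClientIP, CreationTime, ResultStatus):

```python
"""Detection logic over Azure AD sign-in records from the Microsoft 365 unified
audit log: brute-force bursts and first-time sign-ins from a new country.

Added example, not Netsurion's or Microsoft's code. SAMPLE_LOG is constructed
test data shaped like real audit records; GEOIP is a hypothetical stand-in for
the GeoIP lookup a SIEM performs on the client IP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical IP -> country map standing in for a GeoIP database (documentation ranges).
GEOIP = {"203.0.113.5": "US", "198.51.100.7": "US", "192.0.2.44": "RU"}

BRUTE_FORCE_THRESHOLD = 5                   # failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def detect_brute_force(records, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """One finding per source IP whose peak count of UserLoginFailed events inside a
    sliding window reaches the threshold. Keying on the IP rather than the user catches
    password spraying (one IP, many users) as well as single-account brute force."""
    failures = defaultdict(list)
    for rec in records:
        if rec.get("Operation") == "UserLoginFailed":
            failures[rec["ClientIP"]].append(rec)
    findings = []
    for ip, recs in failures.items():
        recs.sort(key=_ts)
        peak, start = 0, 0
        for end in range(len(recs)):
            while _ts(recs[end]) - _ts(recs[start]) > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({
                "type": "brute_force",
                "client_ip": ip,
                "country": GEOIP.get(ip, "unknown"),
                "failures": peak,
                "targets": sorted({r["UserId"] for r in recs}),
            })
    return findings


def detect_new_location(records):
    """Location affinity: flag a successful sign-in from a country the user has not
    signed in from before. A user's first observed sign-in only seeds the baseline and
    is not alerted, so the detector does not fire on every newly onboarded account."""
    seen = defaultdict(set)
    findings = []
    for rec in sorted(records, key=_ts):
        if rec.get("Operation") != "UserLoggedIn" or rec.get("ResultStatus") != "Success":
            continue
        user, country = rec["UserId"], GEOIP.get(rec["ClientIP"], "unknown")
        if seen[user] and country not in seen[user]:
            findings.append({
                "type": "new_location",
                "user": user,
                "client_ip": rec["ClientIP"],
                "country": country,
                "known": sorted(seen[user]),
            })
        seen[user].add(country)
    return findings


def run(lines):
    """Parse one JSON audit record per line and return all findings."""
    records = [json.loads(line) for line in lines]
    return detect_brute_force(records) + detect_new_location(records)


# Constructed sample records (not real tenant data).
def _rec(op, user, ip, minute, status="Success"):
    return {"CreationTime": f"2024-03-01T09:{minute:02d}:00", "Workload": "AzureActiveDirectory",
            "Operation": op, "UserId": user, "ClientIP": ip, "ResultStatus": status}


SAMPLE_LOG = [json.dumps(r) for r in (
    [_rec("UserLoggedIn", "alice@contoso.com", "203.0.113.5", 0)]          # baseline: US
    + [_rec("UserLoginFailed", f"user{i}@contoso.com", "192.0.2.44", 5 + i, "Failed")
       for i in range(6)]                                                  # spray from one IP
    + [_rec("UserLoggedIn", "alice@contoso.com", "192.0.2.44", 20)]        # new country for alice
    + [_rec("UserLoggedIn", "bob@contoso.com", "198.51.100.7", 25)]        # first sign-in, no alert
)]

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(json.dumps(finding))
```

Keying the brute-force counter on the source IP rather than the target account is what makes a password spray (one IP, one attempt per user) visible; a per-user threshold would never fire. The new-location check deliberately stays silent on a user's first observed sign-in, so it needs a baseline period before it is useful.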

Microsoft 365 Exchange Online

  • Audits administrator actions, including mailbox creation and deletion.
  • Traces email messages through Exchange Online (message trace).
  • Identifies users who access mailbox folders, purge deleted items, or access other users' mailboxes (non-owner access).
  • Monitors changes to Exchange policies (anti-malware, anti-spam, anti-spoofing) that could weaken protection against malicious mail.
  • Covers Microsoft's recommended monitoring of mailbox activity, changes to mail forwarding rules, and changes to mail transport rules.
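Forwarding can be introduced by three different mechanisms, each audited under a different cmdlet: inbox rules (New-InboxRule, Set-InboxRule), mailbox-level forwarding (Set-Mailbox), and transport rules (New-TransportRule, Set-TransportRule). The following Python is an added example written for this page, not Netsurion's or Microsoft's code. It checks all three over unified audit log records, rates external destinations higher, and also surfaces UpdateInboxRules, the mailbox-audit operation under which rules created from the Outlook desktop client appear. It assumes a hypothetical TENANT_DOMAINS set of accepted domains and constructed sample records (Operation, UserId, ObjectId, Parameters as Name/Value pairs):

```python
"""Detection logic over Exchange Online audit records for mail forwarding set up
through inbox rules, mailbox-level forwarding, or transport rules.

Added example, not Netsurion's or Microsoft's code. SAMPLE_LOG is constructed test
data shaped like unified audit log records for Exchange. TENANT_DOMAINS is a
hypothetical list of the organization's accepted domains.
"""
import json
import re

TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}   # hypothetical accepted domains

# Cmdlet parameters that send a copy of mail somewhere other than the delivered mailbox.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients"},
    "Set-TransportRule": {"RedirectMessageTo", "BlindCopyTo", "CopyTo", "AddToRecipients"},
}
_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def _params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def _addresses(value):
    """Pull SMTP addresses out of parameter values, which arrive in several shapes:
    'ext@evil.example', 'smtp:ext@evil.example', '"Display" [SMTP:ext@evil.example]'."""
    return _ADDR.findall(str(value).lower())


def _is_external(addr):
    return addr.rsplit("@", 1)[1] not in TENANT_DOMAINS


def detect_forwarding(records):
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op == "UpdateInboxRules":
            # Rules created from the Outlook desktop client land here as a mailbox-audit
            # operation without cmdlet parameters, which is the gap in the default
            # "Creation of forwarding/redirect rule" policy. Surface it for review.
            findings.append({"operation": op, "actor": rec.get("UserId"), "target": rec.get("ObjectId"),
                             "destinations": [], "severity": "review", "delete_message": False})
            continue
        watched = FORWARDING_PARAMS.get(op)
        if not watched:
            continue
        params = _params(rec)
        dests = sorted({a for k, v in params.items() if k in watched for a in _addresses(v)})
        if not dests:                    # e.g. Set-Mailbox clearing ForwardingSmtpAddress
            continue
        external = [a for a in dests if _is_external(a)]
        findings.append({
            "operation": op,
            "actor": rec.get("UserId"),                     # who made the change
            "target": rec.get("ObjectId"),                  # mailbox or rule that was changed
            "destinations": dests,
            "severity": "high" if external else "medium",
            # Forward-and-delete hides the exfiltration from the mailbox owner.
            "delete_message": str(params.get("DeleteMessage", "False")).lower() == "true",
        })
    return findings


def run(lines):
    """Parse one JSON audit record per line and return all findings."""
    return detect_forwarding([json.loads(line) for line in lines])


# Constructed sample records (not real tenant data).
def _rec(op, actor, obj, params):
    return {"CreationTime": "2024-03-01T10:00:00", "Workload": "Exchange", "Operation": op,
            "UserId": actor, "ObjectId": obj,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


SAMPLE_LOG = [json.dumps(r) for r in [
    _rec("New-InboxRule", "alice@contoso.com", "alice@contoso.com\\Invoices",
         {"Name": "Invoices", "ForwardTo": '"Archive" [SMTP:attacker@evil.example]', "DeleteMessage": "True"}),
    _rec("Set-Mailbox", "admin@contoso.com", "bob@contoso.com",
         {"ForwardingSmtpAddress": "smtp:bob.backup@contoso.com", "DeliverToMailboxAndForward": "True"}),
    _rec("New-TransportRule", "admin@contoso.com", "Copy all outbound",
         {"Name": "Copy all outbound", "BlindCopyTo": "drop@evil.example"}),
    _rec("Set-Mailbox", "admin@contoso.com", "carol@contoso.com", {"ForwardingSmtpAddress": ""}),
    _rec("UpdateInboxRules", "dave@contoso.com", "dave@contoso.com", {}),
]]

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(json.dumps(finding))
```

Set-Mailbox events that clear ForwardingSmtpAddress carry no address and are skipped, so the detector does not fire on remediation. DeleteMessage on an inbox rule deserves its own flag: forward-and-delete is the pattern that keeps the mailbox owner from noticing that mail is leaving the tenant.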

Microsoft 365 SharePoint

  • Monitors actions performed by SharePoint admins, such as sites added, deleted, or modified.
  • Monitors file activities such as files shared with external users, uploads, and downloads.

Microsoft 365 OneDrive

  • Monitors actions performed by OneDrive admins, such as sites added, deleted, or modified.
  • Monitors file activities such as files shared with external users, uploads, and downloads.

Microsoft 365 Advanced Threat Protection (now Microsoft Defender for Office 365)

  • Detects malicious mail received by Exchange Online.
  • Reports the geolocation of the sending source.
  • Detects malicious attachments in Exchange Online.

Azure Active Directory Multifactor Authentication (MFA)

  • Tracks MFA-protected sign-ins to Microsoft 365 with geographic location, to help identify compromised accounts.
  • Monitors changes to a user's MFA state, such as enabling or disabling the strong authentication requirement.

Microsoft 365 Data Loss Prevention (DLP)

  • Tracks DLP policy matches (potential loss of sensitive information) in Exchange Online/Outlook and SharePoint.

Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps)

  • Discovers the cloud services in use, assigns each a risk score, and identifies the users and third-party apps that are able to sign in.
  • Identifies and controls sensitive information (DLP) in response to classification labels on content.

Once events are received by Netsurion's Open XDR platform, the dashboards, alerts, and reports listed below can be configured in it.

Alerts

Type | Name | Description
Security | *Microsoft 365 - Spam Mail Detected | Triggers whenever spam mail is detected in Microsoft 365 Exchange Online.
Security | Microsoft 365 - Threat Detected | Triggers whenever the Microsoft 365 ATP/Defender module detects malicious or suspicious activity in Exchange Online.
Security | *Microsoft 365 - Malicious Email Detected | Triggers whenever malicious mail is detected in Microsoft 365 Exchange Online.
Security | Microsoft 365 - Security & compliance alerts | Triggers when Security & Compliance Center alert policies detect suspicious activity in the tenant.
Security | Microsoft 365 - A potentially malicious URL click was detected | Triggers when a user protected by Safe Links clicks a malicious link. The event is generated when Microsoft Defender for Office 365 identifies a URL verdict change or when a user overrides the Safe Links warning page.
Security | Microsoft 365 - Creation of forwarding/redirect rule | Triggers when someone in your organization creates an inbox rule for their mailbox that forwards or redirects messages to another email account. This policy only tracks inbox rules created using Outlook on the web (formerly Outlook Web App) or Exchange Online PowerShell.
Security | Microsoft 365 - eDiscovery search started or exported | Triggers when someone uses the Content search tool in the Security & Compliance Center: when a content search is started, when the results of a content search are exported, or when a content search report is exported. Alerts are also triggered when these activities are performed in association with an eDiscovery case.
Security | Microsoft 365 - Elevation of Exchange admin privilege | Triggers when someone is assigned administrative permissions in your Exchange Online organization, for example when a user is added to the Organization Management role group.
Security | Microsoft 365 - Email messages containing malware removed after delivery | Triggers when messages containing malware are delivered to mailboxes in your organization. Microsoft then removes the infected messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Security | Microsoft 365 - Email messages containing phish URLs removed after delivery | Triggers when phishing messages are delivered to mailboxes in your organization. Microsoft then removes the messages from Exchange Online mailboxes using zero-hour auto purge (ZAP).
Security | Microsoft 365 - Email reported by the user as malware or phish | Triggers when users in your organization report messages as phishing using the Report Message add-in.
Security | Microsoft 365 - Malware campaign detected after delivery | Triggers when an unusually large number of messages containing malware are delivered to mailboxes in your organization. Microsoft removes the infected messages from Exchange Online mailboxes.
Security | Microsoft 365 - Malware campaign detected and blocked | Triggers when someone attempts to send an unusually large number of email messages containing a certain type of malware to users in your organization. The infected messages are blocked by Microsoft and not delivered to mailboxes.
Security | Microsoft 365 - Malware campaign detected in SharePoint and OneDrive | Triggers when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization.
Security | Microsoft 365 - Messages have been delayed | Triggers when Microsoft cannot deliver email messages to your on-premises organization or a partner server through a connector. The messages are queued in Microsoft 365; the alert fires when 2,000 or more messages have been queued for more than an hour.
Security | Microsoft 365 - Phish delivered due to tenant or user override | Triggers when Microsoft detects that an admin or user override allowed delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains.
Security | Microsoft 365 - Suspicious email sending patterns detected | Triggers when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning of behavior that may indicate a compromised account but is not yet severe enough to restrict the user.
Security | Microsoft 365 - Tenant restricted from sending an email | Triggers when most of the email traffic from your organization has been detected as suspicious and Microsoft has restricted your organization from sending email. Investigate potentially compromised user and admin accounts, new connectors, and open relays, then contact Microsoft support to unblock your organization.
Security | Microsoft 365 - Unusual external user file activity | Triggers when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside your organization, including accessing, downloading, and deleting files.
Security | Microsoft 365 - Unusual increase in an email reported as phish | Triggers when there is a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing.
Security | Microsoft 365 - Unusual volume of external file sharing | Triggers when an unusually large number of files in SharePoint or OneDrive are shared with users outside your organization.
Security | Microsoft 365 - Unusual volume of file deletion | Triggers when an unusually large number of files are deleted in SharePoint or OneDrive within a short time frame.
Security | Microsoft 365 - User impersonation phish delivered to inbox/folder | Triggers when Microsoft detects that an admin or user override allowed delivery of a user impersonation phishing message to the inbox (or another user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains.
Security | Microsoft 365 - User restricted from sending an email | Triggers when someone in your organization is restricted from sending outbound mail. This typically results from a compromised account; the user is listed on the Restricted users page in the Security & Compliance Center.
Security | Microsoft 365 - User login failed due to MFA | Triggers when a user fails to satisfy the strong authentication (MFA) requirement when signing in to Microsoft 365.
Security | Microsoft 365 - User MFA disabled | Triggers when MFA is disabled for a user.
Security | Microsoft 365 - CAS alerts have been triggered | Triggers when Cloud App Security generates an alert, such as an unusual addition of credentials to an OAuth app or a blocked download on a non-domain-joined device.
Compliance | Microsoft 365 - Azure active directory login failure | Triggers whenever an Azure AD user attempts to sign in but fails.
Compliance | Microsoft 365 - Exchange Mailbox login failure | Triggers whenever a mailbox user attempts to sign in but fails.
Compliance | Microsoft 365 - Sensitive information detected in Mail | Triggers when content in Exchange Online mail matches a DLP rule.
Compliance | Microsoft 365 - Sensitive information detected in SharePoint | Triggers when content in SharePoint matches a DLP rule.

Reports

Type | Name | Description
Security | *Microsoft 365 - Exchange Spam Mail Traffic Details | Detailed information on spam mail received by Exchange Online users.
Security | Microsoft 365 - Exchange Malware Traffic Details | Detailed information on threats detected by Microsoft 365 ATP/Defender.
Security | Microsoft 365 - User login failed due to MFA activities | Sign-in attempts that failed the strong authentication (MFA) requirement, with username, application, source IP address, etc.
Security | Microsoft 365 - User MFA activities | MFA enable and disable activities, with username, target username, action, etc.
Security | Microsoft 365 - CAS alert triggered | Cloud App Security (CAS) alert activity, such as an unusual addition of credentials to an OAuth app or a blocked download on a non-domain-joined device, with fields such as username, reason, category, log type, and message.
Operations | Microsoft 365 - Activated user detail | Microsoft 365 activated users and the operating system (OS) in use.
Operations | Microsoft 365 - Activation counts | Overall summary of activated Microsoft 365 licenses and the operating system (OS) in use.
Operations | Microsoft 365 - Active user counts | Overall summary of users active on Exchange, OneDrive, SharePoint, Teams, and Yammer.
Operations | Microsoft 365 - Email activity user counts | Overall summary of email activity (receive, send, read) in Microsoft 365 Exchange Online.
Operations | Microsoft 365 - Email app usage user counts | Overall summary of the email clients used for sending and receiving (Outlook, IMAP, POP3, etc.) and the number of users per client.
Operations | Microsoft 365 - Email app usage user detail | Per-user detail of the email clients used for sending and receiving mail.
Operations | Microsoft 365 - Email app usage version user counts | Overall summary of email client versions in use (Outlook 2016, Outlook 2013, etc.).
Operations | *Microsoft 365 - Exchange Mail Traffic Details | Overall summary of Exchange Online mail traffic by classification and transport rule match (bulk complaint level BCL0, BCL1, bad mail, good mail, spam mail, etc.).
Operations | *Microsoft 365 - Exchange Message Trace Details | Detailed information on mail sent and received by Exchange Online users; for failed deliveries the report includes the failure reason.
Operations | Microsoft 365 - Mailbox storage usage | Overall summary of storage used by Microsoft 365 Exchange Online mailboxes.
Operations | Microsoft 365 - Mailbox usage detail | Storage used by each user's Microsoft 365 Exchange Online mailbox.
Operations | Microsoft 365 - Mailbox usage mailbox counts | Active mailbox count.
Operations | Microsoft 365 - Mailbox usage quota status mailbox counts | Overall summary of mailboxes by usage quota status (for example, mailboxes that have reached their quota).
Operations | Microsoft 365 - Microsoft 365 activation user counts | Summary of Microsoft 365 license usage.
Operations | Microsoft 365 - OneDrive activity file counts | Count of OneDrive file activities (viewed or edited, shared externally, synced, shared internally).
Operations | Microsoft 365 - OneDrive activity user counts | Count of OneDrive activities (viewed or edited, shared externally, synced, shared internally) by user.
Operations | Microsoft 365 - OneDrive usage account counts | Summary of users actively using OneDrive.
Operations | Microsoft 365 - OneDrive usage account detail | Summary of OneDrive users and a count of their activities.
Operations | Microsoft 365 - OneDrive usage file counts | Total number of files per user on OneDrive.
Operations | Microsoft 365 - OneDrive usage storage | Summary of storage used by OneDrive.
Operations | Microsoft 365 - SharePoint activity user details | User activity counts in Microsoft 365 SharePoint.
Operations | Microsoft 365 - SharePoint site storage usage | Summary of storage used by SharePoint sites.
Compliance | Microsoft 365 - Azure active directory admin activities | Azure Active Directory admin activities such as user management, group management, and permission assignment.
Compliance | Microsoft 365 - Azure active directory login activities | User sign-in activity from Microsoft 365 applications that authenticate through Azure Active Directory.
Compliance | Microsoft 365 - Exchange admin activities | Detailed admin activity for Microsoft 365 Exchange Online, such as mailbox permission changes and mailbox creation, deletion, or modification.
Compliance | Microsoft 365 - Exchange Mailbox login activities | Detailed information on mailbox login activity.
Compliance | Microsoft 365 - SharePoint site operations | Detailed information on activity in Microsoft 365 SharePoint.
Compliance | Microsoft 365 - OneDrive file operations | Detailed information on OneDrive activity such as files uploaded, downloaded, edited, accessed, or shared.
Compliance | Microsoft 365 - DLP activities | DLP activity, with rule name, application, severity, etc.

Documentation

The configuration details are consistent with Netsurion's Open XDR platform version 9.3 or later, and Microsoft 365.

*The DSI items related to message trace (marked with an asterisk above) are not supported for Microsoft 365 GCC, GCC High, and DoD subscriptions.

Download the Integration Guide, the Microsoft 365 Integrator v1.0.0, and the How-to Guide for more information and configuration instructions.