Special thanks to “Clive Watson” and “Ofer Shezaf” that collaborating with me on this blog post.
Due to the COVID-19 crisis, the usage of Office 365 has increased which introduces new security monitoring challenges for SOC teams. Increase usage means that the service should be more focal for defenders.
Over the past few mounts I have been working with my customers, on approaches to onboard Office 365 and related services into Azure Sentinel and the benefit of built-in solutions that a Cloud based Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) bring, such as these use cases.
This blog post is built as a checklist and covers the following topics:
- Required data sources for Office 365 and related workloads
- Onboarding of data sources
- Visualizing data
- Using of out of the box Analytics Rules templates
- Hunting with Azure Sentinel
- Integration of 3rd party Threat Intelligence (TI)
- Data enrichment capabilities
- Automation with SOAR capabilities
- Integration with Ticketing Systems
- Integration with 3rd party SIEMs
Required data sources for Office 365 and related workloads
Choosing the right telemetry for Office 365 and related workloads depends on the enterprise’s security model. For instance, if an enterprise which follow the Zero Trust approach from Microsoft would focus on different telemetry than an enterprise with a classical security approach.
The following data sources should be the minimum onboarded to monitor Office 365:
- Audit and Sign-In Logs from Azure Active Directory
- Activity Logs from Office 365 workloads
- Alerts generated in Office 365 Security and Compliance Center
- Message Trace logs available for Exchange Online
- Microsoft Secure Score recommendations
In addition, the sources below are optional as they depend on additional licenses. Azure Sentinel can benefit from these expert systems and it is recommended to onboard if licensed or consider adding these to aid with detection and use cases.
- Azure Activity Directory Identity Protection alerts
- Office 365 Advanced Threat Protection and Threat Investigation and Response alerts
- Microsoft Cloud App Security alerts
Lastly, the following data sources are optional and would unlock more value by correlating different data sources using SIEM and SOAR capabilities.
- Logs from Domain Controllers and Azure Advanced Threat Protection alerts
- Telemetry from client devices
- Logs and alerts from Proxies and Firewalls
- 3rd Party Threat Intelligence feeds
Onboarding of data sources
Azure Sentinel comes with a several built-in and custom connectors to onboard Office 365 and related workloads.
|
Data Source |
Default Connector |
Custom Connector |
|
Azure Active Directory Sign-In and Audit Logs |
n/a |
|
|
Office 365 / Exchange Online Logs Office 365 / SharePoint Online Logs Office 365 / Microsoft Teams Logs |
n/a |
|
|
Office 365 Audit.General Logs |
n/a |
|
|
Office 365 – DLP.All Logs |
n/a |
|
|
Office 365 Security and Compliance Alerts |
n/a |
|
|
Office 365 Message Trace Logs |
n/a |
|
|
Microsoft Secure Score Recommendations |
n/a |
GIFT Demonstration – Enable the Office 365 data connector:
For a full list, please see, the Azure Sentinel Grand List.
Visualizing data
Azure Sentinel has many built-in workbooks that provide extensive reporting capabilities analyzing your connected data sources to let you quickly and easily deep dive into the data generated by those services. The built-in workbooks can be changed and customized as needed. The Workbooks are provided by Microsoft, our data connector partners and the community.
These built-in Workbooks are available in Azure Sentinel for Office 365 and related workloads.
For more information and instructions on how to use Azure Sentinel Workbooks, please see:
Visualize your data using Azure Monitor Workbooks in Azure Sentinel | Microsoft Docs
In case you prefer to use Power BI for analytics and visualization:
Import Azure Monitor log data into PowerBI:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/powerbi
GIFT Demonstration – How to enable and use the Office 365 Workbook:
Using out of the box Analytics Rule Templates
Once you have connected your required data sources, you can use the Analytics Rule templates available in Azure Sentinel to generate incidents when certain criteria are matched. The Analytics Rules can be changed and customized as needed.
These Analytics Rule templates are available in Azure Sentinel for Office 365 and related workloads.
|
Workload |
Analytics Rules Templates |
|
Azure Active Directory |
Azure Active Directory Sign-In Logs
Azure Active Directory Audit-Logs
|
|
Office 365 |
|
|
Azure Active Directory Identity Protection Microsoft Cloud App Security Azure Advanced Threat Protection |
Tip: You see the related Analytics Rules (and required data) that match the connector on the “Next Steps” page of the “Add Connector” wizard.
Hunting with Azure Sentinel
Azure Sentinel has built-in Hunting Queries to look proactively for new anomalies that you are not yet detecting with your Analytics Rules. You can use these Hunting Queries and Live Stream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
- Test newly created queries as events occur
- You can test and adjust queries without any conflicts to current rules that are being actively applied to events. After you confirm these new queries work as expected, it’s easy to promote them to custom alert rules by selecting an option that elevates the session to an alert.
These Hunting Queries are available in Azure Sentinel for Office 365 and related workloads.
|
Workload |
Hunting Queries |
|
Azure Active Directory |
Azure Active Directory Sign-In Logs
|
|
Office 365 |
|
GIFT Demonstration – Using the Built-In Hunting Queries for Office 365:
Integration with 3rd Party Threat Intelligence
Azure Sentinel lets you import you own threat intelligence indicators, which can enhance your security analysts’ ability to detect and prioritize known threats.
You can stream threat indicators to Azure Sentinel by using one of the integrated threat intelligence platform (TIP) products listed in the next section, connecting to TAXII servers, or by using direct integration with the Microsoft Graph Security tiIndicators API.
The Threat Intelligence data connector includes out of the box Analytics Rules and Hunting Query templates for Office 365 and related workloads.
Threat Intelligence Analytics Rules
Threat Intelligence Hunting Queries
Data enrichment capabilities
Data enrichment is key to associating data in context of enterprises. For instance, data enrichment would add additional information or context to the ingested logs to make it more valuable.
For Office 365 and related workloads Azure Sentinel provides these enrichment use cases:
|
Purpose |
Source |
|
Enrich User Entities with Azure Active Directory information |
|
|
Enrich IP Entities with GeoIP information |
|
|
Enrich IP Entities with VirusTotal information |
|
|
Enrich URL Entities with VirusTotal information |
|
|
Sentinel Alert Evidence |
Automation with SOAR capabilities
Azure Sentinel has built-in SOAR capabilities to orchestrate and automate common and complex tasks. Azure Sentinel uses Azure Logic App and Azure Function Apps for automation. Both services are built-in in Azure. The SOAR use cases are published here: GitHub, and can be deployment via ARM-Templates.
Using automation can save time, improve efficiency and help you improve your SOC (Security Operations Center) metrics and reduce the workload for the Securtity analyts.
https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
Azure Sentinel includes these automation solutions for Office 365 and related workloads:
|
Purpose |
Source |
|
Block Azure Active Directory User |
|
|
Confirm an Azure Active Directory User |
|
|
Dismiss an Azure Active Directory User |
|
|
Reset Azure Active Directory User Password |
|
|
Revoke Azure Active Directory Sign-In Session |
|
|
Delete Email for User Mailbox |
|
|
Assign Incident to Specific Owner |
|
|
Involve the User into Incident Process |
|
|
Post Incident Details to Microsoft Teams |
|
|
Post Incident Details to Slack |
GIFT Demonstration – How to enable the “Block Azure Active Directory User” Playbook:
Integration with Ticketing Systems
As part of the SOAR capabilities, Azure Sentinel support integration with ticketing systems. You can also just send a simple email or Teams message with the same data if you prefer (or do this in parallel with your Ticket).
|
Ticketing System |
Source |
|
ServiceNow |
|
|
Jira |
|
|
IBM Resilient (OnPrem) |
|
|
Zendesk |
Integration with 3rd Party SIEM
In case you are approaching Side-by-Side along with your exiting SIEM.
|
Exiting SIEM |
Source |
|
Splunk |
|
|
QRadar |
|
|
Other 3rd Party SIEMs |
Summary
Ingesting of Office 365 alert logs are free, Azure Sentinel comes with a lot of use cases which help organizations to monitor and protect Office 365 workload, as well allows easy integration into existing SOC environment.
In this post we have covered the basics, looking at the data required, how to on-board connectors, how to manage Alerts, how to Hunt and automate responses to the results, and also connecting to 3rd party ticketing or SIEM solutions.
