Microsoft Office 365

Microsoft Office 365 or Microsoft 365 is a cloud-based suite of productivity and collaboration software. Microsoft 365 audit logs contain information about user services and locations. When you configure Microsoft 365 to send data to InsightIDR, you can start to monitor user, ingress, and admin activity. InsightIDR supports Microsoft 365, Microsoft 365 Government Community Cloud (GCC), and Microsoft 365 GCC High.

The event types that InsightIDR can parse from this event source are:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.General
  • Audit.SharePoint

There are two ways to send data from your Microsoft 365 account to InsightIDR: event collection through the Cloud or through an on-premises Rapid7 Collector.

To set up Microsoft Office 365:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Microsoft Office 365 to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Requirements

Before you start the configuration, you'll need:

  • An administrator account for Microsoft Azure.
    • This is only required if you are configuring Microsoft Office 365 GCC, Microsoft Office 365 GCC High, or the cloud collection method for Microsoft Office 365.
  • Permissions to turn Microsoft Office 365 audit logging on or off.
  • Audit logging turned on in the Office 365 Security & Compliance Center. For detailed instructions, explore Microsoft's compliance documentation.
  • For collectors, the correct URL added:
    • Microsoft Office 365 - https://manage.office.com
    • Microsoft Office 365 GCC - https://manage-gcc.office.com and https://login.microsoftonline.com
    • Microsoft Office 365 GCC High - https://manage.office365.us and https://login.microsoftonline.us

Configure Microsoft Office 365 to send data to InsightIDR

Your Microsoft Office 365 configuration experience differs depending on which collector method and version of Microsoft Office 365 you need to set up (Office 365, Office 365 GCC, or Office 365 GCC High).

Single tenant support

The Microsoft Office 365 Event Source currently only supports a single tenant, so if you have additional tenants within Microsoft Azure, you will need separate Event Sources for each tenant.

Microsoft Office 365 (Cloud)

Before you can send events to InsightIDR from Microsoft Office 365, you'll first need to set up a Microsoft Azure application to access the Office 365 Management APIs.

The application needs a client secret attached to it, in addition to the ActivityFeed.Read application permission applied to the Office 365 Management API. During setup, make sure to copy the following values to a secure location as they are used in the next section:

  • Client ID: The Application (client) ID found in the App Registration overview.
  • Client Secret: The secret created in the App registration.
    • When the secret expires, you are required to reconfigure the event source.
    • You are only able to view and copy this value immediately after creating the client secret. If you log out or leave this page, you will not be able to copy the client secret value and will need to create another one.
  • Tenant ID: The Directory (tenant) ID found in the App Registration overview.

Visit the third-party vendor's documentation

For the most accurate information on setting up an application, we recommend that you visit Microsoft Office 365's documentation.

Microsoft Office 365 (Collector)

If you are using an existing collector, no additional configuration is required. However, make sure the collector recognizes the proper URL from Microsoft Office 365: https://manage.office.com. If you'd like to install a collector, refer to the InsightIDR documentation for Collector Installation and Deployment instructions.

Microsoft Office 365 GCC and Microsoft Office 365 GCC High

Before you can send events to InsightIDR from Microsoft Office 365 GCC or Microsoft Office 365 GCC High, you'll first need to set up a collector. If you are using an existing collector, no additional configuration is required. However, make sure the collector recognizes the correct URL from Microsoft Office 365 GCC or Microsoft Office 365 GCC High:

  • Microsoft Office 365 GCC - https://manage-gcc.office.com and https://login.microsoftonline.com
  • Microsoft Office 365 GCC High - https://manage.office365.us and https://login.microsoftonline.us

If you'd like to install a collector, refer to the InsightIDR documentation for Collector Installation and Deployment instructions.

You'll also need to set up a Microsoft Azure application to access the Office 365 Management APIs. The application needs a client secret attached to it in addition to the ActivityFeed.Read application permission applied to the Office 365 Management API. During setup, make sure to copy the following values to a secure location as they are used in the next section:

  • Client ID: The Application (client) ID found in the App Registration overview.
  • Client Secret: The secret created in the App registration.
    • When the secret expires, you are required to reconfigure the event source.
    • You are only able to view and copy this value immediately after creating the client secret. If you log out or leave this page, you will not be able to copy the client secret value and will need to create another one.
  • Tenant ID: The Directory (tenant) ID found in the App Registration overview.

Visit the third-party vendor's documentation

For the most accurate information on setting up an application, we recommend that you visit Microsoft Office 365's documentation.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR. Your InsightIDR configuration experience differs depending on which collector method and version of Microsoft Office 365 you need to set up (Office 365, Office 365 GCC, or Office 365 GCC High).

Microsoft Office 365 (Cloud)
  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Office 365 in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Office 365 event source tile.
  4. In the Add Event Source panel, select Run On Cloud.
  5. Name the event source. This will become the name of the log that contains the event data in Log Search.
  6. Optionally, select the option to send unparsed data.
  7. Select your LDAP Account Attribution preference:
    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  8. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  9. Click Add a New Connection.
  10. In the Create a Cloud Connection screen, enter a name for the new connection.
  11. In the Tenant ID field, enter the Tenant ID you obtained in the previous section, Configure Microsoft Office 365 to send data to InsightIDR.
  12. In the Client ID field, enter the Client ID you obtained in the previous section, Configure Microsoft Office 365 to send data to InsightIDR.
  13. In the Client Secret field, select an existing credential or add a new one.
    1. If you decided to add a new credential:
      1. Click the field to display a drop-down menu.
      2. Click Add Credential.
      3. Name your credential.
      4. Describe your credential.
      5. Enter the Secret Key that you obtained in the previous section to send data to InsightIDR.
      6. Select which other Rapid7 solutions are able to use the credential.
    2. Click Save Connection.
  14. Click Save.

Connection test subscription activation

When you save a new connection, InsightIDR checks if the necessary Office 365 subscriptions are turned on. If they are not turned on, InsightIDR attempts to activate them to ensure that data is collected from all available sources. When a subscription is created, it can take up to 12 hours for the first content blobs to become available for that subscription. There may be a delay in data collection if a subscription is turned on for the first time. For more information on subscription delays, view Microsoft Office 365's documentation.

Microsoft Office 365 (Collector)

  1. Go to Data Collection and click Setup Event Source > Add Event Source.

  2. Do one of the following:

    • Search for Office 365 in the event sources search bar.
    • In the Product Type filter, select Cloud Service.

  3. Select the Office 365 event source tile.

  4. In the Add Event Source panel, select Run On Collector.

  5. Name your event source. This will become the name of the log that contains the event data in Log Search.

  6. Select your collector from the drop-down menu.

  7. Optionally, select the option to send unparsed data.

  8. Select your LDAP Account Attribution preference:

    • Use short name attribution: Applies the short name of the user without the domain suffix in the Username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.

  9. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.

  10. Click Begin to start the authorization process. A new window or tab opens for you to perform an authorization grant with Microsoft.

    Pop ups must be turned on to finish authentication

    After clicking Begin, a pop-up window appears so you can finish the OAuth process. If pop-ups are turned off, you cannot finish the authorization process and cannot save the event source.

  11. Log in to Microsoft and click Allow.

  12. Click Save.

  13. Log in with your credentials.

  14. Click Accept on the consent screen to grant InsightIDR the required permissions. A success message appears. When it does, close this tab.

  15. Return to InsightIDR. It may take a minute or two for the connection to register. During this time, you will see a waiting screen. When the connection is registered, a green check will appear.

  16. Click Save.

Microsoft Office 365 GCC and Microsoft Office 365 GCC High
  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Office 365 in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Office 365 GCC or Office 365 GCC High event source tile.
  4. Name your event source. This will become the name of the log that contains the event data in Log Search.
  5. Select your collector from the drop-down menu.
  6. Optionally, select the option to send unparsed data.
  7. Select your LDAP Account Attribution preference:
    • Use short name attribution: Applies the short name of the user without the domain suffix in the username field. For example, if the username was jsmith@myorg.example.com, the short name would be jsmith.
    • Use fully qualified domain name attribution: If you have a multi-domain environment, this option works best to attribute users and assets.
  8. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  9. In the Credential field, select an existing credential or select Create new... to add a new one.
    1. If you decided to add a new credential:
      1. Name your credential.
      2. In the Client ID field, enter the Client ID you obtained in the previous section, Configure Microsoft Office 365 to send data to InsightIDR.
      3. Enter the Client Secret that you obtained in the previous section to send data to InsightIDR.
      4. In the Tenant ID field, enter the Tenant ID you obtained in the previous section, Configure Microsoft Office 365 to send data to InsightIDR.
  10. Click Save.

Test the configuration

The event types that InsightIDR parses for this event source are:

  • Audit.AzureActiveDirectory
  • Audit.Exchange
  • Audit.General
  • Audit.SharePoint

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

If event data is coming into InsightIDR, you'll also want to ensure that log entries are appearing in Log Search.

To verify log entries are appearing in Log Search:

  1. Open Log Search.
  2. In the Log Search filter panel, search for the event source you created. Microsoft Office 365 logs should flow into these log sets:
    • Cloud Service
    • Ingress Authentication
  3. Select the log sets and the logs within them.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 mins. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Ingress and admin activity will also begin collecting. The Office 365 logo will appear in the Cloud Services card on the InsightIDR dashboard.

To verify that ingress activity is available:

  1. On the InsightIDR home page, click the Cloud Service card and select Office 365.

Microsoft Active Directory Federation Services (ADFS) users

If you use Microsoft ADFS to log into Office 365, traffic navigates through international proxy servers first, which prevents InsightIDR from seeing the true source IP of the login, so ingress activity will not be available on the locations map.

To verify that admin activity is available:

  1. Go to Users & Accounts > Admin Accounts > Admin Activity.
  2. Click Office 365 Admin Activity. The following activities will be available:
    • Add user
    • Edit user
    • Delete user
    • Update group
    • Reset user password
    • Change user password
    • GroupAdded
    • GroupRemoved
    • SitePermissionsModified
    • SiteCollectionAdminAdded

This activity is also available on the user details page for the Office 365 admin. For more information on Admin accounts and activity, explore the Admin Accounts documentation.

Troubleshooting

Turn on popups

Some of the above steps require a second window or tab to load during the process. If you do not turn on popup support, you cannot complete the authentication process.

Login error page

If you are logged in with a Microsoft account that does not have permission to turn audit logging on and off, you will be presented with an error page. Verify your Microsoft permissions to ensure that you have the level of access required to complete the setup.

Debugging tips

If you need to debug Office 365, you can do so in the Azure Admin console.

To review the state of the Office 365 connection in the Azure Admin Console:

  1. In the Azure Dashboard, select Enterprise Applications in the left menu.
  2. Select or Search for the InsightIDR Connector.
  3. Click InsightIDR Connection to open the application page.
  4. On the application page, select Permissions in the left menu. From here you can check audit logs and confirm that it has the appropriate permissions.