Microsoft Office 365
When connected with InsightIDR, Microsoft Office 365 data provides information about user services and locations. For detailed information about the specific data collected, you can read Microsoft's documentation here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#PickTab=Activities.
'Unspecified' Ingress Authentications
Events sent by Microsoft Office 365 appear on the Ingress Locations map as “Unspecified.” The unspecified label is applied when an event source doesn’t provide InsightIDR with enough information to determine whether an authentication attempt was a success or failure.
Before You Begin
In order to set up the Microsoft Office 365 event source, you'll need to do the following:
- Configure the collector so that it can reach https://manage.office.com, which is required to connect to the Office 365 cloud.
- Make sure you have a Microsoft Office Global Administrator account for the one-time setup.
- Optional: Enable audit logging in the Office 365 Security & Compliance Center. For instructions on how to do this, see Microsoft's documentation: https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off
- Enabling audit logging will allow InsightIDR to collect audit logs, but it is not required to set up this event source.
You can only configure a single Office 365 event source per Microsoft 365 tenant ID. However, you can configure multiple event sources of this type, one for each tenant.
How to Configure This Event Source
To configure Microsoft 365 and InsightIDR:
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Optionally choose to send unfiltered logs.
- Click the "Begin" button to start the OAuth authorization process.
- A new window or tab will open for you to perform an authorization grant with Microsoft.
- Log in to Microsoft and click Allow.
Make sure to enable popups in order to authenticate Office 365.
- Log in with your global admin credentials.
- Press Accept on the consent screen to grant InsightIDR the required permissions. A success message will appear.
- Close this tab and return to InsightIDR. It may take a minute or two for the connection to register. During this time, you will see a waiting screen.
- When the connection is registered, a green check will appear. Click Save to finish setting up the Office 365 event source.
Once the registration is complete, you will see the Office 365 logo in the bottom-left Cloud Services panel of the InsightIDR dashboard.
- On your homepage, click on the Cloud Service card and select Office 365. Ingress activity will appear.
- To view Microsoft Admin activity, go to Users & Accounts > Admin Accounts > Admin Activity and select Office 365 Admin Activity. You will see information and activity such as the following:
- Add user
- Edit user
- Delete user
- Update group
- Reset user password
- Change user password
You can also see this activity on the User Details page of the Office 365 Admin.
Read more about Admin Accounts and activity.
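The "Unspecified" label described above and the admin activity list are both driven by the content of individual Office 365 audit records. The following added example (not InsightIDR's or Microsoft's code) shows the two decisions in working form: a logon record is mapped to success, failure or unspecified only from its ResultStatus field, with anything missing or unrecognised falling into the unspecified bucket, and admin operations are picked out by their Operation name. The field names follow the Office 365 Management Activity API common schema (Operation, ResultStatus, UserId, ObjectId, ClientIP), but every record below is constructed, the ResultStatus spellings accepted as success or failure are an assumption, and the mapping from Operation names to the page's activity labels is assumed for illustration.

```python
"""Classify constructed Office 365 audit records as success / failure /
unspecified, and pick out admin-account operations.

Added example; not InsightIDR's or Microsoft's code. Field names follow
the Office 365 Management Activity API common schema, but all records
below are constructed, not captured from a tenant.
"""
import json
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# The three buckets an authentication can land in on the ingress map.
SUCCESS = "success"
FAILURE = "failure"
UNSPECIFIED = "unspecified"

# Assumption: these spellings cover the logon records we expect. Any other
# value (or a missing field) deliberately falls through to UNSPECIFIED
# instead of being guessed as a success or a failure.
_SUCCESS_STATUSES = {"succeeded", "success"}
_FAILURE_STATUSES = {"failed", "failure"}

# Assumed mapping from audit Operation names to the activity labels the
# page lists (Add/Edit/Delete user, Update group, Reset/Change password).
ADMIN_OPERATIONS = {
    "Add user.": "Add user",
    "Update user.": "Edit user",
    "Delete user.": "Delete user",
    "Update group.": "Update group",
    "Reset user password.": "Reset user password",
    "Change user password.": "Change user password",
}

# Constructed sample records; IPs are from documentation ranges.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-01-15T08:01:12", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-01-15T08:02:40", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    # No ResultStatus at all: the source gives no outcome to map.
    {"CreationTime": "2024-01-15T08:03:05", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.44"},
    # Unrecognised spelling: must not be silently treated as a success.
    {"CreationTime": "2024-01-15T08:04:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "dave@example.com",
     "ClientIP": "192.0.2.45", "ResultStatus": "PartialSuccess"},
    {"CreationTime": "2024-01-15T09:10:00", "Operation": "Reset user password.",
     "Workload": "AzureActiveDirectory", "UserId": "admin@example.com",
     "ObjectId": "bob@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-01-15T09:12:30", "Operation": "Add user.",
     "Workload": "AzureActiveDirectory", "UserId": "admin@example.com",
     "ObjectId": "erin@example.com", "ClientIP": "203.0.113.10"},
    # Not a logon and not an admin operation: ignored by both checks.
    {"CreationTime": "2024-01-15T09:15:00", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10"},
]


def classify_logon(record: dict) -> Optional[str]:
    """Return success/failure/unspecified for a logon record, None otherwise."""
    if record.get("Operation") != "UserLoggedIn":
        return None
    status = str(record.get("ResultStatus", "")).strip().lower()
    if status in _SUCCESS_STATUSES:
        return SUCCESS
    if status in _FAILURE_STATUSES:
        return FAILURE
    return UNSPECIFIED


def summarize_ingress(records: Iterable[dict]) -> dict:
    """Count logon outcomes: the split the ingress locations map would show."""
    counts: Counter = Counter()
    for rec in records:
        outcome = classify_logon(rec)
        if outcome is not None:
            counts[outcome] += 1
    return dict(counts)


def admin_activity(records: Iterable[dict]) -> List[Tuple[str, str, str, str]]:
    """Pick out admin operations as (time, actor, activity, target) tuples."""
    rows = []
    for rec in records:
        label = ADMIN_OPERATIONS.get(rec.get("Operation", ""))
        if label:
            rows.append((rec["CreationTime"], rec["UserId"], label,
                         rec.get("ObjectId", "")))
    return rows


if __name__ == "__main__":
    print(json.dumps(summarize_ingress(SAMPLE_RECORDS), indent=2))
    for row in admin_activity(SAMPLE_RECORDS):
        print(row)
```

Run as-is, the script reports one success, one failure and two unspecified logons, and lists the password reset and the user creation as admin activity. The point of the fall-through is that a record with a missing or unexpected ResultStatus is never counted as a successful authentication; it is surfaced as unspecified so an analyst can decide what it means.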
You Will Not See Ingress Activity if Using ADFS
If you use Microsoft ADFS to log into Office 365, the login traffic passes through international proxy servers, such as Akamai, which prevents InsightIDR from seeing the true source IP of the login. Therefore, ingress activity for Office 365 will not be available on the locations map.
Some of the above steps require a second window or tab to load during the process. If you do not enable popups, you will not be able to complete the authentication process.
Login Error Page
If you are logged in with a Microsoft account without admin credentials during setup, you will be presented with the following error page:
However, if you have access to an admin account, select the link that says “Have an admin account? Sign in with that account.” Select the option to "Use Another Account" and continue the sign-in process.
If you need to debug O365, you can do so in the Azure Admin console.
To review the state of the O365 connection in the Azure Admin Console:
- From the Azure Dashboard, go to Enterprise Applications on the left menu.
- Select or search for the “InsightIDR Connector.”
- Click InsightIDR Connection to open the application page.
- From the application page, select Permissions on the left menu. From here you can check audit logs and confirm that it has the appropriate permissions.