Microsoft Office 365

When connected with InsightIDR, Microsoft Office 365 data provides information about user services and locations. You can configure your chosen event source, Microsoft Office 365, GCC or GCC High to send Ingress activity and Microsoft Admin activity to InsightIDR. For detailed information about the specific data collected, you can read Microsoft's documentation here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#PickTab=Activities.

Before You Begin

In order to set up the Microsoft Office 365 event source, you'll need to do the following:

  • Configure the collector to reach these URLs in order to connect to the Office365 Cloud.
Event SourceURLs
Microsoft Office 365https://manage.office.com
GCChttps://manage-gcc.office.com
https://login.microsoftonline.com
GCC Highhttps://manage.office365.us
https://login.microsoftonline.us

You can only configure a single Office 365 event source per Microsoft 365 tenant ID

However, you can configure multiple event sources of this type.

Configure Microsoft Office 365

Microsoft Office 365 offers a line of subscription services. You can configure Microsoft Office 365 to send logs to InsightIDR. To configure the Microsoft Office365 Event source, follow the tasks below;

Task 1: Configure Microsoft Office 365 in InsightIDR
  1. In InsightIDR, select Data Collection from the left menu.
  2. Click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Cloud Services icon. The Add Event Source panel appears.
  4. Select your collector and Office 365 from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your LDAP account attribution preference.
  8. Click Begin to set up OAUTH and start the authorization process.
  9. A new window or tab will open for you to perform an authorization grant with Microsoft.
Task 2: Grant InsightIDR authorization in Microsoft
  1. Log in to Microsoft and click Allow.
  2. Optionally provide a regex to filter out unwanted data.
  3. Click Save.

Make sure to enable popups in order to authenticate Office 365.

  1. Log in with your global admin credentials.
  2. Press Accept on the consent screen to grant InsightIDR the required permissions. A success message will appear. When it does, close this tab.
Task 3: Verify configuration in InsightIDR
  1. Return to InsightIDR. It may take a minute or two for the connection to register. During this time, you will see a waiting screen.

  2. When the connection is registered, a green check will appear. Click Save to finish setting up the Office 365 event source. Once the registration is complete, you will see the Office 365 logo in the bottom-left Cloud Services panel of the InsightIDR dashboard.

  3. On your homepage, click on the Cloud Service card and select Office 365. Ingress activity will appear.

  4. To view Microsoft Admin activity, go to Users & Accounts > Admin Accounts > Admin Activity and select Office 365 Admin Activity. You will see information on these types of activites:

    • Add user
    • Edit user
    • Delete user
    • Update group
    • Reset user password
    • Change user password
    • GroupAdded
    • GroupRemoved
    • SitePermissionsModified
    • SiteCollectionAdminAdded

You can also see this activity on the User Details page of the Office 365 Admin. Read more about Admin Accounts and activity.

You will not see Ingress Activity if using ADFS

If you use Microsoft ADFS to log into Office 365, this unfortunately jumps through international proxy servers, such as Akamai, which prevents InsightIDR from seeing the true source IP of the login. Therefore, ingress activity for Office 365 will not be available on the locations map.

GCC & GCC High

GCC and GCC High are Office 365 services offered by Microsoft that satisfy the requirements of United States Government entities. You can configure GCC and GCC High to send logs to InsightIDR. To configure the GCC & GCC High Event source, follow the tasks below;

Task 1: Create an Azure application to access the Microsoft management API

To configure this event source, you must create an application in Microsoft Azure. More specific instructions explaining the process can be found in the Microsoft documentation, here: https://docs.microsoft.com/en-us/office/office-365-management-api/get-started-with-office-365-management-apis

  1. In the Azure portal, navigate to Azure active directory. Click App registration.
  2. Select New Registration. Enter a name for your app for example, InsightIDR connector. Select Register leaving the other values as defaulted
  3. In the new app, select Certificates and Secrets, then New client secret.
  4. Enter a description and appropriate expiry date.

When the secret expires, you are required to reconfigure the event source. The latest expiry date is 24 months following its creation.

  1. Once the key is created, take note of the Value immediately. The Value expires within a time limit and can only be viewed once upon creation, so take note of it in a secure environment.
  2. Navigate to API permissions and select Add a permission.
  3. In the Microsoft API’s section, select Office 365 Management APIs.
  4. Select Application permissions. Then select ActivityFeed.Read. This will allow InsightIDR to read the Office 365 logs.
  5. Select Grant admin consent for Komand, then Yes. This check-box is only available for admin accounts.

After creating the application, make note of the following details from the App Registration Overview. You will need them to complete task 2.

  • Client ID: The Application (client) ID found in the App Registration overview.
  • Client Secret: The secret created in the app registration.
  • Tenant ID: The Directory (tenant) ID found in the App Registration overview.
Task 2: Configure Microsoft Office GCC/GCC high as an Event Source in InsightIDR
  1. In InsightIDR, select Data Collection from the left menu.
  2. On the Data Collection Management page, expand the Setup Event Source dropdown menu and click Add Event Source.
  3. On the Add Event Source page, go to the Security Data section, and click Cloud Service.
  4. Select Microsoft Office 365 GCC/GCC High as Event Source Type.
  5. Select your collector from the dropdown list.
  6. Name this event source configuration.
  7. Expand the Credential dropdown, and select Create new.
  8. Name your credential.
  9. Paste the Client ID, Secret and tenant ID in their respective fields.
  10. Click Save.

Troubleshooting

Enable Popups

Some of the above steps require a second window or tab to load during the process. If you do not enable popups, you will not be able to complete the authentication process.

Login Error Page

If you are logged in with a Microsoft account without admin credentials during setup, you will be presented with an error page.

However, if you have access to an admin account, select the link that says “Have an admin account? Sign in with that account.” Select the option to Use Another Account and continue the sign in process.

Debugging Tips

If you need to debug Office 365, you can do so in the Azure Admin console.

To review the state of the Office 365 connection in the Azure Admin Console:

  1. In the Azure Dashboard, select Enterprise Applications in the left menu.
  2. Select or Search for the InsightIDR Connector.
  3. Click InsightIDR Connection to open the application page.
  4. On the application page, select Permissions in the left menu. From here you can check audit logs and confirm that it has the appropriate permissions.