Integrate a Microsoft Office 365 Cloud Device

Configure a Microsoft Office 365 cloud device.

The following table shows device-specific integration characteristics:

Characteristic        | Description
----------------------|------------------------------------------------
Method of push        | All IOCs are pushed to the device.
IOC types supported   | Domains and email addresses.
IOC group limitation  | All IOC types can be pushed in the same group.
Device IOC limit      | The device is limited to 1,000 IOCs.

Device-specific integration characteristics table

To integrate the device and receive IOCs, perform these steps (described in the following sections):

  1. Configure an application in Azure Active Directory.
  2. Create an anti-spam policy in Microsoft 365 Defender.
  3. Add the device to Threat Command.
  4. Configure an IOC group whose IOCs will be pushed to the device.

Configure an application in Azure Active Directory

The application enables pushing IOCs from TIP to a Microsoft Office 365 Defender anti-spam policy.

Prerequisites:

  • Access to the company Azure Active Directory. Any user can do this process, but a Privileged Administrator will need to give approval for adding permissions.
  • Access to a Windows physical or virtual machine.

To configure an application:

  1. From the Azure Portal, open Azure Active Directory.
  2. Register a new application:
    1. From Azure Active Directory, click App registrations then click New registration.
    2. Enter a user-defined name for the app.
      Leave the rest of the fields at default.
    3. Click Register.
      The new application details are displayed.
    4. Copy the Application (client) ID for later use.
  3. Set permissions for the new application:
    1. From the application details screen, click API permissions.
      In the Configured permissions section, permissions have been granted for Microsoft Graph only.
    2. Click Add a permission.
      The Request API permissions section is displayed in the right-panel.
    3. Select APIs my organization uses.
    4. In the search field, enter office 365, then select Office 365 Exchange Online.
    5. Choose Application permissions.
    6. In the Select permissions section, expand the Exchange option and select Exchange.ManageAsApp.
    7. Click Add permissions.
      Office 365 Exchange Online has been added to the Configured permissions section; the selected permission can now be granted.
    8. Approve the user to add the permissions by clicking Grant admin consent for <organization> and then confirm the consent.
      If this option is not displayed, you will need to ask an Admin user to grant consent. For more information, contact the Azure AD administrator.
  4. From a Windows machine, create and export CER and PFX certificates. Sample script to create the certificates (replace the placeholder values with your own):
    # Placeholder values: the PFX password, the Azure AD organization name,
    # and the Application (client) ID copied earlier (the ID is not used by
    # the commands below; it is entered in Threat Command later).
    $PfxPassword = 'yourpassword'
    $Organization = 'your.organization.com'
    $AppId = 'your-app-id-string'

    # Create a self-signed certificate in the current user's store, valid for three years
    $mycert = New-SelfSignedCertificate -DnsName $Organization -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(3) -KeySpec KeyExchange

    # Export the public certificate (CER); this is uploaded to the Azure application
    $mycert | Export-Certificate -FilePath certificate_file.cer

    # Export the certificate with its private key (PFX); this is uploaded to Threat Command
    $mycert | Export-PfxCertificate -Password $(ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force) -FilePath 'ExoCertificateFile.pfx'
  5. Upload the CER certificate:
    1. From the application details screen, click Certificates & secrets.
    2. Click Upload certificate.
    3. Upload the CER certificate.
      The certificate is displayed in the Certificates section. (The PFX certificate and password are used later in the process.)
  6. Assign a role to the new application:
    1. From Azure Active Directory, click Roles and administrators.
      The Assignments screen is displayed.
    2. Search for the Exchange Administrator, then click it.
    3. Click Add assignments.
      Apps that can be assigned are displayed in the right panel.
    4. Search for the user-defined name of the new application.
    5. Select the new application and click Add.
      The application is configured.

Create an anti-spam policy in Microsoft 365 Defender

Prerequisites:

  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • You have the Microsoft 365 Defender username and password.

Before you can integrate an Office 365 device with Threat Command, you need to create an anti-spam policy. This policy is where IOCs are displayed after the integration is running.

To create an anti-spam policy in Microsoft 365 Defender:

  1. From Microsoft 365 Defender, choose Policies & rules > Threat Policies > Anti-spam policies.
  2. Create a new Inbound policy.
    The name that you enter will be the name that you use in Threat Command. In our example, we used the name "Intsights."
  3. Configure users, groups, and domains, as well as the spam thresholds, actions, and other settings, according to your company policy.
    The new anti-spam policy is displayed.

Add an Office 365 cloud device to Threat Command

Create an Office 365 cloud device in Threat Command.

To add an Office 365 device:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. For the Device type, select Office 365.
    The default device limit is displayed.
  7. (Optional) Change the IOCs limit.
  8. Enter details about the Azure Directory app:
    1. Type the PFX certificate file password.
    2. Type the Application (client) ID.
    3. Type the AD organization name.
    4. In Spam Filter Identity, type the name of the anti-spam policy created in the previous procedure.
  9. Upload the PFX certificate file.
  10. (Recommended) Click Test Credentials to verify that the credentials are valid. If they are not valid, a message is displayed.
  11. Click Add.
  12. (Optional) To verify that the new device is displayed in Threat Command, select Automation > Integrations.
    If this window is already open, refresh it by selecting Automation > Integrations from the menu.

The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure an IOC group to push IOCs to the device

Once the Office 365 device has been added and is synchronizing with Threat Command, it is ready to receive IOCs pushed from Threat Command. IOCs are pushed by creating an IOC group for this device in Threat Command.

Creating IOC groups is described briefly at Create IOC Groups.

Viewing IOCs via Office 365

You can see pushed IOCs in Microsoft 365 Defender.

To view IOCs:

  1. From Microsoft 365 Defender, choose Policies & rules > Threat Policies > Anti-spam policies.
  2. Select the anti-spam policy created for Threat Command IOCs.
    The pushed IOCs are shown in the Blocked senders and Blocked domains sections.
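The following PowerShell check is added here and is not part of the original page or of Threat Command. It exercises the certificate-based application access configured above (the same path that Test Credentials relies on) and lists, from the command line, the Blocked senders and Blocked domains entries that the Defender portal shows. It assumes the ExchangeOnlineManagement module is installed and that the application ID, organization name, PFX path and policy name are the placeholder values shown.

```powershell
# Added example (not from the original page): verify app-only certificate
# authentication to Exchange Online and list the IOCs in the anti-spam policy.
# Requires the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement
# All values below are placeholders; use the values created in the procedures above.
$AppId        = 'your-app-id-string'        # Application (client) ID from the app registration
$Organization = 'your.organization.com'     # Azure AD organization name
$PfxPath      = '.\ExoCertificateFile.pfx'  # PFX exported by the certificate script
$PolicyName   = 'Intsights'                 # Name entered in Spam Filter Identity
$DeviceLimit  = 1000                        # Device IOC limit from the characteristics table

# Prompt for the PFX password instead of embedding it in the script
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# App-only sign-in: this succeeds only if the CER was uploaded to the app,
# Exchange.ManageAsApp was consented, and the Exchange Administrator role was assigned
Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
    -CertificateFilePath $PfxPath -CertificatePassword $PfxPassword -ShowBanner:$false

try {
    $policy  = Get-HostedContentFilterPolicy -Identity $PolicyName
    $senders = @($policy.BlockedSenders)        # pushed email-address IOCs
    $domains = @($policy.BlockedSenderDomains)  # pushed domain IOCs
    $total   = $senders.Count + $domains.Count

    Write-Host ("Policy '{0}': {1} blocked senders, {2} blocked domains ({3} of {4} device limit)" -f `
        $PolicyName, $senders.Count, $domains.Count, $total, $DeviceLimit)

    # Warn when the policy is close to the 1,000 IOC limit, since later pushes would be dropped
    if ($total -ge ($DeviceLimit * 0.9)) {
        Write-Warning "Policy holds $total entries; approaching the $DeviceLimit IOC device limit."
    }

    # Show a sample of each IOC type
    $senders | Select-Object -First 10
    $domains | Select-Object -First 10
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Because the application holds the Exchange Administrator role, the PFX file together with its password is equivalent to administrator credentials for Exchange Online and should be stored and handled as such.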