Versions Compared

Version Old Version 4 New Version Current
Changes made by

Virginia Camuñas Núñez

Virginia Camuñas Núñez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Purpose

An analyst wants to detect malicious behavior in Microsoft 365 related tools.  Using the Microsoft 365 API collector to send activity logs to Devo, the analyst will find unauthorized accesses to organization resources.  As a result, the analyst will detect and neutralize intruders access attempts, preventing them from disrupting private network services.

Prerequisites

  • Office 365 subscription

  • Azure subscription associated with your Office 365 subscription.

Data sources

Data source

Security Purpose

API endpoint

Collector service name

Example Tables

Devo table

Active Directory

Audit.AzureActiveDirectory

azure_active_directory

Description

cloud.office365.management.azure_active_directory

Sharepoint

Audit.Sharepoint

sharepoint

This table collects logs generated by the Microsoft Entra ID services.

cloud.office365.management.sharepoint

and cloud.office365.management.onedrive

Exchange

Audit.Exchange

exchange

This table collects logs generated by the Sharepoint tool.

cloud.office365.management.

exchange

General Audit

Audit.General

general_audit

cloud.office365.management.*

DLP

DLP.All

dlp

Any table listed above

URI Retry

Note

This service is mandatory for retrying any URI that failed from any service.

-

uri_retry

Any service above.

Example Tables

onedrive

This table collects logs generated by the OneDrive service.

cloud.office365.management.

aip

  • cloud.office365.management.airinvestigation

  • cloud.office365.management.azureactivedirectory

  • cloud.office365.management.cca

  • cloud.office365.management.compliance

  • cloud.office365.management.compliancemanager

  • cloud.office365.management.corereporting

  • cloud.office365.management.crm

  • cloud.office365.management.dlpsensitiveinformationtype

  • cloud.office365.management.endpoint

  • cloud.office365.management.exchange

    • cloud.office365.management.mcas

    exchange

    This table collects logs generated by the Exchange email service.

    cloud.office365.management.

    microsoftflow

  • cloud.office365.management.microsoftforms

  • cloud.office365.management.microsoftstream

  • cloud.office365.management.microsoftteams

  • cloud.office365.management.mip

  • cloud.office365.management.myanalytics

    • cloud.office365.management.officeapps

    • cloud.office365.management.onedrive

    • cloud.office365.management.onedriveforbusiness

    • cloud.office365.management.powerapps

    • cloud.office365.management.powerbi

    • cloud.office365.management.powerplatformadmin

    • cloud.office365.management.project

    • cloud.office365.management.publicendpoint

    • cloud.office365.management.quarantine

    • cloud.office365.management.rdl

    • cloud.office365.management.securitycompliancecenter

    • cloud.office365.management.sharepoint

    • cloud.office365.management.skypeforbusiness

    • cloud.office365.management.threatintelligence

    • cloud.office365.management.workplaceanalytics

    • cloud.office365.management.yammer

    • cloud.office365.oldmanagement

    *

    This union table allows perform general auditing over the tables whose 3 first levels fit with this one. Check the list of tables

    Authorize It

    Register your application in Microsoft Entra ID

    1. Register Devo application in Microsoft Entra ID from the Azure portal:

      1. Access Microsoft Entra ID(1) > App registration(2) > New registration(3). SCREENSHOT

        10_Microsoft 365 Management API Collector.pngImage Added

      2. On the Register an application page:

        1. Assign a name for the application. Ex: devo_integration

        2. Define application use and API access

        3. Redirect URI field can be left blank.

      3. Click “Register” button.

    Note

    Make note of the Client ID and Tenant ID generated during this registration process.

    SCREENSHOT

    Configure application properties in Microsoft Entra ID

    1. Configure the application properties in Microsoft Entra ID by defining:

      1. Client ID, generated during registration.

      2. Multi-tenant application (Tenant ID): Select YES to allow tenant admins to grant consent to your app to access their data.

      3. Reply URL: Define the URL for the tenant admins to be redirected after granting consent to the application, Azure will select the first URL defined (if multiple) to match the sign-on.

      4. Click “Save” button

    20_Microsoft 365 Management API Collector.pngImage Added

    Generate a new key for the application

    1. To exchange an authorization code for an access tokens you need to generate keys (client_secrets):

      1. Access Azure portal Microsoft Entra ID > App registrations > Application

      2. Upload certificates(1) and create a new key(2) by accessing Certificates & secrets(3)> New client secret(4)specifying the key description and duration(5).

      3. Click “Add” button(6).

    2. Go to Client secrets(7-8) to copy the client secret value to the clipboard(9).

    Microsoft 365 - Generate a new key.pngImage Removed

    Configure X.509 certificate to enable service-to-service calls

    Configure an X.509 certificate to be used as client credentials when requesting app-only access tokens from Microsoft Entra ID:

  • Use a self-signed certificate or certificated issued publicly trusted certifcate authority.

    • Modify your application manifest to include the thumbprint and public key of your certificate (export the public key to a base64-enconded file and update the manifest App registrations > All applications > Manifest)30_Microsoft 365 Management API Collector.pngImage Added

    Specify the permissions required to access the Office 365 Management APIs

    1. From Azure portal, go to App registrations>All applications select the application and the API permissions>Add a permission to display the Request API permission.

    2. On the Microsoft APIs tab, select Office 365 Management APIs.

    3. Select the Application permissions type.

    4. Enable permissions:

      1. Read activity data from your organization.

      2. Read service health information from your organization.

      3. Read DLP policy events including detected sensitive data (only if pulling DLP.All from Management Activity).

    5. Select

    Grant admin consent for “tenant name“.

    1. Add permissions.

    40_Microsoft 365 Management API Collector.pngImage Added

    Get Office 365 tenant admin consent

    1. The tenant admin must sign in to Microsoft Entra ID by using the following specially constructed URL, to review the application's requested permissions. This step is not required when using the APIs to access data from your own tenant.

      HTTP

      Code Block
      https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fmanage.office.com&client_id={your_client_id}&redirect_uri={your_redirect_url }

    2. The redirect URL must match or be a sub-path under one of the Reply URLs configured for your application in Microsoft Entra ID.

    3. Accept and use the authorization code from the page to access and store the Tenant ID.

    Code Block
    http://www.mycompany.com/myapp/?code=AAABAAAAvPM1KaPlrEqdFSB...

    Request access tokens from Microsoft Entra ID

    1. After admin grants consent, the application receives an authorization code as a query string parameter and redirects to the designated URL.

    2. The application will make an HTTP REST POST to Entra ID to exchange the authorization code for an access token.

    3. The access token return a JWT token. Extract the tenant ID “tid“ fromt the token an store to be used ro request additional access tokens.

    Request an access token by using client credentials

    1. Now, you can make service-to-service calls which require using an X.509 certificate to create client assertion in the form of a base64-encoded, SHA256 signed JWT bearer token (See JSON example).

    Code Block
    HEADER:

{
  "alg": "RS256",
  "x5t": "{thumbprint of your X.509 certificate used to sign the token",
}

PAYLOAD:

{
  "aud": "https://login.windows.net/{tenantid}/oauth2/token",
  "iss": "{your app client ID}",
  "sub": "{your app client ID}",
  "jti": "{random GUID}",
  "nbf": "{epoch time, before which the token is not valid}",
  "exp": "{epoch time, after which the token is not valid}"
}

    Run It

    In the Cloud Collector App, create a Microsoft 365 collector instance using this parameters template, replacing the values enclosed in < >.

    Code Block
      {
  "inputs": {
    "office365": {
      "id": "<short_unique_id",
      "enabled": true,
      "credentials": {
        "client_id": "<client_id_value>",
        "tenant_id": "<tenant_id_value>",
        "client_secret": "<secret_value>"
      },
    "services": {
      "azure_active_directory": {
          "start_time_in_utc": "<start_time_in_utc_value>",
          "override_tag": "<override_tag_value>",
          "override_bloom_filter_size": "<override_bloom_filter_size_value>",
          "override_bloom_filter_buffer_size": "<override_bloom_filter_buffer_size_value>"
        },
    }
   } 
  }
 }  
}

    Secure It

    Microsoft 365 logs work with these Exchange Activeboards:

    Devo provides compatible Alert packs:

    Monitor It

    Create an inactivity each alert to detect interruptions of transfer of data from the source to the Microsoft 365 Management API using the query

    Code Block
    from devo.collectors.out 
where isnotnull toktains(msg,"collector failed Connection closed by server."), 
toktains(collector_name)
whereimage,"office365") 
group every 5m by collector_name != "", job_id 
select count() as messages_unsuccessfully_processed

    Set the inactivity each alert to keep track of the collector_namew for more than 30 messages_unsuccessfully_processed ever 5n minutes.