Purpose

An analyst wants to detect malicious information sharing in Microsoft 365 office applications.  Using the Microsoft 365 API, the analyst will find data exfiltration.  As a result, the analyst will deactivate harmful users, preventing them from sharing more sensitive data.

You may also need:

• Microsoft 365 Exchange Reports: obtain usage reports of Microsoft 365 services and tools.

• Microsoft 365 Exchange Online: monitor 365 users' emails.

Prerequisites

• Office 365 subscription

• Azure subscription associated with your Office 365 subscription

• Azure Tenant Admin access

Example Tables

Authorize It

Register your application in Microsoft Entra ID

1. Register Devo application in Microsoft Entra ID from the Azure portal:

   1. Access Microsoft Entra ID > App registration > New registration.

      

   2. On the Register an application page:

      1. Assign a name for the application. Ex: devo_integration

      2. Define application use and API access

      3. Redirect URI field can be left blank.

   3. Click “Register” button.

Generate a new secret

2. To exchange an authorization code for an access tokens you need to generate keys (client_secrets):

   1. Access Azure portal Microsoft Entra ID > App registrations > Application

   2. Select Certificates & secrets > New client secret specifying the key description and expiration.

3. Click Add.

4. Go to Client secrets to copy the client secret value to the clipboard.

Specify the permissions required to access the Office 365 Management APIs

5. From Azure portal, go to App registrations > All applications select the application and the API permissions > Add a permission to display the Request API permission.

6. On the Microsoft APIs tab, select Office 365 Management APIs.

7. Select the Application permissions type.

8. Enable permissions:

   1. Read activity data from your organization.

   2. Read service health information from your organization.

   3. Read DLP policy events including detected sensitive data (only if pulling DLP.All from Management Activity).

9. Select Add permissions.

Get Office 365 tenant admin consent

10. The Tenant Admin will need to grant authorization and authentication permissions by using SAML (Security Assertion Markup Language) standard:

    1. Enable Devo as a service provider.

    2. Enable O365/Entra ID as an identity provider.

11. The Permissions status will change from “Not granted“ to “Granted“, once the previous authorization process has been completed by the tenant Admin.

Run It

In the Cloud Collector App, create a Microsoft 365 collector instance using this parameters template, replacing the values enclosed in < >. The unique ID should be a five digit number.

 {
  "inputs": {
    "office365": {
      "credentials": {
        "client_id": "<CLIENT_ID>",
        "client_secret": "<CLIENT_SECRET>",
        "tenant_id": "<TENANT_ID>"
      },
      "enabled": true,
      "id": "<UNIQUE ID>",
      "services": {
        "azure_active_directory": {}
        "general_audit": {},
        "exchange": {},
        "sharepoint": {},
        "dlp": {}
      }
    }
  }
}

Secure It

Microsoft 365 logs work with these Exchange Activeboards:

Devo provides compatible Alert packs:

Authentication

An analyst wants to identify who logged in to determine if any malicious users accessed the system.

from cloud.office365.management
where Operation = "UserLoggedIn" or Operation = "UserLoginFailed"
group by Operation, ActorIpAddress, UserId, split(hostchain,"-",1) as collector_id

Email Attachments

A machine has been infected with malware. An analyst wants to determine if the malware was spread using an email attachment. Using this query, the analyst will improve email filtering.

from cloud.office365.management.exchange
where eq(Operation,"AttachmentDownload")
group by UserId, jsonparse(message)["AttachmentName"]

Exchange Auditing Disabled

A malicious user has hidden their activity by disabling audit logging. An analyst wants to identify the malicious user.

from cloud.office365.management.exchange
where eq(Operation,"Remove-AuditConfigurationPolicy")

Insider Risk Policies

A user has been deactivated. The user did not trigger any data theft alerts. An analyst wants to check the history of insider risk policies to see if data theft was being monitored around the time of the deactivation.

from cloud.office365.management.securitycompliancecenter
where has(Operation,"InsiderRiskPolicy"), not has(Operation,"Get")

OneDrive Exfiltration

An analyst wants to determine which accounts are sharing strategic information. If information is being shared with an unauthorized recipient, the compromised UserId should be disabled.

from cloud.office365.management.onedrive
where Operation = "SharingSet"
select str(jsonparse(message)["ObjectId"]) as file
where weakhas(file,"strategic")
select str(jsonparse(message)["ClientIP"]) as ip,
str(jsonparse(message)["TargetUserOrGroupName"]) as recipient

Teams Exfiltration

It was revealed that a foreign tenant received confidential information. An analyst wants to find which Teams activity was available to foreign tenants in order to find out what other information was disclosed.

from cloud.office365.management.microsoftteams
select jqeval(jqcompile(".ParticipantInfo.HasForeignTenantUsers"),jsonparse(message)) as foreign
where isnotnull(foreign)

Sharepoint Data Destruction

A malicious user has destroyed data. An analyst wants to determine which data is lost so that service can be restored.

from cloud.office365.management.sharepoint
  where Operation = "FileVersionsAllDeleted"

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from popular Microsoft products to the Microsoft 365 Management API using the query

from cloud.office365.management 
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id
where eq(Workload,"Exchange") or eq(Workload,"AzureActiveDirectory") or eq(Workload,"MicrosoftTeams")

Set the inactivity alert to keep track of the collector_id and Workload.