Ingest Logs from Microsoft Office 365 - Administrator Guide - Cortex XDR - Cortex

Ingest Logs from Microsoft Office 365 - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2023-03-22

Last date published

2023-09-27

Note

Ingesting logs from Microsoft Office 365 requires a Cortex XDR Pro per GB license.
Ingesting Azure AD authentication and audit events from Microsoft Graph API requires a Microsoft Azure Premium 1 or Premium 2 license. Alternatively if the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any additional license requirement.

Cortex XDR can ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using the Office 365 data collector.

Microsoft Office 365 audit events from Management Activity API, which provides information about various user, administrator, system, and policy actions and events from Office 365, Azure AD and MDO activity logs.
Note
When auditing is turned off from the default setting, you need to first turn on auditing for your organization to collect Microsoft Office 365 audit events from the Management Activity API.
Microsoft Office 365 emails via Microsoft’s Graph API, which requires a compliance mailbox to ingest email.
- All message details except the body, bodyPreview, and subject.
- Attachment details include file name, file type, file hash, size, and id.
Prerequisite Step—Before you can collect Microsoft Office 365 emails, you need to setup a compliance email account, and then configure an Email Flow Rule. This rule ensures to Blind carbon copy (Bcc) every message sent to, from, and within the organization to a defined compliance mailbox. After the Office 365 data collector ingests the emails, they are deleted from the compliance mailbox to prevent email from building up over time (nothing touches the actual users’ mailboxes).
Note
- The Bcc field always returns an empty value from Microsoft’s Graph API.
- Junk emails from the compliance email account are collected. All other junk emails from the other monitored email accounts are not collected.
- Any draft emails written in the compliance email account are collected by the Office 365 data collector, and are then deleted even if the email was never sent.
Azure AD authentication and audit events from Microsoft Graph API.
When collecting Azure AD Authentication Logs, Cortex XDR also collects by default all sign-in event types from a beta version of Microsoft Graph API, which is still subject to change. In addition to classic interactive user sign-ins, selecting this option allows you to collect.
- Non-interactive user sign-ins.
- Service principal sign-ins.
- Managed Identities for Azure resource sign-ins.
Note
To address Azure reporting latency, there is a 10-minute latency period for Cortex XDR to receive Azure AD logs.

Microsoft 365 alerts from Microsoft Graph Security API are available for different products.

Microsoft Graph Security API v1—Alerts from the following products are available via the Microsoft Graph Security API v1:
- Microsoft Defender for Cloud, Azure Active Directory Identity Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft 365, Azure Information Protection, and Azure Sentinel.
Microsoft Graph Security API v2—Alerts (alerts_v2) from the following products are available via the Microsoft Graph Security API v2 beta version, which is still subject to change:
- Microsoft 365 Defender unified alerts API, which serves alerts from Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention (including any future new signals integrated into M365D).

To view alerts from the various products via the Microsoft Graph Security API versions, you need to ensure that you've set up the applicable licenses in Office 365. The table below lists the various licenses required for the different Microsoft Defender products. For more information on other Microsoft product licenses, see the Microsoft documentation.

Product	Standalone License	E3 License	E3 + Security Add-on License	E5 License	E5 Security License	E5 Compliance Lisence
Microsoft Defender for Endpoint Plan 1	✓	✓	✓	—	—	—
Microsoft Defender for Endpoint Plan 2	—	—	✓	✓	✓	—
Microsoft Defender for Identity	—	—	✓	✓	✓	—
Microsoft Defender for Office 365 Plan 1	✓	—	—	—	—	—
Microsoft Defender for Office 365 Plan 2	✓	—	✓	✓	✓	—
Microsoft Defender for Cloud Apps	—	—	✓	✓	✓	✓

Note

For more information, see the Office 365 Management Activity API schema.

To receive logs from Microsoft Office 365, you must first configure the Collection Integrations settings in Cortex XDR. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.

When Cortex XDR begins receiving logs, the app creates a new dataset for the different types of logs and data that you are collecting, which you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library. For all Microsoft Office 365 logs, Cortex XDR can also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from Office 365 logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

For the different types of data you can collect using the Office 365 data collector, the following table lists the different datasets, vendors, and products automatically configured, and whether the data is normalized.

Data Type	Dataset	Vendor	Product	Normalized Data
Microsoft Office 365 audit events from Management Activity API
Azure AD	`msft_o365_azure_ad_raw`	`msft`	`O365 Azure AD`	—
Exchange Online	`msft_o365_exchange_online_raw`	`msft`	`O365 Exchange Online`	Cortex XDR supports normalizing Exchange Online audit logs into stories, which are collected in a dataset called *`saas_audit_logs`**.
SharePoint Online	`msft_o365_sharepoint_online_raw`	`msft`	`O365 Sharepoint Online`	Cortex XDR supports normalizing SharePoint Online audit logs into stories, which are collected in a dataset called *`saas_audit_logs`**.
DLP	`msft_o365_dlp_raw`	`msft`	`O365 DLP`	—
General	`msft_o365_general_raw`	`msft`	`O365 General`	Cortex XDR supports normalizing General audit logs into stories, which are collected in a dataset called *`saas_audit_logs`**.
Microsoft Office 365 emails via Microsoft’s Graph API	`msft_o365_emails_raw`	`msft`	`o365_emails`	—
Azure AD authentication events from Microsoft Graph API	`msft_azure_ad_raw`	`msft`	`Azure AD`	When relevant, Cortex XDR normalizes Azure AD authentication logs and Azure AD Sign-in logs to authentication stories.
Azure AD audit events from Microsoft Graph API	`msft_azure_ad_audit_raw`	`msft`	`Azure AD Audit`	When relevant, Cortex XDR normalizes Azure AD audit logs to cloud audit logs stories.
Alerts from Microsoft Graph Security API v1 and v2	`msft_graph_security_alerts_raw`	`msft`	`Security Alerts`	—

*Note: For the saas_audit_logs dataset, the Vendor is saas and Product is Audit Logs.

To set up the Office 365 integration:

From the Microsoft Azure Console, create an app for Cortex XDR with the applicable API permissions for the logs and data you want to collect as detailed in the following table.

Log Type and Data	API/Permission Name
Microsoft Office 365 audit events from Management Activity API
-Azure AD	Office 365 Management APIs → ActivityFeed.Read
-Exchange Online	Office 365 Management APIs → ActivityFeed.Read
-Sharepoint Online	Office 365 Management APIs → ActivityFeed.Read
-DLP	Office 365 Management APIs → ActivityFeed.ReadDlp
-General	Office 365 Management APIs → ActivityFeed.Read
Microsoft Office 365 emails via Microsoft’s Graph API	Microsoft Graph → Mail.ReadWrite
Azure AD authentication and audit events from Microsoft Graph API	Microsoft Graph → AuditLog.Read.All Microsoft Graph → Directory.Read.All
Alerts from Microsoft Graph Security API v1 and v2	Microsoft Graph → SecurityAlert.Read.All Microsoft Graph → SecurityEvents.Read.All

For more information on Microsoft Azure, see the following instructions in the Microsoft documentation portal.

In Cortex XDR, select Settings → Configurations → Data Collection → Collection Integrations.
In the Office 365 configuration, click Add Instance to begin a new configuration.
Integrate the applicable Microsoft Azure service with Cortex XDR .
1. Specify the Tenant Domain of your Microsoft Azure AD tenant.
2. Obtain the Application Client ID and Secret for your Azure AD service from the Microsoft Azure Console and specify the values in Cortex XDR .
  These values enable Cortex XDR to authenticate with your Azure AD service.
3. Select the types of logs that you want to receive from Office 365.
  The following options are available.
  - Office 365 Management Activity API
    Azure AD—Includes subset of Azure AD audit events and Azure AD authentication events. There can be significant overlap between these and the Azure AD Authentication Logs originating from Microsoft Graph API.
    Note
    Use this option when you don’t want to grant permissions for Azure AD Authentication and Azure AD Audit.
    Exchange Online—Includes audit logs on Azure Exchange mailboxes and Exchange admin activities on the Office 365 Exchange.
    Sharepoint Online—Includes audit events on Sharepoint and OneDrive activities.
    DLP—Includes Microsoft 365 DLP events for Exchange, Sharepoint, and OneDrive.
    General—Includes audit logs for various Microsoft 365 applications, such as Power BI and Microsoft Forms.
  - Microsoft Graph API
    Azure AD Authentication Logs and Collect all sign-in event types—Azure AD Sign-in logs includes by default all sign-in event types from a beta version of Microsoft Graph API, which is still subject to change. In addition to classic interactive user sign-ins, selecting the Collect all sign-in event types allows you to collect.
    -Non-interactive user sign-ins.
    -Service principal sign-ins.
    -Managed Identities for Azure resource sign-ins.
    Azure AD Audit Logs—Azure AD Audit logs includes different categories, such as User Management, Group Management and Application Management.
    Alerts—When this checkbox is selected, alerts from the following products are collected via the Microsoft Graph Security API v1:
    Microsoft Defender for Cloud, Azure Active Directory Identity Protection, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft 365, Azure Information Protection, and Azure Sentinel.
    Use Microsoft Graph API v2—When this checkbox is also selected, alerts (alerts_v2) from the following products are only collected via the Microsoft Graph Security API v2 beta version, which is still subject to change:
    Microsoft 365 Defender unified alerts API, which serves alerts from Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Purview Data Loss Prevention (including any future new signals integrated into M365D).
    Emails—Includes the raw email events from Office 365. To collect Microsoft Office 365 emails with a compliance mailbox to ingest email, configure the following.
    -Audit Email Account—Specify the email address for the compliance mailbox.
    -Get Attachment Info from the ingested email.
4. Test the connection settings.
  To test the connection, you must select one or more log types. Cortex XDR then tests the connection settings for the selected log types.
5. If successful, Enable Office 365 log collection.