Ingest logs and data from Microsoft 365 - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-11-12
Category: Administrator Guide
Status: Retiring (newer documentation: /r/Cortex-XDR/Cortex-XDR-Documentation)
Abstract

The Microsoft 365 email collector fetches emails through Microsoft Graph API, using an authorized app. A compliance mailbox is not required.

Danger

  • A user account with the Microsoft Azure Account Administrator role is required to set up a new Microsoft 365 email collector.

  • The following Microsoft Graph API permissions are required:

    • Mailbox access (read-write)

      • Read and write mail in all mailboxes

      • Read contacts in all mailboxes

      • Read all user mailbox settings

    • User information, groups, and directory data (read-only)

      • Read directory data

      • Read all groups

      • Read all users' full profiles
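Because the collector's app is granted read-write access to every mailbox, it is worth checking, at consent time and periodically, that the app registration holds exactly the permissions listed above and nothing broader. The following is an added example (not Cortex XDR or Microsoft code): the mapping from the display names above to Microsoft Graph application permission identifiers is this example's own assumption, and the grant listing it audits is a constructed, simplified sample whose field names are the example's own, not Graph API output.

```python
"""Audit the Graph application permissions granted to the email collector's
app registration against the set this page requires.

Added example, not Cortex XDR or Microsoft code. The display-name -> Graph
permission mapping is an assumption; SAMPLE_GRANTS is constructed."""

# Display name as listed on this page -> Graph application permission (assumed)
REQUIRED = {
    "Read and write mail in all mailboxes": "Mail.ReadWrite",
    "Read contacts in all mailboxes": "Contacts.Read",
    "Read all user mailbox settings": "MailboxSettings.Read",
    "Read directory data": "Directory.Read.All",
    "Read all groups": "Group.Read.All",
    "Read all users' full profiles": "User.Read.All",
}


def audit_grants(granted):
    """Compare granted Graph permissions with the required set.

    Returns (missing, excess). Missing grants stop the collector from working;
    excess grants widen the impact if the app's credential is ever exposed."""
    required = set(REQUIRED.values())
    granted = set(granted)
    return sorted(required - granted), sorted(granted - required)


# Constructed sample listing of what an app has been granted (field names are
# this example's own, not the Graph appRoleAssignments schema).
SAMPLE_GRANTS = [
    {"resource": "Microsoft Graph", "permission": "Mail.ReadWrite"},
    {"resource": "Microsoft Graph", "permission": "Contacts.Read"},
    {"resource": "Microsoft Graph", "permission": "MailboxSettings.Read"},
    {"resource": "Microsoft Graph", "permission": "Directory.Read.All"},
    {"resource": "Microsoft Graph", "permission": "Group.Read.All"},
    {"resource": "Microsoft Graph", "permission": "Directory.ReadWrite.All"},  # broader than needed
    {"resource": "Office 365 Exchange Online", "permission": "full_access_as_app"},  # other API, ignored
]


def graph_permission_values(grants):
    """Keep only permissions granted on the Microsoft Graph resource."""
    return [g["permission"] for g in grants if g.get("resource") == "Microsoft Graph"]


if __name__ == "__main__":
    missing, excess = audit_grants(graph_permission_values(SAMPLE_GRANTS))
    print("missing:", missing)  # User.Read.All: collector cannot read user profiles
    print("excess:", excess)    # Directory.ReadWrite.All: page only needs read-only directory data
```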

The Microsoft 365 collector ingests emails and attachment metadata, including email subject and body. Attachment metadata includes data such as name, type, size, and hash. The actual attached files are not saved.

You can narrow down the scope of ingested mailboxes by:

  • Microsoft 365 Group

  • Distribution List

  • Mail-enabled Security Group

  • Mail-enabled Users

Datasets

The Microsoft 365 collector ingests data into the following datasets:

  • msft_o365_emails_raw

  • msft_o365_directory_raw

  • msft_o365_org_raw

  • msft_o365_apps_raw

  • msft_o365_users_raw

  • msft_o365_groups_raw

  • msft_o365_roles_raw

  • msft_o365_devices_raw

  • msft_o365_mailboxes_raw

  • msft_o365_rules_raw

Encryption

Cortex XDR stores email metadata as plain text and encrypts each email's subject and body. The email body is retained for 48 hours and then deleted. Analytical detectors analyze the raw and encrypted email data and, when necessary, create alerts. When an alert is created for a malicious email, the raw email, including its subject and body (decrypted), is attached to the alert as an artifact. Because subject and body are encrypted and the body is deleted after 48 hours, you cannot perform threat hunting based on email subject and body. Only email metadata, such as date, From, or To, is available for threat hunting purposes.

Configure ingestion into Cortex XDR
  1. On the Collection Integrations page, locate Microsoft 365, and select Add Instance to begin a new connection.

  2. In the wizard that opens, ensure that you have configured the items listed on the Permissions page, and then click Next.

  3. To confirm that you know that API authorization consent is required, click OK.

  4. Select the Microsoft account from which you want to collect email data.

  5. Click Next.

  6. Enter your password for the Microsoft account, and click Sign in.

  7. If you are asked to perform authentication using your organization's authentication tools, do so.

  8. For the list of permissions that Cortex Email Security requires, click Accept.

  9. On the Scope page, select one of the following:

    • Entire organization: Emails will be collected from all mailboxes in your organization.

    • Specific groups: Enter the email addresses of the groups or users to include, such as Microsoft 365 Groups, Mail-enabled Security Groups, Distribution Lists, or Mail-enabled Users.

  10. Click Next.

  11. On the Details page, enter a meaningful instance name, and click Next.

  12. On the Summary page, check your configurations, and then click Create.

After data starts to come in, a green check mark appears below the Microsoft 365 configuration, along with the amount of data received.