Login
      Contents x
      Integrate Microsoft Office 365 with Red Canary
      • 23 Jul 2024
      • 2 Minutes to read
      • PDF
      Contents

      Integrate Microsoft Office 365 with Red Canary

      • Updated on 23 Jul 2024
      • 2 Minutes to read
      • PDF
      Article summary

      Red Canary monitors your Office 365 environment by integrating with the Office 365 Management API, which sources data from the Microsoft Unified Audit Log. The Unified Audit Log (UAL) is an aggregation of audited activities that occur within your Microsoft 365 environment. By connecting your Unified Audit Log to Red Canary as an external service, Red Canary will have the enhanced ability to analyze and detect threats related to email events, user sign-ins, and more, supplementing the investigation of your Microsoft email- and identity-based alerts. Supporting artifacts from the Unified Audit Log will appear alongside endpoint activity in your threat timeline where applicable.

      Note: This setup only needs to be completed once and will not include historical data.

      Step 1: Turn on auditing for your organization

      Make sure audit logging is turned on for your organization by following the steps in Turn auditing on or off.

      Note: We recommend that you have the following operations turned on in your mailbox audit log section in Office 365 in addition to the operations enabled by default.

      • Move

      • SearchQueryInitiated

      For more information, see Manage mailbox auditing.

      Step 2: Give Red Canary Office 365 permissions

      Red Canary needs permission from a global administrator to ingest audit logs from your Microsoft 365 account.

      1. Navigate to this URL, and then log in to your global administrator account.

      2. Approve the permissions requested by Red Canary + Office365.

      Step 3: Connect Red Canary to Office 365

      1. From your Red Canary homepage, click Integrations.

      2. From the Integrations section, select Microsoft Office 365.

      3. Click Configure.

      4. Check the box indicating that auditing is turned on and Red Canary has access to your Office 365 account.

      5. Paste your tenant ID in the box labeled Microsoft Office 365 Tenant ID. To find your ID, follow the steps in How to find your Azure Active Directory tenant ID.

      6. Click Save.

      FAQ

      How do I know Red Canary is connected to Office 365?

      It can take some time before Red Canary starts ingesting your audit logs. Confirmed threats from Office 365 will appear alongside endpoint activity in your threat timeline.

      Check the status of the integration:

      1. In Red Canary, click your profile icon.

      2. Under Integrations, click Microsoft Office 365. If the integration was successful, you’ll see Audit.Exchange enabled in the Office 365 Subscriptions table.

        image2.png

      If you don’t see any subscriptions, wait a few minutes, and then refresh the page.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout