Integrate Microsoft Office 365 with Red Canary
    • 09 Oct 2024

    Note: This setup only needs to be completed once and will not include historical data.

    Step 1: Turn on auditing for your organization

    Make sure audit logging is turned on for your organization by following the steps in Turn auditing on or off.

    Note: In addition to the operations enabled by default, we recommend turning on the following operations in the mailbox auditing settings of Office 365.

    • Move

    • SearchQueryInitiated

    For more information, see Manage mailbox auditing.

    Step 2: Give Red Canary Office 365 permissions

    Red Canary needs permission from a global administrator to ingest audit logs from your Microsoft 365 account.

    1. Navigate to this URL, and then log in to your global administrator account.

    2. Approve the permissions requested by Red Canary + Office365.

    Step 3: Connect Red Canary to Office 365

    1. From your Red Canary homepage, click Integrations.

    2. From the Integrations section, select Microsoft Office 365.

    3. Click Configure.

    4. Check the box indicating that auditing is turned on and Red Canary has access to your Office 365 account.

    5. Paste your tenant ID in the box labeled Microsoft Office 365 Tenant ID. To find your ID, follow the steps in How to find your Azure Active Directory tenant ID.

    6. Click Save.

    FAQ

    How do I know Red Canary is connected to Office 365?

    It can take some time before Red Canary starts ingesting your audit logs. Confirmed threats from Office 365 will appear alongside endpoint activity in your threat timeline.

    Check the status of the integration:

    1. In Red Canary, click your profile icon.

    2. Under Integrations, click Microsoft Office 365. If the integration was successful, you’ll see Audit.Exchange enabled in the Office 365 Subscriptions table.


    If you don’t see any subscriptions, wait a few minutes, and then refresh the page.

    Ingest Details

    Red Canary monitors your Office 365 environment by integrating with the Office 365 Management API, which sources data from the Microsoft Unified Audit Log. The Unified Audit Log (UAL) is an aggregation of audited activities that occur within your Microsoft 365 environment. By connecting your Unified Audit Log to Red Canary as an external service, Red Canary will have the enhanced ability to analyze and detect threats related to email events, user sign-ins, and more, supplementing the investigation of your Microsoft email- and identity-based alerts. Supporting artifacts from the Unified Audit Log will appear alongside endpoint activity in your threat timeline where applicable.

    Red Canary collects and stores all event types from the Unified Audit Log for investigations and hunting, and we pay special attention to the following logs for detection purposes:

    • EmailRuleModification

    • MailboxSettingsModification

    • LogonAttempt

    • MailboxAccessDelegated

    • MailboxFolderPermissions
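    As an added illustration (not Red Canary's code), the following Python shows how a defender might take raw Unified Audit Log records, in the JSON array form the Office 365 Management Activity API returns, and tag them with the detection categories listed above. The category names are the article's; the operation-to-category mapping and the sample records are assumptions constructed for this example.

```python
import json
from collections import Counter

# Assumed mapping from Unified Audit Log "Operation" values to the detection
# categories listed above; the category names are the article's, the mapping is mine.
CATEGORY_BY_OPERATION = {
    "New-InboxRule": "EmailRuleModification",
    "Set-InboxRule": "EmailRuleModification",
    "Set-Mailbox": "MailboxSettingsModification",
    "UserLoggedIn": "LogonAttempt",
    "UserLoginFailed": "LogonAttempt",
    "Add-MailboxPermission": "MailboxAccessDelegated",
    "AddFolderPermissions": "MailboxFolderPermissions",
    "ModifyFolderPermissions": "MailboxFolderPermissions",
}
# Inbox-rule parameters worth surfacing to an analyst (real New-InboxRule parameter names).
RULE_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")

# Constructed sample records in the shape the Management Activity API returns; not real tenant data.
SAMPLE_RECORDS = json.dumps([
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "a@example.com",
     "Parameters": [{"Name": "Name", "Value": "x"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "UserId": "a@example.com"},
    {"Workload": "Exchange", "Operation": "Add-MailboxPermission", "UserId": "admin@example.com"},
    {"Workload": "Exchange", "Operation": "Move", "UserId": "a@example.com"},
])

def parameters(record: dict) -> dict:
    """Flatten the UAL 'Parameters' list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(records_json: str) -> list:
    """Tag each mapped record with its detection category; unmapped operations
    (such as Move) are stored for hunting elsewhere and skipped here."""
    tagged = []
    for rec in json.loads(records_json):
        category = CATEGORY_BY_OPERATION.get(rec.get("Operation"))
        if category is None:
            continue
        params = parameters(rec)
        tagged.append({
            "category": category, "operation": rec["Operation"], "user": rec["UserId"],
            # For rule changes, note which forward/redirect/delete actions were configured.
            "rule_actions": [k for k in RULE_ACTIONS if k in params]
            if category == "EmailRuleModification" else [],
        })
    return tagged

def category_counts(records_json: str) -> dict:
    return dict(Counter(t["category"] for t in triage(records_json)))
```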

