Download PDF

View Table of Contents

Product Requirements

RevealX 360 only

Thank you! We will contact you soon to ask how we can improve our documentation. We appreciate your feedback.

Was this topic helpful?

Yes No

Thank you for your feedback. Can we contact you to ask follow up questions?

How can we improve?

Need more help?

Ask the Community

Integrate RevealX 360 with Microsoft 365

By configuring the RevealX 360 integration with Microsoft 365, users can review Microsoft 365 events that might indicate compromised accounts or identities.

System requirements

ExtraHop RevealX

You must have your RevealX 360 system connected to an ExtraHop sensor with firmware version 8.6 or later.
The ExtraHop sensor must be licensed and configured to receive packets.

Microsoft

You must have Microsoft 365 and Microsoft Graph API. Only the Microsoft Graph Global Service at https://graph.microsoft.com/ is supported for the integration.

Note:

To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about your app and the permissions it has for the resources and APIs available through Microsoft Graph. To create an access token, your app must be registered with the Microsoft identity platform and be authorized by either a user or an administrator to access the Microsoft Graph resources.

You must have a registered application in Azure with the following permissions:

API / Permissions Name	Type
AuditLog.Read.All	Application
AuditLog.Read.All	Delegated
Directory.Read.All	Application
Directory.Read.All	Delegated
IdentityRiskEvent.Read.All	Application
IdentityRiskEvent.Read.All	Delegated
IdentityRiskyUser.Read.All	Application
IdentityRiskyUser.Read.All	Delegated
User.Read	Delegated

Your Azure subscription must have following Standard Microsoft Entra ID features:
- Directory Audit for Microsoft Entra ID
- Microsoft Entra ID P1 or P2 License Endpoints
  P1 provides you with the list of service account sign-ins from the audit log. P2 includes P1 and additionally provides you with risk detections and risky users.

Configure the integration

Before you begin

You must have your Microsoft Entra ID tenant ID, application (client) ID, and application secret key value.

Log in to the RevealX 360 system with an account that has System and Access Administration privileges.
Click the System Settings icon and then click All Administration.
Click Integrations.
Click the Microsoft 365 tile.
Add your Microsoft 365 credentials.

Tenant ID: Enter your tenant ID. Your Microsoft 365 tenant ID can be found in the Microsoft Entra ID admin center.

Access Key: Enter your Microsoft Application (client) ID. You can view and copy your account access keys with the Azure portal, PowerShell, or Azure CLI.

Secret Key: Enter the client secret value for the application. You can view and copy the client secret value on the Certificates & secrets page in the Azure portal.

ExtraHop Sensor: From the drop-down list, select the sensor that you want to forward data to.
Click Test Connection to ensure that the ExtraHop system can communicate with Microsoft 365.
Click Connect.

Next steps

You can now view Microsoft 365 events on built-in dashboards, in records, and in detections.

Integration features

After completing the Microsoft 365 integration procedure, several ExtraHop RevealX features include Microsoft 365 and Microsoft Entra ID events so that you can view metrics, records, and detections for those events.

Dashboards

View metrics for Microsoft 365 events on the following built-in dashboards:

Microsoft Entra ID, which displays event metrics such as transaction attempts, identity and password management, and user activity.
Microsoft 365, which displays event metrics such as risky user activity, sign-in attempts, and risk detection.

Record types

View Microsoft 365 events in records by searching for the following record types:

Azure Activity Log
Microsoft 365 Directory Audit
Microsoft 365 Risky Event
Microsoft 365 Risky User
Microsoft 365 Sign-ins

Detections

View Microsoft 365 risk events that are retrieved through the Microsoft Graph API and displayed in the following RevealX detections:

Risky User Activities
Suspicious Sign-ins

The following examples describe some of the risky user events and suspicious actions that are detected through the integration service.

Impossible Travel: A user signs in from two geographically different locations. The two sign-in events occurred within a shorter time than it would take for the user to travel between locations. This activity might indicate that an attacker signed in with user credentials.
Password Spray: A password spray attack is a type of brute force attack, where numerous sign-ins for multiple usernames and common passwords are attempted to gain unauthorized access to an account.
Suspicious Inbox Forwarding: The Microsoft Cloud App Security (MCAS) service identifies suspicious email forwarding rules, such as a user-created inbox rule that forwards a copy of all emails to an external address.
Admin Confirmed User Compromised: An administrator selected Confirm user compromised in the Risky Users UI or riskyUsers API of the Identity Protection service.

View a complete list of suspicious actions and risky user activity events provided by the integrated Microsoft Entra ID Identity Protection service.

Last modified 2024-08-07

Documentation

Products

Differentiation

Solutions

Security Operations

Cloud-Native Security

Application Analytics

Network Performance

Customers

Community

Partners

Support

Training

Resources

More Resources

Company

Events and Information