By configuring the Reveal(x) 360 beta integration with Microsoft 365, users can review Microsoft 365 events that might indicate compromised accounts or identities.
- You must have your Reveal(x) 360 system connected to an ExtraHop sensor with firmware version 8.6 or later
- You must have Microsoft 365 and Microsoft Graph API. Only the Microsoft Graph
Global Service at https://graph.microsoft.com/ is supported for the beta
Note: To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about your app and the permissions it has for the resources and APIs available through Microsoft Graph. To create an access token, your app must be registered with the Microsoft identity platform and be authorized by either a user or an administrator to access the Microsoft Graph resources.
- You must have a registered application in Azure with the following
- You must have an account with the following Standard Azure AD permissions:
- Directory Audit for Azure AD
- Azure AD P1 or P2 License Endpoints
P1 provides you with the list of service account sign-ins from the audit log. P2 includes P1 and additionally provides you with risk detections and risky users.
Before you beginYou must have your Microsoft Azure AD tenant ID, application (client) ID, and application secret key value.
- Log in to the Reveal(x) 360 system with an account that has OktaAdmin or ApplianceAdmin (cloud setup) privileges.
- Click the System Settings icon and then click Administration.
- Click Integrations.
- Click the Microsoft 365 tile.
Add your Microsoft 365 credentials.
Tenant ID: Enter your tenant ID. Your Microsoft 365 tenant ID can be found in the Azure AD admin center.
Access Key: Enter your Microsoft Application (client) ID. You can view and copy your account access keys with the Azure portal, PowerShell, or Azure CLI.
Secret Key: Enter the client secret value for the application. You can view and copy the client secret value on the Certificates & secrets page in the Azure portal.
ExtraHop Sensor: From the drop-down list, select the sensor that you want to forward data to.
- Click Test Connection to ensure that the ExtraHop system can communicate with Microsoft 365.
- Click Connect.
After completing the Microsoft 365 integration procedure, several ExtraHop Reveal(x) features include Microsoft 365 and Azure Active Directory events so that you can view metrics, records, and detections for those events.
View metrics for Microsoft 365 events on the following built-in dashboards:
- Azure Active Directory, which displays event metrics such as transaction attempts, identity and password management, and user activity.
- Microsoft 365, which displays event metrics such as risky user activity, sign-in attempts, and risk detection.
View Microsoft 365 events in records by searching for the following record types:
- Azure Activity Log
- Microsoft 365 Directory Audit
- Microsoft 365 Risky Event
- Microsoft 365 Risky User
- Microsoft 365 Sign-ins
View Microsoft 365 risk events that are retrieved through the Microsoft Graph API and displayed in the following Reveal(x) detections:
- Risky User Activities
- Suspicious Sign-ins
The following examples describe some of the risky user events and suspicious actions that are detected through the integration service.
- Impossible Travel
- A user signs in from two geographically different locations. The two sign-in events occurred within a shorter time than it would take for the user to travel between locations. This activity might indicate that an attacker signed in with user credentials.
- Password Spray
- A password spray attack is a type of brute force attack, where numerous sign-ins for multiple usernames and common passwords are attempted to gain unauthorized access to an account.
- Suspicious Inbox Forwarding
- The Microsoft Cloud App Security (MCAS) service identifies suspicious email forwarding rules, such as a user-created inbox rule that forwards a copy of all emails to an external address.
- Admin Confirmed User Compromised
- An administrator selected Confirm user compromised in the Risky Users UI or riskyUsers API of the Identity Protection service.
View a complete list of suspicious actions and risky user activity events provided by the integrated Microsoft Azure AD Identity Protection service.