By configuring the Reveal(x) 360 beta integration with Microsoft 365, users can review Microsoft 365 events that might indicate compromised accounts or identities. Risky user activity events are retrieved through the Microsoft Graph API and displayed in Reveal(x) detections.
- You must have your Reveal(x) 360 system connected to an ExtraHop sensor with firmware version 8.6 or later
- You must have Microsoft 365 and access to the Microsoft Graph API. Only the Microsoft Graph Global Service at https://graph.microsoft.com/ is supported for the beta.
Note: To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about your app and the permissions it has for the resources and APIs available through Microsoft Graph. To create an access token, your app must be registered with the Microsoft identity platform and be authorized by either a user or an administrator to access the Microsoft Graph resources.
- You must have an account with the following standard Azure AD privileges:
  - Directory Audit for Azure AD
  - Azure AD P1 or P2 License Endpoints
  P1 provides you with the list of service account sign-ins from the audit log. P2 includes P1 and additionally provides you with risk detections and risky users.
Before you begin, you must have your Microsoft Azure AD tenant ID, application (client) ID, and application (client) secret value.
- Log in to the Reveal(x) 360 system with an account that has OktaAdmin or ApplianceAdmin (cloud setup) privileges.
- Click the System Settings icon and then click Administration.
- Click Integrations.
- Click the Microsoft 365 tile.
- Add your Microsoft 365 credentials.
  Tenant ID: Enter your tenant ID. Your Microsoft 365 tenant ID can be found in the Azure AD admin center.
  Access Key: Enter your Microsoft application (client) ID. You can view and copy your account access keys with the Azure portal, PowerShell, or Azure CLI.
  Secret Key: Enter the client secret value for the application. You can view and copy the client secret value on the Certificates & secrets page in the Azure portal.
  ExtraHop Sensor: From the drop-down list, select the sensor that you want to forward data to.
- Click Test Connection to ensure that the ExtraHop system can communicate with Microsoft 365.
- Click Connect.
The following examples describe some of the suspicious actions that are detected through the integration service.
- A user signs in from two geographically different locations, and the two sign-in events occur within less time than it would take the user to travel between those locations. This activity might indicate that an attacker signed in with the user's credentials.
- A password spray attack is a type of brute force attack in which sign-ins are attempted for numerous usernames with common passwords to gain unauthorized access to an account.
- The Microsoft Cloud App Security (MCAS) service identifies suspicious email forwarding rules, such as a user-created inbox rule that forwards a copy of all emails to an external address.
- An administrator selected Confirm user compromised in the Risky Users UI or through the riskyUsers API of the Identity Protection service.
View a complete list of suspicious actions and risky user activity events provided by the integrated Microsoft Azure AD Identity Protection service.
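The note above describes how an app must acquire an access token from the Microsoft identity platform before it can call Microsoft Graph, and the examples above describe the kinds of Identity Protection risk detections the integration surfaces. The following added example (not ExtraHop's code and not part of the original page) shows both ends of that flow from the Graph side, which is useful for verifying an app registration independently of the Test Connection button: it builds the client-credentials token request against the Microsoft identity platform, builds the request for the Graph `identityProtection/riskDetections` resource (which requires the `IdentityRiskEvent.Read.All` application permission), and reduces a detections response to the fields an analyst triages on. The environment variable names, the mapping from Graph `riskEventType` values to the scenarios listed above, and the sample response are assumptions constructed for this example; with no credentials set, the script runs offline against the constructed sample.

```python
"""Verify a Graph app registration and summarize Identity Protection risk detections.

Added example for the Reveal(x) 360 / Microsoft 365 integration page; not ExtraHop code.
Uses only the Python standard library.
"""
import json
import os
import urllib.parse
import urllib.request

# Only the Microsoft Graph Global Service endpoint is supported by the beta integration.
GRAPH = "https://graph.microsoft.com"

# Assumption for this example: riskEventType values that correspond to the four
# scenarios described on the page. Graph reports many more event types than these.
SCENARIO_BY_EVENT_TYPE = {
    "unlikelyTravel": "impossible travel",
    "mcasImpossibleTravel": "impossible travel",
    "passwordSpray": "password spray",
    "mcasSuspiciousInboxManipulationRules": "suspicious inbox forwarding rule",
    "adminConfirmedUserCompromised": "admin confirmed user compromised",
}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant.

    The '.default' scope requests the application permissions that an
    administrator has already consented to for this app registration.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body


def build_graph_request(access_token, resource="identityProtection/riskDetections"):
    """Return (url, headers) for a bearer-authenticated Graph v1.0 call."""
    url = f"{GRAPH}/v1.0/{resource}"
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def summarize_risk_detections(payload):
    """Reduce a riskDetections response page to triage fields, highest risk first."""
    rows = []
    for d in payload.get("value", []):
        event_type = d.get("riskEventType")
        rows.append({
            "user": d.get("userPrincipalName"),
            "scenario": SCENARIO_BY_EVENT_TYPE.get(event_type, f"other: {event_type}"),
            "risk_level": d.get("riskLevel"),
            "risk_state": d.get("riskState"),
            "ip": d.get("ipAddress"),
            "detected": d.get("detectedDateTime"),
        })
    order = {"high": 0, "medium": 1, "low": 2}  # unknown levels sort last
    rows.sort(key=lambda r: order.get(r["risk_level"], 3))
    return rows


def fetch_json(url, headers=None, data=None):
    """Issue one HTTP request and decode the JSON body (network use only)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample, shaped like one page of a Graph riskDetections response.
SAMPLE_RESPONSE = {
    "value": [
        {"userPrincipalName": "alice@example.com", "riskEventType": "passwordSpray",
         "riskLevel": "medium", "riskState": "atRisk", "ipAddress": "203.0.113.7",
         "detectedDateTime": "2021-06-01T10:15:00Z"},
        {"userPrincipalName": "bob@example.com", "riskEventType": "unlikelyTravel",
         "riskLevel": "high", "riskState": "atRisk", "ipAddress": "198.51.100.9",
         "detectedDateTime": "2021-06-01T11:02:00Z"},
        {"userPrincipalName": "carol@example.com",
         "riskEventType": "adminConfirmedUserCompromised", "riskLevel": "high",
         "riskState": "confirmedCompromised", "ipAddress": None,
         "detectedDateTime": "2021-06-01T12:30:00Z"},
    ]
}


def main():
    # Assumed variable names; the secret is read from the environment, never hardcoded.
    tenant = os.environ.get("AZURE_TENANT_ID")
    client = os.environ.get("AZURE_CLIENT_ID")
    secret = os.environ.get("AZURE_CLIENT_SECRET")
    if tenant and client and secret:
        url, body = build_token_request(tenant, client, secret)
        form = {"Content-Type": "application/x-www-form-urlencoded"}
        token = fetch_json(url, form, body)["access_token"]
        url, headers = build_graph_request(token)
        payload = fetch_json(url, headers)
    else:
        payload = SAMPLE_RESPONSE  # offline run against the constructed sample
    for row in summarize_risk_detections(payload):
        print(row)


if __name__ == "__main__":
    main()
```

If the token request fails with an invalid client or secret, or the Graph call returns 403, the app registration or its consented permissions are what to check before retrying Test Connection in Reveal(x) 360. The same token also authorizes `identityProtection/riskyUsers`, where the administrator confirmation described above appears as a `riskState` of `confirmedCompromised`.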