Overview
Blumira integrates with various products contained within Microsoft 365, and this article provides an overview to prepare you to successfully integrate Blumira with the specific products that your organization uses.
Microsoft requires separate licensing for many of its products. If you are unsure what license and features your organization has, consult Microsoft's documentation or support.
Planning your integrations
Each of the procedures for the integrations outlined below takes between 5 and 10 minutes to complete. For the best outcomes, complete the integrations in the order shown below:
- Microsoft 365, which includes logs from Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- Microsoft Azure Event Hubs
- Products that rely on the Event Hubs integration to send logs (each of these lists completion of the Event Hubs integration as a pre-requisite below):
  - Azure Monitor
  - Microsoft Entra ID
  - Microsoft Intune
  - Microsoft Defender for Endpoint
  - Microsoft Defender for Identity
Microsoft 365
Procedure: Integrating with Microsoft 365
You can configure Microsoft 365 logging through an app registration in Microsoft Entra ID (formerly Azure Active Directory) to send audit, compliance, and activity logs to Blumira. This integration does not depend on any other Microsoft or Blumira integration. It is a native API integration that lets you log, report on, and detect security threats in Microsoft 365 using Blumira.
This integration requires basic Purview licensing, which is generally included in Business Premium subscriptions and above. Users must hold a compatible license to be included in this integration; users without one are excluded from logging. Advanced Purview licensing provides greater visibility. Additionally, Microsoft versions the audit service differently per tenant, which can result in some logs being categorized differently from what you expect (for example, security logs arriving as compliance logs).
Note: The Microsoft 365 Cloud Connector collects logs for Microsoft Defender for Office 365 if your organization's Microsoft license includes that additional product.
Microsoft Azure Event Hubs
Requirement: Requires an Azure subscription.
Procedure: Integrating with Microsoft Azure Event Hubs
Blumira integrates with Azure Event Hubs to stream logs from various services within Azure to the Blumira platform. By using Blumira with this integration you have the benefit of a log retention period of 1 year, pre-built parsing for all Azure-related sources, and detection capabilities. Combined, these features get you logging, detection, and response capabilities for Azure and related products faster within the Microsoft cloud technology stack.
You can manually configure the integration with Event Hubs or use our provided Azure CLI script to automate the process. You may need to configure each service's diagnostic settings individually to stream the related logs through Event Hubs to Blumira.
Azure Monitor
After setting up the Event Hubs integration, you can send Azure platform logs from Azure Monitor through the event hub to Blumira. There are two types of Azure platform logs collected with this integration: Activity logs and Resource logs. These logs give you insight into the actions taken within your subscription, such as the creation, modification, and deletion of resources, as well as the actions taken by Azure CLI and Azure Powershell users. Resource logs can take a few different forms and are not supported on all Azure resources; for example, some Compute resources and Managed Disks do not have the ability to provide audit logs and security logs.
Procedure: Sending logs from Azure Monitor
Pre-requisite: Completion of the Azure Event Hubs integration.
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) logs are critical to organizations that use Defender products or have active resources within Azure, such as a subscription. These logs are also recommended if your organization uses Conditional Access or manages Entra ID from portal.azure.com or other Microsoft Entra resources. Sign-in logs, Microsoft Entra alerts, and more are available from this integration.
Procedure: Sending logs from Microsoft Entra ID
Pre-requisite: Completion of the Azure Event Hubs integration.
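Once diagnostic settings route Azure Monitor activity logs and Entra ID sign-in logs to the same event hub, a single consumer receives messages whose "records" array mixes categories, so any parsing or detection has to dispatch on the category field. The block below is an added example (not Blumira's code or the procedure's own script) that parses one such message and runs two simple checks over it: successful high-risk administrative operations (deletes and role-assignment writes) and bursts of failed sign-ins from one IP address. The sample message is constructed; the field names follow the Azure Monitor activity-log and Entra ID sign-in-log schemas as the example's author understands them, and the thresholds and rule names are arbitrary choices for illustration.

```python
import json
from collections import Counter

# Constructed sample: one Event Hubs message body as Azure Monitor diagnostic
# settings emit it, with activity-log and sign-in-log records interleaved.
# Field names are assumed from the Azure Monitor / Entra ID schemas; all
# values (subscription, users, IPs, timestamps) are made up for this example.
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-05-01T10:00:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB01",
     "resultType": "Success", "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {UPN_CLAIM: "alice@example.com"}}},
    {"time": "2024-05-01T10:01:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/WEB02",
     "resultType": "Success", "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {UPN_CLAIM: "alice@example.com"}}},
    {"time": "2024-05-01T10:02:00Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "0",
     "callerIpAddress": "198.51.100.5",
     "properties": {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365"}},
    {"time": "2024-05-01T10:03:00Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "50126",
     "callerIpAddress": "198.51.100.77",
     "properties": {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365"}},
    {"time": "2024-05-01T10:03:05Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "50126",
     "callerIpAddress": "198.51.100.77",
     "properties": {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365"}},
    {"time": "2024-05-01T10:03:09Z", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "50126",
     "callerIpAddress": "198.51.100.77",
     "properties": {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365"}},
    {"time": "2024-05-01T10:05:00Z", "category": "Administrative",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/1234",
     "resultType": "Success", "callerIpAddress": "203.0.113.10",
     "identity": {"claims": {UPN_CLAIM: "alice@example.com"}}},
]})

# Operation-name suffixes treated as high risk for this example (assumed list).
HIGH_RISK_ADMIN_SUFFIXES = ("/DELETE", "/ROLEASSIGNMENTS/WRITE")


def parse_event_hub_message(body: str) -> list:
    """Return the list of records in one Event Hubs message body.

    Diagnostic settings wrap records in {"records": [...]}; a bare list or a
    single object is tolerated so the function also works on re-batched input.
    """
    payload = json.loads(body)
    if isinstance(payload, dict) and "records" in payload:
        return list(payload["records"])
    if isinstance(payload, list):
        return payload
    return [payload]


def caller_of(record: dict) -> str:
    """Best-effort principal: activity logs carry a UPN claim, sign-in logs a UPN property."""
    claims = record.get("identity", {}).get("claims", {})
    upn = claims.get(UPN_CLAIM) or claims.get("name")
    return upn or record.get("properties", {}).get("userPrincipalName") or "unknown"


def triage(records: list) -> dict:
    """Count records per category and emit findings, dispatching on 'category'."""
    counts = Counter(r.get("category", "Unknown") for r in records)
    findings = []
    for r in records:
        category = r.get("category")
        op = r.get("operationName", "").upper()
        if (category == "Administrative" and r.get("resultType") == "Success"
                and op.endswith(HIGH_RISK_ADMIN_SUFFIXES)):
            findings.append({"rule": "high-risk-admin-op", "user": caller_of(r),
                             "ip": r.get("callerIpAddress"), "detail": op,
                             "resource": r.get("resourceId")})
        elif category == "SignInLogs" and r.get("resultType") != "0":
            # Entra ID reports the sign-in error code in resultType; "0" is success.
            findings.append({"rule": "failed-signin", "user": caller_of(r),
                             "ip": r.get("callerIpAddress"), "detail": r.get("resultType")})
    return {"counts": dict(counts), "findings": findings}


def failed_signin_bursts(records: list, threshold: int = 3) -> dict:
    """Map source IP -> failed sign-in count for IPs at or above the threshold."""
    per_ip = Counter(r.get("callerIpAddress") for r in records
                     if r.get("category") == "SignInLogs" and r.get("resultType") != "0")
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_event_hub_message(SAMPLE_MESSAGE)
    result = triage(recs)
    print(json.dumps(result, indent=2))
    print("failed sign-in bursts:", failed_signin_bursts(recs))
```

A real consumer would read message bodies from the event hub rather than a literal, and would stream records in batches; the dispatch-by-category shape stays the same.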
Microsoft Intune
For organizations that use Microsoft Intune (formerly part of Microsoft Endpoint Manager), this integration is critical for device compliance logs, device logs, and audit logs. These logs are useful for reporting and investigations. If your organization does not use Microsoft Intune, this integration is not needed.
Procedure: Integrating with Microsoft Intune
Pre-requisite: Completion of the Azure Event Hubs integration.
Microsoft Defender Products
Defender is a collection of products that use Azure for backend services. In most cases, these products are add-ons for your environment and should be configured only if your organization has purchased the corresponding licenses. If your organization does not use these products, the integrations are not needed and no logs are collected by Blumira.
Microsoft Defender for Endpoint
Defender for Endpoint is an add-on license that extends the security capabilities of Microsoft 365. This product was formerly known as Microsoft Defender Advanced Threat Protection (ATP). It provides endpoint detection and response, attack surface reduction policies, automated investigation and response, and more.
Note: A few log types do not require the Microsoft 365 Defender product; these are the standard AIR (automated investigation and response) events and Threat Intelligence events that are collected by our Microsoft 365 integration.
Procedure: Integrating with Defender for Endpoint
Pre-requisite: Completion of the Azure Event Hubs integration
Microsoft Defender for Identity
Microsoft Defender for Identity is an Azure product that is designed to help detect and investigate potential threats in hybrid environments. This toolset extends visibility into user behavior, provides additional details surrounding potential attacks, and can help secure and protect Active Directory credentials for your organization. This integration should be configured if your organization has these licenses.
Note: The procedure for integrating with Defender for Identity is exactly the same as in Defender for Endpoint. You do not need to repeat the procedure if you have already integrated with Defender for Endpoint.
Procedure: Integrating with Microsoft Defender for Identity
Pre-requisite: Completion of the Azure Event Hubs integration
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility and insights into how data travels across your organization's cloud-based applications. It restricts access to cloud resources based on security policies that evaluate potentially anomalous behavior and other factors to grant or deny access.
Defender for Cloud Apps does not generate new Microsoft 365 event data; instead, it enriches existing logs from other Microsoft 365 services (e.g., Exchange) with additional context and threat intelligence for more sophisticated threat detection and analysis of user behavior within the Microsoft 365 environment. As a result, Defender for Cloud Apps logs provide deeper insights into potential security issues in your environment than using the Microsoft 365 integration alone. Blumira customers will benefit from using the Microsoft Defender for Cloud Apps log integration alongside the Microsoft 365 integration.
Procedure: Integrating with Microsoft Defender for Cloud Apps