Quick Links

Integrating with Microsoft 365 Government Cloud

Overview

Global Administrators of Microsoft Office 365 Government environments can configure their productivity suite to send Office 365 Unified Audit logs to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.

The Microsoft 365 Government Cloud Connector collects Unified Audit logs, including logs from Microsoft Defender for Office 365 if your Microsoft license includes that service. Collection starts at the time of a successful configuration and may include data from up to 7 days before the setup date.

Note: Due to Microsoft performing daily refreshes in the back-end Microsoft 365 service, logs that Blumira collects can include delayed or replayed events from 5-8 days before the current date.

Before you begin

Before continuing with the configuration, verify that you meet the following requirements:

  • The Microsoft tenant is currently licensed with either a GCC or GCC High plan that includes Audit Standard or Audit Premium.
  • You have Global Administrator permissions in Microsoft 365.
  • You have the Administrator role in Blumira.

Verifying that audit logging is enabled in Microsoft

Before making any changes in Blumira, you must verify that audit logs (user and admin activity) are being generated in your Microsoft tenant and are ready to send to Blumira. To verify the status of logging, complete the following steps:

  1. Go here to verify that Unified Audit Logging is enabled for the Microsoft tenant.
  2. If it is off, follow the steps to turn on auditing and note that the "Start recording user and admin activity" button you must click is a large blue banner across the top of the page.Screenshot 2024-09-17 at 11.28.34 AM.png
Important: After enabling auditing, it can take 60 minutes for the change to take effect and then up to 72 hours before logs can be retrieved. Audit logs must be searchable before the integration can be configured. Blumira will continue to show an error while the Audit change is processing and if the audit log search options are inactive, like in the image below.
 
Screenshot 2024-09-17 at 10.50.44 AM.png

Client errors when enabling audit logging

If you receive a client error when attempting to enable audit logging within Purview, follow the steps below before continuing.

Example:

  1. Navigate to the main Admin center window.
  2. Click Help & support.
  3. Under "How can we help?" type EWS, and then press Enter.
  4. A result titled "Run Diagnostics" will be displayed.
  5. Click Run Tests:
  6. If the results show that the exchange web services are throttled, run the Enable-OrganizationCustomization command via Powershell, otherwise, select 30 days and Update It.
  7. Navigate back to your Purview Audit settings and try to enable audit logging again by clicking Start recording user and admin activity.
    Note: You will see the following message until Microsoft completes the diagnostic changes.
  8. After 24-48 hours, try enabling auditing again, if necessary.
  9. Once that completes successfully, it could take up to 72 hours for the auditing to be available for use with Blumira, and for you to be able to configure the Blumira Cloud Connector.

Gathering your credentials and configuring the Cloud Connector

To register the application and gather your credentials for configuring the Blumira Cloud Connector, complete these steps:

  1. Log in to Blumira and navigate to Ingestion > Cloud Connectors.
  2. Click Add Cloud Connector then select Microsoft 365 Government. Keep this window open so you can paste values in as you gather them from Microsoft.
  3. In a new browser window, log in to Microsoft Entra admin center as a Global Admin.
  4. On the left side menu, under Identity, expand Applications.
  5. Click App Registrations.
  6. Click Register an application or + New registration.
  7. Type a name for the app integration (e.g., Microsoft 365 Audit Logs to Blumira).
  8. Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
  9. Under Essentials, copy and paste the Application (client) ID and the Directory (tenant) ID into the Blumira Cloud Connector window.
    Screenshot 2024-04-30 at 2.28.34 PM.png     
  10. In the second-to-left panel in Entra, click API permissions.
  11. Click Add a Permission.
  12. Click Office 365 Management API.
  13. Grant both the Application Permissions and the Delegated Permissions for the API by doing the following:
    • At the top of the window, click Application Permissions, then expand ActivityFeed, and select the check boxes next to these permissions:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
    • At the top of the window, click Delegated Permissions, then expand ActivityFeed, and select the check boxes next to these permissions:
      • ActivityFeed.Read
      • ActivityFeed.ReadDlp
      • ServiceHealth.Read
  14. At the bottom of the window, click Add permissions, ensuring that you have selected all three permission types in the previous steps for both Application Permissions and Delegated Permissions.
    Screenshot 2024-05-15 at 4.54.43 PM.png
  15. In API permissions, click Microsoft Graph.
  16. Click Application Permissions.
  17. In the search box, type User.
  18. Click User to expand the options and select the check box next to User.Read.All.
  19. Click Add permissions.
    Screenshot 2023-09-05 at 1.31.41 PM.png
  20. Under "Configured permissions," click Grant admin consent.
    Greenshot 2024-05-22 12.53.13.png
  21. In the confirmation window that appears, click Yes to grant admin consent.
    Greenshot 2024-05-22 12.53.32.png
  22. Verify that the Status column shows consent is "Granted for [the integration]" and a green check mark appears.
    Greenshot 2024-05-22 12.53.50.png
  23. Click Certificates & secrets.
  24. Click New client secret.
  25. In the Description box, type a descriptive name (e.g., Blumira sensor).
  26. Next to Expires, select an expiration timeframe up to 24 months for this client secret. 

    Important: The integration will fail when the client secret expires, so ensure that you set a reminder to update it in Microsoft and in Blumira before the chosen expiration date.

    Screenshot 2024-04-30 at 3.06.07 PM.png

  27. Click Add.
  28. Under Client secrets, copy the client secret value and paste it into the Blumira Cloud Connector window.
    Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
    Screenshot 2024-05-03 at 3.59.52 PM.png
  29. In the Plan box, select the Office 365 Government plan [GCC | GCC High] your tenant is licensed with.
  30. Click Connect to complete the Cloud Connector configuration.

Verifying the integration is successful

In the Cloud Connectors table, under Current Status, you can view the configuration’s progress. A green dot appears when the integration is successful and indicates the connector is online and logging.

Note: It may take over 3 hours for Microsoft audit logging to fully function. In these instances, you will see this error in the Cloud Connector: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.

Screenshot 2024-05-03 at 4.53.47 PM.png

Testing detections

After your Cloud Connector is configured, wait at least 15 minutes for detection rules to automatically be deployed to your account, then use our testing procedures to trigger test detections that you can resolve in the app. See Testing Microsoft 365 detections for steps.