Overview
Global Administrators of Microsoft 365 can configure the productivity suite to send Office 365 Unified Audit logs to Blumira’s security operations platform. Blumira then detects cybersecurity threats across your environment, combining SIEM log analysis, endpoint detection, and AI-powered investigation to provide automated and actionable response options.
The Microsoft 365 Cloud Connector in Blumira collects Unified Audit logs, including logs from Microsoft Defender for Office 365 if your Microsoft license includes that service. Collection starts at the time of a successful configuration and may include data from up to 7 days before the setup date.
Before you begin
Before continuing with the configuration, verify that you meet the following requirements:
- The Microsoft tenant has an active Microsoft license that includes Audit Standard or Audit Premium. In general, this is a license for Microsoft Business Basic or higher, or Office 365 E1 or higher.
Tip: You can verify licensing and subscriptions from the Microsoft Admin Center and then refer to this feature matrix to see if Audit is included. Audit Premium provides the most event data with higher-bandwidth access to the data.
- You have Global Administrator permissions in Microsoft 365.
- You have the Administrator role in Blumira.
Verifying that audit logging is enabled in Microsoft
Before making any changes in Blumira, you must verify that audit logs (user and admin activity) are being generated in your Microsoft tenant and are ready to send to Blumira. To verify the status of logging, complete the following steps:
- Go here to verify that Unified Audit Logging is enabled for the Microsoft tenant.
- If it is off, follow the steps to turn on auditing and note that the "Start recording user and admin activity" button you must click is a large blue banner across the top of the page.
Client errors when enabling audit logging
If you receive a client error when attempting to enable audit logging within Purview, follow the steps below before continuing.
Example:
- Navigate to the main Admin center window.
- Click Help & support.
- Under "How can we help?" type EWS, and then press Enter.
- A result titled "Run Diagnostics" will be displayed.
- Click Run Tests:
- If the results show that Exchange Web Services are throttled, run the Enable-OrganizationCustomization command via PowerShell; otherwise, select 30 days and click Update It.
- Navigate back to your Purview Audit settings and try to enable audit logging again by clicking Start recording user and admin activity.
Note: You will continue to see a message in Purview until Microsoft completes the diagnostic changes.
- After 24-48 hours, try enabling auditing again, if necessary.
- Once that completes successfully, it could take up to 72 hours for the auditing to be available for use with Blumira, and for you to be able to configure the Blumira Cloud Connector.
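The same checks can be run from Exchange Online PowerShell instead of the Purview portal. The script below is an added example, not Blumira's or Microsoft's own code: it reads the tenant's current audit setting, enables it if needed (falling back to Enable-OrganizationCustomization when the change is rejected, as in the client-error procedure above), and then confirms that audit records are actually being written before you go on to configure the Cloud Connector. It assumes the ExchangeOnlineManagement module is installed and that the sign-in account has sufficient rights; the UPN is a placeholder.

```powershell
# Added example (not Blumira's or Microsoft's code): verify and enable Unified Audit Logging
# with Exchange Online PowerShell. Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder account

# UnifiedAuditLogIngestionEnabled is the setting that the Purview
# "Start recording user and admin activity" banner turns on.
$cfg = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: $($cfg.UnifiedAuditLogIngestionEnabled)"

if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    try {
        # PowerShell equivalent of clicking the banner in Purview.
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        "Audit logging enabled; allow up to 72 hours before configuring the Cloud Connector."
    }
    catch {
        # Counterpart of the client error described above: prepare the tenant so the
        # setting can be changed, then retry after Microsoft finishes provisioning.
        Write-Warning "Set-AdminAuditLogConfig failed: $($_.Exception.Message)"
        Enable-OrganizationCustomization
        "Organization customization requested; retry in 24-48 hours."
    }
}

# Confirm that events are really being generated: pull a handful of records from the
# last 24 hours. An empty result right after enabling is normal; wait and re-run.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
if ($recent) { "Audit records are being generated ($($recent.Count) sample records returned)." }
else         { "No audit records returned yet; Microsoft may still be starting the recording." }

Disconnect-ExchangeOnline -Confirm:$false
```

Running this before and after the Purview steps gives you a record of the tenant state at each point, which is useful when the Cloud Connector later reports that audit logging is not enabled and you need to decide whether the cause is configuration or a Microsoft-side delay.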
Gathering your credentials and configuring the Cloud Connector
To register the application and gather your credentials for configuring the Blumira Cloud Connector, complete these steps:
- Log in to Blumira and navigate to Ingestion > Cloud Connectors > Add Cloud Connector > Microsoft 365. Keep this window open so you can paste values in as you gather them from Microsoft.
- In a new browser window, log in to Microsoft Entra admin center as a Global Admin.
- On the left side menu, under Identity, expand Applications.
- Click App Registrations.
- Click Register an application or + New registration.
- Type a name for the app integration (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Under Essentials, copy and paste the Application (client) ID and the Directory (tenant) ID into the Blumira Cloud Connector window.
- In the second-to-left panel in Entra, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Grant both the Application Permissions and the Delegated Permissions for the API by doing the following:
- At the top of the window, click Application Permissions, then expand ActivityFeed, and select the check boxes next to these permissions:
- ActivityFeed.Read
- ActivityFeed.ReadDlp
- ServiceHealth.Read
- At the top of the window, click Delegated Permissions, then expand ActivityFeed, and select the check boxes next to these permissions:
- ActivityFeed.Read
- ActivityFeed.ReadDlp
- ServiceHealth.Read
- At the bottom of the window, click Add permissions, ensuring that you have selected all three permissions under both Application Permissions and Delegated Permissions in the previous steps.
- In API permissions, click Microsoft Graph.
- Click Application Permissions.
- In the search box, type User.
- Click User to expand the options and select the check box next to User.Read.All.
- Click Add permissions.
- Under "Configured permissions," click Grant admin consent.
- In the confirmation window that appears, click Yes.
- Verify that the Status shows consent was successfully granted (a green check mark appears in the column).
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Next to Expires, select an expiration timeframe of up to 24 months for this client secret.
Important: The integration will fail when the client secret expires, so set a reminder to update it in Microsoft and in Blumira before the chosen expiration date.
- Click Add.
- Under Client secrets, copy the client secret value and paste it into the Blumira Cloud Connector window.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
- Click Connect to complete the Cloud Connector configuration.
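A calendar reminder is easy to lose, so a scheduled check of the app registration's secrets is a more reliable way to catch the expiry the Important note warns about. The script below is an added example, not Blumira's or Microsoft's code: it uses the Microsoft Graph PowerShell SDK to find the registration created above by display name and reports every client secret that has expired or expires within a configurable window. It assumes the Microsoft.Graph.Applications module is installed, that the registration is named as in the example above (adjust $appName if you chose a different name), and that the account used has the Application.Read.All scope.

```powershell
# Added example (not Blumira's or Microsoft's code): report client secrets on the
# Blumira app registration that are expired or close to expiry.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

$appName  = "Microsoft 365 Audit Logs to Blumira"   # name chosen during registration; adjust if different
$warnDays = 30                                       # how far ahead to warn

$app = Get-MgApplication -Filter "displayName eq '$appName'"
if (-not $app) { throw "No app registration named '$appName' was found in this tenant." }

$now = (Get-Date).ToUniversalTime()
foreach ($secret in $app.PasswordCredentials) {
    $daysLeft = [int]($secret.EndDateTime - $now).TotalDays
    $label    = if ($secret.DisplayName) { $secret.DisplayName } else { $secret.KeyId }

    if ($daysLeft -lt 0) {
        Write-Warning "Secret '$label' EXPIRED on $($secret.EndDateTime.ToString('u')); the Cloud Connector will have stopped collecting."
    }
    elseif ($daysLeft -le $warnDays) {
        Write-Warning "Secret '$label' expires in $daysLeft days ($($secret.EndDateTime.ToString('u'))); rotate it in Entra and update the Blumira Cloud Connector."
    }
    else {
        "Secret '$label' is valid for another $daysLeft days."
    }
}

Disconnect-MgGraph | Out-Null
```

Run it from a scheduled task or automation account and route the warnings to the team that owns the Blumira integration. Because a new secret only becomes valid once its value is pasted into the Cloud Connector, rotate with enough lead time to update both sides before the old secret lapses.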
Verifying the integration is successful
In the Cloud Connectors table, under Current Status, you can view the configuration’s progress. A green dot appears when the integration is successful and indicates the connector is online and logging.
Note: It may take over 3 hours for Microsoft audit logging to fully function. In these instances, you will see this error in the Cloud Connector: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.
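When the connector stays in an error state, it helps to test the registration independently of Blumira so you can tell a bad tenant ID, client ID, secret or missing consent apart from the Microsoft-side delay the note describes. The script below is an added example, not Blumira's or Microsoft's code: it requests a client-credentials token for the Office 365 Management API with the three values you pasted into the Cloud Connector, decodes the token to show which application roles were actually granted, and then calls the Management Activity API subscription list endpoint. The placeholder values must be replaced with your own; the secret used is the secret value, not the Secret ID.

```powershell
# Added example (not Blumira's or Microsoft's code): exercise the app registration against
# the Office 365 Management API with the same three values given to the Cloud Connector.
$tenantId     = "<Directory (tenant) ID from Entra>"        # placeholder
$clientId     = "<Application (client) ID from Entra>"      # placeholder
$clientSecret = "<client secret VALUE, not the Secret ID>"  # placeholder

# 1. Client-credentials token. A failure here means the IDs/secret are wrong or the
#    secret has expired; consent problems show up in step 2 instead.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://manage.office.com/.default"
    }

# 2. Decode the JWT payload (base64url) and list the application roles. If admin consent
#    was granted as described above, ActivityFeed.Read, ActivityFeed.ReadDlp and
#    ServiceHealth.Read should all be present; an empty list means consent is missing.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
$claims  = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"Application roles granted: $($claims.roles -join ', ')"

# 3. Call the Management Activity API. A successful response (even an empty list of
#    subscriptions) proves the registration works end to end; an error after a good token
#    with the right roles points at the tenant side, such as audit logging not yet active.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
try {
    $subs = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list"
    "Management API reachable; $(@($subs).Count) subscription(s) currently listed."
    $subs | Format-Table contentType, status -AutoSize
}
catch {
    Write-Warning "Management API call failed: $($_.Exception.Message)"
}
```

Keep the secret out of shell history and scripts checked into source control; read it from a secure prompt or a vault when you run this outside a one-off troubleshooting session.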
Testing detections
After your Cloud Connector is configured, wait at least 15 minutes for detection rules to automatically be deployed to your account, then use our testing procedures to trigger test detections that you can resolve in the app. See Testing Microsoft 365 detections for steps.