Overview
Global Administrators of Microsoft 365, including those with tenancy in Government Community Cloud (GCC) High environments, can configure their productivity suite to send Office 365 Unified Audit logs to Blumira for threat detection. Blumira then intelligently analyzes those logs to automatically detect suspected threats, notify you of those threats, and provide you with an actionable response.
The Microsoft 365 Cloud Connector in Blumira collects Unified Audit logs, including logs from Microsoft Defender for Office 365 if your Microsoft license includes that service. Collection starts at the time of a successful configuration and may include data from up to 7 days before the setup date.
Note: Due to Microsoft performing daily refreshes in the back-end Microsoft 365 service, logs that Blumira collects can include delayed or replayed events from 5-8 days before the current date.
Before you begin
Before continuing with the configuration, verify that you meet the following requirements:
- The Microsoft tenant has an active Microsoft license that includes Audit Standard or Audit Premium. In general, this is a license for Microsoft Business Basic or higher, or Office 365 E1 or higher.
Tip: You can verify licensing and subscriptions from the Microsoft Admin Center and then refer to this feature matrix to see if Audit is included. Audit Premium provides the most event data with higher bandwidth access to the data.
- You have Global Administrator permissions in Microsoft 365.
- You have the Administrator role in Blumira.
To successfully configure the Microsoft 365 Cloud Connector integration, you will complete the following:
Step | Procedure |
--- | --- |
1 | Verify that audit logging is enabled in Microsoft. Note: Audit must be enabled and actively logging before you continue or you will see failures in the Cloud Connector configuration. |
2 | Create and gather the required app integration credentials from Microsoft |
3 | Configure the Blumira Cloud Connector |
Verifying that audit logging is enabled in Microsoft
Before making any changes in Blumira, you must verify that audit logs (user and admin activity) are being generated in your Microsoft tenant and are ready to send to Blumira. To verify the status of logging, complete the following steps:
- Go here to verify that Unified Audit Logging is enabled for the Microsoft tenant.
- If it is off, follow the steps to turn on auditing. The "Start recording user and admin activity" button that you must click is a large blue banner across the top of the page.
Gathering your Microsoft credentials
To register the application and gather your credentials for configuring the Blumira Cloud Connector, complete these steps:
- Log in to Blumira and navigate to Settings > Cloud Connectors > Add Cloud Connector > Microsoft 365. Keep this window open for later steps.
- In a new browser window, log in to Microsoft Entra admin center as a Global Admin.
- On the left side menu, under Identity, expand Applications.
- Click App Registrations.
- Click Register an application or + New registration.
- Type a name for the app integration (e.g., Microsoft 365 Audit Logs to Blumira).
- Under Supported Account Types, select Accounts in this organizational directory only, and then click Register.
- Under Essentials, copy and paste the Application (client) ID and the Directory (tenant) ID into the Blumira Cloud Connector window.
- In the app registration's left navigation pane in Entra, click API permissions.
- Click Add a Permission.
- Click Office 365 Management API.
- Grant both the Application Permissions and the Delegated Permissions for the API by doing the following:
  - At the top of the window, click Application Permissions, expand ActivityFeed, and select the check boxes next to these permissions:
    - ActivityFeed.Read
    - ActivityFeed.ReadDlp
    - ServiceHealth.Read
  - At the top of the window, click Delegated Permissions, expand ActivityFeed, and select the check boxes next to these permissions:
    - ActivityFeed.Read
    - ActivityFeed.ReadDlp
    - ServiceHealth.Read
  - At the bottom of the window, click Add permissions, making sure that you selected all three permissions under both Application Permissions and Delegated Permissions in the previous steps.
- In API permissions, click Microsoft Graph.
- Click Application Permissions.
- In the search box, type User.
- Click User to expand the options and select the check box next to User.Read.All.
- Click Add permissions.
- Under "Configured permissions," click Grant admin consent.
- In the confirmation window that appears, click Yes.
- Verify that the Status shows consent was successfully granted (a green check mark appears in the column).
- Click Certificates & secrets.
- Click New client secret.
- In the Description box, type a descriptive name (e.g., Blumira sensor).
- Next to Expires, select an expiration timeframe up to 24 months for this client secret.
Important: The integration will fail when the client secret expires, so ensure that you set a reminder to update it in Microsoft and in Blumira before the chosen expiration date.
- Click Add.
- Under Client secrets, copy the client secret value and paste it into the Blumira Cloud Connector window.
Important: Do not copy the “Secret ID,” which is only an object reference to the value and will not allow Blumira to collect logs.
- If the data from Microsoft 365 is hosted in the GCC High environment, click the check box next to My version of M365 is GCC High.
- Click Connect.
Configuring the Microsoft 365 Cloud Connector
Note: There can be approximately one minute of latency between when Microsoft generates a client secret and when it successfully works in an API request. Wait at least one minute after generating the client secret before proceeding with the steps below in Blumira.
Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor. After you obtain your integration's configuration parameters, you can then enable Blumira to collect your logs.
To configure the Blumira Cloud Connector:
- In the Blumira app, navigate to Settings > Cloud Connectors.
- Click + Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector you want to add.
- In the Cloud Connector Name box, type a name to help identify the specific integration.
- Enter the credentials that you collected in the previous steps.
- Click Connect.
Important: If your logs are in the Government Community Cloud High environment, you must click the check box next to "My version of M365 is GCC High" to ensure the correct API endpoint is used for logging. Do not check this box if your tenant is not hosted in the government cloud.
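A pre-flight check for the app registration and client secret gathered above, as an added example (not Blumira's or Microsoft's code): it rejects a pasted Secret ID, picks the commercial or GCC High endpoints, obtains a client-credentials token, and lists the app's audit subscriptions. It assumes the Office 365 Management Activity API hosts (manage.office.com and manage.office365.us) and uses placeholder tenant and app values.

```python
"""Pre-flight check for the Microsoft 365 Cloud Connector credentials.
Added example, not Blumira code. Assumes the Office 365 Management
Activity API endpoints for commercial and GCC High tenants."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: replace with the values copied from Entra.
TENANT_ID = "<directory-tenant-id>"
CLIENT_ID = "<application-client-id>"
CLIENT_SECRET = "<client-secret-VALUE-not-secret-id>"

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def looks_like_secret_id(value: str) -> bool:
    """True if the pasted 'secret' is a GUID, i.e. the Secret ID column, not the Value."""
    return bool(UUID_RE.match(value.strip()))


def endpoints(tenant_id: str, gcc_high: bool) -> dict:
    """Token and Management Activity API endpoints; GCC High lives in the .us cloud."""
    login = "login.microsoftonline.us" if gcc_high else "login.microsoftonline.com"
    api = "manage.office365.us" if gcc_high else "manage.office.com"
    return {
        "token_url": f"https://{login}/{tenant_id}/oauth2/v2.0/token",
        "scope": f"https://{api}/.default",
        "subscriptions_url": f"https://{api}/api/v1.0/{tenant_id}/activity/feed/subscriptions/list",
    }


def check_connector(tenant_id, client_id, client_secret, gcc_high=False) -> list:
    """Client-credentials token, then list audit subscriptions; raises with the API body on failure."""
    if looks_like_secret_id(client_secret):
        raise ValueError("client_secret is a GUID: you copied the Secret ID, not the Value")
    ep = endpoints(tenant_id, gcc_high)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": ep["scope"]}).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(ep["token_url"], data=body)) as r:
            token = json.load(r)["access_token"]
        req = urllib.request.Request(ep["subscriptions_url"], headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as r:
            return json.load(r)  # [] until a subscription is started; HTTP errors point at consent/secret issues
    except urllib.error.HTTPError as e:
        raise RuntimeError(f"{e.code} from {e.url}: {e.read().decode()}") from e


if __name__ == "__main__":
    print(check_connector(TENANT_ID, CLIENT_ID, CLIENT_SECRET, gcc_high=False))
```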
Verifying the integration is successful
In the Cloud Connectors table, under Current Status, you can view the configuration’s progress. A green dot appears when the integration is successful and indicates the connector is online and logging.
Note: It can take over 3 hours before Microsoft audit logging fully functions. In these instances, you will see an error in the Cloud Connector in Blumira: "Error: Please make sure that Unified Audit Logging is enabled." If you are certain that auditing has been enabled, it is likely that a system delay in Microsoft is causing the error.
Running a log test with Microsoft 365
Verify that Blumira is successfully receiving your Microsoft 365 logs by running a simple test: create a new rule in Outlook 365 to forward mail to an external address. Blumira will generate a new finding in your account and trigger an alert.
Follow these steps to run the test:
- Log in to Microsoft 365.
- Navigate to Outlook 365.
- Click Settings in the left sidebar.
- Click Add New Rule.
- Create a new rule that forwards mail outside of the organization.
Note: Rule behaviors that keep mail internal to your organization will not generate a finding.
- Refresh your Blumira Summary Dashboard.
- Locate and work the finding.
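The detection behind the log test above, as an added example (not Blumira's detection logic): it scans Unified Audit Log Exchange records and flags only forwards that leave the tenant's own domains, so the internal rule the note describes produces no finding. It goes slightly beyond the test by also covering Set-InboxRule and Set-Mailbox forwarding; the internal domain set and the sample records are constructed.

```python
"""Flag Exchange audit records that forward mail outside the tenant.
Added example, not Blumira code. Record fields follow the Unified Audit
Log Exchange admin schema; the sample records below are constructed."""
import json
import re

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
FORWARD_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_targets(record: dict, internal=INTERNAL_DOMAINS) -> list:
    """Return forwarding addresses in the record whose domain is not internal."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in FORWARD_OPS:
        return []
    found = []
    for p in record.get("Parameters", []):
        if p.get("Name") in FORWARD_PARAMS:
            # Values appear as "user@domain", "smtp:user@domain" or "Name [SMTP:user@domain]".
            for addr in EMAIL_RE.findall(str(p.get("Value", ""))):
                if addr.rsplit("@", 1)[1].lower() not in internal:
                    found.append(addr.lower())
    return found


def findings(records: list) -> list:
    """One finding per record that configures an external forward."""
    out = []
    for r in records:
        targets = external_targets(r)
        if targets:
            out.append({"time": r["CreationTime"], "user": r["UserId"],
                        "op": r["Operation"], "targets": targets})
    return out


# Constructed sample records: external rule, internal rule, admin-set forward, unrelated sign-in.
SAMPLE = [json.loads(s) for s in [
    '{"CreationTime":"2024-05-01T09:12:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@contoso.com","Parameters":[{"Name":"Name","Value":"archive"},{"Name":"ForwardTo","Value":"Mallory [SMTP:mallory@example.net]"}]}',
    '{"CreationTime":"2024-05-01T09:15:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"bob@contoso.com","Parameters":[{"Name":"ForwardTo","Value":"carol@contoso.com"}]}',
    '{"CreationTime":"2024-05-01T10:02:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.com","Parameters":[{"Name":"Identity","Value":"dave"},{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.home@example.org"}]}',
    '{"CreationTime":"2024-05-01T10:30:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"erin@contoso.com"}',
]]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```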