CLOUD CONNECTOR

Microsoft Office 365

Microsoft Office 365 is a suite of cloud-based software-as-a-service (SaaS) products for business environments, including security, productivity, and collaboration tools.

Securonix integrates with the Microsoft Office 365 Management API to ingest Office 365 Advanced Threat Protection (ATP) threat alerts, as well as alerts from a wide range of Office 365 applications. These events are used to identify threats such as privilege escalation, data exfiltration, malicious file activity (malware), phishing, unusual account behavior, and insider threats.

Each entry below lists the events included, the endpoint/API used to collect them, notes, and the minimum subscription required (where one applies).

Azure AD
  Events Included: Graph Directory Audit Logs (same as deprecated sign-in events)
  Endpoint/API: Graph Directory Audit Logs
  Notes: See https://docs.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-1.0

Azure AD
  Events Included: Graph Sign-In Logs (same as deprecated audit events), Security Alerts on Suspicious Sign-Ins
  Endpoint/API: Graph Sign-In Logs
  Notes: See https://docs.microsoft.com/en-us/graph/api/resources/signin?view=graph-rest-1.0

Azure AD (Deprecated Endpoints)
  Events Included: Sign-In Events (e.g. login success/failed)
  Endpoint/API: Deprecated - Sign-In Event
  Notes: See https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta
  Minimum Subscription Required: AAD Premium P2

Azure AD (Deprecated Endpoints)
  Events Included: General Audit Events such as Group/User Management
  Endpoint/API: Deprecated - Audit Events
  Notes: See https://docs.microsoft.com/en-us/graph/api/resources/directoryaudit?view=graph-rest-beta

Azure AD Identity Protection
  Events Included: Risk and Anomaly Detection in Azure AD
  Endpoint/API: graph-identity-protection
  Notes: For more information on the Azure AD Identity Protection API, see https://docs.microsoft.com/en-us/graph/api/resources/identityprotection-root?view=graph-rest-beta

SharePoint
  Events Included: SharePoint Administrative and File Management operations
  Endpoint/API: management-activity-api

Exchange
  Events Included: Exchange Administrative Operation
  Endpoint/API: management-activity-api
  Notes: Events from the Exchange admin audit log. Events from an Exchange mailbox audit log for actions performed on a single item, such as creating or receiving an email message. Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.

Exchange
  Events Included: Message Trace
  Endpoint/API: activity-report-api (https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide)
  Notes: Email Send/Receive Trace

DLP
  Events Included: Compliance DLP SharePoint, Compliance DLP Exchange
  Endpoint/API: management-activity-api
  Notes: Data loss protection (DLP) events in SharePoint and OneDrive for Business. Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported.

Microsoft Cloud App Security (MCAS)
  Events Included: Cloud Services Anomalies, Suspicious Activities and Violations Detected by the Microsoft CASB Service
  Endpoint/API: mcas-activities, mcas-alerts
  Minimum Subscription Required: E5 or other enterprise edition

Advanced Threat Protection (ATP)
  Events Included: Spoof Mail, Spoof Mail Report
  Endpoint/API: activity-report-api (https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide)
  Notes: View information about insider spoofing in your cloud-based organization. Insider spoofing is where the sender's email address in an inbound message appears to represent your organization, but the actual identity of the sender is different.
  Minimum Subscription Required: E3

Advanced Threat Protection (ATP)
  Events Included: DLP Policy, Mail Detail DLP Policy
  Endpoint/API: activity-report-api (https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide)
  Notes: Provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages.
  Minimum Subscription Required: E3

Advanced Threat Protection (ATP)
  Events Included: Malware Report, Mail Detail Malware
  Endpoint/API: activity-report-api (https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide)
  Notes: View the details of messages that contained malware.
  Minimum Subscription Required: E3

Advanced Threat Protection (ATP)
  Events Included: Spam Report, Mail Detail Spam
  Endpoint/API: activity-report-api (https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide)
  Notes: Provides details about the processing steps taken on email messages identified as containing spam while the message was being processed.
  Minimum Subscription Required: E3

Audit Events
  Events Included: General Audit Events
  Endpoint/API: audit-events
  Notes: Office 365 Audit Events

Yammer
  Events Included: Yammer Schema
  Endpoint/API: microsoft-graph-api (https://docs.microsoft.com/en-us/graph/overview)
  Notes: Yammer Events

Sway
  Events Included: Sway Schema
  Endpoint/API: microsoft-graph-api (https://docs.microsoft.com/en-us/graph/overview)
  Notes: Sway Events

Microsoft Teams
  Events Included: Microsoft Teams, Microsoft Teams Add-Ons, Microsoft Teams Settings Operation
  Endpoint/API: microsoft-graph-api (https://docs.microsoft.com/en-us/graph/overview)
  Notes: Events from Microsoft Teams.

Office 365 Threat Detection
  Events Included: Risky Users, Risky Sign-Ins, Risk Detections
  Endpoint/API: risk detection graph API (https://docs.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-beta)
  Minimum Subscription Required: Azure AD Premium P1 or P2