Securing Microsoft 365 with Elastic

Overview

In this blog, we’ll walk through the custom Microsoft 365 dashboards we’re sharing with the community as a complement to our Securing Microsoft 365 with Elastic talk at ElasticON Global 2021.

So, you recently checked out our Securing Microsoft 365 with Elastic talk at ElasticON Global 2021 and got excited about securing your own environment. This led you to configure audit logging on both your Microsoft 365 and Azure environments for capture via Filebeat. Setting up Microsoft 365 wasn’t too difficult, but you found the Azure setup a bit more challenging.

But you kept at it and now you’ve got logs flowing into your Elasticsearch cluster. Next, you enabled all the built-in SIEM rules and investigated a few alerts. You even tried a few of the simple Kibana queries and Kibana Lens visualizations from the talk. You’re quickly seeing the power of leveraging Elastic to help secure your Microsoft cloud environments and you’re hungry for more.

Then you remembered that Iron Vine shared a collection of free custom Microsoft 365 dashboards. You downloaded them and imported them into your Kibana instance. You’re impressed with what you see but aren’t quite sure what each search and visualization panel in the dashboards means and how to use them in your own workflow. Fortunately for you, Iron Vine just published this blog to walk through each of the dashboards and how best to use them.

Let’s get started!

Dashboards

These dashboards won’t cover every use case but should be a great starting point—and perhaps inspiration—to create more advanced dashboards on your own.

Currently, there are three dashboards focused on different areas of Microsoft 365:

  • M365 Authentication Activity
  • M365 File Activity
  • M365 Suspicious Mail Activity

Note that each dashboard has a Dashboard Navigation panel at the top to enable you to easily access each of them regardless of which dashboard you’re currently in.

M365 Authentication Activity Dashboard

This dashboard tracks authentication activity using both Microsoft 365 and Azure AD logs. When it comes to authentication details, these logs complement each other and leveraging both will provide the most context. These searches and visualizations can tell you where in the world users are logging in, which sign-ins are risky, who invited or added a guest, and more. You can use this information to investigate login anomalies and tune your conditional access policies.

Note that some of the searches include an additional custom “runtime field” named “m365-azure.event.id.” You must add this field manually; doing so is optional but highly recommended, because it enables direct correlation between M365 logs and Azure logs. The README on GitHub includes instructions for adding this field in Kibana. Filtering or running searches using this field will display both the M365 log and its relevant Azure AD log, since it is often useful to see the log activity from both perspectives.

Authentication Map

This chart provides a map of where authentication attempts are being made using geolocation data. Both Azure AD and M365 logins are displayed, but these are essentially the same data. Both are included so that the map stays correctly populated if you filter or drill down exclusively on Azure AD or M365 fields elsewhere within the dashboard.

Authentication Status over Time Chart

This chart shows user login successes and failures over time. You can easily use this to observe any abnormal spikes in either.

Application Usage over Time Chart

This chart shows what Microsoft 365 application was in use in each timeframe. This can help determine which applications are most commonly in use and quickly surface any anomalous spikes in application usage.

User Logins over Time Chart

This chart shows what user was logged in during each timeframe. You can correlate it with the Application Usage over Time visualization to determine which application was in use by which user.

Authentication Status by Country / Authentication Status by Region / Authentication Status by OS / Authentication Status by User Agent Charts

These four pie charts break down authentication activity by country, region, operating system, and user agent. Viewing these charts regularly can help build a baseline of normal login locations and client systems and more quickly identify anomalous attempts.

Authentication Failures Table

These are raw authentication failure logs. You can launch an investigation by filtering logs through this view, or use these logs to aid in drilldowns when conducting broader investigations. If there’s a notable log warranting further investigation, we recommend you filter on the custom m365-azure.event.id runtime field to show both the M365 and relevant Azure AD log.

Authentication Status by User ID Table

This table shows authentication successes and failures by user ID. Extremely high success or failure rates might be cause for concern and further investigation.
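The baselining described for the country chart and the per-user status table can also be done outside Kibana. The following is an added example, not part of Iron Vine's dashboards: it assumes events shaped with the ECS fields user.id, event.outcome and source.geo.country_name, and the sample events, thresholds and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

def ev(user, outcome, country=None):
    """Build a constructed, ECS-shaped authentication event."""
    doc = {"user": {"id": user}, "event": {"outcome": outcome}}
    if country:
        doc["source"] = {"geo": {"country_name": country}}
    return doc

# Constructed sample data: HISTORY is the baseline window, CURRENT the one under review.
HISTORY = [ev("alice@example.com", "success", "United States")] * 2 + \
          [ev("bob@example.com", "success", "Canada")]
CURRENT = ([ev("alice@example.com", "success", "United States"),
            ev("alice@example.com", "success", "Brazil"),
            ev("carol@example.com", "success")]          # no geolocation data
           + [ev("bob@example.com", "failure", "Canada")] * 4
           + [ev("bob@example.com", "success", "Canada")])

def country_of(event):
    return event.get("source", {}).get("geo", {}).get("country_name")

def build_baseline(events):
    """Map each user to the countries they have successfully logged in from."""
    seen = defaultdict(set)
    for e in events:
        if e["event"]["outcome"] == "success" and country_of(e):
            seen[e["user"]["id"]].add(country_of(e))
    return seen

def review(events, baseline, min_attempts=5, max_failure_rate=0.5):
    """Return (user, reason, detail) findings, sorted by user."""
    outcomes, new_countries = defaultdict(Counter), defaultdict(set)
    for e in events:
        user, outcome, country = e["user"]["id"], e["event"]["outcome"], country_of(e)
        outcomes[user][outcome] += 1
        # Events without geolocation cannot be compared against the baseline.
        if outcome == "success" and country and country not in baseline.get(user, set()):
            new_countries[user].add(country)
    findings = []
    for user in sorted(outcomes):
        failures = outcomes[user]["failure"]
        total = failures + outcomes[user]["success"]
        if total >= min_attempts and failures / total >= max_failure_rate:
            findings.append((user, "failure_rate", f"{failures}/{total}"))
        findings += [(user, "new_country", c) for c in sorted(new_countries[user])]
    return findings

if __name__ == "__main__":
    for finding in review(CURRENT, build_baseline(HISTORY)):
        print(finding)
```

The min_attempts floor keeps a single failed login from being reported as a high failure rate; tune both thresholds against your own baseline.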

Azure AD Risky Sign-ins Table

Azure AD has determined that these logins are “risky sign-ins.” You may sometimes receive alerts from Microsoft 365 regarding “risky sign-ins” or “risky users” without much context. So, these logs will give you that context and enable you to drill down on a particular user to determine if the logins are truly risky. If there’s a notable log warranting further investigation, we recommend you filter on the custom m365-azure.event.id runtime field to show both the M365 and relevant Azure AD log.

M365 Add New Users / Azure AD Add New Users Table

These visualizations display new users added to your environment. We include both Microsoft 365 and Azure AD logs because each includes slightly different—but useful—information. If a new user appears suspicious or is performing anomalous activities, it is often useful to see how the user was created and who created it. If there’s a notable log warranting further investigation, we recommend you filter on the custom m365-azure.event.id runtime field to show both the M365 and relevant Azure AD log.

M365 Add Guests / Azure AD Add Guests Table

These tables display guests that were added to your environment. Guests can be added directly into Azure AD, via a file share, or even a Teams invite. Regardless of method, these will be shown in the logs. Again, we include both Microsoft 365 and Azure AD logs because they each include slightly different but useful information. Since guests should have limited access to system resources, it is often useful to see how they were added or invited, and by whom, if they perform unauthorized actions. If there’s a notable log warranting further investigation, we recommend you filter on the custom m365-azure.event.id runtime field to show both the M365 and relevant Azure AD log.

M365 + Azure AD Authentications Table

The events in this table are the raw M365 and Azure AD authentication logs to aid in investigations. Again, if there’s a notable log warranting further investigation, we recommend you filter on the custom m365-azure.event.id runtime field to show both the M365 and relevant Azure AD log.

M365 File Activity Dashboard

This dashboard tracks file activity across your environment, including SharePoint and OneDrive. These searches and visualizations give you a great view of the file activity in your environment as well as any file sharing (internally and externally) and any data loss prevention violations. You can use this information to tune your file sharing and data loss prevention policies.

File Activity Map

This chart shows where file activity is occurring using geolocation data. Depending on the zoom level of the map, file activity may display as clusters.

File Activity over Time Chart

This chart shows file activity over time. It will easily surface any abnormal spikes in activity during the displayed timeframes (e.g., file deletions or downloads at odd hours).

File Activity by User Chart

This chart shows file activity by user. An unexpected user or one with a high volume of file activity, especially an external or guest user, may be reason for further investigation.

File Activity by Extension Chart

This chart shows file activity by file extension (e.g., .pdf, .docx, .xlsx), which is useful in baselining usage and spotting any anomalous or malicious file extensions.

File Activity by User Agent Chart

This chart shows file activity by user agent, which is useful in baselining usage and spotting any anomalous user agents.

File Activity by Storage Chart

This chart shows file activity by storage location (e.g., SharePoint or OneDrive) and associated file activity. You can use this information to baseline usage and spot any anomalous usage.

Data Loss Prevention Table

This table displays any configured DLP alerts, including the impacted file, the matched sensitive information type, and the user that triggered the alert. You can use these alerts to investigate what triggered the alert and any necessary corrective actions.

File Sharing Internally Table

This table shows internal file sharing exclusively between users in your environment, which is useful in baselining usage and ensuring proper enforcement of your internal sharing policies.

File Sharing Externally Table

This table shows external file sharing between users in your environment and external users outside of your domain, which helps identify unauthorized sharing and ensure proper enforcement of external sharing policies.

File Activity Table

This table contains the raw file activity logs to aid in investigations.

M365 Suspicious Mail Activity Dashboard

This dashboard tracks suspicious mail activity across your environment. These searches and visualizations can tell you which users are receiving the most suspicious mail and the origin of these emails. You can use this information to tune your mail filtering policies.

Suspicious Mail Policy over Time Chart

This chart shows mail volume over time by policy type, which can help determine when you receive the most suspicious mail and its type (Phishing, Malware, etc.). With this information, you can determine if you have properly tuned your mail security policies or if they require modification.

Top Recipients by Policy Action Chart

This chart shows the top recipients of suspicious mail and the M365 actions taken. You should review heavily targeted users to determine if your current policies are sufficiently protecting them.

Top Recipients by Sender Chart

This chart shows the top senders of suspicious mail, broken down by recipient. You may consider blocking, at the domain level, repeat offenders that send to multiple users.

Suspicious Mail by Sender Table

This table shows the top senders of suspicious mail, including number of messages sent and the percentage of mail that it comprises. This information can help you tune your mail security policies to stop high volume spammers.

Suspicious Mail Activity Table

This table includes the raw suspicious mail logs to aid in investigations.

Conclusion

We hope this walkthrough has provided you a comprehensive overview of our custom dashboards and enables you to secure your Microsoft 365 environment with your Elastic Stack. We encourage you to consider your own unique use cases and build on what we’ve shared with you today. Finally, we welcome any feedback and suggestions for how to make these dashboards more useful for you and others. Enjoy!