Create an Office 365 Connector to permit ThreatLocker to access specified logs within an Office 365 Tenant. With the connector in place, Cloud Detect can leverage the collected logs to alert and/or lock out accounts based on customizable criteria and thresholds.
Please Note: Although audit logging should be enabled in 365 by default, it is possible you will need to enable it in the 365 tenant.
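One way to confirm the audit-logging prerequisite before starting the connector setup, as an added example that is not ThreatLocker's own code: the function below checks whether unified audit log ingestion is enabled in the tenant, optionally enables it, and counts the audit records produced in the last hour so you have a baseline to compare with the ingestion count the connector sidebar shows after setup. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the account used holds the Exchange Online role needed to read and change audit settings; the user principal name is a placeholder.

```powershell
# Added example (not ThreatLocker's own code). Assumes the ExchangeOnlineManagement
# module is installed and the account can read/change Exchange Online audit settings.
function Test-UnifiedAuditLogReady {
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName,   # admin account used for the Exchange Online session
        [switch]$EnableIfDisabled     # enable ingestion when it is found to be off
    )

    Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false

    # The tenant-wide switch the connector depends on.
    $config = Get-AdminAuditLogConfig
    if (-not $config.UnifiedAuditLogIngestionEnabled) {
        Write-Warning "Unified audit log ingestion is disabled in this tenant."
        if ($EnableIfDisabled) {
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
            Write-Output "Enabled unified audit log ingestion; new records may take a while to appear."
        }
    }
    else {
        Write-Output "Unified audit log ingestion is already enabled."
    }

    # Baseline: records written in the last hour, the same window the connector
    # sidebar reports once it is ingesting.
    $end     = Get-Date
    $start   = $end.AddHours(-1)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000
    Write-Output ("Audit records in the last hour: {0}" -f @($records).Count)

    Disconnect-ExchangeOnline -Confirm:$false
}

# Placeholder account; replace with a real admin UPN for your tenant.
Test-UnifiedAuditLogReady -UserPrincipalName 'admin@contoso.example' -EnableIfDisabled
```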
Navigate to the ThreatLocker Integrations page.
Search for "Office" or "365" in the search bar and then select Office 365 Connector.
Input the Microsoft Entra Tenant ID into the "Tenant ID" textbox.
The Tenant ID is located in the Tenant ID box on the Microsoft Entra admin center Overview page.
Next, select the API Consent Type, either Microsoft Graph or Office 365 Management (each API Consent Type must be added separately), and then click the "Open Consent Window" button.
Once the API Consent Type is selected, you will be prompted to log into Microsoft and accept the list of permissions being requested by ThreatLocker. Each API will require separate consent.
Once the permission request is accepted, the granted permissions will be listed in the Office 365 Connector sidebar, outlined in green.
In the future, if new permissions are needed, they will be listed, outlined in red and the "Open Consent Window" button will be visible again.
To add another tenant and/or API Consent, select the blue "+" button.
To remove a tenant, select the red "Remove Tenant" button.
Once all tenants and APIs have been configured, select the blue "Save" button at the bottom left of the sidebar to finish the Office 365 Connector setup process.
The connector will begin gathering audit logs from 365. The last log ingestion time and a count of the logs ingested within the last hour will be listed at the top of the sidebar.
Cloud Detect policies can now be set to monitor, alert, and respond to events in 365.
For more information or assistance, please reach out to the Cyber Heroes who are always available to help.