Light Dark
May 26, 2017 By J.O. Leger 2 min read
Intelligence & Analytics
Cloud Security
Data Protection
Identity & Access

Microsoft Office 365 is popular — very popular. In 2016, Gartner reported that 78 percent of enterprises surveyed used or planned to use Office 365. With access to a range of user activity events from a variety of sources, including Exchange Online, SharePoint Online and Azure Directory, how can Office 365 administrators correlate all this valuable data with other security events across their enterprises?

Applying Security Intelligence to Office 365 Audit Logs

Office 365 provides application program interfaces (APIs) that work in tandem with security intelligence platforms to deduce what’s occurring in your cloud installation and alert you to potential issues. It also includes forensic analysis features and, of course, event logging. However, security information and event management (SIEM) isn’t a core concept for Microsoft, so you’ll need to enlist a dedicated third-party offering such as IBM QRadar for the analytics you need.

The benefit of ingesting Office 365 audit logs into your IBM QRadar security intelligence platform is that you can perform powerful use cases. This integration enables you to:

  • Augment your enterprise’s security compliance posture by including Office 365 events into existing regulatory compliance reports and correlation rules.
  • Detect potential system breaches.
  • Identify possible data leaks.
  • Track user and admin activities for Exchange Online and Sharepoint Online. Activities include file and folder actions such as view, create, edit, upload, delete and download, in addition to file sharing and collaboration.
  • Report on Azure Active Directory authentications by users, and IPs for all of your Microsoft cloud apps such as Skype, Yammer, Exchange Online and others.

Join the webinar

Investigating Insider Threats With UBA

But IBM QRadar doesn’t stop there. In addition to correlating and analyzing cloud-based application logs with security analytics, it can be used within IBM QRadar User Behavior Analytics (UBA) to take user profiling to the next level. This process can help you:

  • Discover risky user behaviors and fraudulent activity.
  • Identify at-risk users, calculate risk scores and place users on a watchlist.
  • Understand the risk profile of the environment and the total of all user scores at a particular time.
  • Drill down into potential threats and gain insights for taking corrective action.

If you don’t think you need UBA as part of your security intelligence infrastructure, consider this: Insider threats account for roughly 60 percent of cyberattacks, many of which leverage phished or otherwise stolen credentials. By cross-referencing a baseline of normal activity, IBM QRadar UBA can alert analysts when anomalous behavior occurs and stop insider threats in their tracks.

To learn more about how QRadar can help you defend your network against insider threats, watch the webinar, “The Human Element: Surfacing Insider Threats with UBA.”

 |  |  |  |  |  |  |  |  |  | 
J.O. Leger
Offering Manager for QRadar Integrations, IBM

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature