Microsoft Azure and O365 Integrations Overview
Microsoft O365 and Azure are extensive platforms with many different products and functionality. Moreover, the APIs behind them (especially the Microsoft Graph API) are vast and do not fit under one integration.
Review this document to determine the Microsoft integrations you need for your use case.
Azure Active Directory#
Use Cases#
- Create users and groups.
- Remove a member from a group.
- Remove a pre-approved application.
Playbooks#
- Get Manager Details.
- Active Directory Investigation playbook.
Azure Active Directory Users#
Manage users in Azure Active Directory and O365.
- List, create, and update users.
- Terminate sessions.
- Block users, etc.
Azure Active Directory Groups#
Manage groups in Azure Active Directory and O365.
- List, create, and update groups.
- List, add, and remove members.
Azure Active Directory Identity And Access#
Manage Active Directory roles and role members.
Azure Active Directory Applications / Service Principals#
Manage applications and service principals.
O365#
Use Cases#
- Download a file from OneDrive.
- Send a message via Microsoft Teams.
- Add a member to an existing team.
- Schedule an event in the calendar.
O365 File Management (Onedrive/Sharepoint/Teams)#
Manage files in O365 (OneDrive/SharePoint/Teams).
- Upload and download files.
- List drive and folder content.
- List SharePoint sites.
Microsoft Teams#
Enable communicating and mirroring via Microsoft Teams.
- Create and update channels.
- Add users to channel
- Message users.
- Ring user.
- Message mirroring.
Microsoft Teams Management#
Manage teams and team members.
- Create and update teams.
- Add and remove team members.
O365 Outlook Calendar#
Manage calendar events.
Microsoft Graph API#
This is a generic integration that supports running any endpoint of MS Graph API. Since the API is very vast and not all of the endpoints are implemented, this integration can be used.
Audit Logs#
Use Cases:#
- Find failed login events.
- Find publicly shared files events.
- Find security events.
Playbooks#
- Office 365 and Azure Hunting.
- Office 365 and Azure Configuration Analysis.
Microsoft Management Activity#
Ingest events from O365 (Azure AD, SharePoint, EWS, etc) as incidents.
Exchange and EWS#
Use Cases#
- Find an email message.
- Move an email message to a different folder.
- Send an email.
- Delete Email.
- Modify your Outlook recipient list.
- Process Emails.
- Retrieve and update Tenant Allow/Block List items.
- Search mailboxes
- Compliance search - Start, Remove, Check Status, Get Results
| Integration | Cloud/On-Prem | Usage | Limitations | Auth Method |
|---|---|---|---|---|
| EWS O365 | Cloud/Hybrid | Manage and search mailboxes | For O365 - Supports OAuth2. Only supports admin accounts that have access to all mailboxes. | client_credentials Using Oproxy/Self-deployed. |
| EWS v2 | On-Prem + Cloud | Manage and search mailboxes. Manage compliance searches. | Basic Auth + NTLM | |
| EWS Extension | Manage junk rules and search the message trace. | Uses different APIs than EWSv2 | ||
| EWS Extension Online Powershell v2 | On-Prem | Manage mailboxes and permissions. Edit Tenant Allow/Block lists. | ||
| O365 Outlook Mail (Using Graph API) | Cloud | Manage and send email on behalf of a different user that was configured | client_credentials Using Oproxy/Self-deployed. | |
| O365 Outlook Mail Single User (Using Graph API) | Cloud | Can manage the mailbox of the configured user only | auth_code (on behalf of a user) Using Oproxy/Self-deployed. | |
| O365 - Security And Compliance - Content Search v2 | Cloud | Search across mailboxes and execute actions on the results. | Known limitation in the README Restart authentication process on | device-code (on behalf of a user). |
Azure Cloud#
Use Cases#
- Spin up a VM in Azure.
- Block traffic from Azure to a certain IP address.
- Search for Sentinel events in Log Analytics.
Azure Compute#
Create and manage Azure VMs.
Azure Network Security Groups#
Manage security groups to filter network traffic to and from Azure resource
Azure Log Analytics#
Enable querying data generated from Azure resources.
Security-focused Integrations#
Use Cases#
- Ingest security alerts.
- Search files in Box.
- Isolate an endpoint.
- Wipe a mobile device that has suspicious activity.
- Run a critical Windows update on all the endpoints in the organization.
- Threat Hunting.
- Add/Search for indicators.
- Add indicators to allow list / block list.
- Trigger scans on specified hosts.
- Get information for a specified host.
Azure Security Center#
Unified Azure security management.
- Fetch alerts.
- Manage auto-provisioning.
Azure Sentinel#
Manage the SIEM by Microsoft.
- Fetch and manage incidents.
- List entities.
Azure WAF#
Manage the Azure web application firewall.
List, create, and update policies.
Microsoft Cloud App Security#
Microsoft CASB solution.
- Fetch and manage alerts.
- Search activity and files in cloud applications.
| Integration | Use Cases |
|---|---|
| Microsoft 365 Defender | Fetch incidents on email, collaboration, identity, and device threats. Advanced hunting - querying 30 days of raw data |
| Microsoft Defender for Endpoint (Defender ATP) | Microsoft’s endpoint, detection, and response (EDR). Fetch alerts, run a scan on an endpoint, remediate an endpoint, manage indicators, get machine action status. Advanced Hunting - open query and OOTB ready to use queries for malware investigation. Live-Response - instantaneous access to a machines using a remote shell connection. |
| Microsoft Graph Security | Unified gateway to security insights. Fetch alerts from various Microsoft security sources: Azure ATP/Azure Security Center/Microsoft CAS/Azure Active Directory Identity Protection/Azure Sentinel/Microsoft Defender for Endpoint (ATP) |
| O365 Defender SafeLinks | SafeLinks policy and rule management. Retrieve reports. |
Microsoft Endpoint Configuration Manager (SCCM)#
Enable execution of scripts on multiple endpoints.
Microsoft Graph Device Management (Intune)#
Manage devices.
- Lock a device.
- Wipe a device.
- Locate a device, etc.
Feeds#
Use Cases:#
Fetch Indicators from Microsoft Defender.
Office 365 Feed#
Office 365 IP Address and URL feed.
Microsoft Intune Indicator Feed#
Indicator feed from Microsoft Intune (Defender for Endpoint).