The Microsoft security solution detection story continues, this time with Office 365 Advanced Threat Protection (O365 ATP). I haven’t touched much on O365 collaboration workload protection in my earlier posts. This post is about O365 ATP alerts, and especially O365 ATP Safe Links alerts, in Microsoft Cloud App Security and the Threat Protection suite.

Update 07/16/2020

After the recent Microsoft Cloud App Security release, the activity filtering doesn’t work as expected, as it did at the time of writing this blog in May 2020. For this reason, I updated this blog to contain a workaround until the issue is fixed. The workaround can be found in the “Example – Safe Links policy (Updated version)” chapter.

What’s O365 Advanced Threat Protection (O365 ATP)?

In a nutshell, Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools.

It comes in Plan 1 and Plan 2 license versions; more information is available here.

O365 ATP Policies

The following categories are available when configuring policies for O365 ATP. The descriptions are from docs.microsoft.com.

ATP Safe Attachments

Provides zero-day protection to safeguard your messaging system by checking email attachments for malicious content. It routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. If no suspicious activity is found, the message is forwarded to the mailbox.

ATP Safe Links

Provides time-of-click verification of URLs, for example, in email messages and Office files. Protection is ongoing and applies across your messaging and Office environment. Links are scanned for each click: safe links remain accessible and malicious links are dynamically blocked.

ATP for SPO, ODfB and Teams

Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries.

ATP anti-phishing protection

Detects attempts to impersonate your users and internal or custom domains. It applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.

Gimme Alerts!!

When O365 ATP is activated from the M365 Security & Compliance Center, the default set of alert policies is activated (descriptions found from here). Here is an example of an alert based on a safe attachment policy.

This default policy should do the trick, but in my environment I didn’t receive any alerts based on the default policy.

But, I can see activities and detections based on Safe Links policy in the new report template that was rolled out in March 2020.

O365 Management Activity API

O365 ATP events are available from the O365 Management Activity API. If you would like to send events and alerts to a 3rd party SIEM, you should create an audit.general subscription to pull the O365 ATP events to the SIEM.

The following values of AuditLogRecordType are relevant for O365 ATP events:
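An added example (not code from the original post) of the SIEM-side filtering once Audit.General content blobs have been downloaded: it keeps only the ATP records, drops duplicates, and counts Safe Links clicks per user. The RecordType numbers and the subscription URL follow Microsoft's Management Activity API documentation; the sample blob, user names and URL are constructed.

```python
import json
from collections import Counter

# RecordType numbers as listed in Microsoft's Management Activity API schema
# (AuditLogRecordType enum); they are not taken from this post.
ATP_RECORD_TYPES = {
    28: "ThreatIntelligence",            # mail phishing and malware events
    41: "ThreatIntelligenceUrl",         # Safe Links click events
    47: "ThreatIntelligenceAtpContent",  # SharePoint, OneDrive, Teams files
}

def subscription_start_url(tenant_id):
    """URL to POST to (with a bearer token) to start the Audit.General feed."""
    return ("https://manage.office.com/api/v1.0/" + tenant_id +
            "/activity/feed/subscriptions/start?contentType=Audit.General")

def atp_events(blob_text, seen_ids):
    """Normalize ATP records from one blob; seen_ids persists across blobs."""
    events = []
    for rec in json.loads(blob_text):
        name = ATP_RECORD_TYPES.get(rec.get("RecordType"))
        if name is None or rec.get("Id") in seen_ids:
            continue  # not an ATP record, or already forwarded
        seen_ids.add(rec.get("Id"))
        events.append({
            "id": rec.get("Id"),
            "time": rec.get("CreationTime"),
            "record_type": name,
            "operation": rec.get("Operation"),
            "user": rec.get("UserId"),
            "url": rec.get("Url"),
        })
    return events

def safe_links_clicks_per_user(events):
    """Count TIUrlClickData events per user."""
    return Counter(e["user"] for e in events
                   if e["operation"] == "TIUrlClickData")

# Constructed sample blob: one click delivered twice, one mail event,
# and one unrelated sign-in record that must be ignored.
_click = {"Id": "a1", "RecordType": 41, "Operation": "TIUrlClickData",
          "CreationTime": "2020-05-12T08:01:10",
          "UserId": "alice@contoso.example",
          "Url": "https://phish.example.invalid/login"}
SAMPLE_BLOB = json.dumps([
    _click, _click,
    {"Id": "b2", "RecordType": 28, "Operation": "TIMailData"},
    {"Id": "c3", "RecordType": 15, "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example"},
])
```
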

Cloud App Security

In case there is a need for alert customization (or you want to centralize alert policy management), you can find O365 ATP detections in the Cloud App Security activity log. This means that you can create custom policies based on the activity log data.

Example – Safe Links policy (Updated version)

As said, there seems to be an issue in the MCAS platform that prevents using some of the activities as a filter (most probably it’s going to be fixed quite soon but the schedule is unknown).

In the meantime, while waiting for it to be fixed, there is still a workaround available. You can use the following URL to achieve the same result as before (replace fetanet with your own domain name):

https://fetanet.portal.cloudappsecurity.com/#/audits?activity.eventType=eq(11161:EVENT_O365_GENERIC:TIUrlClickData,)

Every TIUrlClickData has an activity ID “11161” that can be used as a filter when making searches in the Activity Log or creating a new policy.

Once the issue in the platform has been fixed, the earlier method presented in the next chapter should work as expected.

Example – Safe Links policy

You need to create a custom policy that detects “TIUrlClickData” from the ThreatIntel provider, which does the magic here. The reason I did this one is that the Security & Compliance Center default policies didn’t work as expected.

When MCAS receives the audit logs from the O365 API, you can see something like this on the alert page and in the activity logs.

The same event data is found in the O365 Unified Audit Log (UAL) and, as mentioned above, in the O365 Management Activity API audit.general category. But, for some reason, nothing in the O365 Security & Compliance Center alerts.

Just to highlight that there are events about malware detection. An alert about this activity is created by the default policy as expected, and the MCAS activity log has events based on this activity available.

Microsoft Threat Protection suite

The new Microsoft Threat Protection suite in M365 Security Center is a brilliant tool for incident management in M365 workloads. In my example case, the activity event is first identified in the ThreatIntel workload (O365 ATP engine) and the actual alert is raised in Cloud App Security. For that reason, the alert is found in MTP, where it can be managed.

If an alert is raised in O365 based on the default policies, it is found in MTP.

What has been surprising, in a positive way, is that when the incident/alert status is changed in the source, the status is synced immediately back to MTP. Awesome work from Microsoft!!

Happy monitoring, until next time!