2024 Global Cyber Confidence Index

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Arrow pointing leftBlog

Secure Microsoft 365 with Reveal(x) 360 Network Detection and Response

Chase Snyder

October 13, 2021

You asked. We delivered. You can now view Microsoft 365 detections and investigate threats directly in the Reveal(x) 360 console.

Security tool sprawl introduces friction into your investigations, slows down your threat response time, and wears out your analysts. By bringing Microsoft 365 security events into Reveal(x) 360, you can reduce this friction and help your security team detect advanced threats faster so you can respond quickly and effectively.

This integration enables your security team to detect and respond to Microsoft 365 risky user activities and advanced threats across your hybrid enterprise with:

  • One-click investigation workflows
  • 90 days of transaction records
  • Rich network context and comprehensive visibility in a single, streamlined interface

Risks and Challenges in SaaS Security Monitoring

Using SaaS offerings such as Microsoft 365 to conduct important business carries risk. User identities can be compromised through phishing, brute force, or simple abuse by malicious insiders. Once an identity or set of credentials is compromised, any data they have access to is at risk and the identity can be used as part of a social engineering or spear-phishing attack to access more privileged credentials. Early detection of identity compromise can prevent a small-scale compromise from becoming a large-scale data breach.

Monitoring the security of SaaS services is more challenging than monitoring self-hosted applications and services. SaaS services, including Microsoft 365, are hosted and operated on infrastructure that an enterprise security team cannot access or monitor. Teams are often forced to use default security tools with unfamiliar interfaces to monitor this one small slice of their environment. On top of that, you can't count on a SaaS service provider to secure your environment. The shared responsibility model indicates that your service provider is responsible for securing the infrastructure and software of the SaaS service, but how you use that software and what your users do with it is your own responsibility to monitor and secure.

Finally, in a dynamic, hybrid enterprise environment, detecting threats within an individual SaaS solution such as Microsoft 365 is only part of the picture. Successful security operations teams need to correlate risky behaviors across all of the applications and assets in their environment. It is challenging and frustrating to visit multiple consoles or user interfaces to analyze threats, then manually correlate detections and evidence to cobble together a view of an advanced adversary's behavior.

Simplicity and Visibility: Using Reveal(x) 360 to Monitor Microsoft 365

With Microsoft 365 integration, Reveal(x) 360 adds the ability to view Microsoft 365 detections in context with other network insights and forensic details. This helps accelerate and simplify the investigation of known threats and increase the chances of detecting new, subtle threat behaviors and more attacker techniques from the MITRE ATT&CK framework. Detections and contextual data available to analysts includes:

  • Risky user behaviors identified by Microsoft Azure machine learning
  • Indications of compromised or leaked credentials discovered by Azure AD Identity Protection
  • Password spraying attacks
  • Risky logins sorted by service, user agent, or user
  • Many other potential threat signals extracted from network traffic by ExtraHop machine learning

Beyond Microsoft 365: Monitor and Decrypt Microsoft Protocols For Greater Security

Additionally, Reveal(x) 360 already monitors Active Directory traffic to detect privilege escalation attacks and catch adversaries abusing legitimate credentials. Reveal(x) 360 is the only NDR solution that can decrypt authentication protocols such as Kerberos, as well as other Microsoft protocols, such as SMBv3, where attackers attempt to hide the signals of their malicious behavior. By leveraging NDR against Microsoft 365 and common enterprise Microsoft protocols, security analysts gain more comprehensive visibility into threat behaviors in their environment.

To learn more, watch the video, read our Microsoft 365 monitoring web page or solution brief, or visit your Reveal(x) 360 console admin panel to activate the integration and get started today.

Explore related articles

Experience RevealX NDR for Yourself

Schedule a demo