Last updated at Tue, 21 Mar 2023 16:23:13 GMT

If you are at the RSA Conference this week, you may have seen Microsoft's keynote announcing the new Office 365 Activity Feed API this morning. In case you missed it, Microsoft summarized the announcement in q blog post. The new Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions within Office 365.

Rapid7 got early access to this technology through Microsoft Technology Adoption Program and is one of the first companies to integrate with Microsoft's new Office 365 Management Activity API. As a result, Rapid7 UserInsight already fully integrates with Microsoft Office 365, enabling incident response professionals to detect and investigate incidents from endpoint to cloud, providing security and transparency for cloud services such as Office 365.

Unlike the monitoring solutions that look exclusively at network data for malicious traffic, UserInsight monitors endpoints, networks, cloud services, and mobile devices, setting traps for intruders, detecting attacks automatically and enabling fast investigation to mitigate the risks posed by compromised accounts. Integration with the new Microsoft API, allows Rapid7 to automatically collect data from Office 365, SharePoint, Azure Active Directory, and OneDrive and add to its comprehensive view of network and user behavior, giving organizations the ability to detect attacks across network, cloud, and mobile environments.

Lateral Movement Extends Beyond the Perimeter and Into the Cloud

Research shows that the use of stolen credentials is still the most common threat action. What's most concerning is that intrusions often go undetected for more than six months because they move laterally across company systems, collecting more and more credentials to gain persistence.

A common misconception is that lateral movement ends with the perimeter. However, with modern enterprise systems extending to cloud services, defenders need to think broader and include cloud services. Once they have compromised the credentials, attackers no longer have to be connected to the corporate network to access documents or email services.

Organizations need to understand user behavior across multiple environments in order to discover and investigate security incidents quickly. The new Microsoft API is a big step forward to arm security professionals with the tools they need to protect their environments and detect malicious behavior as ecosystems expand to the cloud. In enables UserInsight customers to run analytics across their entire ecosystem, within the perimeter and in the cloud.

How UserInsight leverages Microsoft's new Office 365 API

UserInsight builds a baseline understanding of a user's behavior in order to identify changes that would indicate suspicious activity and help security professionals detect an attack. Because UserInsight uniquely collects, correlates and analyzes data across all users and assets, including cloud applications, it can identify suspicious behavior other solutions can't. Examples of potential threats detected within Office 365 include:

  • Advanced Attacks: UserInsight automatically correlates user activity across network, cloud and mobile environments.  UserInsight can detect advanced attacks such as lateral movement from the endpoint to the cloud, including Office365.
  • Privileged user monitoring: Privileged users are often the ultimate target for intruders. UserInsight monitors Office 365 administrator accounts and alerts the security team of suspicious activity.
  • Geographically impossible access: The key to protecting the environment is to be able to unify the network, mobile, and cloud environments. For example, a customer would receive an alert if an employee's cell phone synchronizes email via Office 365 from Brazil within an hour of the same user connecting to the corporate VPN from Paris -- clearly one of the connections cannot be legitimate.
  • Account use after termination: UserInsight detects when a suspended or terminated employee accesses their Office 365 account, helping to stop stolen intellectual property and other business-critical information.
  • Access to Office 365 from an anonymization service: UserInsight correlates a constantly-updated list of proxy sites and TOR nodes with an organization's Office 365 activity, detecting attackers that are trying to mask their identity and location.

Once suspicious behavior is detected, security teams and incident responders can investigate the users and assets involved in context of various activity from the endpoint to the cloud, now including Microsoft Office 365 activity, and determine the magnitude and impact of the attack. Due to UserInsight's visual investigation capabilities, customers can combine asset and user data on a timeline to rapidly investigate and contain the incident.