Microsoft Defender for Office 365 Integration
Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against advanced threats delivered via email and collaboration tools, like phishing, business email compromise, and malware attacks. In Cisco XDR, we enable Defender for Office 365 users to include Defender for Office 365 detections in overall incident detection, and leverage email intelligence and detections while performing incident investigations and threat hunting.
Integration with Microsoft Defender for Office 365 allows you to incorporate Microsoft Defender for Office 365 detections into XDR's overall incident detection and correlation capabilities.
Use the Microsoft Defender for Office 365 integration to search for security detections and associated indicators, reputations, and references, involving specified email addresses, URLs, email subjects, message IDs, IPs, domains, or file hashes. It also creates a target automatically in Automation for out-of-box workflows.

To add the integration:
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Microsoft Cloud integration.
- Click the plus sign (+) in the lower-right corner of the card. The Microsoft Cloud integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Microsoft Defender for Office 365 integration in Cisco XDR.

Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into a single incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Microsoft Defender for Office 365 integration, Cisco XDR ingests the security alerts that are sent by Microsoft Defender for Office 365 and uses them for incident correlation.
To view incidents with Microsoft Defender for Office 365 data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for Microsoft Defender for Office 365 in the Source column to find incidents generated with Microsoft Defender for Office 365 data.
- Select an incident and open the Incident Detail page.
- Click the Detection page to see events from Microsoft Defender for Office 365 and other sources.

You can perform the following tasks after you integrate Microsoft Defender for Office 365 with Cisco XDR:
- Investigations - Start a new investigation into email addresses, URLs, email subjects, message IDs, IPs, domains, or file hashes. The results include any records of them found in your Microsoft Defender for Office 365 data. To verify that this integration is working, and to see what kind of data is returned, investigate one or more observables about which you know Microsoft Defender for Office 365 has recent information. For details, see Investigate.
- Automation:
  - Atomic Actions - The Mail atomic actions for the Microsoft Graph Security API can be used as building blocks in custom workflows for Microsoft Defender for Office 365. They are listed under Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Target - The Microsoft Defender for Office 365 target is created automatically for out-of-box and custom workflows. See Targets Created From Integrations.
  - Playbooks - An Automation system workflow that uses Microsoft Defender for Office 365 and is included in the Cisco Managed Incident Playbook can be used to quarantine, delete, or move email messages. See Containment, Eradication, and Recovery on the Response page.
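The investigation task above takes email addresses, URLs, message IDs, IPs, domains, and file hashes as observables. Analysts usually copy these out of a report or a message header, often in defanged form (`hxxps://`, `203[.]0[.]113[.]45`), and an investigation on a defanged string finds nothing. The following added example (not Cisco's or Microsoft's code) shows one way to pull those observable types out of pasted text and normalize them first. The sample header text is constructed, and the normalization choices (stripping the angle brackets from Message-ID, deriving the domain from URLs and sender addresses) are assumptions made for illustration, not documented Cisco XDR behaviour. Email subjects are free text and are left for the analyst to enter by hand.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the kind of text an analyst pastes from a phishing report,
# with the indicators partly defanged. Not real infrastructure.
SAMPLE_REPORT = """\
From: billing@contoso-invoices.example
Message-ID: <20240115.ABC123@contoso-invoices.example>
Subject: Overdue invoice 44871
Link: hxxps://contoso-invoices[.]example/pay?id=44871
Attachment SHA256: 3f786850e387550fdab836ed7e6dc881de23001b6c3b8f0c7c1b2f5f4b2d1e0a
Sender IP: 203[.]0[.]113[.]45
"""

# Extraction order matters: specific patterns run first and their matches are
# blanked out, so the looser domain pattern does not re-match inside a URL,
# an address, or a message ID.
MESSAGE_ID_RE = re.compile(r"^Message-ID:\s*<([^>]+)>", re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SHA256_RE = re.compile(r"\b[a-fA-F0-9]{64}\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so indicators are back in their canonical form."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)  # 203[.]0[.]113[.]45 -> 203.0.113.45
    text = re.sub(r"\bh[xX]{2}(ps?)://", r"htt\1://", text, flags=re.IGNORECASE)  # hxxps:// -> https://
    return text


def extract_observables(text: str) -> dict[str, set[str]]:
    """Return observables grouped by type, ready to paste into an investigation."""
    text = refang(text)
    found: dict[str, set[str]] = defaultdict(set)

    def take(kind: str, pattern: re.Pattern, src: str, group: int = 0) -> str:
        # Record each match under `kind` and replace it with spaces of the same
        # length so later, looser patterns cannot match inside it.
        def _record(m: re.Match) -> str:
            found[kind].add(m.group(group))
            return " " * len(m.group(0))
        return pattern.sub(_record, src)

    # Assumption: the Message-ID is stored without its angle brackets.
    text = take("message_id", MESSAGE_ID_RE, text, group=1)
    text = take("url", URL_RE, text)
    text = take("email", EMAIL_RE, text)
    text = take("sha256", SHA256_RE, text)
    text = take("ip", IPV4_RE, text)
    text = take("domain", DOMAIN_RE, text)

    # Assumption: the hosting domain of a URL and the sending domain of an
    # address are worth investigating on their own, so derive them here.
    for url in found["url"]:
        host = urlparse(url).hostname
        if host:
            found["domain"].add(host.lower())
    for addr in found["email"]:
        found["domain"].add(addr.rsplit("@", 1)[1].lower())

    return {kind: values for kind, values in found.items() if values}


if __name__ == "__main__":
    for kind, values in sorted(extract_observables(SAMPLE_REPORT).items()):
        print(f"{kind}: {', '.join(sorted(values))}")
```

Run it on the pasted text and submit each extracted value to the investigation; one observable of each type is enough to confirm the integration is returning Microsoft Defender for Office 365 records.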