A collection of custom dashboards to give you a holistc view of your Microsoft 365 environment. These dashboards can help you answer the following questions and more:
- What files are users sharing internally and externally and with who? Are there users uploading or downloading an unusually large amount of data?
- Who invited or added a guest user? Were they invited through a shared file or added directly through Active Directory?
- Where in the world are users logging in from? Are there suspicious user agents attempting to login?
- Which users receive the most suspicious mail? Where is this mail coming from?
- What users does Azure AD consider to be risky and why?
Check out our blog for an in-depth walkthrough of these dashboards. Enjoy!
- Elastic Stack v7.14 or higher
- Elastic Agent
First, we'll import the .ndjson file into Kibana.
- In Kibana, click on Stack Management in the left navigation menu.
- Next, click on Saved Objects in the left menu.
- In the top right, click on Import.
- In the window that opens, select the Microsoft 365 Dashboards.ndjson file and click Import.
Next, we'll add a custom runtime field called m365-azure.event.id that enables us to correlate Microsoft 365 and Azure logs relating to the same activity.
- Still in the Stack Management window, click on Data Views in the left menu.
- Click on logs-*.
- In the top right, click on Add field.
- In the window that opens, set the following:
- Name: m365-azure.event.id
- Type: Keyword
- Enable Set value and copy and paste the m365-azure.event.id source code into the Define script field.
- Click Save when done.
- Open the Kibana navigation menu again and click on Dashboard.
- Search for M365 and click on one of the three newly imported Microsoft 365 dashboards to start using them.
Note: This guide assumes you're already capturing Microsoft 365 and Azure logs into Elasticsearch via Elastic Agent.
- Enable and configure Elastic Agent - O365 integration.
- Enable and configure Elastic Agent - Azure integration.
If you are collecting logs via Filebeat, you will need to edit each of the panels in the dashboard and replace the logs-* index pattern with filebeat-*.
- Enable and configure Filebeat - O365 module.
- Enable and configure Filebeat - Azure module.