Red Canary monitors your Office 365 environment by integrating with the Office 365 Management API, which sources data from the Microsoft Unified Audit Log. The Unified Audit Log (UAL) is an aggregation of audited activities that occur within your Microsoft 365 environment. By connecting your Unified Audit Log to Red Canary as an external service, Red Canary will have the enhanced ability to analyze and detect threats related to email events, user sign-ins, and more, supplementing the investigation of your Microsoft email- and identity-based alerts. Supporting artifacts from the Unified Audit Log will appear alongside endpoint activity in your threat timeline where applicable.

Note: This setup only needs to be completed once and will not include historical data.

Step 1: Turn on auditing for your organization

Make sure audit logging is turned on for your organization by following the steps in Turn auditing on or off.

Step 2: Give Red Canary Office 365 permissions

Red Canary needs permission from a global administrator to ingest audit logs from your Microsoft 365 account.

1. Go to this URL, and then log in to your global administrator account.
2. Approve the permissions requested by Red Canary + Office365.

Step 3: Connect Red Canary to Office 365

1. From your Red Canary homepage, click Integrations.
   
2. From the Integrations section, locate and click the security product you want to integrate with Red Canary.
   Note: If you do not see your security product listed, click See all integrations.
   
3. In the search bar, type and then select Microsoft Office 365.
   
4. Continue onto the next step by configuring your third-party security source in Red Canary.
   Note: Your third-party security source may require that you contact Red Canary to configure.
   
5. Ensure that you’ve completed all the steps above, and then check the box indicating that auditing is turned on and Red Canary has access to your Office 365 account.
6. Paste your tenant ID in the box labeled Microsoft Office 365 Tenant ID. To find your ID, follow the steps in How to find your Azure Active Directory tenant ID.
7. Click Save.

How do I know Red Canary is connected to Office 365?

It can take some time before Red Canary starts ingesting your audit logs. Confirmed threats from Office 365 will appear alongside endpoint activity in your threat timeline.

Check the status of the integration:

1. In Red Canary, click your profile icon.
2. Under Integrations, click Microsoft Office 365. If the integration was successful, you’ll see Audit.Exchange enabled in the Office 365 Subscriptions table.
   If you don’t see any subscriptions, wait a few minutes, and then refresh the page.