Introduction
The integration of Microsoft Defender with Right-Hand's Human Risk Management (HRM) platform combines Microsoft Defender's threat detection with Right-Hand HRM's focus on human-centric security risk. Together they act as a real-time coach that sends nudges to employees and helps you build targeted campaigns from the alerts Defender raises.
By connecting the two platforms, you can:
1. Gain deeper insight into potential behaviour gaps in your workforce
2. Automate responses to security events in the form of nudges and training
This guide walks you through integrating Microsoft Defender with Right-Hand HRM using the Right-Hand MS Defender app authentication, ensuring a secure and efficient connection between the two security tools.
Prerequisites
Before beginning the integration process, ensure you have:
1. Microsoft Defender for Office 365 or Defender for Cloud Apps, Plan 1 or Plan 2
2. Admin access to your Right-Hand HRM platform
3. The permissions needed to create and manage app registrations in the Azure portal: preferably Global Admin, or Security Admin plus Exchange Admin
Integration Steps
Step 1: Go to the Right-Hand integrations page and locate MS Defender for O365 or MS Defender for Cloud Apps
Both integrations (O365 and Cloud Apps) are managed by the same Right-Hand app in the Azure portal. Integrating through either one makes both integrations live.
If you do not want to receive events from one of the portals, disable its events in the Detection Rules section:
View Configurations --> Detection Rules --> Enable event (disable all the events for that integration)
Step 2: Click Configure, then click Connect to MS Defender App
Step 3: Follow the Microsoft authentication and authorization flow to complete the integration.
You will then land on the following screen.
Events are enabled by default for data ingestion, so you can start analysing your dashboard before deciding on actions for particular events.
Conclusion
By integrating Microsoft Defender with Right-Hand HRM using App Authentication, you enable a seamless flow of information between the two platforms and more effective human risk management.
Remember to regularly review and update your integration settings to ensure optimal performance and security. For any additional assistance or questions, please contact Right-Hand HRM support. <[email protected]>
Events Supported with MS Defender
MS Defender for Office 365
Employee clicked a potentially malicious URL
This event is considered by Right-Hand when the following condition is met in the received alert:
title: A potentially malicious URL click was detected
Employee clicked a potentially malicious URL and overrode the Safe Links warning
This event is considered by Right-Hand when the following condition is met in the received alert:
title: A user clicked through to a potentially malicious URL
An email with a malicious file was directed to the employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages containing malicious file removed after delivery
A malicious email campaign was directed at the workforce
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages from a campaign removed after delivery
Scam, BEC or spear-phishing attack directed at the employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages removed after delivery
Employee reported an email as phish or malware
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email reported by user as malware or phish
Account Compromise: Employee sent bulk outbound emails
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email sending limit exceeded
Account Compromise: Employee used MS Forms to phish others
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Form blocked due to potential phishing attempt
A malicious attack directed at employees via MS Forms
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Form flagged and confirmed as phishing
Campaign with emails containing malware directed at employees
This event is considered by Right-Hand when either of the following conditions is met in the received alert:
title: Malware campaign detected after delivery
OR
title: Malware campaign detected and blocked
Account Compromise: Potential nation-state attack directed at employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Potential nation-state activity
Account Compromise: Suspicious email forwarding rules created by employees
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious email forwarding activity
Account Compromise: Suspicious emails forwarded by employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious email sending patterns detected
Account Compromise: Employee restricted from sending emails due to suspicious activity
This event is considered by Right-Hand when the following condition is met in the received alert:
title: User restricted from sending email
MS Defender for Cloud Apps
Malware detected in employee's cloud storage
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Malware detection
Ransomware activity detected in relation to employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Ransomware activity
Employee account might be compromised due to a command-and-control (C&C) or password-spray attack
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Activity from suspicious IP addresses
Employee might be accessing their system via a proxy
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Activity from anonymous IP addresses
Suspicious email forwarding rules were created in employee's email account
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious inbox forwarding
Suspicious email manipulation rules were created in employee's email account
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious inbox manipulation rules
Suspicious downloads from connected apps used by employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious OAuth app file download activities
Unusual multiple file download activities detected from an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple file download activities
Unusual file share activities detected from an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file share activities
Account Compromise: Unusual file deletions done by employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file deletion activities
Account Compromise: Unusual impersonation activities detected in relation to an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual impersonated activities
Account Compromise: Unusual Power BI report sharing done by an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual Power BI report sharing activities
Account Compromise: Unusual multiple VM creation activities
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple VM creation activities
Account Compromise: Unusual multiple storage deletion activities
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple storage deletion activities
Account Compromise: Unusual region for cloud resource
This event is considered by Right-Hand when the following condition is met in the received alert:
title: User restricted from sending email
Account Compromise: Suspicious file access detected
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file access
Brute-force attack detected in relation to an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Multiple failed login attempts
Employee potentially shared data to or with unsanctioned apps
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Data exfiltration to unsanctioned apps
Employee shared a file externally that has a sensitive file extension
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Sensitive file extension
Unused files made publicly available by an employee
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Stale externally shared files
Employee shared source code to an external domain
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Externally shared source code
Access to an S3 bucket made public
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Publicly accessible S3 buckets (AWS)
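The two lists above show that the Defender alert title is the only discriminator Right-Hand uses, and the Detection Rules section lets you switch off all events from one product. The script below, an added example that is not Right-Hand's or Microsoft's code, reproduces that mapping for a representative subset of the titles so you can check offline which alerts from an export would become events; the JSON field names (title, userPrincipalName) and the sample alerts are constructed assumptions.

```python
import json

# Representative subset of the page's title-to-event mapping, keyed by the
# Defender alert title. Two titles fold into one Right-Hand event, as on the page.
TITLE_TO_EVENT = {
    "A potentially malicious URL click was detected":
        ("O365", "Employee clicked a potentially malicious URL"),
    "Malware campaign detected after delivery":
        ("O365", "Campaign with emails containing malware directed at employees"),
    "Malware campaign detected and blocked":
        ("O365", "Campaign with emails containing malware directed at employees"),
    "Suspicious email forwarding activity":
        ("O365", "Account Compromise: Suspicious email forwarding rules created by employees"),
    "Ransomware activity":
        ("CloudApps", "Ransomware activity detected in relation to employee"),
    "Multiple failed login attempts":
        ("CloudApps", "Brute-force attack detected in relation to an employee"),
}
# Case-insensitive index so minor casing differences in alert titles still match.
_INDEX = {title.casefold(): value for title, value in TITLE_TO_EVENT.items()}

def classify(alert, disabled_products=frozenset()):
    """Return the Right-Hand event for one alert dict, or None when the title is
    unmapped or events for its product were disabled under Detection Rules."""
    match = _INDEX.get(str(alert.get("title", "")).strip().casefold())
    if match is None or match[0] in disabled_products:
        return None
    product, event = match
    return {
        "product": product,
        "event": event,
        # the page labels account-takeover indicators with this prefix
        "account_compromise": event.startswith("Account Compromise:"),
        "user": alert.get("userPrincipalName"),  # field name is an assumption
    }

def classify_batch(raw_json, disabled_products=frozenset()):
    """Classify a JSON array of alerts, dropping unmapped or disabled ones."""
    results = [classify(a, disabled_products) for a in json.loads(raw_json)]
    return [r for r in results if r is not None]

# Constructed sample payload, not a real Defender export.
SAMPLE_ALERTS = json.dumps([
    {"title": "A potentially malicious URL click was detected", "userPrincipalName": "ana@example.com"},
    {"title": "malware campaign detected and blocked", "userPrincipalName": "ben@example.com"},
    {"title": "Suspicious email forwarding activity", "userPrincipalName": "cai@example.com"},
    {"title": "Multiple failed login attempts", "userPrincipalName": "dee@example.com"},
    {"title": "Some alert Right-Hand does not model", "userPrincipalName": "eve@example.com"},
])
```

Passing disabled_products={"CloudApps"} to classify_batch mirrors disabling all Cloud Apps events under View Configurations --> Detection Rules.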