Microsoft 365 is the backbone of business operations for over 2 million companies worldwide (Statista), making it a prime target for cyberattacks. Threat actors frequently exploit compromised credentials, privilege escalation, phishing emails, and brute-force attacks to gain unauthorized access to M365 environments. These identity-based threats can lead to data breaches, financial losses, and operational disruptions.
Meanwhile, IT and security teams often struggle to respond to M365 threats efficiently. Managing multiple security tools and platforms while context-switching throughout the day slows down response times and increases the risk of successful attacks.
Blumira now offers a simpler way to respond to Microsoft 365 threats: Microsoft 365 Threat Response, a new feature that lets you protect your M365, Azure, and Entra environments directly within Blumira for faster remediation. We’ve built threat response into our platform with over 90 detections, including Impossible Travel Activity, Suspicious Email Sending Patterns, and New MFA Device Added.
Microsoft 365 response actions address identity management, isolation, and remediation, protecting your environment from compromised users until you can investigate further. Now you can disable users and revoke sessions in just a few clicks, without ever leaving the platform, helping you save time and improve your average time to respond.
How it Works:
Benefits:
All Direct and MSP accounts with SIEM+ or XDR licensing plans have access to Microsoft 365 Threat Response. Getting started is quick and straightforward. Follow these steps to set up a response action:
Before You Begin
To set up a response connector, ensure that you have the correct administrator access in both your Microsoft 365 account and in Blumira. Additionally, your Blumira account must have a Microsoft 365 Cloud Connector configured for logging, and supported detection rules must be enabled.
Set Up the Response Connector
To configure the Blumira connector for Microsoft 365 Threat Response, you'll need to gather and enter a specific set of credentials. This involves opening Blumira's Cloud Connectors settings, retrieving the Application (client) ID and Directory (tenant) ID from the Microsoft Entra admin center, and granting the required API permissions. You'll also create a client secret; store it securely and schedule its rotation so it is replaced before it expires.
Test Response Actions in a Finding
Once you've configured your response connector in the app, you can test the response actions by triggering a detection that generates a finding, allowing you to view and use the available response actions.
Respond to a Finding
Responding to a finding is the easiest step. To take action on the activity identified in the finding, navigate to Reporting > Findings, and open the specific finding. On the finding detail page, click Disable User & Revoke Sessions to take the necessary action.
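For readers who want to see what the Disable User & Revoke Sessions action amounts to at the Microsoft Graph level, the following is an added example and not Blumira's code: it performs the same two-step containment with the Microsoft Graph PowerShell SDK, authenticating as an Entra app registration with a client secret. The tenant ID, application ID, the CSV log path, and the set of application permissions listed in the comments are assumptions; replace them with your own values.

```powershell
# Added example (not Blumira's implementation): disable a compromised user and
# revoke their sign-in sessions via Microsoft Graph, mirroring the response action.
# Assumed application permissions, admin-consented on the app registration:
#   User.Read.All, User.EnableDisableAccount.All, User.RevokeSessions.All
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $TenantId = '<your-directory-id>',    # Directory (tenant) ID placeholder
    [string] $ClientId = '<your-application-id>',  # Application (client) ID placeholder
    [securestring] $ClientSecret = (Read-Host -AsSecureString 'Client secret')
)

# App-only sign-in with the client secret; the secret is prompted for, not hard-coded.
$cred = [pscredential]::new($ClientId, $ClientSecret)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
if (-not $user.AccountEnabled) {
    Write-Host "$UserPrincipalName is already disabled; revoking sessions anyway."
}

# Step 1: block new sign-ins (the 'disable user' half of the action).
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: invalidate the user's refresh tokens so cached sessions must
# re-authenticate, which now fails against the disabled account.
$null = Revoke-MgUserSignInSession -UserId $user.Id
Write-Host "Disabled $($user.UserPrincipalName) and revoked sign-in sessions."

# Record the containment step for the investigation timeline (assumed log path).
[pscustomobject]@{
    Time   = (Get-Date).ToString('o')
    User   = $user.UserPrincipalName
    Action = 'DisableUser+RevokeSignInSessions'
} | Export-Csv -Path .\m365-response-log.csv -Append -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Revoking sessions invalidates refresh tokens only; access tokens already issued remain usable until they expire (typically up to an hour) unless the client supports Continuous Access Evaluation, so treat the disable step as the hard stop and the revocation as cleanup.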
With Microsoft 365 Threat Response, Blumira provides security teams a quicker and more efficient way to handle threats directly within the platform. This feature helps you better safeguard your environment from compromised users, saving time and improving your average response time.
“When a user is compromised, every second counts. It brings peace of mind to us and to our clients that Blumira’s M365 Threat Response can lock bad actors out in seconds, stopping them quicker than ever before!”
- Matt Timm, Network Operations Center Team Lead, TR Computer Sales
Ready to try it out? Microsoft 365 Threat Response is available now to Direct and MSP customers with SIEM+ or XDR licensing plans. Check out our virtual tour:
For more information, or if you have any questions, feel free to reach out to our Security Operations and Support team here. We’re here to help!