What this integration is
Office 365 (Microsoft 365) telemetry is typically API-collected audit/sign-in activity that becomes part of your tenant's SIEM dataset.
Data path (how it flows)
Typical flow:
- Microsoft 365 → External Service integration (API collector)
- Events → SIEM storage (Wazuh Indexer / OpenSearch-backed)
- Optional: events → Graylog alert definitions
- Alerts → gl-events* → CoPilot Incident Management → Alerts
- Operator workflow → Cases
What data you get (high level)
- Audit activity (user/admin activity)
- Authentication/sign-in related events (depending on collector scope)
Setup (wireframe)
- Configure Office 365 under External Services / 3rd Party Integrations.
- Ensure events are tenant-aware (associated with the correct customer).
Success criteria
- You can locate at least one recent Office 365 event in CoPilot
- The event is associated with the expected customer
Dashboards
After provisioning, CoPilot can deploy templated dashboards for supported integrations.
- Confirm relevant Grafana dashboards for this customer are populated (not empty panels)
Alerts (starter set)
- Suspicious sign-ins (impossible travel / unfamiliar location, if available)
- Admin role changes
- Mailbox forwarding / inbox rule changes
- OAuth consent / suspicious app registrations (if available)
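As an added illustration (not CoPilot's or Graylog's own alert code), the starter set above can be expressed as classification logic over Office 365 Unified Audit Log records. The sample records are constructed and assume the Management Activity API field names (Workload, Operation, UserId, Parameters); suspicious sign-ins are left out because they need location enrichment that the raw records do not carry.

```python
"""Classify Office 365 Unified Audit Log records against the starter alert set."""

# Constructed sample records (not real tenant data), shaped like the
# Office 365 Management Activity API schema: Workload, Operation, UserId,
# and Exchange cmdlet Parameters as Name/Value pairs.
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "ext@example.net"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "Add member to role.",
     "UserId": "admin@example.com"},
    {"Workload": "AzureActiveDirectory", "Operation": "Consent to application.",
     "UserId": "bob@example.com"},
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ext@example.net"}]},
    # Benign inbox rule: moves mail within the mailbox, no forwarding parameter set.
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "dave@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "erin@example.com"},
]

# Exchange parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
ADMIN_ROLE_OPS = {"Add member to role.", "Add eligible member to role."}
CONSENT_OPS = {"Consent to application.", "Add service principal.",
               "Add OAuth2PermissionGrant.", "Add app role assignment grant to user."}


def classify(record):
    """Return the starter-alert name a record matches, or None if it is benign."""
    op = record.get("Operation", "")
    # Only parameters with a non-empty value count; clearing forwarding is not an alert.
    params = {p["Name"] for p in record.get("Parameters", []) if p.get("Value")}
    if record.get("Workload") == "Exchange" and op in RULE_OPS and params & FORWARDING_PARAMS:
        return "mailbox_forwarding"
    if op in ADMIN_ROLE_OPS:
        return "admin_role_change"
    if op in CONSENT_OPS:
        return "oauth_consent"
    return None


def triage(records):
    """Map each matching record to a minimal alert suitable for case creation."""
    return [{"alert": tag, "user": r.get("UserId"), "operation": r["Operation"]}
            for r in records if (tag := classify(r))]
```

Running `triage(SAMPLE_RECORDS)` yields four alerts (two forwarding changes, one role change, one consent) and ignores the benign rule and the SharePoint access.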
Troubleshooting
- Verify the external service/integration is connected and healthy
- Confirm customer code / tenant routing assumptions
- Validate the ingestion pipeline (collector → storage → CoPilot view)
