Microsoft Safe Links

Connect the Microsoft Safe Links data feed.

In this guide, you'll configure the integration between Radiant and Microsoft Safe Links. Safe Links scans and rewrites URLs in inbound emails and performs time-of-click verification to protect users from malicious links. To learn more, see Safe Links in Microsoft Defender for Office 365.

Integrating the Microsoft Safe Links data feed into Radiant gives your organization visibility into phishing emails accessed from unmanaged devices. With this data, Radiant can identify users who clicked on malicious links from personal devices, arming you with the data necessary to perform deeper investigations and reveal the full scope of an incident.

Additionally, we guide analysts to block access to URLs leveraging Safe Links when Microsoft has not already blocked them.

Prerequisites

Administrator of the O365 account
This configuration assumes that the permissions for message trace were already granted as part of the Microsoft O365 onboarding

Enable Safe Links

Log in to the Security portal of Microsoft 365.
From the left side menu, navigate to Email & collaboration > Policies & Rules.
Click Threat policies, then select Safe Links.
Click + Create to add a new policy.
- Add all users, groups, or domains that will be monitored.
- The following screenshot details the mandatory and preferred configuration settings.
  - Mandatory configuration is outlined in red. It includes:
    On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default.
    Apply Safe Links to email messages sent within the organization
  - Preferred configuration is outlined in blue. It includes:
    Track user clicks
    Let users click through to the original URL

Leave all other settings unchanged and click Submit.

Note: Once enabled, Microsoft will begin replacing all email links with Safe Links.

The standard prefix is: https://nam01.safelinks.protection.outlook.com

Add the data connector in Radiant Security

Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors.
From the list of enabled connectors, find Microsoft O365 and click View Details.
Click the Actions drop-down and select Edit Data Feeds.
Select the SafeLinks data feed, click Credentials and select the current credential used for the other O365 connectors.
Click Add Connector to complete the setup.

PreviousMicrosoft O365 NextMimecast API 2.0

Last updated 11 days ago