In this article, you will learn about the M365 end-user security component of the Threat-hunting & Action Center (TAC).
1. Description
2. How does M365 User Security work?
3. Views
4. Settings
DESCRIPTION
M365 User Security collects data on user logins in an Azure AD environment. Before explaining this, we would like to introduce you to Login Anomaly Detection (LAD), which is an essential part of M365 User Security. Using the Login Anomaly Detection module, a customer/reseller can monitor suspicious activity at the network level, as the module offers relevant telemetry for AAD-joined users: multiple failed login attempts, users that are logged in from another country, or both, i.e. failed login attempts by a user who is trying to log in from another country.
HOW DOES M365 USER SECURITY WORK?
M365 User Security uses an Azure AD enterprise application that gets created during setup to collect the user login data (through the Microsoft Graph API), analyze it, and report it in the HEIMDAL Dashboard under Threat-hunting & Action Center (M365 tab). M365 User Security checks the user login data and flags the anomalies found in the environment. If a user login attempt is noticed from a place that is not a known place of the user, M365 will flag this as an anomaly and, depending on the configuration, the affected user can be logged out on detection. After the setup process, the M365 User Security module provides info about three types of detections:
- Unusual login - a login from another country;
- Failed consecutive logins - multiple failed login attempts;
- Failed login from unknown location - failed login attempts from another country.
VIEWS
Reseller view
The Reseller can visualize all its Enterprise/Corp customers grouped geographically with a pin on the globe, and also their highest risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe.
On the left side of the page, there is an overview containing the total number of customers pertaining to that reseller that have an M365 User Security licensing option activated, and the correlated list sorted in descending order by M365 User Security average risk score (the sorting is customizable: the reseller can opt to sort their customers by LAD, ESEC or REP for Cloud detections).

The reseller can also visualize the number of Login Anomaly Detections (LAD), REP for Cloud and Email Security detections, as well as the customer M365 User Security average risk score and the total number of end users/customers. Clicking on a customer will impersonate that specific customer, displaying data related to said customer’s end users. When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of customers that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the M365 User Security average risk score.
Clicking on a customer name from the panel will impersonate that specific customer.
Customer view
In M365 User Security (using the designated toggle), a customer can view all of their end users, grouped geographically with a pin on the globe, and their corresponding risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe.
On the left side of the page, we display the total number of end users under the impersonated customer and the list of users, sorted in descending order by the Risk Score. On top of the earlier mentioned info, we’re also displaying, at the user level, the number of Login Anomaly Detections (LAD), REP for Cloud and Email Security detections (the HEIMDAL Dashboard users also have the option to switch from the default sorting on risk score, to a custom sorting based on either LAD, REP for Cloud or ESEC detections).

When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of users that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the user’s risk score.
After selecting an end user from the list, the panel switches to displaying user-related details. The details comprise the five most recent LAD, REP, and ESEC detections, color-coded as follows:
- LAD - red color;
- ESEC - orange color;
- REP - grey color.
Pressing the three dots menu from the top-right corner of the panel displays two options:
- Threat Telemetry Details - redirects the customer to the M365 User Details view;
- Action Center - opens the M365 User Security Action Center modal window.
When you select a user who has registered LAD or ESEC detections, those detections are displayed on the globe in their corresponding colors.
Clicking on an ESEC detection will open the “Email Detection specifics” view in the right-side panel, and the route of the email will be graphically displayed on the globe, from the originating email server (Envelope icon), through all the intermediate (“hop”) email servers, to the recipient’s latest location (User icon).
IMPORTANT
LAD detection pins are generated based on unusual login activity IP addresses. ESEC detection pins are generated based on the location of the email server where the detections are originating from.
M365 User Security specifics
The M365 User Security user details/specifics view (opened by clicking on an end user/email address in the left-hand side vertical menu) is based on 3 modules: ESEC (Email Security and Email Fraud Prevention), REP (Ransomware Encryption Protection for Cloud), and LAD (Login Anomaly Detection). In the M365 specifics, you get dedicated tabs for each type of detection registered by the product and you can perform the same actions as from the corresponding product pages, but only for the email, REP for Cloud, and LAD detections of the end user that you clicked on (pre-filtering is applied). This view displays the username and last login info of the selected user.

In addition to the 3 earlier-mentioned tabs plus the M365 one, you can log out the selected user using the Force User Logout button.

- Email Security
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines. You can filter by From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.

- Email Fraud Prevention
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines. You can filter by From, Header From, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
- REP
The REP (Ransomware Encryption Protection for Cloud) grid provides the following details about the REP for Cloud detections made at the user level: email address, AD Group, number of affected files, whether the user's session was revoked, and the Timestamp. The search field allows you to search by AD Group.

- LAD
The LAD (Login Anomaly Detection) grid provides info at the end-user level about the alert name (unusual login or failed login), its description (user logged in from the specific country, or user had 5 failed login attempts within 60 minutes), and the timestamp (when the alert was generated).
You can use the search field to search for an event by its Alert description, download the data as a CSV file, and filter the data using the Filters button. If one or multiple unusual login notifications are selected, you can take the Acknowledge action, which means that, for the next 30 days, this type of notification will no longer be displayed.
- M365
The M365 grid provides info at the end-user level about the overall risk score as well as relevant end-user info. End-user info is populated from Azure Active Directory when synchronized:
- User Score - displays a circular progress bar with the user risk score and severity level;
- User Info - displays Azure AD information about the user (User Principal Name, Display Name, Last IP, and Country);
The Risk Chart container displays a visual representation of the user risk score derived from the three modules (ESEC, LAD, REP for Cloud). When clicking on any of them in the spider web chart, the right-hand side shows the risk score for that particular module and a preview of relevant info, with the option to navigate to the respective tab by clicking the Investigate View button.

The M365 User Security bottom widget (expanded by pressing the blue arrow at the bottom of the page) displays details about the end users’ risk score and notifications (count + quick access to the M365 Action Center), in a very similar way to the TAC bottom widget.
The M365 User Security Action Center is made of 2 tabs (similar to the TAC Action Center), namely the Aggregated Notifications one (containing identical M365 User Security notifications grouped under one notification with multiple hits), and the Notifications tab (displaying a grid with all M365 User Security notifications generated by LAD and REP for Cloud).

IMPORTANT
ESEC notifications are not available in the M365 Action Center but are taken into consideration for the M365 User Security risk score calculation.
The functionalities of both M365 User Security tabs/views are the same as the ones of the Threat-hunting & Action Center (searching, filtering, sorting, pagination, actionability, actions history, default action definition etc.), the only difference being the source of the notifications (the 2 formerly mentioned product modules) and some of the actions that can be taken on said notifications.
Advanced filtering by alert type (Unusual, Consecutive Failed, Failed from unknown location) is available through the green Filters button.
IMPORTANT
The Force User Logout action button is enabled only if the customer tenant ID is synchronized, and consent is granted for the HEIMDAL LAD application.
SETTINGS
M365 User Security is based on the Login Anomaly Detection engine that can be activated from Network Settings -> Login Anomaly Detection tab. Once you enable Login Anomaly Detection, you can set up the Azure AD LAD application by pressing the Grant consent link, which will direct you to the Microsoft 365 login page to grant permissions.

IMPORTANT
Granting consent to the Azure AD LAD application can be done ONLY if a tenant ID is specified and synchronized in the Guide -> Customer settings -> Login setup -> Azure login section. If you don't have the Azure AD LAD application configured and the tenant ID synchronized, the HEIMDAL Dashboard will display a toast message: A tenant ID needs to be configured to be able to grant consent.

- Logout user on detection - if an unusual login is detected, the user that generated it will be disconnected from all Microsoft web sessions where the user is logged in;
- Exclusions - displays a grid with the list of countries that are excluded from the detection of login anomalies. You can add a country using the dropdown menu or delete a country from the list.
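To make the three detection types from the Description section, the LAD grid thresholds (5 failed attempts within 60 minutes) and the two settings above (country exclusions, logout on detection) concrete, here is a small Python model of that logic. It is an added illustration, not Heimdal's code: the product's actual detection rules and risk score are not published on this page. It assumes sign-in records shaped like Microsoft Graph `signIn` objects (userPrincipalName, createdDateTime, ipAddress, status.errorCode, location.countryOrRegion), treats the countries of a user's earlier successful sign-ins as that user's "known" places (a baseline strategy chosen for the example), and runs on constructed sample data.

```python
"""Toy model of the three LAD detection types and two LAD settings described on this page.

Added illustration, not Heimdal's code. Assumptions: sign-in records use the field names of
Microsoft Graph `signIn` objects; a user's "known" countries are those of their earlier
successful sign-ins in the batch; the 5-failures-in-60-minutes threshold is the one quoted in
the LAD grid description.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                    # "5 failed login attempts within 60 minutes"
FAILED_WINDOW = timedelta(minutes=60)


def rec(user, when, ip, error_code, country):
    """Build one constructed sign-in record in the Graph-like shape used below."""
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "status": {"errorCode": error_code}, "location": {"countryOrRegion": country}}


# Constructed sample data. errorCode 0 = success; 50126 is the AAD "invalid credentials" code.
SAMPLE_SIGNINS = [
    # alice: baseline in DK, later a successful sign-in from BR -> Unusual login
    rec("alice@example.com", "2024-05-01T08:00:00Z", "203.0.113.10", 0, "DK"),
    rec("alice@example.com", "2024-05-02T03:00:00Z", "198.51.100.7", 0, "BR"),
    # bob: baseline in DK, five failures in 40 minutes -> Failed consecutive logins,
    # then a single failure from NL -> Failed login from unknown location
    rec("bob@example.com", "2024-05-01T08:30:00Z", "203.0.113.11", 0, "DK"),
    rec("bob@example.com", "2024-05-01T10:00:00Z", "203.0.113.11", 50126, "DK"),
    rec("bob@example.com", "2024-05-01T10:10:00Z", "203.0.113.11", 50126, "DK"),
    rec("bob@example.com", "2024-05-01T10:20:00Z", "203.0.113.11", 50126, "DK"),
    rec("bob@example.com", "2024-05-01T10:30:00Z", "203.0.113.11", 50126, "DK"),
    rec("bob@example.com", "2024-05-01T10:40:00Z", "203.0.113.11", 50126, "DK"),
    rec("bob@example.com", "2024-05-01T12:30:00Z", "192.0.2.44", 50126, "NL"),
    # carol: baseline in DK, success from SE; SE is on the exclusion list -> no alert
    rec("carol@example.com", "2024-05-01T09:00:00Z", "203.0.113.12", 0, "DK"),
    rec("carol@example.com", "2024-05-01T15:00:00Z", "203.0.113.99", 0, "SE"),
]


def parse_ts(value):
    """Parse a Graph-style UTC timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_login_anomalies(signins, excluded_countries=(), logout_on_detection=False):
    """Return (alerts, actions).

    alerts carry the LAD grid columns (alert name, description, timestamp) plus the user;
    actions lists the session revocations the "Logout user on detection" setting would trigger.
    """
    excluded = set(excluded_countries)
    known = defaultdict(set)        # user -> countries of earlier successful sign-ins
    failures = defaultdict(deque)   # user -> timestamps of failed sign-ins in the current window
    alerts, actions = [], []

    for s in sorted(signins, key=lambda r: parse_ts(r["createdDateTime"])):
        user, ts = s["userPrincipalName"], parse_ts(s["createdDateTime"])
        country = s["location"]["countryOrRegion"]
        success = s["status"]["errorCode"] == 0
        # A place is "unknown" only once a baseline exists and the country is not excluded.
        unknown_place = bool(known[user]) and country not in known[user] and country not in excluded

        if success:
            if unknown_place:
                alerts.append({"user": user, "alert": "Unusual login",
                               "description": f"user logged in from {country}", "timestamp": ts})
                if logout_on_detection:
                    actions.append({"action": "revoke_sessions", "user": user, "timestamp": ts})
            known[user].add(country)   # design choice: a successful sign-in extends the baseline
            continue

        if unknown_place:
            alerts.append({"user": user, "alert": "Failed login from unknown location",
                           "description": f"failed login attempt from {country}", "timestamp": ts})
        window = failures[user]
        window.append(ts)
        while ts - window[0] > FAILED_WINDOW:      # drop failures older than the window
            window.popleft()
        if len(window) >= FAILED_THRESHOLD:
            minutes = int(FAILED_WINDOW.total_seconds() // 60)
            alerts.append({"user": user, "alert": "Failed consecutive logins",
                           "description": f"user had {FAILED_THRESHOLD} failed login attempts "
                                          f"within {minutes} minutes",
                           "timestamp": ts})
            window.clear()   # one alert per burst, then start counting again

    return alerts, actions


if __name__ == "__main__":
    found, todo = detect_login_anomalies(SAMPLE_SIGNINS, excluded_countries={"SE"},
                                         logout_on_detection=True)
    for a in found:
        print(f'{a["timestamp"].isoformat()}  {a["user"]:<18} {a["alert"]}: {a["description"]}')
    for act in todo:
        print(f'{act["timestamp"].isoformat()}  {act["user"]:<18} -> {act["action"]}')
```

Run as-is, the sample yields one alert of each type (bob's burst of five failures, bob's failed attempt from NL, alice's sign-in from BR) and a single revoke-sessions action for alice; carol's sign-in from SE is silent because SE is excluded. Removing SE from the exclusion set turns carol's sign-in into a fourth alert, which is the trade-off the Exclusions setting exists to tune.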