// Office 365 Protection

Office 365 security.

Powered by UPX

Continuous monitoring for sign-ins, mailboxes, SharePoint, OneDrive, Teams and identities, powered by Chronicle SIEM with managed detections and cases investigated by the UPX team.

Office 365 Protection ingests Microsoft 365 and Azure AD signals, correlates them with threat intelligence and delivers actionable cases inside the USS Platform. No generic dashboards: you get what matters, ready to act on.

Audit-ready compliance: SOC 2 Type II, ISO 27001 and PCI DSS compliant.

Office 365 Protection

Managed detection and response for Microsoft 365 and Azure AD.

Start the 60-day trial

No credit card required. Cancel anytime.

60-day trial with guided setup. Billed via Stripe on monthly or annual cycles.

// At a glance

Essential coverage for your Microsoft 365.

4 feeds
Microsoft 365 audit, Azure AD sign-in, message trace and mailbox activity continuously monitored.
60 days
Full trial with assisted onboarding and detections pre-tuned for your tenant.
MDR
Managed detection and response: cases investigated, classified and prioritized by UPX.
Chronicle
Google Chronicle SIEM and YARA-L rule engine as the detection backbone.

// The problem

Microsoft 365 is a critical attack surface, yet rarely monitored properly.

The logs are there, scattered across Defender, Purview, Entra ID and the Microsoft 365 portal. Without a dedicated team, evidence of compromise stays unnoticed until it becomes an incident.

Quiet account takeover

MFA-bypass logins, stolen tokens and persistent sessions are usually only spotted after data has already been exfiltrated.

Internal phishing and BEC

Compromised accounts are used to send phishing from legitimate domains, slipping past native filters.

Malicious mailbox rules

Attackers set up forwarding and deletion rules to hide their tracks and keep persistence for months.

Excessive Entra ID privileges

Admin roles, OAuth consents and unreviewed applications quietly increase the blast radius of every breach.

Public sharing exposure

Sensitive files in SharePoint and OneDrive end up shared with 'anyone with the link' and no one is alerted.

Compliance without evidence

LGPD, SOC 2 and ISO 27001 audits ask for an event trail and response evidence, and native Microsoft 365 does not deliver that consolidated view.

// The solution

Managed detection with Chronicle as the SIEM engine.

UPX ingests your tenant signals, applies detection rules maintained by security engineers and delivers investigated cases inside the USS Platform. You keep visibility and control, without building an in-house SOC.

Standardized collection via Microsoft Graph

Official connector through an application registered in Entra ID. You grant read access to the relevant events and stay in control of the permissions.

Living YARA-L rule set

Detections for account takeover, OAuth abuse, SharePoint exfiltration and patterns observed in real incidents, kept up to date by the UPX team.

Cases ready to act on

Every alert becomes a case enriched with context, evidence and next steps, assigned to your team or handled by UPX.

Identity coverage in Entra ID

Risky sign-ins, non-compliant devices, role changes and OAuth consents on the same timeline as productivity telemetry.

// Data sources

Four essential feeds from Microsoft 365 and Azure AD.

Collection runs through Microsoft Graph using a dedicated Entra ID application. You keep full visibility over the permissions granted.

Microsoft 365 audit logs

Admin activities, configuration changes, SharePoint and OneDrive sharing events, Teams and Exchange Online operations.

Azure AD sign-in logs

Interactive and non-interactive sign-ins, MFA, devices, geolocation, risk events and OAuth authentications.

Exchange message trace

Trail of inbound and outbound messages with origin, destination, delivery status and classification to investigate phishing and BEC.

Mailbox activity

Mailbox operations: rule creation, delegated reads, automatic forwarding and suspicious exports.
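The mailbox-rule patterns described above (forwarding to outside addresses, auto-delete, moving mail into folders nobody reads) are the classic track-hiding and persistence technique in Microsoft 365. As an added example, not UPX's code and not one of its YARA-L rules, the Python below shows the kind of check a detection engineer would run over Unified Audit Log records for Exchange operations. It assumes the record shape Microsoft exposes for those events (an `Operation`, a `UserId` and a `Parameters` list of Name/Value pairs); the tenant domain `example.com` and all sample records are constructed.

```python
"""Flag inbox rules and mailbox settings commonly used to exfiltrate mail or hide activity.

Added example, not part of the original page or of the UPX product.
Input records follow the Microsoft 365 Unified Audit Log layout for Exchange
admin operations; the sample log at the bottom is constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumption: the tenant's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers pick because users rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "archive", "junk email", "conversation history"}


@dataclass
class Finding:
    user: str
    operation: str
    reasons: List[str] = field(default_factory=list)


def _params(record: dict) -> dict:
    """Turn the Parameters list into a {Name: Value} dict (values as strings)."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_addresses(value: str) -> List[str]:
    """Extract recipients whose domain is not one of ours.

    Assumption: the value is a ';' or ',' separated list of addresses, optionally
    prefixed with 'smtp:'. Real records can use richer encodings; extend as needed.
    """
    external = []
    for part in value.replace(";", ",").split(","):
        addr = part.strip().strip('"').lower()
        if addr.startswith("smtp:"):
            addr = addr[len("smtp:"):]
        if "@" in addr and addr.split("@", 1)[1] not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def analyze_record(record: dict) -> Optional[Finding]:
    """Return a Finding when the record shows a suspicious rule or forwarding change."""
    op = record.get("Operation", "")
    params = _params(record)
    reasons: List[str] = []

    if op in RULE_OPERATIONS:
        for name in FORWARD_PARAMS:
            if name in params:
                ext = _external_addresses(params[name])
                if ext:
                    reasons.append(f"{name} to external recipient(s): {', '.join(ext)}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage=True (incoming mail silently deleted)")
        folder = params.get("MoveToFolder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"MoveToFolder={folder} (folder rarely reviewed by users)")
    elif op == "Set-Mailbox":
        # Mailbox-level forwarding is set by admins, so an external target is notable.
        for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if name in params and _external_addresses(params[name]):
                reasons.append(f"{name} points to an external address")

    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), op, reasons)


def analyze_log(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_record over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@outside-mail.test"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [{"Name": "Name", "Value": "invoices"}, {"Name": "SubjectContainsWords", "Value": "invoice;payment"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "dave@example.com", "Parameters": [{"Name": "Name", "Value": "news"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@example.com", "Parameters": [{"Name": "Identity", "Value": "frank@example.com"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:eve@attacker.test"}]}
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"{f.user:22} {f.operation:14} {'; '.join(f.reasons)}")
```

Running it flags Alice's rule twice (external forward plus auto-delete), Carol's RSS Feeds rule once, and the admin-level forwarding change, while Dave's harmless newsletter rule produces nothing. In production the same logic would live in the SIEM rule engine and be tuned with the tenant's own domains and approved forwarding targets, which is exactly the kind of per-tenant tuning described later on this page.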

// How it works

From contract to first investigated case in a few days.

Onboarding is guided by the UPX implementation team. Within 5 to 7 business days your tenant is actively monitored.

01

Contract and trial activation

You sign up via Stripe and get access to the USS Platform. The 60-day trial starts with assisted setup at no charge.

02

Entra ID application registration

Together with the UPX team, you create a dedicated application registration and grant the minimum permissions through Microsoft Graph.

03

Collection validation

UPX confirms that the four feeds reach Chronicle, validates event normalization and baselines your tenant.

04

Detection tuning

Rules are tuned for your environment: VIP users, allowed countries, known OAuth applications and maintenance windows.

05

Continuous operation

Investigated cases land in the USS Platform with evidence, severity and next steps. Notifications via email and webhook.

06

Periodic reviews

Recurring review meetings to discuss observed threats, applied tunings, new risks and hardening opportunities.

// Prerequisites

Microsoft 365 Enterprise E3 or E5 is required.

Prerequisites

Office 365 Protection depends on audit logs and sign-in logs at the retention windows and granularity that only Enterprise plans expose through Microsoft Graph.

  • Microsoft 365 tenant with at least one active Enterprise E3 or E5 plan.
  • Ability to create an application registration in Entra ID with read permissions.
  • Microsoft 365 audit log enabled in Microsoft Purview.
  • Azure AD sign-in logs enabled (included with Entra ID P1 or P2, present in E3 and E5).

Microsoft 365 Business and Apps for Business plans are out of scope. When in doubt, the UPX team validates the plan before contracting.

// Scope

Transparent about what is in and what is out.

Included

  • Continuous ingestion of the four Microsoft 365 and Azure AD feeds.
  • Detection catalog managed by UPX with periodic tunings.
  • Cases investigated by the UPX team with classification and context.
  • Access to the USS Platform for tracking, search and reporting.
  • Email and webhook notifications to your internal channels.
  • Guided onboarding and recurring reviews with the technical team.
  • Event retention in Chronicle as defined by the contracted policy.
  • Business-hours support for operational and configuration questions.

Not included

  • Incident response on endpoint, identity or network outside Microsoft 365.
  • Policy configuration in Microsoft Defender, Purview or Conditional Access.
  • Provisioning, licensing or administration of the Microsoft 365 tenant.
  • Deep forensics, physical containment or on-site IR services.
  • End-user training and phishing simulations.
  • Custom integration with third-party SIEMs or SOARs without a defined scope.
  • Coverage of workloads outside Microsoft 365 and Azure AD.

// Contracting

Predictable billing and centralized operation.

Contracting happens through the USS Platform with billing via Stripe. You choose the cycle, activate the trial and keep contract control.

60-day trial

A full window to validate collection, detections and case operations on your tenant, at no cost.

Stripe billing

Monthly or annual cycles, invoices and receipts issued by Stripe. Cancel at the end of each cycle with no lock-in.

Operation in the USS Platform

Cases, dashboards, settings and contracts live inside the UPX USS Platform. Access via SSO or direct login.

Role-based access

Invite your team with read, operation or admin roles, keeping segregation of duties and access auditing.

// Frequently asked

Everything you need to know before the trial.

// Ready to start

Activate the 60-day trial and bring your Microsoft 365 under control.

We collect the signals, tune the detections and investigate the cases on your tenant. You decide whether to keep going after the trial.

Setup guided by the UPX team. Stripe billing kicks in at the end of the trial, monthly or annually.