Monitoring Microsoft 365 with Azure Sentinel (From a Hammock)

It’s finally summertime and I’m writing the final part of this blog post from my newly installed hammock, sitting between two tall trees beside our weekend cottage. And it’s no coincidence that I’m writing from a hammock, because the message of this post is that you can save time with Azure Sentinel and do other things than manually monitor logs in Microsoft 365.

I’ve been doing a lot of work around security in Microsoft 365 lately, helping customers get a better overview of their logs and alerts. My goal is to provide easy-to-understand, custom-made dashboards for Azure Sentinel that consolidate logs and alerts from all over Microsoft 365. This is a work in progress.

As you know, Microsoft 365 is a collection of products and services, and they don’t all log to the same place or even in the same way. The table below shows some important places to keep an eye on. The table also indicates whether there is native Sentinel support, native Azure dashboard support and native email alert support for a particular service.

Please note that there are more logs which I haven’t listed here for now. Also, you most probably can integrate each and every one of these services with Sentinel with some custom scripting/Graph API magic.

Microsoft 365 Logs and Alerts

| Service/Log | URL | Sentinel | Dashboard | Email |
|---|---|---|---|---|
| Azure AD Sign-ins Log | https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns | Yes | Yes | No |
| Azure AD Audit Log | https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit | Yes | Yes | No |
| Azure AD Connect Health | https://portal.azure.com/#blade/Microsoft_Azure_ADHybridHealth/AadHealthMenuBlade | No | Yes | Yes |
| Azure AD Privileged Identity Management Alerts | https://portal.azure.com/#blade/Microsoft_Azure_PIM/DirectoryRoleManagementMenuBlade/alerts/CallFromExternal//RoleId//RoleName/ | No | No | Yes |
| Azure AD Privileged Identity Management Audit Log | https://portal.azure.com/#blade/Microsoft_Azure_PIM/DirectoryRoleManagementMenuBlade/audit/CallFromExternal//RoleId//RoleName/ | No | No | No |
| Microsoft 365 Technical contact | https://admin.microsoft.com/Adminportal/Home#/companyprofile | No | No | Yes |
| Microsoft 365 Audit Log | https://security.microsoft.com/alerts and https://protection.office.com/viewalerts | Yes | Yes | Yes |
| Microsoft 365 Cloud App Security | https://portal.cloudappsecurity.com | Yes | Yes | Yes |
| Exchange Online Malware Filter | https://outlook.office365.com/ecp > Protection > Malware filter | No | No | Yes |
| Exchange Online Outbound Spam Preferences | https://outlook.office365.com/ecp > Protection > Outbound spam | No | No | Yes |
| Office 365 Security & Compliance Reports | https://protection.office.com/insightdashboard | No | No | Yes |

Activate Azure AD Sign-ins Log Connector in Azure Sentinel

If you haven’t tried Sentinel yet, please do so right away! It’s very easy to get started and activate the data connectors for the Microsoft 365 services mentioned in the table above. I will show you how to activate the Azure AD connectors here as an example.

Go to the Azure Portal and search for Sentinel under All services. Create a new Log Analytics workspace (which is the engine that drives Sentinel). Now, inside the Azure Sentinel blade, click on Data connectors and click Configure under Azure Active Directory.


You will get some info about the connector and some statistics.


Under Connect Azure Active Directory logs to Azure Sentinel, click Connect for both the Sign-ins logs and the Audit logs. That’s all it takes to start collecting logs. It usually takes a couple of minutes for the logs to show up in Sentinel, but once that’s in place they update almost in real time.


Also, install the dashboards under Recommended dashboards to get a nice view of the Azure AD logs. Most connectors have native dashboards that you can install for free.


And this is how it will look in the Azure Portal dashboards section when you click on Azure AD Sign-ins.


Of course, this is just a quick guide for you to get started with Microsoft 365 log management in Azure Sentinel. The next step is to customize your dashboards and create alert rules when something looks out of the ordinary.
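As an added example of such an alert rule (not part of the original post), here is a KQL query over the SigninLogs table that the Azure AD Sign-ins connector above populates. It flags source IP addresses with many failed sign-ins followed by a successful one inside the same window, a pattern worth a closer look. The 1-hour window and the threshold of 10 failures are assumptions to tune for your tenant.

```kusto
// Added example: detection query for Azure Sentinel analytics rules.
// Assumed thresholds; adjust to your tenant's normal sign-in volume.
let lookback = 1h;
let failureThreshold = 10;
// In SigninLogs, ResultType is a string and "0" means a successful sign-in.
// Anything else is an Azure AD error code (e.g. 50126 = bad username/password).
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FailedUsers = make_set(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failureThreshold;
// Successful sign-ins from the same source addresses in the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SuccessCount = count(),
                SucceededUsers = make_set(UserPrincipalName),
                FirstSuccess = min(TimeGenerated)
              by IPAddress;
// Keep only addresses where a success came after the run of failures.
failures
| join kind=inner successes on IPAddress
| where FirstSuccess > FirstFailure
| project IPAddress, FailedCount, SuccessCount, FailedUsers, SucceededUsers,
          FirstFailure, LastFailure, FirstSuccess
| order by FailedCount desc
```

Save it as a scheduled analytics rule in Sentinel with the same 1-hour lookback and it will raise an incident each time the pattern appears; the user sets in the result tell you whose accounts to review first.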

Summary

I hope this will get you started with Microsoft 365 monitoring in Azure Sentinel.

Since this is a very powerful tool and there seems to be a need for it out there, I will put some energy into building some cool dashboards in the coming months. I will share my progress in upcoming posts. But for now, I’m heading back to my hammock.

More info about Sentinel here.

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund
