Azure Sentinel: integration with Office 365

Microsoft Azure Sentinel

In this article we’ll look at how to set up Azure Sentinel to collect data from Office 365, so that we know what is going on within our cloud platform, both for internal monitoring and to comply with regulations such as GDPR, which requires that a trace be kept of the activities involving documents that contain sensitive information.

If you don’t yet know what Azure Sentinel is and how to set it up, I refer you to this article.

Configuration

Select the Office 365 connector – figure 1.

The requirements for activating the connector are as follows:

Unlike Log Analytics, you can now add more than one Office 365 tenant, which is very useful for all those companies that, for one reason or another, end up with multiple tenants they cannot dismantle.

Clicking the Add Tenant button – figure 2 – opens a window that asks for the Global Admin credentials and for confirmation that you want to enable the transfer of log data – figure 3.

Within the Stream Office 365 Data Analytics section, select both the SharePoint and Exchange portions; this gives you the logs of both platforms.

The last, optional, step is to activate the dashboards – figures 4 and 5. These let you view the status of your users’ activities, and more, quickly and easily. Since they come pre-packaged, activating them is strongly recommended.

Once you’ve added the dashboards and spent some time collecting data, you will see the results directly within the various dashboards – figure 6.

For those who want to try something more advanced, you can run manual queries directly and build more detailed searches, such as how many documents a given user has deleted:

OfficeActivity
| where EventSource == "SharePoint" and Operation == "FileDeleted"
| summarize AggregatedValue = count() by UserId
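As an added example that is not part of the original article, the query below extends the per-user deletion count above into something closer to a detection rule: it counts SharePoint file deletions per user in one-hour windows and flags users who exceed a threshold, keeping a sample of file names, sites and client IPs for triage. It assumes the standard OfficeActivity schema populated by the Office 365 connector (the columns SourceFileName, Site_Url and ClientIP); the extra operation names alongside FileDeleted, the 50-deletions threshold and the 24-hour lookback are assumptions to adjust for your tenant, and you can list the operations actually present with `OfficeActivity | distinct Operation`.

```kql
// Added example (not from the original article): flag users who delete an
// unusually large number of SharePoint files within a one-hour window.
// Assumes the default OfficeActivity schema; threshold, lookback and the
// extra operation names are constructed starting points, not tenant facts.
let lookback = 24h;        // how far back to search (assumption)
let window = 1h;           // size of the aggregation window (assumption)
let threshold = 50;        // deletions per user per window that trigger (assumption)
OfficeActivity
| where TimeGenerated > ago(lookback)
| where EventSource == "SharePoint"                    // SharePoint and OneDrive events
| where Operation in ("FileDeleted",                    // as in the article's query
                      "FileRecycled",                   // assumed additional deletion operations
                      "FileDeletedFirstStageRecycleBin")
| summarize
    DeletedCount = count(),
    SampleFiles  = make_set(SourceFileName, 10),        // up to 10 file names for triage
    Sites        = make_set(Site_Url, 5),
    ClientIPs    = make_set(ClientIP, 5)
    by UserId, WindowStart = bin(TimeGenerated, window)
| where DeletedCount >= threshold
| order by DeletedCount desc
```

Run it first as a manual query to tune the threshold against normal activity in your tenant; once the results look sensible, the same query can be scheduled as an analytics rule so that an incident is raised instead of having to check the dashboards by hand.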

Summary

In a few steps we connected Office 365 to Azure Sentinel, saving all the logs the platform produces and putting our infrastructure under operational control from a security point of view.

Office 365 monitoring is free for all businesses that have already purchased a subscription, which is one more reason to implement it right away within your infrastructure. This will remain the case even when Azure Sentinel leaves the Preview phase and has defined pricing.

#DBS