![]() ![]() What's important to note in the above table are the SIEM inputs. We also provide the Graph Security API, which you can use to consume alerts from and execute actions on (other) connected security solutions. You could say the additional security solutions in the table above function as "detectors" that produce alerts/detections which you can then bring to your SIEM - you would likely no longer use this SIEM for the initial analysis but you may want to maintain the centralized system/dashboarding and corresponding workflow(s). The following table lists several Microsoft 365 services and applications along with SIEM server inputs: There's a reference for what can be consumed via this API in the documentation but primarily you can conclude this API exposes access to audit logs and alerts and there are additional entries for logs and alerts from Microsoft 365 security solutions if you have purchased and implemented these. That's a very generic description but the key takeaway is that you can access information coming from activity logs. Customers and partners can use this information to create new or enhance existing operations, security, and compliance-monitoring solutions for the enterprise." "The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs. The connection point for any SIEM to pull audit log data from Office 365 is currently the Office 365 Management Activity API: But most organizations will look for a way to get these types of logs to their SIEM for further analysis. If you "just" want to search across all audit logs to determine what a specific user or administrator has been up to, you can use the unified audit log search. The length of time that an audit record is retained (and searchable in the audit log) depends on your Office 365 subscription, and specifically the type of the license that is assigned to a specific user ( either 90 days or 365 days). When an audited activity is performed by a user or admin, an audit record is generated and stored in the Office 365 audit log for your organization. ![]() "Tomorrow’s SOC will employ a hybrid approach by performing analytics as close to the data mass as possible, and then rolling up insights, as needed, to a larger central SOC repository for additional analysis and insight across different gravity wells." What's being logged for me in Office 365 and where?Īs a SaaS platform, the majority of (customer) logging in Office 365 is focused on activities on an application level - auditing of actions performed by users and admins, resulting in audit logs. Please also take a look at Building the security operations center of tomorrow-harnessing the law of data gravity for some additional perspective on such a strategy: This is pretty much a blanket statement for any cloud application where you have little or no access to the underlying infrastructure and it makes sense to think about a strategy that takes this into account whenever a new SaaS service is introduced into the organization. ![]() This also means you may have to reconsider your security approach when it comes to bringing data into a central location for analysis, as this data may either not be available, too much to ingest and process, or additional technology running on the platform is required that provides increased logging, analysis, alerting and/or investigation functionality. Since Azure Sentinel is a SIEM(-like) solution, very quickly we envision pulling data from Office 365 into such a system for analysis as a generic approach.īut what's important to realize is that not all data in the platform is available externally (since we're running a multi-tenant SaaS environment there are various technical and non-technical reasons for this). Now that Azure Sentinel and its Office 365 Connector are available in public preview, I'm getting more questions around what options there are to perform security monitoring on the Office 365 platform.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |