Office 365 and Azure Sentinel

I have been working with some customers on how to do analysis on their Office 365 audit logs.  Here are some quick things to think about.

Here is a reference to the Office 365 audit logs.  Remember, Office 365 logs are generally only stored for 90 days.
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

You can additionally purchase Advanced Audit logging, which gives you the ability to retina logs for a year.
https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide

The Office 365 Management API provides rest services you can use to download data.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

It is possible to sent the Office 365 Management API logs to a SIEM solution.  This allows you to retain the logs for longer.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference

Here is the schema to all the data in the Office 365 Management API.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema

Here is information on Azure AD Audit logs.
https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit

Also there is Azure Sentinel; it is a SEIM solution in the cloud.
https://docs.microsoft.com/en-us/azure/sentinel/overview

Here is how to connect Office 365 to Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365

Here is how to connect Azure AD to Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity

Office 365 Advanced Audit

Another announcement which customers have asked a lot about.  There is a new E5 feature called Advanced Audit.

First - Depending on your license level, audit log retention can be increased from 90 days to 1 year.  Prior to this, if customers needed retain logs for longer, customers would have to export logs to another location for retention.

Second - Previously customers will get throttled when pulling logs off the Office 365 Management Activity API.  Now, there are options for bandwidth allocation if they are pulling large volumes of logs.

https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/power-faster-and-more-effective-forensic-and-compliance/ba-p/1183488 

Office 365 Insider Risk Management going GA

There was a recent announcement that the Office 365 Insider Risk Management is transitioning out of “preview” to “generally available”.


This is a really interesting solution that brings several Office 365 offerings for data protection and monitoring against risky end-user behavior.  Insider Risk Management introduces the ability to create policy, create alerts, and then utilize a case management solution that will allow you to triage, investigate and action on events that you deem to be an issue.  This can help you with monitoring every day challenges with departing employee data theft, data leaks and offensive/abusive behavior by individuals.


Announcement - https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/announcing-the-general-availability-of-insider-risk-management/ba-p/1180914


Overview - https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management


Getting Started - https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-configure

Microsoft To Do

Some of you know I am an advanced user of Wunderlist.  It the only way to stay on top of the things.  As you know, Wunderlist is end of life on May 6, 2020.  Microsoft To Do is really awesome.  Some features to think about:

• In Microsoft To Doy ou get tons of additional features integrated with O365.  Any email flagged or task in Exchange Online appears in Microsoft To Do.  Awesome!
• In Microsoft To Do when you create sub steps, it shows you a count of how many you completed.
• Create groups and then lists in each group around work areas.
• I live and die by the My Day and Planned views.
• In Microsoft To Do tasks assigned to you from Planner are shown.
• Use both the mobile and desktop app.

If you have not become a power user of Microsoft To Do, you are missing out.


Microsoft To Do- https://todo.microsoft.com/tasks/en-us/

Import Wunderlist to Microsoft To Do- https://support.office.com/en-us/article/Import-your-Wunderlist-account-to-Microsoft-To-Do-1ccb85b5-32d7-4623-87ef-99764699ac0e

Microsoft Teams Linux Desktop App Now Available

If you have not heard, Microsoft Teams is now available in public preview for Linux users and is the first Microsoft Office 365 app that actually runs on a Linux desktop.  There is a separate down for this build using the link below.


https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-is-now-available-on-linux/ba-p/1056267

Microsoft Teams Now Deploying with Office 365 ProPlus

We have received a lot of feedback to have the Microsoft Teams client to be incorporated with Office 365 ProPlus such that organizations can deploy Teams and ProPlus in a single process.


Starting in Jan 2020, you will have the ability to start receiving Teams through ProPlus through the semi-annual channel.


More information can be found here.

https://techcommunity.microsoft.com/t5/office-365-blog/streamline-deployment-and-management-of-microsoft-teams-with/ba-p/1100293

https://techcommunity.microsoft.com/t5/microsoft-365-blog/teams-is-coming-to-office-365-business-amp-office-365-proplus/ba-p/725481

Office 365 Identity Posters

I have been getting tons of questions on Office 365 identity.  I definitely recommend people refresh themselves using these new posters.


https://techcommunity.microsoft.com/t5/Microsoft-365-Blog/Get-the-new-Identity-infrastructure-for-Microsoft-365-Enterprise/ba-p/874941

https://docs.microsoft.com/en-us/office365/enterprise/microsoft-cloud-it-architecture-resources#identity

https://docs.microsoft.com/en-us/office365/enterprise/microsoft-cloud-it-architecture-resources#BKMK_O365IDP