Saturday, March 28, 2020

Office 365 and Azure Sentinel

I have been working with some customers on how to do analysis on their Office 365 audit logs.  Here are some quick things to think about.

Here is a reference to the Office 365 audit logs.  Remember, Office 365 logs are generally only stored for 90 days.

You can additionally purchase Advanced Audit logging, which gives you the ability to retain logs for a year.

The Office 365 Management API provides REST services you can use to download data.

It is possible to send the Office 365 Management API logs to a SIEM solution. This allows you to retain the logs for longer.

Here is the schema to all the data in the Office 365 Management API.
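As an added example (not from the original post), here is how the content blobs you pull down from the Management Activity API can be parsed and triaged before they age out of the default 90-day window. The sample records below are constructed to mirror the common-schema fields (CreationTime, Operation, Workload, UserId, ClientIP, ResultStatus); the OAuth setup and subscription calls needed against the real API are assumed to have already happened and are not shown.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: the shape of one content blob returned by the Management
# Activity API (a JSON array of audit records using the common schema fields).
SAMPLE_CONTENT = json.dumps([
    {"Id": "1", "RecordType": 15, "CreationTime": "2020-03-27T10:15:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "ResultStatus": "Success"},
    {"Id": "2", "RecordType": 15, "CreationTime": "2020-03-27T10:16:00", "Operation": "UserLoginFailed",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "ResultStatus": "Failed"},
    {"Id": "3", "RecordType": 15, "CreationTime": "2020-03-27T10:17:00", "Operation": "UserLoginFailed",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "ResultStatus": "Failed"},
    {"Id": "4", "RecordType": 6, "CreationTime": "2020-01-02T08:00:00", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "ResultStatus": "Success"},
])

RETENTION_DAYS = 90  # default Office 365 audit log retention mentioned in the post

def parse_records(content):
    """Parse a content blob and normalise the common-schema fields used below."""
    records = []
    for r in json.loads(content):
        records.append({
            # CreationTime is UTC without a zone suffix in the API; mark it explicitly.
            "time": datetime.fromisoformat(r["CreationTime"]).replace(tzinfo=timezone.utc),
            "workload": r.get("Workload"),
            "operation": r.get("Operation"),
            "user": r.get("UserId"),
            "ip": r.get("ClientIP"),
            "status": r.get("ResultStatus"),
        })
    return records

def failed_logins_by_user(records):
    """Count failed Azure AD sign-ins per (user, source IP): a basic triage view."""
    counts = Counter()
    for r in records:
        if r["workload"] == "AzureActiveDirectory" and r["operation"] == "UserLoginFailed":
            counts[(r["user"], r["ip"])] += 1
    return dict(counts)

def expiring_soon(records, now, within_days=7):
    """Records that will drop out of the default retention window within `within_days`."""
    cutoff = now - timedelta(days=RETENTION_DAYS - within_days)
    return [r for r in records if r["time"] <= cutoff]
```

Anything `expiring_soon` returns is what you would lose without a longer-retention SIEM feed, which is the reason to forward these logs rather than query the API on demand.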

Here is information on Azure AD Audit logs.

Also there is Azure Sentinel; it is a SIEM solution in the cloud.

Here is how to connect Office 365 to Sentinel.

Here is how to connect Azure AD to Sentinel.