Saturday, March 28, 2020

Office 365 and Azure Sentinel

I have been working with some customers on how to do analysis on their Office 365 audit logs.  Here are some quick things to think about.

Here is a reference to the Office 365 audit logs.  Remember, Office 365 logs are generally only stored for 90 days.
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

You can additionally purchase Advanced Audit logging, which gives you the ability to retain logs for a year.
https://docs.microsoft.com/en-us/microsoft-365/compliance/advanced-audit?view=o365-worldwide

The Office 365 Management API provides REST services you can use to download data.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

It is possible to send the Office 365 Management API logs to a SIEM solution.  This allows you to retain the logs for longer than the default window.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference

Here is the schema to all the data in the Office 365 Management API.
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
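To show what "analysis on the audit logs" can look like once you have pulled a content blob from the Management Activity API, here is a small Python script that I am adding as an example; it is not code from Microsoft or from the docs above. The field names (Id, RecordType, CreationTime, Operation, UserId, ClientIP, Workload, ResultStatus) are the common-schema fields from the schema link, but every record value below is constructed, and the "Failed"/"Succeeded" ResultStatus strings and the 3-failures-from-2-IPs threshold are assumptions you would tune for your own tenant. It also checks which records are older than the 90-day retention window mentioned earlier.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample content blob in the shape the Management Activity API returns
# (a JSON array of records). Field names follow the common schema; every value is
# invented for this example, and the ResultStatus strings are an assumption.
SAMPLE_BLOB = json.dumps([
    {"Id": "1", "RecordType": 15, "CreationTime": "2020-03-27T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Failed"},
    {"Id": "2", "RecordType": 15, "CreationTime": "2020-03-27T08:01:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Failed"},
    {"Id": "3", "RecordType": 15, "CreationTime": "2020-03-27T08:02:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Failed"},
    {"Id": "4", "RecordType": 15, "CreationTime": "2020-03-27T08:03:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Succeeded"},
    {"Id": "5", "RecordType": 15, "CreationTime": "2020-03-27T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.20", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Failed"},
    {"Id": "6", "RecordType": 6, "CreationTime": "2020-03-27T09:05:00", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.20", "Workload": "SharePoint",
     "ResultStatus": "Succeeded"},
    {"Id": "7", "RecordType": 15, "CreationTime": "2019-12-01T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "carol@contoso.example", "ClientIP": "192.0.2.5", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Succeeded"},
])

# Fixed "now" so the retention check is reproducible (the date of this post).
EXAMPLE_NOW = datetime(2020, 3, 28, tzinfo=timezone.utc)


def parse_records(blob: str) -> List[dict]:
    """Decode a content blob and turn CreationTime into an aware UTC datetime."""
    records = json.loads(blob)
    for rec in records:
        # The API reports CreationTime in UTC without a zone suffix.
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
    return records


def failed_logins_by_user(records: List[dict]) -> Dict[str, dict]:
    """Count failed UserLoggedIn events per user and collect the client IPs involved."""
    summary: Dict[str, dict] = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in records:
        if rec.get("Operation") == "UserLoggedIn" and rec.get("ResultStatus") == "Failed":
            entry = summary[rec["UserId"]]
            entry["count"] += 1
            entry["ips"].add(rec.get("ClientIP"))
    return dict(summary)


def flag_suspicious_users(records: List[dict], min_failures: int = 3, min_ips: int = 2) -> List[str]:
    """Users with at least min_failures failed sign-ins spread over at least min_ips source IPs.
    The thresholds are an assumption for this example; tune them per tenant."""
    flagged = [
        user for user, entry in failed_logins_by_user(records).items()
        if entry["count"] >= min_failures and len(entry["ips"]) >= min_ips
    ]
    return sorted(flagged)


def records_outside_retention(records: List[dict], now: datetime = EXAMPLE_NOW, days: int = 90) -> List[str]:
    """Ids of records older than the retention window (90 days by default), i.e. the
    ones you would already have lost if you had not forwarded them to a SIEM."""
    cutoff = now - timedelta(days=days)
    return [rec["Id"] for rec in records if rec["CreationTime"] < cutoff]


def operations_by_workload(records: List[dict]) -> Dict[Tuple[str, str], int]:
    """Simple volume summary: how many events per (Workload, Operation) pair."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        counts[(rec["Workload"], rec["Operation"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_BLOB)
    print("failed logins:", failed_logins_by_user(recs))
    print("flagged users:", flag_suspicious_users(recs))
    print("past 90-day retention:", records_outside_retention(recs))
    print("volume:", operations_by_workload(recs))
```

In practice you would feed `parse_records` the JSON you download from the API's content endpoints, and the same per-user / per-IP grouping is what a Sentinel KQL query would do on the server side once the connector is in place.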

Here is information on Azure AD Audit logs.
https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit

Also there is Azure Sentinel; it is a SIEM solution in the cloud.
https://docs.microsoft.com/en-us/azure/sentinel/overview

Here is how to connect Office 365 to Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365

Here is how to connect Azure AD to Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity