ASD's Blueprint for Secure Cloud

Microsoft 365 Monitoring

Design decisions associated with monitoring of Microsoft 365 activities for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 2 minutes

Microsoft 365 activities are logged to the Microsoft 365 Unified Log as detailed in Audit and Logging. Integration with Microsoft Sentinel SIEM is managed via the Sentinel Microsoft 365 Data Connector. This connector writes information to the following Log Analytics tables :

Table nameEvents type
OfficeActivityProvides insights into ongoing user activities, including details of operations such as file downloads, access requests sent, changes to group events, set-mailbox and details of the user who performed the actions.

Additional security is provided by Microsoft Defender for Office 365.

Microsoft Defender for Office 365 is part of the Microsoft 365 Defender stack. Integration with Azure Sentinel SIEM is managed via the Sentinel Microsoft 365 Defender Data Connector. This connector writes Microsoft Defender for Office 365 information to the following Sentinel Log Analytics tables :

Sentinel Table nameEvents type
EmailAttachmentInfoInformation about files attached to emails
EmailEventsMicrosoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEventsSecurity events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfoInformation about URLs on emails

Security & Governance




Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra