Microsoft 365 Monitoring
Design decisions associated with monitoring of Microsoft 365 activities for system(s) built using ASD's Blueprint for Secure Cloud.
Microsoft 365 activities are logged to the Microsoft 365 Unified Audit Log as detailed in Audit and Logging. Integration with Microsoft Sentinel SIEM is managed via the Sentinel Microsoft 365 Data Connector. This connector writes information to the following Log Analytics table:
Table name | Events type |
---|---|
OfficeActivity | Audit records for user and administrator activity across Exchange Online, SharePoint Online, OneDrive and Teams, including operations such as file downloads, access requests, group changes and Set-Mailbox, together with the identity of the user who performed each action. |
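The OfficeActivity table is where the Set-Mailbox operations mentioned above land, which makes it the natural place to detect mailbox forwarding being configured, a common post-compromise persistence step. The KQL below is an added example for this page, not part of the Blueprint or the connector; it assumes the standard OfficeActivity schema (OfficeWorkload, Operation, Parameters, UserId, ClientIP) and that Exchange admin audit records populate Parameters as a JSON array of Name/Value pairs, which should be confirmed in the target workspace.

```kql
// Added example (not from the Blueprint): surface forwarding configured via Exchange cmdlets
// Assumes the Microsoft 365 connector writes Exchange admin audit records to OfficeActivity,
// with Parameters holding a JSON array of {"Name": ..., "Value": ...} pairs for the cmdlet.
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload == "Exchange"
| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
// Expand the cmdlet parameters so each Name/Value pair becomes its own row
| extend Params = parse_json(Parameters)
| mv-expand Params
| extend ParamName = tostring(Params.Name), ParamValue = tostring(Params.Value)
// Parameters that cause mail to leave the mailbox (assumed list; extend for the tenant)
| where ParamName in ("ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                      "ForwardAsAttachmentTo", "RedirectTo")
| where isnotempty(ParamValue)
// One row per actor, source IP and hour, listing every forwarding target set
| summarize Targets = make_set(ParamValue), Cmdlets = make_set(Operation), Count = count()
    by UserId, ClientIP, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
```

Run this as a scheduled analytics rule rather than an ad hoc query; the hour bin keeps a bulk change by one administrator to a single alert while still separating a rule created from an unfamiliar ClientIP. Forwarding to an internal address is noisy, so a practical next step is to filter Targets against the tenant's accepted domains.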
Additional security is provided by Microsoft Defender for Office 365.
Microsoft Defender for Office 365 is part of the Microsoft 365 Defender stack. Integration with Microsoft Sentinel SIEM is managed via the Sentinel Microsoft 365 Defender Data Connector. This connector writes Microsoft Defender for Office 365 information to the following Sentinel Log Analytics tables:
Sentinel Table name | Events type |
---|---|
EmailAttachmentInfo | Information about files attached to emails |
EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
EmailUrlInfo | Information about URLs contained in emails |
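These four tables share a NetworkMessageId, which is what lets an analyst reconstruct a message's history after the fact. The query below is an added example for this page, not part of the Blueprint or of Microsoft's own content; it assumes the Defender for Office 365 column names as surfaced in Sentinel (ActionType, ActionResult, DeliveryAction, SenderFromAddress, Url) and should be checked against the target workspace. It joins post-delivery zero-hour auto purge (ZAP) actions back to the original delivery record and the URLs in the message, so the output shows how long each recipient had a later-detected message in their mailbox.

```kql
// Added example (not from the Blueprint): correlate post-delivery ZAP actions with delivery
// Assumed schema: EmailPostDeliveryEvents.ActionType contains "ZAP" for purge actions,
// EmailEvents.DeliveryAction is "Delivered" for mail that reached a mailbox.
EmailPostDeliveryEvents
| where TimeGenerated > ago(7d)
| where ActionType has "ZAP"          // Malware ZAP, Phish ZAP, Spam ZAP
| project ZapTime = TimeGenerated, NetworkMessageId, RecipientEmailAddress,
          ActionType, ActionResult, ThreatTypes
// Pull the original delivery record for the same message and recipient
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(7d)
    | where DeliveryAction == "Delivered"
    | project DeliveredTime = TimeGenerated, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject
  ) on NetworkMessageId, RecipientEmailAddress
// Attach every URL seen in the message; leftouter keeps messages with no URLs
| join kind=leftouter (
    EmailUrlInfo
    | where TimeGenerated > ago(7d)
    | summarize Urls = make_set(Url) by NetworkMessageId
  ) on NetworkMessageId
// Minutes between delivery and purge: the window in which the recipient could have clicked
| extend ExposureMinutes = datetime_diff("minute", ZapTime, DeliveredTime)
| project DeliveredTime, ZapTime, ExposureMinutes, RecipientEmailAddress, SenderFromAddress,
          Subject, ActionType, ActionResult, ThreatTypes, Urls
| order by ExposureMinutes desc
```

Rows where ActionResult is not a success are the ones to act on first, since the message may still be in the mailbox; a large ExposureMinutes with a populated Urls set is a candidate for checking proxy or Defender for Endpoint URL click telemetry.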
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Microsoft 365 Unified Audit Log routing | Microsoft Sentinel via Microsoft 365 Data Connector | Archive and audit solution downstream from the Log Analytics workspace |
Microsoft Defender for Office 365 log routing | Microsoft Sentinel via Microsoft 365 Defender Data Connector | Archive and audit solution downstream from the Log Analytics workspace |