
How to Protect Office 365 with Azure Sentinel

By Azure Sentinel News Editor, December 24, 2020, in SIEM, SOAR, SOC

Special thanks to Clive Watson and Ofer Shezaf for collaborating with me on this blog post.

Due to the COVID-19 crisis, usage of Office 365 has increased, which introduces new security monitoring challenges for SOC teams. Increased usage means the service should be a greater focus for defenders.

Over the past few months I have been working with my customers on approaches to onboard Office 365 and related services into Azure Sentinel, and on the benefits that the built-in solutions of a cloud-based Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platform bring, such as the use cases below.

This blog post is built as a checklist and covers the following topics:

  • Required data sources for Office 365 and related workloads
  • Onboarding of data sources
  • Visualizing data
  • Using out-of-the-box Analytics Rule templates
  • Hunting with Azure Sentinel
  • Integration of 3rd party Threat Intelligence (TI)
  • Data enrichment capabilities
  • Automation with SOAR capabilities
  • Integration with Ticketing Systems
  • Integration with 3rd party SIEMs

Required data sources for Office 365 and related workloads

Choosing the right telemetry for Office 365 and related workloads depends on the enterprise's security model. For instance, an enterprise that follows Microsoft's Zero Trust approach would focus on different telemetry than an enterprise with a classical security approach.

At a minimum, the following data sources should be onboarded to monitor Office 365:

  • Audit and Sign-In Logs from Azure Active Directory
  • Activity Logs from Office 365 workloads
  • Alerts generated in Office 365 Security and Compliance Center
  • Message Trace logs available for Exchange Online
  • Microsoft Secure Score recommendations

In addition, the sources below are optional because they depend on additional licenses. Azure Sentinel benefits from these expert systems, so onboard them if they are already licensed, or consider adding them to aid detection and the use cases below.

  • Azure Active Directory Identity Protection alerts
  • Office 365 Advanced Threat Protection and Threat Investigation and Response alerts
  • Microsoft Cloud App Security alerts

Lastly, the following data sources are optional but unlock more value by allowing correlation across data sources using SIEM and SOAR capabilities.

  • Logs from Domain Controllers and Azure Advanced Threat Protection alerts
  • Telemetry from client devices
  • Logs and alerts from Proxies and Firewalls
  • 3rd Party Threat Intelligence feeds

Onboarding of data sources

Azure Sentinel comes with several built-in and custom connectors to onboard Office 365 and related workloads. The table below lists the connector for each data source; where no built-in connector exists, a custom connector built on an Azure Function App or an Azure Logic App is available.

Data Source                                       Default Connector   Custom Connector
Azure Active Directory Sign-In and Audit Logs     Reference URL       n/a
Office 365 / Exchange Online Logs                 Reference URL       n/a
Office 365 / SharePoint Online Logs               Reference URL       n/a
Office 365 / Microsoft Teams Logs                 Reference URL       n/a
Office 365 Audit.General Logs                     n/a                 Azure Function App connector
Office 365 DLP.All Logs                           n/a                 Azure Function App connector
Office 365 Security and Compliance Alerts         n/a                 Azure Logic App connector
Office 365 Message Trace Logs                     n/a                 Azure Function App connector
Microsoft Secure Score Recommendations            n/a                 Azure Logic App connector

GIF demonstration: Enable the Office 365 data connector

For a full list, please see the Azure Sentinel Grand List.
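A Function App connector for the sources without a built-in connector (Audit.General, DLP.All, Message Trace) polls the source API and posts the records to the workspace through the Log Analytics HTTP Data Collector API. The Python below is an added example, not code from the original post or from the Azure Sentinel GitHub connectors. It shows the part every such connector has to get right: the SharedKey request signature (HMAC-SHA256 over the canonical request, keyed with the base64-decoded workspace key) and a valid custom log type. The workspace ID, the shared key and the Audit.General record are constructed for the example, and the function builds the request without sending it.

```python
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Assumed workspace identity and a constructed (non-secret) shared key. A real
# workspace key is also base64; never embed one in source, read it from Key Vault.
WORKSPACE_ID = "demo-ws"
DEMO_SHARED_KEY = base64.b64encode(b"demo-key-not-a-real-workspace-key!").decode("ascii")
FIXED_TIME = datetime(2020, 12, 1, 10, 15, 30, tzinfo=timezone.utc)

# Constructed record in the shape of an Audit.General event from the Office 365
# Management Activity API (field names follow the API schema; values are made up).
SAMPLE_RECORDS = [
    {
        "CreationTime": "2020-12-01T10:15:30",
        "Id": "a1b2c3d4-0000-0000-0000-000000000001",
        "Operation": "SearchExportDownloaded",
        "OrganizationId": "00000000-0000-0000-0000-000000000000",
        "RecordType": 18,
        "UserId": "alice@contoso.example",
        "Workload": "SecurityComplianceCenter",
        "ClientIP": "203.0.113.10",
    }
]

# Custom log names may only contain letters, digits and underscores (max 100).
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def is_valid_log_type(log_type):
    """True if log_type is acceptable as the Log-Type header value."""
    return bool(LOG_TYPE_RE.match(log_type))


def build_signature(workspace_id, shared_key, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey Authorization value for the HTTP Data Collector API:
    HMAC-SHA256 over the canonical request, keyed with the decoded workspace key."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date_rfc1123}\n{resource}")
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key, log_type, records, when=None):
    """Return (url, headers, body) for one batch of records destined for the
    custom table <log_type>_CL. Nothing is sent; the caller posts it."""
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid custom log type: {log_type!r}")
    when = when or datetime.now(timezone.utc)
    date_rfc1123 = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    # Sign the exact bytes that will be sent; the signature covers Content-Length.
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date_rfc1123,
        # Use the record's own timestamp as TimeGenerated rather than ingestion time.
        "time-generated-field": "CreationTime",
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, DEMO_SHARED_KEY,
                                       "O365AuditGeneral", SAMPLE_RECORDS, FIXED_TIME)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode("utf-8"))
```

The signature covers the method, the Content-Length, the content type, the x-ms-date header and the resource path, so any re-serialization of the body after signing, or a clock more than a few minutes off, makes the API reject the post with 403. Keep the date and the signed bytes together, as the function does, and batch records so that one post stays well under the API's size limit.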

Visualizing data

Azure Sentinel has many built-in workbooks that provide extensive reporting on your connected data sources and let you quickly deep dive into the data generated by those services. The built-in workbooks can be changed and customized as needed. Workbooks are provided by Microsoft, by data connector partners and by the community.

These built-in Workbooks are available in Azure Sentinel for Office 365 and related workloads:

General
  • Azure Sentinel Workbooks 101 (with sample Workbook)
  • Usage Reporting for Azure Sentinel
  • Security Alerts

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs
  • Additional Azure Monitor Workbooks for Azure AD
  • How to use Azure Sentinel to follow users' travel and map their location

Office 365
  • Office 365 General
  • Office 365 Exchange Online
  • Office 365 SharePoint Online
  • Office 365 Exchange, SharePoint and Teams DLP Workbooks
  • Graph Visualization of External MS Teams Collaborations in Azure Sentinel
  • Office 365 Message Trace

For more information and instructions on how to use Azure Sentinel Workbooks, please see:

Visualize your data using Azure Monitor Workbooks in Azure Sentinel | Microsoft Docs

In case you prefer to use Power BI for analytics and visualization:

Import Azure Monitor log data into PowerBI:

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/powerbi

GIF demonstration: How to enable and use the Office 365 Workbook

Using out of the box Analytics Rule Templates

Once you have connected your required data sources, you can use the Analytics Rule templates available in Azure Sentinel to generate incidents when certain criteria are matched. The Analytics Rules can be changed and customized as needed.

These Analytics Rule templates are available in Azure Sentinel for Office 365 and related workloads:

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs
  • Correlation Rules for Azure Active Directory

Office 365
  • Office 365 Activity
  • Microsoft Teams
  • Office 365 DLP
  • Message Trace

Azure Active Directory Identity Protection, Microsoft Cloud App Security and Azure Advanced Threat Protection
  • Microsoft Security alert templates


Tip: the “Next steps” page of each connector in the Data connectors blade lists the Analytics Rule templates (and the data they require) that match that connector.

Hunting with Azure Sentinel

Azure Sentinel has built-in Hunting Queries to look proactively for anomalies that your Analytics Rules do not yet detect. With Livestream you can turn any Log Analytics query, including these Hunting Queries, into an interactive session that:

  • Tests newly created queries as events occur, notifies you when a match is found, and lets you launch an investigation if necessary
  • Lets you test and adjust queries without conflicting with the rules currently applied to events. Once a new query works as expected, you can promote it to a custom alert rule by elevating the session to an alert.

These Hunting Queries are available in Azure Sentinel for Office 365 and related workloads:

Azure Active Directory
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs

Office 365
  • Office 365 Activity
  • Microsoft Teams
  • Message Trace

GIF demonstration: Using the built-in Hunting Queries for Office 365
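Both the Analytics Rule templates and the Hunting Queries for Office 365 Activity are KQL over the OfficeActivity table, and the logic they express can be prototyped over raw records before it becomes a rule. The Python below is an added example, not an Azure Sentinel template or code from the original post. It runs one typical Office 365 detection, inbox rules or mailbox settings that forward mail outside the tenant, over constructed Exchange audit records shaped like Management Activity API events (a Parameters list of Name/Value pairs). The tenant domain and all records are made up for the example; a rule that also deletes the original message is rated higher because it hides the forwarding from the mailbox owner.

```python
import re

# Assumed internal domains of the tenant; any other domain counts as external.
TENANT_DOMAINS = {"contoso.example"}

# Exchange operations and parameters that establish mail forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample records in the shape of Exchange audit events from the
# Office 365 Management Activity API. Values are made up for this example.
SAMPLE_RECORDS = [
    {"CreationTime": "2020-12-20T08:01:12", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "exfil@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2020-12-20T09:30:00", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:bob.archive@contoso.example"}]},
    {"CreationTime": "2020-12-20T10:05:44", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "carol@contoso.example",
     "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2020-12-20T11:47:03", "Workload": "Exchange",
     "Operation": "Set-InboxRule", "UserId": "dave@contoso.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Identity", "Value": "Sync"},
                    {"Name": "RedirectTo",
                     "Value": "Backup Service [SMTP:drop@mail.example]"}]},
    {"CreationTime": "2020-12-20T12:00:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "erin@contoso.example",
     "ClientIP": "198.51.100.3", "Parameters": []},
]


def parameters(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_targets(params, tenant_domains):
    """Return forwarding addresses whose domain is not a tenant domain."""
    targets = []
    for name, value in params.items():
        if name not in FORWARDING_PARAMS:
            continue
        # Values appear as bare addresses, "smtp:addr" or "Display Name [SMTP:addr]".
        for addr in EMAIL_RE.findall(str(value)):
            if addr.split("@", 1)[1].lower() not in tenant_domains:
                targets.append(addr.lower())
    return targets


def detect_external_forwarding(records, tenant_domains=TENANT_DOMAINS):
    """Flag inbox-rule or mailbox changes that forward mail outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parameters(rec)
        targets = external_targets(params, tenant_domains)
        if not targets:
            continue
        # Deleting the original hides the forwarding from the mailbox owner.
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        findings.append({
            "time": rec["CreationTime"],
            "user": rec["UserId"],
            "operation": rec["Operation"],
            "rule": params.get("Name") or params.get("Identity"),
            "targets": targets,
            "deletes_original": deletes,
            "client_ip": rec.get("ClientIP"),
            "severity": "High" if deletes else "Medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_external_forwarding(SAMPLE_RECORDS):
        print(f"{f['severity']:6} {f['time']} {f['user']} {f['operation']} "
              f"rule={f['rule']} -> {', '.join(f['targets'])}")
```

The internal forward (record 2) and the rule that only moves mail (record 3) produce nothing, which is the behaviour you want from a rule that should page someone: the same parameter names drive the corresponding KQL, where the Parameters column is parsed with parse_json and the domain comparison is done against a watchlist of tenant domains.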

Integration with 3rd Party Threat Intelligence

Azure Sentinel lets you import your own threat intelligence indicators, which can enhance your security analysts' ability to detect and prioritize known threats.

You can stream threat indicators to Azure Sentinel by using an integrated threat intelligence platform (TIP) product, by connecting to TAXII servers, or by direct integration with the Microsoft Graph Security tiIndicators API.

The Threat Intelligence data connector includes out-of-the-box Analytics Rule and Hunting Query templates for Office 365 and related workloads:

  • Threat Intelligence Analytics Rules
  • Threat Intelligence Hunting Queries
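The Threat Intelligence Analytics Rules join imported indicators against ingested logs, for example the source IP of a sign-in against the ThreatIntelligenceIndicator table, and only fire for indicators that are still active and not expired. The Python below is an added example, not a Sentinel template or code from the original post; it performs that join in memory over constructed indicators and sign-in events that use the field names of the ThreatIntelligenceIndicator and SigninLogs tables. Treating NetworkIP as either a single address or a CIDR block, and the fixed reference time, are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Reference time for the demo; in production use datetime.now(timezone.utc).
AS_OF = datetime(2020, 12, 24, 12, 0, tzinfo=timezone.utc)

# Constructed indicators using ThreatIntelligenceIndicator field names. A CIDR
# block in NetworkIP is an assumption for this example so ranges can be shown.
INDICATORS = [
    {"IndicatorId": "ti-1", "NetworkIP": "198.51.100.23", "Active": True,
     "ConfidenceScore": 90, "ExpirationDateTime": "2021-06-01T00:00:00Z",
     "ThreatType": "malicious-activity", "Description": "Credential phishing infrastructure"},
    {"IndicatorId": "ti-2", "NetworkIP": "203.0.113.0/24", "Active": True,
     "ConfidenceScore": 60, "ExpirationDateTime": "2021-03-01T00:00:00Z",
     "ThreatType": "anonymization", "Description": "Anonymizing VPN egress range"},
    {"IndicatorId": "ti-3", "NetworkIP": "192.0.2.77", "Active": True,
     "ConfidenceScore": 80, "ExpirationDateTime": "2020-01-01T00:00:00Z",
     "ThreatType": "malicious-activity", "Description": "Expired indicator"},
    {"IndicatorId": "ti-4", "NetworkIP": "192.0.2.78", "Active": False,
     "ConfidenceScore": 80, "ExpirationDateTime": "2021-06-01T00:00:00Z",
     "ThreatType": "malicious-activity", "Description": "Revoked indicator"},
]

# Constructed sign-in events using SigninLogs field names (ResultType "0" = success).
SIGNINS = [
    {"TimeGenerated": "2020-12-24T09:12:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.23", "ResultType": "0", "AppDisplayName": "Office 365 Exchange Online"},
    {"TimeGenerated": "2020-12-24T09:15:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": "50126", "AppDisplayName": "Microsoft Teams"},
    {"TimeGenerated": "2020-12-24T09:20:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "192.0.2.77", "ResultType": "0", "AppDisplayName": "SharePoint Online"},
    {"TimeGenerated": "2020-12-24T09:25:00Z", "UserPrincipalName": "dave@contoso.example",
     "IPAddress": "192.0.2.78", "ResultType": "0", "AppDisplayName": "SharePoint Online"},
    {"TimeGenerated": "2020-12-24T09:30:00Z", "UserPrincipalName": "erin@contoso.example",
     "IPAddress": "10.0.0.5", "ResultType": "0", "AppDisplayName": "Office 365 Exchange Online"},
]


def parse_utc(stamp):
    """Parse the ISO-8601 'Z' timestamps used above into aware datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(indicators, as_of=AS_OF):
    """Keep indicators that are active and not yet expired, paired with their network."""
    result = []
    for ind in indicators:
        if not ind.get("Active") or parse_utc(ind["ExpirationDateTime"]) <= as_of:
            continue
        try:
            network = ipaddress.ip_network(ind["NetworkIP"], strict=False)
        except ValueError:
            continue  # malformed indicator: skip it rather than fail the whole rule
        result.append((ind, network))
    return result


def match_signins(signins, indicators, as_of=AS_OF):
    """Join sign-ins against active indicators; highest confidence first."""
    active = active_indicators(indicators, as_of)
    matches = []
    for event in signins:
        try:
            ip = ipaddress.ip_address(event["IPAddress"])
        except ValueError:
            continue
        for ind, network in active:
            if ip in network:
                matches.append({
                    "TimeGenerated": event["TimeGenerated"],
                    "UserPrincipalName": event["UserPrincipalName"],
                    "IPAddress": event["IPAddress"],
                    "SignInResult": "success" if event["ResultType"] == "0" else "failure",
                    "IndicatorId": ind["IndicatorId"],
                    "ConfidenceScore": ind["ConfidenceScore"],
                    "Description": ind["Description"],
                })
    return sorted(matches, key=lambda m: m["ConfidenceScore"], reverse=True)


if __name__ == "__main__":
    for m in match_signins(SIGNINS, INDICATORS):
        print(f"{m['ConfidenceScore']:3} {m['UserPrincipalName']} from {m['IPAddress']} "
              f"({m['SignInResult']}) matches {m['IndicatorId']}: {m['Description']}")
```

Carol's sign-in from an expired indicator and Dave's from a revoked one are deliberately not matched; the Sentinel templates apply the same ExpirationDateTime and Active filters, and forgetting them is the usual reason a TI rule floods the queue with stale hits. Bob's failed sign-in still matches, because a failed attempt from known-bad infrastructure is itself worth an incident.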

Data enrichment capabilities

Data enrichment is key to putting ingested data in the context of the enterprise: it adds information such as directory attributes, geolocation or reputation to the ingested logs and entities, which makes them more actionable for the analyst.

For Office 365 and related workloads Azure Sentinel provides these enrichment use cases:

Purpose                                                       Source
Enrich User Entities with Azure Active Directory information  Reference URL
Enrich IP Entities with GeoIP information                     Reference URL
Enrich IP Entities with VirusTotal information                Reference URL
Enrich URL Entities with VirusTotal information               Reference URL
Sentinel Alert Evidence                                       Reference URL

Automation with SOAR capabilities

Azure Sentinel has built-in SOAR capabilities to orchestrate and automate common and complex tasks. Azure Sentinel uses Azure Logic Apps and Azure Function Apps for automation; both are native Azure services. The SOAR use cases (Playbooks) are published on GitHub and can be deployed via ARM templates.

Using automation saves time, improves efficiency, helps you improve your SOC (Security Operations Center) metrics and reduces the workload of the security analysts. See:

https://docs.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics

Azure Sentinel includes these automation solutions (Playbooks) for Office 365 and related workloads:

Purpose                                       Source
Block Azure Active Directory User             Reference URL
Confirm an Azure Active Directory User        Reference URL
Dismiss an Azure Active Directory User        Reference URL
Reset Azure Active Directory User Password    Reference URL
Revoke Azure Active Directory Sign-In Session Reference URL
Delete Email from User Mailbox                Reference URL
Assign Incident to Specific Owner             Reference URL
Involve the User in the Incident Process      Reference URL
Post Incident Details to Microsoft Teams      Reference URL
Post Incident Details to Slack                Reference URL

GIF demonstration: How to enable the “Block Azure Active Directory User” Playbook

Integration with Ticketing Systems

As part of its SOAR capabilities, Azure Sentinel supports integration with ticketing systems. You can also send a simple email or Teams message with the same data if you prefer, or do so in parallel with the ticket.

ServiceNow
  • Open a ServiceNow Ticket
  • Aggregate ServiceNow Ticket
  • Close an Incident from ServiceNow

Jira
  • Open a Jira Ticket

IBM Resilient (on-premises)
  • Create an IBM Resilient Incident

Zendesk
  • Open a Zendesk Ticket

Integration with 3rd Party SIEM

If you are taking a side-by-side approach alongside your existing SIEM, these references cover the integration:

Existing SIEM            Source
Splunk                   Reference URL
QRadar                   Reference URL
Other 3rd Party SIEMs    Reference URL

Summary

Ingesting Office 365 audit logs through the Office 365 connector is free, and Azure Sentinel comes with many use cases that help organizations monitor and protect Office 365 workloads, as well as easy integration into an existing SOC environment.

In this post we have covered the basics: the data required, how to onboard connectors, how to manage alerts, how to hunt and automate responses to the results, and how to connect to 3rd party ticketing or SIEM solutions.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-protect-office-365-with-azure-sentinel/ba-p/1656939

Copyright © 2020 - Azure Sentinel News
