Forum Discussion
roopesh_shetty
Jan 13, 2020, Copper Contributor
email service monitor
Hi Guys,
We have configured Azure Sentinel using the Office 365 connector and selected the O365 and Exchange Online logs to stream to it. But after configuring it, what we can see is a few dashboards which are really not helpful for us. Actually, our intention in configuring Azure Sentinel was to monitor our email service for the below metrics:
- How many Mac users connected
- How many Outlook users connected
- How many mobile devices connected
- How many OWA users
- Number of mails sent through
- Number of mails received by
- Number of mails sent to the Internet
- Number of mails received from the Internet
Can someone please tell me if any of the above metrics can be viewed or monitored using Azure Sentinel? If yes, please give me a link to go through.
ehloworldio (Brass Contributor)
roopesh_shetty To the best of my knowledge, the Office 365 connector in Azure Sentinel only pulls in audit logs (update, create, add, and delete activities), not mail flow logs. You might be able to pull in message tracking logs some other way; however, I have not seen any Microsoft articles on it.
You can try looking through the Azure AD sign-in logs for connection endpoint information. For all the mail flow related metrics, I think you would still need to use the Security & Compliance Center.
Example: Connections to Exchange Online based on device type
```kusto
SigninLogs
| where AppDisplayName == "Office 365 Exchange Online"
| extend operatingSystem = parse_json(tostring(DeviceDetail.['operatingSystem']))
| summarize count() by tostring(operatingSystem)
| render piechart
```

thomasdefise (Brass Contributor)
roopesh_shetty
Some of the use cases can be seen using Kusto queries with the Office 365 logs.
But for instance, for Mac users currently connected, I don't see the security purpose of it in general.
Same for how many Outlook users connected or mobile devices connected.
Do you have a purpose related to finding suspicious activity for those use cases?
Using the Fusion technology or Analytics rules such as:
- Office Policy Tampering
- Multiple users email forwarded to same destination
- Exchange AuditLog disabled
And if you have Threat Intelligence:
- TI map URL entity to OfficeActivity data
- TI map Email entity to OfficeActivity
There are also Hunting Queries and Jupyter Notebooks.
Kind Regards,
Thomas
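As an added example that is not part of either reply, the following query extends ehloworldio's SigninLogs approach to the original question's Outlook, OWA, Mac and mobile counts by classifying successful Exchange Online sign-ins by client type and operating system. The column names and `ClientAppUsed` values are assumed from the Azure AD sign-in log schema; confirm them with `SigninLogs | getschema` in your own workspace before relying on the buckets.

```kusto
// Added example, not code from the thread. Column names and ClientAppUsed
// values are assumptions based on the Azure AD SigninLogs schema.
let lookback = 7d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where AppDisplayName == "Office 365 Exchange Online"
| where ResultType == "0"                       // successful sign-ins only
| extend os = tostring(DeviceDetail.operatingSystem)
| extend clientClass = case(
    // Browser sessions are the closest proxy for OWA users
    ClientAppUsed == "Browser", "OWA (browser)",
    // ActiveSync clients are native mail apps on phones and tablets
    ClientAppUsed == "Exchange ActiveSync", "Mobile (ActiveSync)",
    // Modern-auth rich clients: split Outlook desktop by OS, mobile app by OS
    ClientAppUsed == "Mobile Apps and Desktop clients" and os startswith "Mac", "Outlook for Mac",
    ClientAppUsed == "Mobile Apps and Desktop clients" and os startswith "Windows", "Outlook for Windows",
    ClientAppUsed == "Mobile Apps and Desktop clients" and os in~ ("iOS", "Android"), "Outlook mobile app",
    ClientAppUsed == "Mobile Apps and Desktop clients", "Other rich client",
    // Basic-auth protocols: worth tracking for their own sake, since they
    // bypass MFA and are the usual target of password-spray attempts
    ClientAppUsed in ("IMAP4", "POP3", "SMTP", "Authenticated SMTP"), "Legacy protocol",
    "Other")
| summarize signIns = count(), users = dcount(UserPrincipalName) by clientClass, os
| order by users desc
```

Sign-in events record token issuance, not live connections, so a client with a cached token may appear only once in the window; the `users` column (distinct accounts) is therefore the more meaningful figure than `signIns`.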