Jan 13 2020 02:27 AM
Hi Guys,
We have configured Azure Sentinel using the Office 365 connector and selected the O365 and Exchange Online logs to stream to it. But after configuring it, what we can see are a few dashboards which are really not helpful for us. Actually, our intention in configuring Azure Sentinel was to monitor our email service for the metrics below:
How many mac users connected
How many Outlook users connected
How many mobile device connected
How many OWA users
Number of mails sent through
Number of mails received by
Number of mail sent to internet
Number of mail received from Internet
Can someone please tell me if any of the above metrics can be viewed or monitored using Azure Sentinel? If yes, please give me a link to go through.
Jan 13 2020 06:30 AM - edited Jan 13 2020 06:38 AM
@roopesh_shetty
Some of these use cases can be covered with a Kusto query over the Office365 logs.
But for instance, for Mac users currently connected, I don't see the security purpose of it in general.
Same for how many Outlook users connected or mobile devices connected.
Do you have a purpose related to finding suspicious activity for those use cases?
Using the Fusion technology or Analytics rules such as:
And if you have Threat Intelligence:
There are also Hunting Queries and Jupyter Notebooks.
Kind Regards,
Thomas
Jan 13 2020 12:48 PM
@roopesh_shetty To the best of my knowledge, the Office 365 connector in Azure Sentinel only pulls in audit logs (update, create, add, and delete activities), not mail flow logs. You might be able to pull in message tracking logs some other way; however, I have not seen any Microsoft articles on it.
You can try looking through the Azure AD Sign-in logs for connection endpoint information. For all the mail flow related metrics, I think you would still need to use the Security & Compliance Center.
Example: Connections to Exchange Online based on device type
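As an added illustration of the approach in the reply above (this query is not from the thread or from Microsoft's documentation), a KQL query that counts distinct users signing in to Exchange Online, grouped by client type and operating system, which maps roughly onto the "Mac / Outlook / mobile / OWA" metrics asked about. It assumes the Azure Active Directory connector is enabled so the SigninLogs table is populated; the AppDisplayName string, the operating system strings and the category mapping are assumptions to verify against your own tenant's data.

```kusto
// Added example (not from the thread): who is connecting to Exchange Online,
// by client type and OS, over the last 7 days.
// Assumes SigninLogs is populated by the Azure AD connector.
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName == "Office 365 Exchange Online"   // assumed app name; confirm in your tenant
| where tostring(ResultType) == "0"                      // successful sign-ins only
| extend OS = tostring(DeviceDetail.operatingSystem)
// Category order matters: a browser session from a Mac is counted as OWA,
// not as a "Mac client". OS strings are assumed and vary by tenant/version.
| extend Category = case(
    ClientAppUsed == "Browser",               "OWA / browser",
    ClientAppUsed == "Exchange ActiveSync",   "Mobile (ActiveSync)",
    OS startswith "MacOs" or OS startswith "Mac", "Mac client",
    OS in ("iOS", "Android"),                 "Mobile app",
    OS startswith "Windows",                  "Outlook / Windows client",
    "Other")
| summarize Users = dcount(UserPrincipalName), SignIns = count()
    by Category, ClientAppUsed, OS
| order by Users desc
```

Note that this reflects sign-in events, not mail volume; sent and received mail counts are not in SigninLogs or in the Office 365 audit data the thread discusses.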