Well, it's been 6 months since I posted this, so I thought I'd update it with what has been happening recently.
- A lot of Microsoft reps touted Azure Sentinel as being a silver bullet, so I deployed Azure Sentinel and set up whatever alert policies seemed useful. So far little more than a lot of noise and false positives.
- The Azure AD Identity Protection has been the only thing so far that has produced actionable intel. Some alerts lit up and we were able to reset a few compromised user passwords.
- In terms of the celebrated ML capabilities of Azure Sentinel, I have yet to see any substantial benefit.
- Our best approach has been to pull the data in from the management API and whatever we can get our hands on with the Graph API into our own SIEM. For what we can get, however, the data, queries and keywords are not consistent.
- These APIs are not as available as you would think they should be for being supported by a major tech company.
The main issue now: a lot of lookup and remediation actions for Microsoft 365 are mysteriously absent from any API (and many APIs seem to be in a weird deprecation limbo), but are mostly offered in PowerShell, which is a major hurdle for our infrastructure paradigm that focuses on event-driven containerized applications. In this I recognize my bias: coming from a Linux background I find PowerShell abhorrent, but I digress...