Hello Maarten,
I would suggest to follow the following steps:
- Connect data from Azure Active Directory
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory - Connect data from Office 365 Logs
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 - Connect data from Azure Activity log
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity - Connect data from Azure AD Identity Protection (If deployed too)
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ad-identity-protection - Connect alerts from Microsoft Defender Advanced Threat Protection
https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protectio... - Connect data from Azure Security Center
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
Once that is done, Azure Sentinel will be able to get all the data that you listed above.
Then, I would suggest you to go the the "Analytics" blade (Azure Sentinel > Configuration > Analytics) and make sure that the Fusion rule is enabled as you have both Office 365 and MCAS and Fusion is a very advanced engine that correlate incidents from both Office 365 and MCAS to find incidents that are high fidelity, and high severity.
(https://docs.microsoft.com/en-us/azure/sentinel/fusion)
Then I would suggest to go to the Rule Templates and select and create the "Microsoft Security" rules, you should find what you are looking for.
(below on the right you can click on "Create"
Kind Regards,
Thomas
Accepted Solutions