email service monitor

Contributor

Hi Guys,

 

We have configured the Azure Sentinel by using Office365 connector and selected the O365 and Exchange Online logs to stream to it. But after configuring it what we can see is few dashboards which are really not helpful for us. Actually our intension to configure the azure sentinel was to monitor our email service for below metrics;

 

How many mac users connected

How many Outlook users connected

How many mobile device connected

How many OWA users

Number of mails sent through

Number of mails received by

Number of mail sent to internet

Number of mail received from Internet

 

Can some one please tell me if any of these above metrics can be viewed or monitored using Azure Sentinel? If yes please give me the link to go through it.

2 Replies

@roopesh_shetty 

Some of the use-case can be seen using Kusto query with the Office365 logs.
But for instance for mac users currently connected, I don't see the security purpose of it in general.
Same for how many Outlook users connected or mobile devices connected. 

Do you have a purpose related to find suspicious activity for those use-case ?

Using the Fusion technology or Analytics rules such as:

  •  Office Policy Tampering
  •  Multiple users email forwarded to same destination
  •  Exchange AuditLog disabled

And if you have Threat Intelligence:

  •  TI map URL entity to OfficeActivity data
  •  TI map Email entity to OfficeActity

There is also Hunting Query and Jupyter Notebooks

 

King Regards,

Thomas

@roopesh_shetty To the best of my knowledge Office 365 connector on Azure Sentinel only pulls in audit logs (update, create, add, and delete activities), not mail flow logs. You might be able to pull in message tracking logs some other way, however I have not seen any Microsoft articles on it.

 

You can try looking through Azure AD Sign-in logs for connection endpoint informations. For all the mail flow related metrics I think you would still need to use Security & Compliance Center.

 

Example: Connections to Exchange Online based on device type

 

SigninLogs
| where AppDisplayName == "Office 365 Exchange Online"
| extend operatingSystem = parse_json(tostring(DeviceDetail.['operatingSystem']))
| summarize count() by tostring(operatingSystem) | render piechart