How to Configure Azure Sentinel to collect data from Office 365
What is Azure Sentinel:
How do you connect Office 365 to Azure Sentinel? By connecting Office 365 to Azure Sentinel you can view all events in a single console.
From your Azure Sentinel Dashboard, click on Data connectors
From the data connectors overview page click on Office 365.
From the connector page, you will see the following configuration settings.
Expand Configuration and click on “click here to install solution”
The solution will install. To continue, expand Connect tenant to Azure Sentinel.
Click on +Add tenant; you will be prompted for your Global Admin credentials.
Login with your administrator credentials.
Once you have provided your login credentials, you will be prompted to accept the permission request for your Office 365 organization. Azure Sentinel will read health and activity data from your organization.
Now that your Microsoft 365 organization has been added to Azure Sentinel, expand Stream Office 365 activity logs. Click on Select to choose which logs you want to view in Sentinel.
Select Exchange and Sharepoint.
Then click Apply changes at the bottom.
In the next section, you need to select which dashboard you want to install.
Click on “Recommended dashboards” and click on Exchange Online.
On the left-hand slider click on install.
Do the same for Office 365 Dashboard.
To view the newly installed dashboard, from the Azure Sentinel Home Dashboard click on Dashboards.
Then select the dashboard you want to view. In this example I will select Office 365 Dashboard and then click on “view dashboard” from the right-hand slider.
From the Office 365 Dashboard, you can view the following:
- Activity by workload
- Admin Activity by Type
- Update, Create and delete activities
- Group activities
These are just some of the activities you can view from the Office 365 Dashboard in Azure Sentinel.
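To confirm that the connector is actually delivering events after the steps above, you can run a query in the Logs blade of the workspace. The following is an added example, not part of the original walkthrough; it assumes the connector writes to the OfficeActivity table and summarizes what has arrived per workload, similar to the dashboard's "Activity by workload" tile.

```kusto
// Added example: check that Office 365 events are arriving per workload.
// Assumes the Office 365 connector writes to the OfficeActivity table.
OfficeActivity
| where TimeGenerated > ago(24h)
| summarize Events = count(),
            DistinctUsers = dcount(UserId),
            DistinctOperations = dcount(Operation),
            LastEvent = max(TimeGenerated)
    by OfficeWorkload
// How stale is the newest event for each workload?
| extend MinutesSinceLastEvent = datetime_diff("minute", now(), LastEvent)
| order by Events desc
```

A workload you selected that has no row in the result has not delivered any events in the last 24 hours; a large MinutesSinceLastEvent on an otherwise busy workload points to stalled ingestion.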