Comments on: How to Use Office 365 Audit Data with Microsoft Sentinel (https://practical365.com/use-office-365-audit-data-with-microsoft-sentinel/), Practical 365, feed last updated Mon, 31 Jul 2023 14:19:34 +0000

By: Andre++, Wed, 21 Jun 2023 12:17:57 +0000 (in reply to Ana)

You would need Azure Lighthouse for that.

By: Andre++, Wed, 21 Jun 2023 12:16:41 +0000

To designate Sentinel as “log aggregator” is a bit shortsighted if I may say so. It is a full-blown SIEM/SOAR solution with (a.o.) UEBA and Machine Learning capabilities.

By: Tony Redmond, Wed, 17 May 2023 11:06:13 +0000 (in reply to Alex)

I imagine that you can, but I have never done it. If I were to, I would start by investigating how to ingest data into whatever tool you want to use for analysis and then figure out how to extract the data from the unified audit log (probably with PowerShell) for ingestion and processing.

By: Alex, Wed, 17 May 2023 08:50:49 +0000

Hi Tony,
Can we use this Office activity data for further machine learning use cases like abnormal behavior or anomaly detection, maybe in Azure ML or a Sentinel notebook? If yes, can you guide me on how?

By: Tony Redmond, Wed, 10 May 2023 09:01:00 +0000 (in reply to Ana)

Looks like you need a separate workspace per tenant: https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

By: Ana, Wed, 10 May 2023 08:16:38 +0000 (in reply to Tony Redmond)

How? Only single-tenant connection is allowed. You cannot use data from other tenants:

2. Previously connected tenants
Microsoft Sentinel now enables Office 365 single-tenant connection. You can modify your previously connected tenants and click Save.

By: Tony Redmond, Thu, 30 Mar 2023 14:28:27 +0000 (in reply to Ana)

I imagine that a Sentinel connector would be the right way: https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources

By: Ana, Thu, 30 Mar 2023 14:11:58 +0000

Hi Tony,

Great article.

If I have 2 tenants, can I ingest data from Tenant A into Sentinel of Tenant B? I cannot find such an option in the Data Connector. Is there a way to customize it?

By: Tony Redmond, Thu, 08 Dec 2022 11:07:29 +0000 (in reply to Rakesh Kapoor)

Here’s an example of using the audit log to track SharePoint file deletions: https://office365itpros.com/2021/12/16/sharepoint-online-deletion/

By: Tony Redmond, Thu, 08 Dec 2022 11:06:09 +0000 (in reply to Rakesh Kapoor)

I don’t think you can customize the set of operations ingested from SharePoint into Sentinel. It seems like the connector takes what it can.

As to the KQL query, check out https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data to find out how to build KQL queries. And this article from Thijs, of course: https://practical365.com/use-kql-to-master-sentinel-data/

Another way to attack the problem is to use the events in the unified audit log to detect when people create, update, or delete a SharePoint file. Sentinel gets its data from the audit log, so I would go there in the first instance.
