The Office365 Management API pulls useful information about user, admin, system, and policy actions from the following sources:
- Azure AD
- Exchange Audit
- SharePoint Audit
- Audit General
- DLP logs for all workloads
- Security and Compliance Center
This helps with general operations, security, and compliance monitoring. However, it is not enough: we are still missing a lot of valuable analytical information that would be of interest to analysts and could feed many analytics.
I believe the next step is to integrate the Microsoft Graph Security API.
This API provides unified integration with security solutions from Microsoft and ecosystem partners. It makes it possible to pull, from many Azure resources, both:
- consolidated and correlated security alerts, and
- contextual data that aids investigations
The integrated products include:
- Azure Advanced Threat Protection
- Azure AD Identity Protection
- Azure Security Center
- Azure Sentinel
- Azure Information Protection
- Microsoft Cloud App Security
- Office Advanced Threat Protection
- Defender Advanced Threat Protection
The alert and signal types available include:
- Risky IP address
- Login failures
- Admin activity
- Inactive accounts
- Infrequent location
- Impossible travel
- Activity rate
- Lateral movement paths
- Domain dominance
- Compromised credentials
- Exfiltrations
- Ransomware activity
- Suspicious inbox forwarding
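As an added example (not code from the original post), a small Python triage helper for the consolidated alerts the Graph Security API exposes: it composes a filtered request against the real /v1.0/security/alerts endpoint, then runs over a constructed sample response to queue open alerts by severity and to spot users flagged by more than one provider, which is the kind of correlation the unified feed makes possible. The provider names and user principal names in the sample are assumptions, and no network call is made.

```python
"""Triage helper for alerts pulled from the Microsoft Graph Security API.
Added example, not from the original post. GET /v1.0/security/alerts is the
real unified alerts endpoint; SAMPLE_RESPONSE is a CONSTRUCTED reply in that
shape (documented alert properties). No network call is made here."""
from collections import defaultdict
from urllib.parse import quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}

# Constructed sample: three providers feeding the one unified endpoint.
SAMPLE_RESPONSE = {"value": [
    {"id": "a1", "title": "Impossible travel activity", "severity": "medium",
     "status": "newAlert", "vendorInformation": {"provider": "MCAS"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
    {"id": "a2", "title": "Suspicious inbox forwarding", "severity": "high",
     "status": "newAlert", "vendorInformation": {"provider": "Office 365 Security and Compliance"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
    {"id": "a3", "title": "Leaked credentials", "severity": "high",
     "status": "resolved", "vendorInformation": {"provider": "IPC"},
     "userStates": [{"userPrincipalName": "bob@contoso.example"}]},
]}

def build_alerts_url(severity="high", status="newAlert", top=50):
    """Compose the polling URL with an OData $filter on severity and status."""
    odata = f"status eq '{status}' and severity eq '{severity}'"
    return f"{GRAPH_ALERTS}?$top={top}&$filter={quote(odata)}"

def open_alerts(response):
    """Unresolved alerts, highest severity first, flattened for a triage queue."""
    rows = []
    for a in response.get("value", []):
        if a.get("status") == "resolved":  # closed alerts stay out of the queue
            continue
        rows.append({"id": a["id"], "title": a["title"],
                     "severity": a.get("severity", "unknown"),
                     "provider": a.get("vendorInformation", {}).get("provider", "?"),
                     "users": sorted({u.get("userPrincipalName", "")
                                      for u in a.get("userStates", [])})})
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)

def users_seen_by_multiple_providers(response):
    """Correlation step: users named in open alerts from more than one provider."""
    providers = defaultdict(set)
    for row in open_alerts(response):
        for upn in row["users"]:
            providers[upn].add(row["provider"])
    return {upn for upn, seen in providers.items() if len(seen) > 1}
```

In production the URL would be fetched with an OAuth 2.0 bearer token carrying the SecurityEvents.Read.All permission, and the returned JSON passed to open_alerts() in place of the sample.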