M365 - SOC Alert recommendations
Posted by iscreamconstantly

Hi all,

We are being asked to export M365 (O365) unified audit logs to a SIEM solution so that SOC teams can monitor for suspicious or bad behaviour, etc. Generally making the connector to ingest data is no problem, but we are getting no guidance on "what to alert on".

SOC indicate they are NOT interested in an elevated admin making a change to configuration (in error or otherwise)... but they are not yet familiar with what type of activity SHOULD be monitored specifically on M365.

Is there "best practice" or "recommended monitoring" for suspicious or malicious behavior - a list of things recommended to monitor through M365 alerting? We would like to use this as a baseline for SOC which could be built upon as we progress.

There are plenty of sites talking about getting data, but not what to monitor...

Thanks

Posted: 4 months ago