Hi all,
We are being asked to export M365 (O365) unified audit logs to a SIEM solution so that SOC teams can monitor for suspicious or bad behaviour, etc. Generally making the connector to ingest data is no problem, but we are getting no guidance on "what to alert on".
SOC indicate they are NOT interested in an elevated admin making a change to configuration (in error or otherwise)... but they are not yet familiar with what type of activity SHOULD be monitored specifically on M365.
Is there "best practice" or "recommended monitoring" for suspicious or malicious behavior - a list of things recommended to monitor through M365 alerting? We would like to use this as a baseline for SOC which could be built upon as we progress.
There are plenty of sites talking about getting data, but not what to monitor...
Thanks
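The post asks for a baseline and gets no answer on the page, so here is an added example, not from the original post and not Microsoft's own tooling, of the kind of detection logic a SOC could run over unified audit log records once the connector ships them as JSON. The operation names (New-InboxRule, Set-InboxRule, Set-Mailbox, "Consent to application.", UserLoginFailed) are the real operation strings the unified audit log emits; the tenant domain list, the failed-sign-in threshold, the rule names and every sample record are assumptions constructed for the example. The rules deliberately target account-compromise indicators (external forwarding, mailbox forwarding, OAuth consent, sign-in failure bursts) rather than routine admin configuration changes, matching what the post says the SOC wants.

```python
"""Baseline detections over Microsoft 365 unified audit log (UAL) records.

Each record is the "AuditData" JSON that Search-UnifiedAuditLog and the
Office 365 Management Activity API emit. Added example; assumptions marked.
"""
import json
import re
from collections import Counter

TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # assumption: tenant's own mail domains
FAILED_LOGIN_THRESHOLD = 5                                   # assumption: failures per user per batch
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_audit_lines(text):
    """Parse newline-delimited JSON. Search-UnifiedAuditLog wraps the real
    event in an "AuditData" string, so unwrap that form too."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if isinstance(rec.get("AuditData"), str):
            rec = json.loads(rec["AuditData"])
        records.append(rec)
    return records


def _params(record):
    """Exchange cmdlet records carry Parameters as [{"Name": ..., "Value": ...}]."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _is_external(address):
    addr = address.strip().lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in TENANT_DOMAINS


def evaluate_record(record):
    """Per-record rules. Returns a list of (alert_name, detail) tuples."""
    alerts = []
    op = record.get("Operation", "")
    user = record.get("UserId", "?")
    params = _params(record)

    # Rule 1: inbox rule that forwards or redirects mail outside the tenant.
    if op in ("New-InboxRule", "Set-InboxRule"):
        for name in FORWARDING_PARAMS:
            if name in params:
                targets = [t for t in re.split(r"[;,]", params[name]) if t.strip()]
                external = [t.strip() for t in targets if _is_external(t)]
                if external:
                    alerts.append(("InboxRuleExternalForward", f"{user}: {name}={','.join(external)}"))

    # Rule 2: mailbox-level forwarding set via Set-Mailbox (any target is worth a look).
    if op == "Set-Mailbox":
        for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if params.get(name):
                alerts.append(("MailboxForwardingSet", f"{user}: {name}={params[name]}"))

    # Rule 3: a user granting consent to an OAuth application (illicit consent grant pattern).
    if op == "Consent to application.":
        alerts.append(("OAuthAppConsent", f"{user} consented to an application"))
    return alerts


def evaluate_batch(records):
    """Per-record rules plus an aggregate rule over failed sign-ins in the batch."""
    alerts = []
    failed = Counter()
    for rec in records:
        alerts.extend(evaluate_record(rec))
        if rec.get("Operation") == "UserLoginFailed":
            failed[rec.get("UserId", "?")] += 1
    for user, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("FailedLoginBurst", f"{user}: {count} failed sign-ins"))
    return alerts


# Constructed sample events (assumption); one is wrapped in "AuditData" like cmdlet output.
_EVENTS = [
    {"CreationTime": "2024-05-01T08:00:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T08:05:00", "Operation": "Set-InboxRule", "Workload": "Exchange",
     "UserId": "bob@contoso.com", "Parameters": [{"Name": "Identity", "Value": "Sort"},
                                                  {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2024-05-01T08:10:00", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "admin@contoso.com", "Parameters": [{"Name": "Identity", "Value": "carol"},
                                                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.x@example.org"}]},
    {"CreationTime": "2024-05-01T08:15:00", "Operation": "Consent to application.",
     "Workload": "AzureActiveDirectory", "UserId": "dave@contoso.com"},
] + [{"CreationTime": f"2024-05-01T09:0{i}:00", "Operation": "UserLoginFailed",
      "Workload": "AzureActiveDirectory", "UserId": "erin@contoso.com", "ClientIP": "198.51.100.7"}
     for i in range(5)]
SAMPLE_LOG = "\n".join([json.dumps({"AuditData": json.dumps(_EVENTS[0])})] +
                       [json.dumps(e) for e in _EVENTS[1:]])

ALERTS = evaluate_batch(parse_audit_lines(SAMPLE_LOG))

if __name__ == "__main__":
    for name, detail in ALERTS:
        print(f"[{name}] {detail}")
```

Bob's benign move-to-folder rule produces nothing, Alice's external forward-and-delete rule fires, and the five failures for Erin only alert because the batch is evaluated as a whole; in a SIEM the same aggregate would be a time-windowed count rather than a per-batch one.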
Posted to r/sysadmin, 4 months ago: reddit.com/r/sysadmin/co...