Overview of Microsoft 365 security monitoring

Sami Lamppu


Senior Consultant / Cloud Advisor

April 17, 2020 at 11:30

Some of the questions I often hear in my work are: which native Microsoft tools should my organization use for monitoring the security of the cloud environment? How can I manage alerts easily? Let's get started with a high-level overview of security monitoring possibilities in the Microsoft 365 ecosystem.

Setting up the scene

Cloud security monitoring is a huge topic in the Microsoft cloud ecosystem. For that reason, in this post I will concentrate on Microsoft 365 (M365) security monitoring and alerts, not on metrics. I would also like to highlight that this post stays at a very high level and leaves the technical details to later blog posts.

The questions I have heard quite often from the field are:

  • Which native Microsoft tools should I use for monitoring the security of the cloud environment?
  • How can/should I manage all the alerts in the ecosystem out of the box?
  • Should I use 3rd party tools for security monitoring?

Let's concentrate on the first question, "Which native Microsoft tools should I use for monitoring the security of the cloud environment?"

Unfortunately, I have to say that it depends on many things. It's a matter of licenses, which tools you have in your toolbox, how much the organization is utilizing Microsoft cloud workloads, the maturity of the organization or service provider, other cloud service provider tools in use, and so on. However, Microsoft offers a brilliant set of cloud security solutions. I will introduce a few that can be useful to you:

  • Azure Security Center
  • Microsoft 365 Security Center
  • Azure AD Identity Protection
  • Microsoft Defender ATP
  • Azure ATP & O365 ATP
  • Cloud App Security
  • Azure Sentinel

Microsoft 365 Security Center

With Microsoft 365 Security Center, you can get an overall view of your organization's security health across Microsoft 365 workloads.

Cloud App Security (CASB)

Microsoft Cloud App Security is a cloud access security broker (CASB) from Microsoft. It provides a comprehensive solution that gives visibility into cloud activities, control over data in transit, and sophisticated analytics to identify and protect against threats.

Azure Sentinel

Azure Sentinel is a cloud-based SIEM with SOAR capabilities from Microsoft, and it is built on top of Azure Log Analytics.

Microsoft cybersecurity architecture 

Microsoft's cybersecurity architecture document can be helpful when the organization is planning security in the Microsoft cloud. 

At first sight, it looks a bit crowded, but once you get familiar with it, it will be beneficial. Most of the security monitoring solutions (some of them covered later in this post) are inside the yellow circle of the picture below, the Security Operations Center (SOC) part.

Microsoft Cybersecurity Architecture with security monitoring solutions highlighted. Picture originally from https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c

 

Internal cloud integrations

When planning security monitoring in the Microsoft cloud, the internal cloud integrations between security products (and their licenses) play a vital role in getting the most out of the solutions. Some integrations are already in place by default, but the administrator needs to create most of them.

Security solutions integration example

The picture below doesn't cover all possible security solutions and integration scenarios; instead, it gives an overall understanding of which solutions help to investigate alerts and suspicious activity found in the cloud or on-premises.

Azure Sentinel represents the SIEM solution in the picture. It raises the alerts, and investigation typically starts from here. If you are wondering why the investigation doesn't start from Azure Security Center or M365 Security Center, the reason is that alerts from these solutions can be found in, or sent to, the SIEM. In this example case, the SIEM product is Sentinel, but it can be any other SIEM solution such as Splunk or QRadar.

The best synergy advantages of security solutions come with the integrations. In the top category are the solutions which, in my opinion, are the best ones from which to start the investigation.

Both Sentinel and Cloud App Security have a rich set of capabilities for investigation, and both can ingest data from different sources. The security solutions in the lower part of the picture act as providers for the top-level security solutions, Sentinel and Cloud App Security. An alert from a provider, such as Azure ATP, is forwarded to the top-level security solutions if the integrations are appropriately configured.

Integrating multiple solutions helps you to investigate security alerts. Illustration by Sami Lamppu and Markus Pitkäranta.

Microsoft cloud has several security portals and admin centers available, and the list can be found here.

Conclusion

The best synergy advantages from the security solutions in the Microsoft cloud come with the integrations between the products. Even if your organization uses a third-party SIEM, the internal cloud integrations between the systems are very beneficial for getting much better visibility into the environment.

Integration benefits between security solutions in the cloud are one of the topics covered later in a more technical post.

 
