Working on different SIEM use cases is very interesting, and it is incredible to work with customers and partners on them. In one of my engagements, a customer asked about the possibility of ingesting Office 365 DLP events into Azure Sentinel.
Before I dig into the details, let me explain where one can get Office 365 DLP events apart from Azure Sentinel.
This blog post is a step-by-step guide on how to ingest Office 365 DLP events into Azure Sentinel, and how to use them.
Preparation
The following tasks describe the needed preparation steps:
Simulation and validation
Once the DLP policies are configured and assigned to the users, and the required connectors are enabled, the simulation can be started to produce events for later use. Allow some time for the events to arrive in the workspace before searching for them.
How to search for events
Office 365 DLP produces three types of events; they are ingested into the Log Analytics workspace behind Azure Sentinel and are available for search.
In my example, I searched for DLP events from SharePoint Online of the "DLPRuleMatch" type.
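As an added example (not code from the original post, and not Microsoft's), the following Python models that search offline: it filters constructed DLP records by workload and operation, then flattens the policy and rule details a practitioner wants when reviewing a match. The record shape follows the Office 365 Management Activity API DLP schema (Workload, Operation, PolicyDetails with Rules and ConditionsMatched). The three Operation values modelled (DlpRuleMatch, DlpRuleUndo and DlpInfo), the tenant name, users and file paths are assumptions of this example, and the summary of user overrides (DlpRuleUndo) goes beyond the post, which only searches for rule matches.

```python
"""Search and summarise Office 365 DLP events as ingested by Azure Sentinel.

Added example, not code from the original post or from Microsoft. The record shape is
modelled on the Office 365 Management Activity API DLP schema (Workload, Operation,
PolicyDetails, ConditionsMatched); the events below are constructed, and any field
name not in that schema is an assumption of this example.
"""
from collections import Counter


def _event(op, workload, user, obj, policy, rule, severity="Medium", actions=(),
           sensitive=(), justification=None):
    """Build one constructed DLP record in the Management Activity API shape."""
    rule_rec = {
        "RuleName": rule,
        "Severity": severity,
        "Actions": list(actions),
        "ConditionsMatched": {
            "SensitiveInformation": [
                {"SensitiveType": t, "Count": n, "Confidence": c} for t, n, c in sensitive
            ]
        },
    }
    if justification is not None:
        rule_rec["OverriddenJustification"] = justification  # set on DlpRuleUndo
    return {
        "Operation": op,        # DlpRuleMatch, DlpRuleUndo or DlpInfo (assumed values)
        "Workload": workload,   # SharePoint, OneDrive or Exchange
        "UserId": user,
        "ObjectId": obj,
        "PolicyDetails": [{"PolicyName": policy, "Rules": [rule_rec]}],
    }


# Constructed sample events (not data from a real tenant).
SAMPLE_EVENTS = [
    _event("DlpRuleMatch", "SharePoint", "alice@contoso.example",
           "https://contoso.example/sites/finance/cards.xlsx", "PCI-DSS",
           "Block external sharing of card numbers", "High",
           ["BlockAccess", "NotifyUser"], [("Credit Card Number", 12, 85)]),
    _event("DlpRuleUndo", "SharePoint", "bob@contoso.example",
           "https://contoso.example/sites/finance/vendors.docx", "PCI-DSS",
           "Block external sharing of card numbers", "High", [],
           [("Credit Card Number", 1, 65)], justification="Test data, not real cards"),
    _event("DlpInfo", "SharePoint", "carol@contoso.example",
           "https://contoso.example/sites/hr/notes.txt", "PCI-DSS",
           "Block external sharing of card numbers", "Low"),
    _event("DlpRuleMatch", "Exchange", "dave@contoso.example",
           "<msg-42@contoso.example>", "GDPR", "Warn on personal data sent externally",
           "Medium", ["NotifyUser"], [("U.S. Social Security Number (SSN)", 3, 75)]),
]


def search(events, workload="SharePoint", operation="DlpRuleMatch"):
    """The filter from the post: DLP events for one workload and one operation."""
    return [e for e in events
            if e.get("Workload") == workload and e.get("Operation") == operation]


def rule_matches(event):
    """Flatten PolicyDetails into one record per matched rule."""
    out = []
    for policy in event.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            hits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
            out.append({
                "policy": policy.get("PolicyName"),
                "rule": rule.get("RuleName"),
                "severity": rule.get("Severity"),
                "actions": rule.get("Actions", []),
                "sensitive": {h["SensitiveType"]: h["Count"] for h in hits},
                "justification": rule.get("OverriddenJustification"),
            })
    return out


def summarize(events, workload="SharePoint"):
    """Numbers a workbook would chart: matches per policy/rule, hits per sensitive
    information type, and user overrides (DlpRuleUndo), which merit a review."""
    per_rule, per_type, overrides = Counter(), Counter(), []
    for ev in search(events, workload, "DlpRuleMatch"):
        for m in rule_matches(ev):
            per_rule[(m["policy"], m["rule"])] += 1
            per_type.update(m["sensitive"])  # adds the per-type hit counts
    for ev in search(events, workload, "DlpRuleUndo"):
        for m in rule_matches(ev):
            overrides.append((ev["UserId"], ev["ObjectId"], m["rule"], m["justification"]))
    return {"per_rule": dict(per_rule), "per_type": dict(per_type), "overrides": overrides}


if __name__ == "__main__":
    for ev in search(SAMPLE_EVENTS):
        print(ev["UserId"], ev["ObjectId"], rule_matches(ev))
    print(summarize(SAMPLE_EVENTS))
```

Filtering on workload and operation is exactly what the search in the workspace does; the flattening shows why: the policy name, rule name, actions and matched sensitive information types sit nested under PolicyDetails, and a triage query needs them pulled out. Overrides are worth a separate look, since a DlpRuleUndo with a weak justification is the event an analyst should follow up on.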
Workbook for interactive reports
Azure Sentinel can present the ingested data in out-of-the-box dashboards as well as in customized ones. For my purpose, I used the SharePoint & OneDrive dashboard, which is available as part of the Office 365 data connector. For Office 365, Azure Sentinel has two additional dashboards: "Office 365" and "Exchange Online".
To view the events, open the SharePoint & OneDrive workbook and search for DLPRuleMatch events.
Summary
Azure Sentinel is flexible and can cover many use cases, such as the one shown in this blog post.