Office 365 Log Monitor

An overview of a valuable cloud security app

What

On your endpoint devices, the Suspicious Event Monitor and Active Directory Monitor apps can provide early warning of malicious actors. These apps alert you to attempts to create new accounts, access existing accounts, or increase the permissions of existing accounts.

The Office 365 Log Monitor app provides similar protection for your cloud-based activities. This app pulls the Microsoft Azure Active Directory events for all your customers and displays multi-tenant information in an aggregate fashion, so you can see all your clients at once.

What to Look For in Results

When you open an app result for this app, you see a large amount of data.

First, look at what is happening and whether it was successful. An activity like Update Device is bound to happen in a real-life workplace. But if there is a string of failures to update devices, something is wrong. This could be a malicious actor trying to change settings without the proper credentials, or we may have just shown you a misconfiguration that would have cost a lot if you hadn't noticed.

Second, if there is a Target Resources section in this app result, look at what values were changed, and what they were changed to (i.e. "New Value"). If the new data looks suspicious, investigate immediately.

When to Be Scared

MSPs have different clients, and each operates with a slightly different definition of "normal".

You may work with a temp agency whose accounts are constantly being created and deleted. Or you may work with a series of dentists' offices who never hire anyone new. In general, repeated failures in user accounts can be a sign that someone is trying to change things without the proper knowledge or credentials.

Make sure you keep track of which accounts are being changed. Any changes to admin accounts or accounts gaining privileges should be something you recognize, or there could be a problem.
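The two checks above (a string of failures for one activity, and privilege changes visible in Target Resources / New Value) can be scripted against the raw Azure AD audit records. The following is an added example, not code from the app or its vendor; the records are constructed here in the shape of Microsoft Graph directoryAudit entries, and the failure threshold and role activity names are assumptions you would tune per client.

```python
from collections import Counter

# Constructed sample records shaped like Azure AD audit log entries from
# the Microsoft Graph directoryAudit resource. Tenant ids and accounts are
# made up; t-dental shows repeated device-update failures, t-temp shows a
# new account being placed straight into an admin role.
SAMPLE_EVENTS = [
    {"tenantId": "t-dental", "activityDisplayName": "Update device",
     "result": "failure", "targetResources": []},
    {"tenantId": "t-dental", "activityDisplayName": "Update device",
     "result": "failure", "targetResources": []},
    {"tenantId": "t-dental", "activityDisplayName": "Update device",
     "result": "failure", "targetResources": []},
    {"tenantId": "t-temp", "activityDisplayName": "Add user",
     "result": "success",
     "targetResources": [{"userPrincipalName": "newtemp@temp.example",
                          "modifiedProperties": []}]},
    {"tenantId": "t-temp", "activityDisplayName": "Add member to role",
     "result": "success",
     "targetResources": [{"userPrincipalName": "newtemp@temp.example",
                          "modifiedProperties": [
                              {"displayName": "Role.DisplayName",
                               # Graph encodes newValue as a JSON string,
                               # hence the embedded quotes.
                               "newValue": "\"Global Administrator\""}]}]},
]

# Assumed set of activity names that grant privileges; extend per client.
PRIVILEGE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}


def triage(events, failure_threshold=3):
    """Return findings: privilege changes and per-tenant repeated failures."""
    findings = []
    failures = Counter()
    for e in events:
        if e["result"] == "failure":
            failures[(e["tenantId"], e["activityDisplayName"])] += 1
        if e["activityDisplayName"] in PRIVILEGE_ACTIVITIES:
            for target in e["targetResources"]:
                roles = [p["newValue"].strip('"')
                         for p in target["modifiedProperties"]
                         if p["displayName"] == "Role.DisplayName"]
                findings.append(("privilege-change", e["tenantId"],
                                 target["userPrincipalName"], ", ".join(roles)))
    for (tenant, activity), count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated-failure", tenant, activity, count))
    return findings
```

Each finding names the tenant, so an MSP can compare it against that client's own "normal" (a temp agency's role changes may be routine; a dentist's office's are not).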

When to Not Be Scared

This app monitors directory events. There will be events that make it onto this list from any operating business. Just because you have 20 app results the first day does not mean you are under attack.

Look at the results; if they were simply known employees using their Microsoft Office accounts, you don't need to be worried.