Microsoft 365 Log Monitoring

Integration Overview

Microsoft 365 and Office 365 are cloud-based collaboration and communication tools designed to support an organization's needs for reliability, user productivity, and security. Panther can collect, normalize, and monitor Microsoft 365 audit logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.

Use Cases for Microsoft 365 Audit Logs

Panther can pull audit logs from Microsoft's Office 365 Management Activity API, and will query the API every 5 minutes. Some common SIEM use cases for Microsoft 365 audit logs include:

  • Identifying any suspicious or brute force login attempt activity
  • Detecting any excessive or suspicious document creation, sharing, or deletion
  • Monitoring for disabled or modified MFA settings
  • Detecting the creation of email forwarding rules to external domains

Onboarding Microsoft 365 Logs in Panther

Panther’s integration for Microsoft 365 is fast and easy to configure, allowing you to onboard Microsoft 365 logs in just a few minutes. Simply select Microsoft 365 from the list of log sources in the Panther console, create a new Application in Azure Active Directory, and submit your credentials into the Panther setup menu.

For more details on onboarding Microsoft 365 logs or for supported log schema, you can view our Microsoft 365 documentation here.

Parsing, Normalizing, & Analyzing Logs

As Panther ingests Microsoft 365 logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.

Panther applies normalization fields to log records, which standardizes names for attributes and empowers you to correlate data across all of your log sources. Panther’s intuitive search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.

Built-in and Easily Customizable Detections

Pre-built detections for Microsoft 365 are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Microsoft 365 logs here.

With Panther, you aren’t confined to rigid detections as seen in most SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.

Configuring Alerts

Panther generates alerts when your detection rules or policies for Microsoft 365 are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.

Alerts are categorized by five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.

Customer Support

If you have any questions about configuring or monitoring Microsoft 365 logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.

You can view our documentation on configuring and monitoring Microsoft 365 logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Microsoft 365 logs.

The Ideal SIEM for Microsoft 365

With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data or struggle with restrictive detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.

Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for Microsoft 365, request a demo today.

Escape Cloud Noise. Detect Security Signal.
Request a Demo