If you have a look inside your Azure Sentinel console you should see some new options.
The first is a new option in the Office 365 Data connector to allow you to bring Teams data from the Office 365 Unified Audit Log into Sentinel. All you need to do to enable this is open the Office 365 connector and select the Teams check box as shown above.
Once the data starts flowing in, you'll be able to run Kusto queries on the log data as shown above. This query produces a quick report of all the Teams sessions over the last day, counted per user. The KQL for this is:
OfficeActivity
| where TimeGenerated >= ago(1d)
| where RecordType == "MicrosoftTeams"
| summarize count() by UserId
| sort by count_
With Teams data now flowing into Sentinel you can start creating all sorts of interesting reports.
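As an added example (not a query from the original post), here is one way to take the per-user count above a step further: instead of counting sessions per user, it breaks the last day's Teams audit events out by user and operation, restricted to the operations that change who can see Teams content, and collects the source IPs seen for each. It assumes the Office 365 connector populates the OfficeActivity table with a RecordType of "MicrosoftTeams", and that the Operation and ClientIP columns and the operation names listed in the query follow the Office 365 audit schema; adjust the list if your tenant uses different names.

```kql
// Added example, not from the original post.
// Assumes Office 365 Teams audit records land in OfficeActivity with
// RecordType == "MicrosoftTeams" and carry Operation and ClientIP columns.
let lookback = 1d;
// Operations that change team or channel membership and visibility.
// Names follow the Office 365 Unified Audit Log schema (assumption).
let watched = dynamic(["TeamCreated", "TeamDeleted",
                       "MemberAdded", "MemberRemoved",
                       "ChannelAdded", "ChannelDeleted"]);
OfficeActivity
| where TimeGenerated >= ago(lookback)
| where RecordType == "MicrosoftTeams"
| where Operation in (watched)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(ClientIP)
          by UserId, Operation
| sort by Events desc
```

Run this in the Logs blade the same way as the query above. A single account appearing at the top with a large number of MemberAdded or TeamDeleted events, or with more source IPs than you would expect for one person, is the kind of thing worth a closer look, and the same filter can be saved as a scheduled analytics rule once you are happy with the noise level in your tenant.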
The next new item is the Entity behavior as shown above. Here is what it does:
Basically, it lets you look at the data at a more granular, per-entity level, and it applies more AI (Artificial Intelligence) analytics across that data to look for anomalies.
Just scroll down the page and turn it on.
Now when you visit the link you’ll see:
and selecting an account will show you information like:
Which is a great summary for that user over the time period you selected.
The Threat intelligence option provides the above options, which to be honest, I haven’t fully figured out how to use effectively yet. I may not as yet have enough data in this tenant to make full use of it. I’ll have to wait and see.
Overall, some really handy additions to Azure Sentinel that I'd be encouraging you to take advantage of to improve your security analysis. If you are looking to get started with Azure Sentinel, don't forget my online course: