filtering O365 logs into Sentinel by region?

David Broggy 5,701 Reputation points MVP
2022-11-17T15:38:00.473+00:00

Hi everyone,
I'd like to pull in O365 logs to sentinel for a specific region of users.
It's all for a single tenant but I have several geographical regions under that tenant.
For data privacy reasons I'd like to filter like I can for Defender for Endpoint Device Groups, but O365 would be a user group of sorts?
Any options for this?

Microsoft Sentinel

1 answer

  1. Clive Watson 5,951 Reputation points MVP
    2022-11-18T11:22:07.213+00:00

    With Table RBAC you could send Country 1 to Table 1 etc. and lock the RBAC to a set of users to protect privacy. However, you'd have to look at using the API/Logic App to do this - the native connectors push everything to the OfficeActivity table.

    Challenge #2 will be the filter, as there is no (AFAIK) region or country column (but again the API might have this). Then when you do have the logs the data will be in custom tables (so rules, workbooks, playbooks will need amending).

    With transformation you may be able to group the data (maybe create a DCR that looks at email names and puts .com into a column called com_CL or puts .co.uk into UK_CL; however there is no column RBAC). You could have regional Sentinels all connected to O365 and then have a DCR that uses this idea but drops data from other regions (assuming you can identify/filter them) - it would be a lot of work.
    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-workspace-transformations-portal

    I hope this helps or gives you an idea or two - please "accept" if it does.
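As an added illustration of the "classify by email domain, then drop other regions" idea from the answer above (example written here, not code from the answer or from Microsoft), this is a workspace-transformation query of the kind a DCR's transformKql holds. It assumes the ingested rows arrive as `source` with a `UserId` column holding the user's UPN, and that the UK region can be recognised by the `.co.uk` suffix of that address (an approximation); it tags each row with a temporary region value, keeps only the UK rows, and removes the helper column so the table schema is unchanged.

```kql
// Added example of a workspace-transformation query (DCR transformKql).
// Assumptions: rows arrive as `source` with a UserId column (UPN); region is
// inferred from the e-mail domain suffix, which is only an approximation.
source
| extend _region = case(
    tolower(UserId) endswith ".co.uk", "UK",
    tolower(UserId) endswith ".com",   "US",
    "Other")
// Keep only this workspace's region; rows for other regions are dropped at ingestion.
| where _region == "UK"
// Remove the helper column so OfficeActivity keeps its standard schema.
| project-away _region
```

Because the transformation runs before the row is stored, dropped rows never reach the workspace, which is what makes this usable as a privacy control; mis-classified domains are dropped silently, so check the classification against a sample of your UPNs before applying it.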