Selecting a SIEM for your Microsoft 365 environment can be a difficult task. With so many options available, it’s difficult to differentiate fact from fiction. Many SIEM vendors integrate with Microsoft 365 (formerly Office 365), but not every integration is seamless or easy.
Meanwhile, you may be eyeing Microsoft Sentinel, thinking that a native security information and event management (SIEM) platform will always be the best option for your Microsoft 365 environment. But Microsoft Sentinel isn’t a silver bullet, either.
Let’s discuss how to select the right SIEM for Microsoft 365.
Why Do You Need a SIEM For Microsoft 365?
Microsoft 365 environments generate large volumes of data. Since Microsoft 365 is such a robust product suite with many different components, a user or admin can perform millions of actions within it, and every action produces logs. For example, an organization with 1,000 users generates 15,000 Azure audit logs per day, according to Microsoft.
The increasing volume of critical data stored within Microsoft 365 — combined with its rising popularity — makes it a prime target for cyberattacks. Microsoft Office is the most commonly exploited software in malware attacks, according to an Atlas VPN report.
Without continuous monitoring through logs, admins could miss potential security risks. For example, a user that sets up an email forwarding rule to forward email to an external address could be benign, or it could be a threat actor’s attempt to maintain persistence in an environment.
Continuous monitoring is nearly impossible without a centralized repository for those logs. Without a SIEM for Microsoft 365, IT and security teams would need to sift through and interpret hundreds of thousands of raw logs. Sending those logs to a centralized location like a SIEM helps to maintain visibility.
Is Microsoft 365’s Built-In Security Enough?
All Microsoft 365 plans come with security settings out-of-the-box that can provide basic security protection at no extra cost. Any Microsoft 365 admin can:
- Enforce Azure MFA
- Block legacy authentication protocols such as IMAP/SMTP/POP3
- Require all users to perform MFA when necessary
- Protect privilege access
You can get more protection with certain add-on features, such as Microsoft Advanced Threat Protection, which includes malware protection via Microsoft Defender Antivirus, information rights management, remote wipe via Intune, and more.
Advanced Threat Protection also includes Microsoft Defender for Office 365, which helps protect against more sophisticated attacks such as zero-day threats, advanced malware, and ransomware.
While Microsoft Defender is a solid and ever-improving product, it is insufficient to protect against Microsoft 365 cyberattacks. Its malware detection rates fall behind many third-party competitors, and the user interface can be clunky. Furthermore, it struggles to protect against emerging threats like zero-day vulnerabilities.
No single security product can offer complete protection; a layered security approach utilizing various products and technologies is crucial to minimize the risk of successful cyberattacks. Third-party security products may provide advanced features like sandboxing or behavior-based detection to help identify and stop sophisticated attacks—capabilities that Microsoft Defender might not have or may not be as robust.
As Microsoft Defender is developed by the same company that creates the software it protects, some users might worry about potential conflicts of interest or a lack of independent oversight. Solely relying on Microsoft Defender can lead to a false sense of security, causing users to overlook other vital aspects of cybersecurity, such as user education, strong password policies, and regular software updates.
Cybersecurity experts recommend a layered approach, which means that relying on Microsoft’s built-in features is simply not enough for today’s emerging security threats. A SIEM correlates and alerts on all of the data from disparate data sources — including firewalls, cloud apps, on-premises apps, identity management, and an endpoint detection and response (EDR) platform such as Microsoft Defender — to provide a holistic view of your environment.
The True Cost of Microsoft Sentinel
As organizations tighten their IT and security budgets to prepare for the recession, it may make sense on paper to stay within Microsoft’s ecosystem. In theory, vendor consolidation should equate to cost-effectiveness.
Microsoft Sentinel is the company’s cloud-native SIEM offering that runs in the Microsoft Azure cloud and provides attack detection, threat visibility, proactive hunting, and threat response.
Microsoft markets affordability as one of Sentinel’s differentiators, claiming that it reduces costs by as much as 48% in comparison to legacy SIEM solutions. Microsoft often bundles many products into a single subscription, leading to the common misconception that Sentinel is low-cost or even free.
But Microsoft Sentinel is rarely affordable for the average small to midsize business (SMB). First of all, it’s not bundled into a Microsoft 365 subscription but rather a premium E5 plan, which starts at $57 per user per month.
Additionally, Microsoft Sentinel pricing depends on how much data your environment consumes. An ingestion-based pricing model can make the decision of which logs to ingest one that’s based on budget rather than true security needs, leading to gaps in coverage.
Microsoft includes certain log types for free — namely, Office 365 audit log, Microsoft Defender alerts, Azure activity logs, and Azure AD Identity Protection. But to achieve true security visibility, organizations should ingest log types beyond that. Some essential logs for consideration are:
- Perimeter device logs, which record network perimeter traffic and events from routers, switches, firewalls, and VPNs, helping to identify malicious or unauthorized access attempts, network anomalies, and policy violations.
- Windows event logs, which contain activities on Windows-based systems, can assist in pinpointing compromised accounts, malicious software, configuration errors, and system vulnerabilities.
- Endpoint logs that capture activities on devices like laptops, desktops, and mobile devices and aid in the identification of malware infections, data exfiltration, and user behavior anomalies.
- Application logs that track activities within applications such as web servers like Apache, SQL databases, and Microsoft email servers help to detect application errors, performance issues, security incidents, and user interactions.
- Proxy logs, containing user web traffic and requests passing through proxy servers, help identify web-based attacks, malicious domains, user browsing habits, and bandwidth usage.
- IoT logs, which record activities on IoT devices, helping to detect device malfunctions, unauthorized access attempts, data leakage, and network anomalies.
- Third-party provider logs (e.g., CrowdStrike) offer endpoint protection, threat intelligence, and incident response services, helping to identify advanced threats, malware, and indicators of compromise that Microsoft security solutions might not detect.
- Cloud platform logs (e.g., AWS) can log activities and events within the cloud infrastructure, assisting in detecting unauthorized access, policy violations, and potential misconfigurations.
As you can see, the log types included with Azure Sentinel are a very small piece of the puzzle when it comes to security visibility. When ingesting many different types of logs, costs can quickly increase in Microsoft’s SIEM.
Log retention costs can significantly impact organizations, particularly smaller ones without a security operations center (SOC). Although Microsoft offers a free 90-day retention period when Sentinel is enabled on Azure Monitor Log Analytics, retaining security data beyond that comes at a cost per GB. For instance, healthcare organizations required to retain logs for six years to comply with HIPAA may find Sentinel log retention costs rapidly escalating.
Additionally, operational costs associated with Microsoft Sentinel can be burdensome, especially for smaller IT or security teams. To fully utilize Sentinel, these teams must either learn the complex Kusto Query Language (KQL) to build custom parsers or hire third-party consultants. Integrating unsupported third-party solutions also necessitates learning the Advanced Security Information Model (ASIM) to create parsers.
While Sentinel is a valid option for large enterprises deeply invested in Microsoft’s ecosystem with extensive technical resources and expertise, smaller teams and organizations may not experience a strong return on investment (ROI) when using Sentinel.
This is due to several reasons:
- Limited budgets and resources make it difficult for smaller organizations to effectively configure and manage Sentinel, potentially resulting in suboptimal security coverage and increased vulnerability to cyber threats.
- The complexity of Sentinel’s interface and features can be overwhelming for smaller teams lacking extensive cybersecurity expertise, leading to a steep learning curve and delays in threat detection and response.
- Smaller organizations may find alternative security solutions that better cater to their needs and budget constraints, offering more streamlined and user-friendly interfaces and simplified deployment and management processes.
Blumira’s cloud-based SIEM with threat detection and response is built for small and under-resourced teams. We do things differently than Microsoft by providing more value for better security outcomes, including:
Integrate easily with your tech stack. We work particularly well with Windows environments and integrate with a wide variety of Microsoft services, including Microsoft 365, Windows Server, Azure Active Directory, Intune, Microsoft Teams, and Microsoft 365 Defender for Cloud Apps, just to name a few. But we also offer a lot of integrations outside of the Microsoft ecosystem, which means that you won’t experience vendor lock-in. If your tech stack includes a variety of different vendors, we’ll work with you to achieve security success with your existing resources and technology.
Predictable pricing. Blumira’s flat fee, subscription-based pricing model ensures that you can make decisions based on your security needs, not your budget. Ingest as much data as you need without cost consequences. Blumira also retains one year of data by default in our Cloud and Advanced editions, so there’s no need to export logs every three months and store them in a different location. Access and review all of your current and past findings with our convenient portal and meet cyber insurance and compliance easily and quickly with the team you have today.
Easy setup and maintenance. We do all the heavy lifting for your team to save them time, including parsing, threat hunting, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts and false positives. Designed for non-security experts to easily use, our platform doesn’t require your team to learn complex query languages or spend all day sifting through thousands of alerts. Deployment takes a matter of hours; our free edition integrates directly with Microsoft 365 tenant to detect suspicious activity within your environment.
How Blumira’s SIEM Integrates With Microsoft 365
Blumira’s cloud-based SIEM includes a wide range of pre-tuned detections to defend against Microsoft 365 threats, and our Incident Detection Engineering team is constantly working to develop more as new threats emerge.
Integrating Blumira’s SIEM with Microsoft 365 is an easy process that only takes a few minutes. Blumira’s Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor.
- In the Blumira app, go to the Cloud Connectors page (Settings > Cloud Connectors) and click Add Cloud Connector.
- In the Available Cloud Connectors window, click the connector that you want to add.
- Enter the necessary API credentials and click Connect.
- On the Cloud Connectors screen, under Current Status, you can view the configuration’s progress. When the configuration completes, the status changes to Online (green dot).
Read the full instructions on our Support page.
Then, Blumira will begin receiving your Microsoft 365 logs. Here are just some of our detections for Microsoft 365:
- Impossible Travel Activity. Impossible travel detections track information such as GPS address, IP address, or user’s device to pinpoint users’ location and determine whether a behavior was physically possible. If not, it could indicate that an adversary is attempting to infiltrate an environment.
- Suspicious inbox rule creation. Suspicious inbox rules can be a sign of a business email compromise (BEC) attack. Once an attacker gains access to a victim’s email, they will often create inbox rules, like email forwarding, to copy in- and outgoing emails, with the goal of guaranteeing access even if the credentials are changed.
- Suspicious email sending patterns detected. Suspicious email sending patterns, like sending out massive amounts of email, can be an early indicator of a compromised account. When this alert is triggered, the user is at risk of Microsoft restricting them from sending email.
- Activity from infrequent country. Similar to impossible travel, this detection uses machine learning and behavioral analytics to generate a profile of your organization, and then alerts when activity occurs from a location that users within the organization didn’t recently visit, or never visited.
Detect Microsoft 365 Threats For Free With Blumira
These detections are just a sliver of what you’ll get when you sign up for Blumira’s Free SIEM — the industry’s only free threat detection and response platform for Microsoft 365 environments.
Here’s the value of what you get for free:
- Security monitoring for Microsoft 365, with unlimited users and data (no special licensing required)
- Easy, guided setup with Cloud Connectors that takes only minutes
- Detection rules automatically rolled out to your account, fine-tuned to filter out the noise
- Real-time alerts that increase your response time
- Summary dashboard of key findings and security reports
- Playbooks and workflows with each finding to guide you through response steps
- 14 days of log data retention – upgrade for up to one year
Sign up for your free account today.