SOC uses the Microsoft 365 Management Activity API and the Filebeat Office 365 module to retrieve information about what users, admins, systems, and policies are doing in your Microsoft 365 and Microsoft Entra ID environments.
Monitoring, analysing, and visualising data from Microsoft 365 and Microsoft Entra ID allows SOC to look for security incidents and create alerts for them. It also allows SOC to provide forensic evidence after an incident.
To enable SOC to fully monitor Microsoft 365, you’ll need to: