SOC uses the Microsoft 365 Management Activity API and the Filebeat Office 365 module to retrieve information about what users, admins, systems, and policies are doing in your Microsoft 365 and Azure Active Directory environments.
Monitoring, analysing, and visualising data from Microsoft 365 and Azure AD allows SOC to look for and create alerts for security incidents. It also allows SOC to provide forensic evidence after an incident.
To enable SOC to fully monitor Microsoft 365, you’ll need to: