Microsoft 365 monitoring and response

We’ve adopted Microsoft 365 (M365) to enhance productivity and collaboration. As a cloud service, M365 has been deployed outside most of the traditional security controls. Due to a growing remote workforce a need has been identified to reduce risk by employing security controls specifically targeted to cloud hosted systems.

The Microsoft Azure Sentinel platform enables security alerts to be consolidated and monitored by cyber security analysts.

Watch a video-overview for more detailed information about this service.

The Whole of Government M365 Monitoring and Response Service is comprised of the two key components.

Microsoft Sentinel hosted in agency Azure tenancy

Sentinel is a scalable, cloud-native solution delivering security analytics and threat intelligence in a single solution for alert detection, threat visibility, proactive hunting, and threat response. As part of the Whole of Government M365 monitoring and response service, agencies will be required to configure Sentinel in their Office 365 tenancy to at least a base level configuration. Configuration to a base level incurs no additional charges.

Microsoft Lighthouse hosted in a Cyber Security Unit managed Azure tenancy

Azure Lighthouse enables the centralised visibility of the security status of multiple agency M365 environments. QGCDG will work with agencies to connect their individual Sentinel implementations to the Queensland Government Sentinel of Sentinels (SoS). When threats are detected, QGCDG will notify agency security teams and advise what action to take to ensure the threat is neutralised. The intent is to provide actionable advice on the highest priority threats to protect QG organisations.

Using this service enables our organisations to meet their obligations as specified under the Information security policy (IS18:2018) and improve cyber security maturity.

Business benefits

• Using shared process and threat intelligence we can have better confidence that risks and threats detected against one M365 tenancy can be identified and protections deployed to manage all other M365 tenancies.
• Reduces the likelihood of unauthorised access to private, personal and confidential information resulting in disruption of business operations and potential reputational damage to an organisation by increasing phishing attack detection.
• Enhance in-house ICT resources by leveraging a centralised set of cyber security people, processes, technologies and guidance to enhance protection of all M365 tenancies.
• Low barrier to entry—minimise costs by utilising Sentinels free data ingestion facility (limited to M365 data) and free data retention period of 90 days.

Technical capabilities

• Security event data used by Sentinel doesn’t include message content, this ensures agency data remains private, protected and confidential.
• Central access to agency M365 tenancy message logs enable early warning of malicious email activity, even prior to recipient’s interaction with the email.
• Increased visibility of Microsoft Office threats such as phishing and business email compromise without impacting in-house support capacity / capability.
• Scalable, cloud-native solution delivering intelligent security analytics and threat intelligence across the enterprise and providing a single solution for
  alert detection, threat visibility, proactive hunting, and threat response.
• QGCDG can support the installation and configuration of Sentinel if required.

This service is available to all organisations covered by the Queensland Government Microsoft Enterprise Licence Agreement (ELA).

Visit Implement the Microsoft 365 monitoring and response service page for instructions on how to start onboarding this service or contact our Cyber Security Unit at CyberSecurityUnit@qld.gov.au to discuss the service and how we can assist you.

Learn more about Microsoft Sentinel and Microsoft Lighthouse.