6.2 Microsoft First-Party Connectors

75 minutes · Module 6

By the end of this subsection, you will know every Microsoft connector available, which ones to enable, and how to verify each is working with diagnostic queries.

You enabled the two most critical connectors in Module 5. This subsection covers the remaining Microsoft connectors and teaches you to verify they are all healthy.

Complete connector inventory

| Connector | Tables | Setup | Cost | Enable when |
|---|---|---|---|---|
| M365 Defender (done) | Device*, Email*, CloudApp*, Identity*, Alert* | One-click | Per-table | Always |
| Entra ID (done) | SigninLogs, AADNonInteractive*, AuditLogs | Diagnostic settings | Billable | Always |
| Azure Activity | AzureActivity | Diagnostic settings | Free | Always — zero cost |
| Office 365 | OfficeActivity | One-click | Free | Always — zero cost |
| Microsoft Purview | PurviewAuditLog | Diagnostic settings | Billable | When DLP/insider risk monitoring needed |
| Azure Key Vault | AzureDiagnostics (KeyVault) | Diagnostic settings | Billable | When Key Vault is in scope |
| Azure Firewall | AzureDiagnostics (Firewall) | Diagnostic settings | Billable | When Azure Firewall deployed |
| Entra ID Protection | SecurityAlert (IPC) | Via M365 Defender | Free (alert data) | Usually flows via M365 Defender |
| Threat Intelligence | ThreatIntelligenceIndicator | API/TAXII | Free (table) | When TI feeds available |

Azure Activity — enable now (free)

Navigate to Sentinel, Data connectors, Azure Activity, Open connector page, select subscription, Connect. Takes 30 seconds.

This sends all Azure management plane events: resource creation, deletion, modification, role assignments, policy changes. Cost: zero. Value: critical for detecting attackers who compromise Azure credentials and create resources (cryptomining VMs), modify security settings (disable logging), or escalate privileges (assign Global Admin).

AzureActivity
| where TimeGenerated > ago(24h)
| summarize EventCount = count() by CategoryValue
| sort by EventCount desc

Expected Output

| CategoryValue | EventCount |
|---|---|
| Administrative | 234 |
| Policy | 47 |
| Security | 8 |
| Alert | 2 |

What to look for: Administrative events are resource management operations. A spike in Administrative events could indicate an attacker creating resources or modifying configurations. Security events include role assignments — a new Global Admin assignment at 3am warrants immediate investigation.

Detection rule opportunity: Alert on Azure role assignments outside business hours or to users who have never held privileged roles:

AzureActivity
| where CategoryValue == "Administrative"
| where OperationNameValue has_any ("roleAssignments/write", "roleDefinitions/write")
| extend Hour = hourofday(TimeGenerated)
| where Hour < 7 or Hour > 20
// Properties is stored as a JSON string, so it must be parsed before
// the requestbody field can be read
| project TimeGenerated, Caller, OperationNameValue,
    RequestBody = tostring(parse_json(Properties).requestbody)

Expected Output

| TimeGenerated | Caller | OperationNameValue |
|---|---|---|
| 03:14 | compromised-admin@northgateeng.com | Microsoft.Authorization/roleAssignments/write |

What to look for: Role assignment at 3:14 AM. Who assigned what role to whom? The Properties.requestbody contains the role definition and target principal. This is either a legitimate after-hours admin task (verify with the person) or an attacker escalating privileges. This query is a ready-made analytics rule for Module 10.
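The after-hours query above covers only the first of the two criteria the detection-rule opportunity names. The following query is an added example, not the course's own analytics rule: it also flags role assignments whose target principal has not received any assignment in a 90-day lookback, and it corrects for time zone, since TimeGenerated is UTC and hourofday on it only matches a 07:00-20:00 workday when the workspace's users are in UTC. The lookback, the workday hours and the UTC offset are assumptions; the request-body field names follow the ARM Microsoft.Authorization/roleAssignments PUT payload.

```kql
// Added example, not the course's own rule. Flags Azure RBAC role assignments
// that are either outside the assumed workday or aimed at a principal that
// has not received any role assignment during the lookback window.
let lookback  = 90d;       // assumed: history used to decide "seen before"
let recent    = 1d;        // assumed: window the rule evaluates
let utcOffset = 0h;        // assumed: set to your workday's offset from UTC
let RoleWrites = AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
    // Properties is a JSON string; requestbody inside it is itself JSON text,
    // shaped like the ARM PUT body: {"properties":{"principalId":..,"roleDefinitionId":..}}
    | extend Body = parse_json(tostring(parse_json(Properties).requestbody))
    | extend TargetPrincipal = tostring(Body.properties.principalId),
             RoleDefinition  = tostring(Body.properties.roleDefinitionId)
    | where isnotempty(TargetPrincipal);
// Principals that already held an assignment before the evaluation window
let KnownTargets = RoleWrites
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | distinct TargetPrincipal
    | extend SeenBefore = true;
RoleWrites
| where TimeGenerated > ago(recent)
| join kind=leftouter KnownTargets on TargetPrincipal
| extend Hour = hourofday(TimeGenerated + utcOffset)
| extend OutsideHours    = Hour < 7 or Hour > 20,   // same workday as the query above
         FirstTimeTarget = isnull(SeenBefore)         // no match in KnownTargets
| where OutsideHours or FirstTimeTarget
| project TimeGenerated, Caller, CallerIpAddress, TargetPrincipal, RoleDefinition,
          OutsideHours, FirstTimeTarget
| sort by TimeGenerated desc
```

AzureActivity usually records more than one row per management operation (a started row and a completed row), so a single assignment can appear twice; deduplicate on CorrelationId if that matters for your alert volume. The principalId is an object ID, not a UPN, so the triage step in the text (verify with the account owner) still requires resolving it in Entra ID.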

Office 365 — enable now (free)

Navigate to Sentinel, Data connectors, Office 365, enable Exchange, SharePoint, and Teams. Takes 30 seconds.

This populates OfficeActivity with detailed user activity across all M365 services. The table is distinct from what the M365 Defender connector provides.

OfficeActivity vs CloudAppEvents — they are not duplicates

CloudAppEvents (Defender connector) captures inbox rule creation, OAuth consents, and app-level events. OfficeActivity (Office 365 connector) captures granular mailbox operations including MailItemsAccessed — the audit event that tells you exactly which emails an attacker read. For the Module 13 post-compromise checklist (subsection 13.6), you need OfficeActivity. For inbox rule detection, you need CloudAppEvents. Both connectors are required for complete investigation coverage.

OfficeActivity
| where TimeGenerated > ago(24h)
| summarize EventCount = count(), Users = dcount(UserId) by OfficeWorkload, Operation
| where EventCount > 100
| sort by EventCount desc
| take 15

Expected Output

| OfficeWorkload | Operation | EventCount | Users |
|---|---|---|---|
| Exchange | MailItemsAccessed | 12,847 | 342 |
| Exchange | Send | 4,521 | 298 |
| SharePoint | FileAccessed | 8,234 | 187 |
| SharePoint | FileDownloaded | 1,247 | 89 |
| MicrosoftTeams | MessageSent | 3,421 | 234 |

What to look for: This is your organization's normal activity profile. 342 users accessing email is normal for a 500-person org. Bookmark this baseline — during an investigation, compare the affected user's activity against this norm. A user with 500 MailItemsAccessed events in 30 minutes is not normal.
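The rule of thumb above (500 MailItemsAccessed events in 30 minutes is not normal) and the earlier point that OfficeActivity is the table that tells you which mailbox data an attacker read can be combined into one query. The following is an added example, not a query from the course: it finds user/30-minute windows that exceed the threshold, then pulls the context an investigator needs for each hit, including whether the reads touched mailboxes other than the user's own. The 7-day lookback and the 500-event threshold are assumptions to tune against your own baseline.

```kql
// Added example, not the course's own query. Detects bursts of
// MailItemsAccessed per user per 30-minute bin, then summarises the source
// IPs, client strings and mailboxes involved for each burst.
let lookback       = 7d;     // assumed
let burstThreshold = 500;    // assumed; compare with your baseline query
let MailReads = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "Exchange" and Operation == "MailItemsAccessed"
    | extend Window = bin(TimeGenerated, 30m);
// Step 1: which user/window pairs exceed the threshold
let Bursts = MailReads
    | summarize AccessCount = count() by UserId, Window
    | where AccessCount > burstThreshold;
// Step 2: go back to the raw rows for those pairs and collect investigation context
MailReads
| join kind=inner Bursts on UserId, Window
| summarize
    AccessCount    = max(AccessCount),
    SourceIPs      = make_set(ClientIP, 20),
    Clients        = make_set(ClientInfoString, 10),
    MailboxesRead  = make_set(MailboxOwnerUPN, 10),
    // reads of mailboxes the user does not own (delegate or compromised access)
    OtherMailboxes = dcountif(MailboxOwnerUPN, MailboxOwnerUPN !~ UserId)
    by UserId, Window
| sort by Window desc, AccessCount desc
```

A hit with one unfamiliar source IP, a client string that does not match the user's normal mail client, and OtherMailboxes > 0 is the pattern to escalate. If the query returns nothing at all while the baseline query shows MailItemsAccessed volume, the threshold is simply too high for the window; if the baseline itself shows no MailItemsAccessed rows, check that the mailboxes are licensed for that audit event before treating it as a connector fault.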

Connector health dashboard — run at every shift start

After enabling all Microsoft connectors, this single query confirms your entire data pipeline:

union withsource=TableName
    AzureActivity,
    OfficeActivity,
    SigninLogs,
    AADNonInteractiveUserSignInLogs,
    DeviceProcessEvents,
    EmailEvents,
    CloudAppEvents,
    AuditLogs
| where TimeGenerated > ago(24h)
| summarize
    EventCount = count(),
    LastEvent = max(TimeGenerated),
    HoursAgo = round(datetime_diff('minute', now(), max(TimeGenerated)) / 60.0, 1)
    by TableName
| sort by HoursAgo desc

Expected Output — Healthy Pipeline

| TableName | EventCount | LastEvent | HoursAgo |
|---|---|---|---|
| AuditLogs | 142 | 14:28 | 0.1 |
| CloudAppEvents | 3,421 | 14:31 | 0.0 |
| DeviceProcessEvents | 12,847 | 14:32 | 0.0 |
| EmailEvents | 2,892 | 14:30 | 0.0 |
| SigninLogs | 1,234 | 14:29 | 0.0 |
| AADNonInteractiveUserSignInLogs | 8,742 | 14:32 | 0.0 |
| AzureActivity | 234 | 14:15 | 0.3 |
| OfficeActivity | 5,672 | 14:25 | 0.1 |

What to look for: Every table should show HoursAgo < 1 during business hours. Any table with HoursAgo > 4 during business hours indicates a connector problem. This query takes 5 seconds and confirms your entire data pipeline is healthy. Save it as a favorite in your workspace.
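The health query above has two blind spots worth knowing about before you rely on it at shift start. A table that received zero events in the last 24 hours produces no row at all, so a dead connector disappears from the output rather than standing out, and a table that has never received data does not exist in the workspace yet, which makes the union fail. The following is an added example, not the course's own query: it checks the same eight tables against an explicit expected list so missing tables appear as NO DATA, and uses isfuzzy=true so absent tables do not break the query. The 4-hour staleness threshold is taken from the text; the status labels are assumptions.

```kql
// Added example, not the course's own query. Same eight tables as the
// shift-start check, with a left outer join against an expected-table list
// so that silent connectors surface as "NO DATA" instead of vanishing.
let staleAfterHours = 4.0;   // the text treats >4h during business hours as a connector problem
let Expected = datatable(TableName:string) [
    "AzureActivity", "OfficeActivity", "SigninLogs",
    "AADNonInteractiveUserSignInLogs", "DeviceProcessEvents",
    "EmailEvents", "CloudAppEvents", "AuditLogs"
];
// isfuzzy=true: a table that does not exist yet is skipped rather than erroring
let Observed = union isfuzzy=true withsource=TableName
    AzureActivity, OfficeActivity, SigninLogs, AADNonInteractiveUserSignInLogs,
    DeviceProcessEvents, EmailEvents, CloudAppEvents, AuditLogs
| where TimeGenerated > ago(24h)
| summarize EventCount = count(), LastEvent = max(TimeGenerated) by TableName;
Expected
| join kind=leftouter Observed on TableName
| extend EventCount = coalesce(EventCount, 0)          // unmatched rows have null counts
| extend HoursAgo = iff(isnull(LastEvent), real(null),
                        round(datetime_diff('minute', now(), LastEvent) / 60.0, 1))
| extend Status = case(
    EventCount == 0,              "NO DATA",
    HoursAgo > staleAfterHours,   "STALE",
                                  "OK")
| project TableName, EventCount, LastEvent, HoursAgo, Status
| sort by Status asc, HoursAgo desc
```

Because the expected list is explicit, a newly enabled connector needs its table added here to be monitored; that is deliberate, since the list doubles as a record of what the workspace is supposed to receive. Outside business hours a low-volume table such as AzureActivity can legitimately sit at several hours with no events, so apply the STALE threshold with the same judgement the text describes.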

Check your understanding

1. Azure Activity and Office 365 connectors are free. Is there any reason not to enable them?

   - No. Free connectors with investigation-critical data should be enabled in every Sentinel workspace. If they are not enabled, it is an oversight, not a decision. (correct)
   - They generate too much noise
   - They conflict with the Defender connector

2. You need to determine which specific emails an attacker read during a compromise. Which connector and table provide this?

   - M365 Defender connector — CloudAppEvents
   - Office 365 connector — OfficeActivity table, Operation == "MailItemsAccessed" (correct)
   - Entra ID connector — AuditLogs

3. A role assignment event appears in AzureActivity at 3:14 AM. What is the appropriate response?

   - Investigate immediately — after-hours privilege escalation is a high-priority indicator. Determine who made the assignment, what role was assigned, and to whom. Verify with the account owner. If unauthorized, this is likely an attacker who compromised an admin account. (correct)
   - Log it for the morning shift
   - It is probably a scheduled task