Implement the Microsoft 365 monitoring and response service
Learn how you can deploy Microsoft Sentinel using in-house services in your agency, or apply for additional support to onboard this service from our Cyber Security Unit (CSU).
The M365 Monitoring and Response service uses Microsoft Sentinel to provide insights into the Microsoft 365 ecosystem by tracing and analysing activity in SharePoint, OneDrive, Teams and Exchange.
After confirming you meet the prerequisites, the most important step is determining whether your agency requires additional support to complete the installation and configuration of Microsoft Sentinel for M365.
Prerequisites
Confirm that your agency or organisation is a participant in the Queensland Government Microsoft E3/E5 Enterprise Licence Agreement before you apply to access this service.
Assisted Onboarding
We expect most Queensland Government agencies will have sufficient resources to implement Microsoft Sentinel to a minimum configuration within their own agency.
However, if your agency doesn’t have the capacity or capability to install and configure Microsoft Sentinel, you can make a request to the Queensland Government Chief Information Security Officer (QGCISO) who can authorise the provision of external resources to support your team.
Complete the Microsoft 365 monitoring and response service application form to make this request to the QGCISO.
In-house onboarding and configuring data sources
Refer to the Microsoft Quick-start guide for detailed instructions on how to deploy a local instance of Sentinel within your agency.
Follow the instructions in the Data Sources Setup Guide on how to onboard Data or Log sources.
To enable this service with a whole-of-government view, a minimum configuration of Sentinel is required at the agency level. This means connecting the free-tier Microsoft data sources listed in the table below.
Free-Tier Data Sources
Name | Connector | License
---|---|---
Azure activity logs | Azure Activity connector | E5
Office 365 audit logs | Office 365 connector | E3/E5
Alerts from Microsoft Defender for Cloud | Microsoft Defender for Cloud connector | E5
Alerts from Microsoft 365 Defender | Microsoft 365 Defender (Preview) connector | E5
Other optional data sources of interest
Name | Connector | License
---|---|---
Message trace logs | Refer to page 7 of the Data Sources Setup Guide | E3 or E5
Connect to Lighthouse (Sentinel of Sentinels)
Once Sentinel has been configured in your agency, follow the final steps below to connect to the Whole of Government Microsoft Lighthouse, also known as Sentinel of Sentinels (SoS).
- Complete the application form to request onboarding.
- The CITEC Service Desk team will action the application and provide you with a template and a parameter file that will be used in the next step.
- Visit the Microsoft PowerShell resource page and use the script detailed under the heading "Deploy a template with a separate parameter file" to deploy the template and parameter file provided by CITEC.
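The following PowerShell script is an added example of the deployment step above; it is not CITEC's or Microsoft's script. It assumes the template and parameter file supplied by CITEC have been saved locally under the placeholder names shown, that the deployment targets the resource group holding your Sentinel workspace, and that the Az PowerShell module is installed. The subscription ID, resource group and file names are placeholders to replace with your agency's values.

```powershell
# Added example (not CITEC's or Microsoft's script). Assumes the template and
# parameter file supplied by CITEC are saved locally under the names below and
# that the deployment targets the resource group holding the Sentinel workspace.
# Every name and ID here is a placeholder.

$SubscriptionId = '<your-subscription-id>'        # placeholder
$ResourceGroup  = '<sentinel-resource-group>'     # placeholder
$TemplateFile   = '.\sos-template.json'           # placeholder: template file from CITEC
$ParameterFile  = '.\sos-parameters.json'         # placeholder: parameter file from CITEC

# Sign in with an account holding the rights the deployment needs and select
# the subscription, so the template cannot land in the wrong tenant context.
Connect-AzAccount
Set-AzContext -Subscription $SubscriptionId

# Validate the template and parameters before changing anything.
# Test-AzResourceGroupDeployment returns an empty result when the pair is valid.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
    -TemplateFile $TemplateFile `
    -TemplateParameterFile $ParameterFile
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed; deployment not attempted.'
}

# Deploy the template with its separate parameter file, as in Microsoft's
# "Deploy a template with a separate parameter file" guidance.
$deployment = New-AzResourceGroupDeployment `
    -Name "sos-onboarding-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $ResourceGroup `
    -TemplateFile $TemplateFile `
    -TemplateParameterFile $ParameterFile

# Keep the deployment record; it is the evidence to quote when asking the
# CITEC Service Desk to confirm onboarding to Sentinel of Sentinels.
$deployment | Select-Object DeploymentName, ProvisioningState, Timestamp | Format-List
```

If the template CITEC provides is scoped to the subscription rather than a resource group (a common shape for Lighthouse delegation templates; an assumption, since the page does not state the scope), use `Test-AzSubscriptionDeployment` and `New-AzSubscriptionDeployment` with a `-Location` parameter in place of the resource-group cmdlets; the validation-then-deploy flow is otherwise the same.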
Once you have completed the steps above, contact the CITEC Service Desk at service@citec.com.au so they can confirm you have been successfully onboarded to Sentinel of Sentinels.
The links below provide access to useful vendor documentation focused on implementing and configuring Microsoft Sentinel within the context of the Microsoft 365 Monitoring and Response service.
- What is Microsoft Sentinel?
- Quick-start Guide: On-board Microsoft Sentinel
- Permissions in Microsoft Sentinel
- Data collection best practices
- Detect threats out-of-the-box
- Threat intelligence integration in Microsoft Sentinel
CITEC Service Desk
Contact the CITEC Service Desk at service@citec.com.au for technical support issues relating to the M365 Monitoring and Response service.
Cyber Security Unit
Contact the Cyber Security Unit (CSU) at CyberSecurityUnit@qld.gov.au should you require further information about the M365 Monitoring and Response service.
Join the Vulnerability Management Community of Practice
The CSU hosts a Vulnerability Management Community of Practice (CoP) which consists of ICT professionals from Queensland Government entities who meet on a regular basis to collaborate and share information, improve their cyber security skills, and actively work on advancing their general knowledge of cyber security. To join, email the Vulnerability Management CoP at cybersecurityunit@qld.gov.au.