Skip links and keyboard navigation

Implement the Microsoft 365 monitoring and response service

Learn how you can deploy Microsoft Sentinel using in-house services in your agency, or apply for additional support to onboard this service from our Cyber Security Unit (CSU).

The M365 Monitoring and Response service uses Microsoft Sentinel to provide insights into the Microsoft 365 ecosystem by tracing and analysing operations in SharePoint, OneDrive, Teams, and Exchange data.

After confirming you have the necessary prerequisite, the most important step is determining if your agency requires additional support to complete installation and configuration of M365.

Prerequisites

Confirm that your agency or organisation is a participant in the Queensland Government Microsoft E3/E5 Enterprise Licence Agreement before you apply to access this service.

Assisted Onboarding

We expect most Queensland Government agencies will have sufficient resources to implement Microsoft Sentinel to a minimum configuration within their own agency.

However, if your agency doesn’t have the capacity or capability to install and configure Microsoft Sentinel, you can make a request to the Queensland Government Chief Information Security Officer (QGCISO) who can authorise the provision of external resources to support your team.

Complete the Microsoft 365 monitoring and response service application form to make this request to the QGCISO.

In-house onboarding and configuring data sources

Refer to the Microsoft Quick-start guide for detailed instructions on how to deploy a local instance of Sentinel within your agency.

Follow the instructions in the Data Sources Setup Guide (PDF, 758.4 KB) on how to onboard Data or Log sources.


To enable this service with a whole of government view, a minimum configuration of Sentinel is required at the agency level. This means installing free-tier Microsoft data sources as detailed in the table below.

Free-Tier Data Sources

Name

Connector

License

Azure activity Logs

Azure Activity Connector

E5

Office 365 Audit Logs

Office 365 Connector

E3/E5

Alerts from Microsoft
Defender for Cloud

Microsoft Defender for Cloud Connector

E5

Alerts from
Microsoft 365 Defender

Microsoft 365 Defender (Preview) Connector

E5

Alerts from Microsoft
365 Defender for Office 365

Microsoft 365 Defender (Preview) Connector

E5

Alerts from Microsoft
Defender for Identity

Microsoft 365 Defender (Preview) Connector

E5

Alerts from Microsoft
Defender for Endpoint

Microsoft 365 Defender (Preview) Connector

E5

Alerts from Microsoft
Defender for Cloud Apps

Microsoft 365 Defender (Preview) Connector

E5

Other optional data sources of interest

Name

Connector

License

Message trace logs

Refer page 7 in Setup Guide

E3 or E5

Connect to Lighthouse (Sentinel of Sentinels)

Once Sentinel has been configured in your agency, follow the final steps below to connect to the Whole of Government Microsoft Lighthouse, also known as Sentinel of Sentinels (SoS).

  1. Complete the application form to request onboarding.
  2. The CITEC Service Desk team will action the application and provide you with a template and a parameter file that will be used in the next step.
  3. Visit the Microsoft PowerShell resource page and use the script detailed under heading "deploy a template with a separate parameter file" to execute the two configuration files provided by CITEC.

Once you have completed the above, contact the CITEC Service Desk at service@citec.com.au so they can confirm you have been successfully on-boarded to Sentinel of Sentinels.

The links below provide access to useful vendor documentation focused on implementing and configuring Microsoft Sentinel within the context of the Microsoft 365 Monitoring and Response service.

CITEC Service Desk

Contact the CITEC Service Desk at service@citec.com.au for technical support issues relating to the M365 Monitoring and Response service.

Cyber Security Unit

Contact the Cyber Security Unit (CSU) at CyberSecurityUnit@qld.gov.au should you require further information about the M365 Monitoring and Response service.

Join the Vulnerability Management Community of Practice

The CSU hosts a Vulnerability Management Community of Practice (CoP) which consists of ICT professionals from Queensland Government entities who meet on a regular basis to collaborate and share information, improve their cyber security skills, and actively work on advancing their general knowledge of cyber security. To join, email the Vulnerability Management CoP at cybersecurityunit@qld.gov.au.