
Microsoft 365 Security Monitoring SOP

Sub-procedure for Operate pillar managed services - M365 ongoing security monitoring

  • Service Pillar: Operate
  • Service Category: Microsoft 365 Security
  • Parent SOP: Managed SOC SOP
  • Engagement Type: Ongoing Monthly Retainer


Overview

Continuous security monitoring of Microsoft 365 environments to detect threats, configuration drift, and security incidents. This procedure integrates with SBK's Managed SOC services to provide 24/7 visibility into M365 security events, enabling rapid detection and response to potential compromises.

Scope

  • Pillar: Operate (Managed Services)
  • Service Area: Microsoft 365 Security Monitoring

In Scope

  • Azure AD sign-in and audit log monitoring
  • Microsoft 365 Defender alerts
  • Exchange Online security events
  • SharePoint/OneDrive access anomalies
  • Teams security monitoring
  • Compliance Center alerts
  • Secure Score drift detection

Out of Scope

  • Endpoint monitoring (covered in EDR SOP)
  • Network traffic analysis
  • Third-party application logs

Prerequisites

  • Completed M365 Security Hardening
  • SIEM integration configured (if applicable)
  • Alert notification channels established
  • Escalation contacts defined
  • Baseline activity patterns documented
  • Log retention policies configured
  • Monitoring SLA agreed with client

Procedure

Step 1: Monitoring Infrastructure Setup

Objective: Establish log collection and alerting infrastructure

Activities:

1. Configure unified audit logging
2. Set up Azure AD log export (if SIEM integration)
3. Configure Microsoft 365 Defender alert forwarding
4. Establish Sentinel workspace (if Microsoft SIEM)
5. Configure log retention (minimum 90 days)
6. Set up monitoring dashboards

Integration Options:

| SIEM Platform | Integration Method | Log Types |
|---------------|-------------------|-----------|
| Microsoft Sentinel | Native connector | All M365 logs |
| Splunk | M365 Add-on | Azure AD, O365 |
| Other SIEM | API/Webhook | Selected alerts |

Duration: 4-6 hours (initial setup)

Step 2: Alert Configuration

Objective: Configure detection rules and alert thresholds

Priority Alert Categories:

| Category | Alert Type | Severity | Response SLA |
|----------|------------|----------|--------------|
| Account Compromise | Impossible travel, suspicious sign-in | Critical | 15 minutes |
| Privilege Escalation | Admin role assignment | High | 30 minutes |
| Data Exfiltration | Mass download, sharing spike | High | 30 minutes |
| Malware/Phishing | Defender detections | High | 30 minutes |
| Configuration Change | Security setting modified | Medium | 4 hours |
| Policy Violation | DLP alert | Medium | 4 hours |

Default Alert Rules:

- [ ] Failed sign-in threshold (5+ failures)
- [ ] Sign-in from new location/device
- [ ] Impossible travel detection
- [ ] Admin consent granted
- [ ] Global Admin role assigned
- [ ] Mail forwarding rule created
- [ ] Large file downloads (>1GB)
- [ ] External sharing of sensitive files
- [ ] Defender threat detection
- [ ] Secure Score decrease (>5 points)

Duration: 3-4 hours
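Two of the default rules above (mail forwarding rule created, Global Admin role assigned) evaluated against unified audit log records, as an added example that is not part of this SOP. The record shape (Operation, Parameters, ModifiedProperties, Target) is modelled on the unified audit log export as an assumption, and the sample records are constructed.

```python
import json

# Constructed sample records, modelled on the unified audit log export shape
# (Operation, Workload, UserId, Parameters / ModifiedProperties). Field names
# are an assumption; check them against your own export before relying on them.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-02-03T08:12:41","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"ext-mailbox@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-02-03T08:15:02","Workload":"Exchange","Operation":"New-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2026-02-03T09:01:17","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"admin@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\\"Global Administrator\\""}],"Target":[{"ID":"carol@contoso.example"}]}
{"CreationTime":"2026-02-03T09:05:44","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","Parameters":[{"Name":"Identity","Value":"dave"},{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.home@example.net"}]}
"""
# Parameters on inbox-rule and mailbox cmdlets that move mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress"}

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def params(record):
    # Flatten the Name/Value list into a dict for easy lookup.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def evaluate(record):
    """Return (rule_name, severity, detail) for a matching record, else None."""
    op = record.get("Operation", "")
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        hits = {k: v for k, v in params(record).items() if k in FORWARDING_PARAMS}
        if hits:
            return ("Mail forwarding rule created", "High", f"{record['UserId']} -> {hits}")
    if op == "Add member to role.":
        for prop in record.get("ModifiedProperties", []):
            if prop.get("Name") == "Role.DisplayName" and "Global Administrator" in prop.get("NewValue", ""):
                targets = ",".join(t.get("ID", "?") for t in record.get("Target", []))
                return ("Global Admin role assigned", "High", f"{record['UserId']} assigned {targets}")
    return None

def run_rules(text):
    # One (time, rule, severity, detail) tuple per matching record, in log order.
    return [(r["CreationTime"], *hit) for r in load_records(text) if (hit := evaluate(r))]

if __name__ == "__main__":
    for t, rule, sev, detail in run_rules(SAMPLE_AUDIT_LOG):
        print(f"{t} [{sev}] {rule}: {detail}")
```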

Step 3: Baseline Establishment

Objective: Document normal activity patterns for anomaly detection

Activities:

1. Analyze 30-day sign-in patterns
2. Document typical admin activity
3. Identify normal file sharing volumes
4. Map expected external collaboration
5. Document seasonal variations
6. Identify known-good IP ranges

Baseline Metrics:

| Metric | Capture Period | Update Frequency |
|--------|---------------|------------------|
| Sign-in locations | 30 days | Monthly |
| Admin activity volume | 30 days | Monthly |
| File sharing patterns | 30 days | Monthly |
| Application usage | 30 days | Quarterly |

Duration: 2-3 hours
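The sign-in location baseline from Step 3 feeding two Step 2 rules (failed sign-in threshold of 5+, sign-in from a new location, suppressed for known-good IP ranges), as an added example that is not part of this SOP. Record fields follow the Entra ID sign-in log export as an assumption; the sign-ins and the 203.0.113.0/24 office range are constructed.

```python
import ipaddress
import json
from collections import Counter, defaultdict
# Constructed records modelled on the Entra ID sign-in log export shape
# (userPrincipalName, ipAddress, status.errorCode, location.countryOrRegion).
# Assumption: errorCode 0 is a successful sign-in, anything else a failure.
BASELINE_SIGNINS = """
{"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.20","status":{"errorCode":0},"location":{"countryOrRegion":"GB"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":0},"location":{"countryOrRegion":"GB"}}
{"userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.21","status":{"errorCode":0},"location":{"countryOrRegion":"GB"}}
"""
TODAYS_SIGNINS = """
{"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":0},"location":{"countryOrRegion":"GB"}}
{"userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.77","status":{"errorCode":0},"location":{"countryOrRegion":"BR"}}
{"userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.5","status":{"errorCode":0},"location":{"countryOrRegion":"US"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":50126},"location":{"countryOrRegion":"NL"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":50126},"location":{"countryOrRegion":"NL"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":50126},"location":{"countryOrRegion":"NL"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":50126},"location":{"countryOrRegion":"NL"}}
{"userPrincipalName":"alice@contoso.example","ipAddress":"192.0.2.10","status":{"errorCode":50126},"location":{"countryOrRegion":"NL"}}
"""
KNOWN_GOOD = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range (Step 3, item 6)
FAILED_THRESHOLD = 5  # "Failed sign-in threshold (5+ failures)" from Step 2

def load(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def build_baseline(text):
    # Countries seen in successful sign-ins per user over the 30-day capture period.
    seen = defaultdict(set)
    for r in load(text):
        if r["status"]["errorCode"] == 0:
            seen[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return seen

def is_known_good(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_GOOD)

def evaluate(text, baseline):
    # Returns (rule, user, detail) tuples; a user with no baseline is alerted on
    # unless the source IP sits in a known-good range.
    alerts, failures = [], Counter()
    for r in load(text):
        user, country, ip = r["userPrincipalName"], r["location"]["countryOrRegion"], r["ipAddress"]
        if r["status"]["errorCode"] != 0:
            failures[user] += 1
            continue
        if country not in baseline.get(user, set()) and not is_known_good(ip):
            alerts.append(("Sign-in from new location", user, f"{country} via {ip}"))
    for user, n in failures.items():
        if n >= FAILED_THRESHOLD:
            alerts.append(("Failed sign-in threshold", user, f"{n} failures"))
    return alerts
```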

Step 4: Daily Monitoring Operations

Objective: Execute daily security monitoring activities

Daily Checklist:

- [ ] Review overnight alerts
- [ ] Check Secure Score changes
- [ ] Review risky sign-ins report
- [ ] Check risky users report
- [ ] Review admin activity log
- [ ] Check external sharing report
- [ ] Verify log collection health
- [ ] Update threat intelligence

Monitoring Dashboard Elements:

1. Active alerts by severity
2. Sign-in risk trends
3. Secure Score trend
4. Admin activity summary
5. External sharing volume
6. Threat detection summary

Duration: 30-45 minutes daily

Step 5: Incident Detection & Triage

Objective: Identify and classify potential security incidents

Detection Workflow:

```text
Alert Triggered
Initial Triage (5 min)
├── False Positive → Document & Close
├── Low Priority → Queue for review
└── Potential Incident → Escalate
Investigation (15-30 min)
├── Gather evidence
├── Assess impact
└── Determine scope
Classification
├── True Positive → Incident Response
└── False Positive → Tune detection
```

Triage Questions:

1. Is this expected behavior for this user/system?
2. Have we seen this pattern before?
3. Is there evidence of compromise?
4. What is the potential impact?
5. Does this require immediate action?

Duration: Varies per incident

Step 6: Weekly/Monthly Reviews

Objective: Conduct periodic security reviews and reporting

Weekly Activities:

- [ ] Alert volume and trend analysis
- [ ] False positive rate review
- [ ] Secure Score trend review
- [ ] User risk summary
- [ ] Configuration drift check

Monthly Activities:

- [ ] Monthly security report generation
- [ ] Secure Score improvement tracking
- [ ] Alert rule effectiveness review
- [ ] Baseline refresh (if needed)
- [ ] Client security review meeting
- [ ] Detection coverage assessment

Duration: 2-3 hours weekly, 4-6 hours monthly


Deliverables

| Deliverable | Format | Owner | Frequency |
|-------------|--------|-------|-----------|
| Daily Alert Summary | Email | SOC Analyst | Daily |
| Weekly Security Digest | Email/PDF | SOC Analyst | Weekly |
| Monthly Security Report | PDF | Engagement Manager | Monthly |
| Incident Reports | PDF | Lead Consultant | As needed |
| Secure Score Tracking | Dashboard | Technical Analyst | Continuous |
| Quarterly Trend Analysis | PDF | Engagement Manager | Quarterly |

Quality Gates

  • All critical alerts triaged within SLA
  • Log collection functioning without gaps
  • False positive rate below 20%
  • Monthly reports delivered on schedule
  • Secure Score maintained or improved
  • Client communication SLAs met
  • Detection rules reviewed quarterly


Last Updated: February 2026