惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
The GitHub Blog
The GitHub Blog
博客园 - 【当耐特】
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Announcements
Recent Announcements
D
Docker
GbyAI
GbyAI
酷 壳 – CoolShell
酷 壳 – CoolShell
WordPress大学
WordPress大学
The Cloudflare Blog
雷峰网
雷峰网
A
About on SuperTechFans
小众软件
小众软件
博客园 - Franky
博客园 - 聂微东
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
C
Check Point Blog
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
V
V2EX
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
aimingoo的专栏
aimingoo的专栏
量子位
P
Proofpoint News Feed
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
罗磊的独立博客
Martin Fowler
Martin Fowler
D
DataBreaches.Net
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
Project Zero
Project Zero
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
S
Schneier on Security
Blog — PlanetScale
Blog — PlanetScale
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
Security Latest
Security Latest
NISL@THU
NISL@THU
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
J
Java Code Geeks

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
Collect and monitor Microsoft 365 audit logs with Datadog
Jonathan Epstein · 2020-12-21 · via Datadog | The Monitor blog

Microsoft 365 is a suite of cloud-based productivity and communication services that includes Microsoft Office applications (including OneNote and OneDrive) as well as other popular Microsoft tools like Skype and Teams. Microsoft 365 tools and services are at the core of many organizations’ data management and day-to-day workflows, so monitoring activity across your environment is key to making sure that these services remain secure and meet compliance standards.

To gain a deeper level of insight into the security of your Microsoft services and monitor usage across your organization, you can ingest all of your Microsoft 365 audit logs directly into Datadog. Audit logs contain rich information about actions that occur within your Microsoft 365 environment, and are invaluable when discerning the compliance status of your services, applications, and files. With Datadog, you can analyze and alert on these logs in real time for security threats, centralize your monitoring and eliminate friction across your teams.

Monitor activity across all of your Microsoft 365 services

Microsoft 365 audit logs tell you the who, what, and when of the actions performed across your Microsoft 365 cloud services, like logins, file edits, and more. Audit logs record key data that includes the name of the operation that was performed, the user that performed the action, the type of user calling the action, and the status of the operation, as well as other useful identifying parameters.

Datadog enriches your Microsoft 365 audit logs with contextual metadata.

Datadog automatically processes your logs and enriches them with tags and metadata, which lets you easily filter, sort, and group your logs to surface and visualize key information and patterns within your audit logs, such as which users generate spikes in failed requests, or which services are experiencing the most activity.

You can sort your Microsoft 365 logs by service and create visualizations to more easily see the big picture.

Once you enable the integration, you can use Datadog to monitor important activity across your Microsoft 365 audit logs, including:

Monitor service activity and file access

Microsoft 365 audit logs can help you track the types of operations performed within and by your Office services and give you a better picture of the most common activities across your environment. Datadog tracks your most active Microsoft 365 services, as well as the most common actions performed within or by those services. If you notice unusual activity on a service, you can quickly pivot to relevant logs to dive deep into the specifics of its usage.

The Microsoft 365 default dashboard contains a widget that tracks the top user activity across your Microsoft 365 services.

Similarly, you can easily track anonymous user activities across your Microsoft 365 services to check for security threats. Datadog tracks anonymous user operations across your environment; you can also use the following query in the Log Explorer to inspect each anonymous user log individually.

source:microsoft-365 usr.id:urn\:spo\:anon*

Microsoft 365 audit logs can also help you track file activity across OneDrive and SharePoint, including content edits and sharing settings changes; this is especially useful for determining which users have accessed or altered sensitive information. The following query will filter the Log Explorer’s Live Tail to all OneNote file edit events.

source:microsoft-365 service:OneNote evt.name:FileModified

Logs for file activity describe the name and type of the user who interacted with the file, the type of action performed, the IP address from which the user accessed the file, and more. You can use this information to visualize trends across your file activity; for instance, you can use Log Analytics to quickly create a visualization of the most frequently accessed files in your OneDrive system.

A simple query in the Datadog Log Explorer lets you visualize the most commonly accessed files in your Microsoft 365 environment.

Monitor user activity

Each Microsoft 365 audit log records information on the user or service that performed the action, including their IP address and geographic location. You can use this data to track users across your environment and spot usage patterns that could indicate a compromised or malicious user. You can use Datadog to visualize and track the most active users and user types in your environment, giving you immediate access to your Microsoft 365 user information.

Datadog’s out-of-the-box Microsoft 365 dashboard includes a User and Authentication Activity section that displays important user activity information from a single pane of glass.

Once you spot an inconsistency in user activity, you can quickly pivot to the related logs in the Log Explorer for a closer look. For example, if your organization is entirely based in the United States and you spot logs originating in Ireland, you can zoom in on the anomalous logs using the following query.

source:microsoft-365 @network.client.geoip.country.name:Ireland

Using those logs, you can determine what those users have already done, and take the necessary actions to lock them out. Similarly, in order to track individual login attempts, you might want to filter your logs based on authentication request type. The following query returns all logs for user logins.

source:microsoft-365 @evt.name:UserLoggedIn

Monitor authentication and authorization actions

Microsoft 365 audit logs record every instance of login activity across your suite of services, including failed login attempts. Each log details the circumstances of the attempt, including the IP address that made the attempt, the time it occurred, the service the user attempted to use, the outcome of the attempt, and more.

You can query on these attributes in Datadog to discover how many login failures have occurred over a given time window, and use Log Analytics to build data visualizations and spot failure patterns.

You can explore login failure logs in Log Analytics to spot potential brute force attacks.

To monitor and alert on trends in login activity over time, you can generate metrics based on any log attribute. Then, use Datadog’s anomaly detection monitor to detect unusual trends. For example, you might spot an abnormal spike in login attempts coming from a certain geographic area: using key attributes from the related logs, you can correlate the failed login attempts with other API activity coming from that region.

And using Datadog’s integrations with popular collaboration tools like Slack and Jira, you can set up automated alerts for any sort of user or system behavior and detect threats before they can cause serious harm.

Monitor and alert on changes to user credentials

Microsoft Entra ID manages the identity and access credentials of every user in your Microsoft 365 environment. It’s important to be aware of any changes to Entra ID user authentication or authorization protocols, which could represent an attacker attempting to gain admin persistence. You can use your Microsoft 365 audit logs to track and notify on user account modifications. For example, you might want to see all instances of password changes across your user base with the following query:

source:microsoft-365 service:AzureActiveDirectory evt.name: Change user password

You could then inspect the returned logs to determine which credential changes are expected and which are potentially malicious.

Security monitoring and auditing

In order to determine if any actions in your Microsoft 365 environment pose a security threat, you can create custom Threat Detection Rules to look for potentially malicious activity. You can export any of the previously mentioned Log Explorer queries into a Threat Detection Rule, making it easy to get notified immediately when issues occur. For example, in the screenshot below we’re creating a rule that gets triggered if there are more than five failed login attempts from a single user, possibly indicating a brute-force attack.

You can create custom Detection Rules in Datadog using the same syntax as Log Explorer queries.

When Datadog ingests an audit log that matches the circumstances defined by a rule, it creates a Security Signal, a record of the infraction that, depending on the rule broken, might contain incident metadata (e.g., the geographic location from which the call was made, the type of agent, if any, attached to the calling instance, etc.) and determine the relative severity of the threat. You can inspect all of the Security Signals generated in your account in Datadog’s Security Signals Explorer, where you can triage signals and correlate them with logs taken from across your stack to determine their potential causes.

Datadog’s Microsoft 365 integration includes an out-of-the-box dashboard that gives you a full-picture perspective of the security and performance of your 365 services and infrastructure. The dashboard includes widgets that track the most common user activities (by username and IP address) in your environment, your most accessed files, anonymous user actions, and more. You can also customize the dashboard to include widgets based on the most relevant Microsoft 365 metrics for your monitoring scope.

The default Microsoft 365 integration dashboard gives you a big-picture perspective of the activity in your Microsoft 365 environment.

24/7 monitoring for Microsoft 365

Datadog offers integration with numerous Microsoft 365 log sources for comprehensive monitoring of your environment. Some supported sources include:

  • Exchange: Mailbox audit logs, Admin activity logs

  • SharePoint: Site collection activity logs, Admin activity logs

  • Microsoft Entra ID: Sign-in logs, Audit logs

  • OneDrive: User activity logs, Admin activity logs

  • Microsoft Teams: User activity logs, Call records, Meeting records

This is only a partial list. For the full list and further details on each log source, please see our documentation.

Datadog’s Microsoft 365 integration gives you deep visibility into the security and compliance status of your Microsoft cloud applications. If you’re already a Datadog user, you can start using the new integration now. If not, get started today with a 14-day free trial.