Your SIEM Is Missing Critical M365 Logs

Published 7 months ago
Description
Ever wonder why your SIEM dashboards are telling only half the story on Microsoft 365 activity? You're not alone. The truth is, most out-of-the-box configurations miss critical M365 audit logs—leaving risky blind spots. Today, I'll show you exactly which logs Sentinel, Splunk, and others are skipping, why that matters, and how to truly close the gap. Stick around if you want your security monitoring to move beyond check-the-box compliance toward real, data-driven protection. Let’s make sure your SIEM finally sees what actually matters.

Why Your SIEM Still Misses the Big Picture

If you’ve ever pulled up Sentinel or Splunk expecting to see who accessed a critical file in SharePoint, you’re probably familiar with that sinking feeling when the dashboard has nothing. It’s not just you—almost every admin I’ve talked to assumes that once they connect Microsoft 365 to their SIEM, they’re set. The checklists in the documentation say the connector is active, you get a handful of logs starting to trickle in, and it’s easy to feel like the hard part’s over. The reality? That first integration barely covers the basics, and a pile of your most important events never makes it into your SIEM at all.

Let’s say you’re asked to produce a timeline of mailbox activity for a sensitive user. Or your boss wants to know who shared a confidential folder in Teams two weeks ago. The expectation is your SIEM should have this, right? Nine times out of ten, you’re left scrambling when your own dashboards come up blank. That moment when you realize you’re missing key info—especially when leadership is watching—doesn’t get less painful with experience.

Here’s why this happens. Those default connectors, the ones marketed as “plug-and-play” for Microsoft 365, turn out to be a lot more limited than most people realize. Out of the box, most SIEM integrations grab a thin layer of generic activity, but miss entire categories of logs that matter most during an incident. Think about Exchange mailbox auditing—actions like “mailbox accessed by someone other than the owner” or “mail forwarding rule created” are bread-and-butter audit events for any real investigation. Yet, unless you’ve explicitly enabled mailbox auditing (and shelled out for premium licenses), those events just don’t show up.

And it isn’t just email. SharePoint file access, Teams chat deletions, and especially Power Platform activity—the stuff that attackers target when they move laterally—often stay in the dark. You might see user logins or “file modified” totals, but not the details. The difference? One tells you something suspicious happened. The other gives you enough facts to actually respond.

Let’s get concrete. I’ve worked with a security team that was dead certain their SIEM would help during a potential data leak investigation in Teams. Someone had shared a sensitive financial document externally. Everyone felt confident until the SIEM had nothing more than a “file shared” record, missing details like who the recipient was, whether the link required authentication, or if additional downloads occurred. Only by logging directly into the Compliance Center—separately from their SIEM—could they reconstruct any kind of useful story. That lag cost them hours and made their report look amateur. Unfortunately, it wasn’t a one-off. These kinds of gaps crop up everywhere, especially if you’re not checking connector documentation week after week.

So, what actually governs which logs appear in your SIEM? A lot of it depends on Microsoft’s own auditing defaults and the version of Microsoft 365 you own. Basic audit logging, which is included with most subscriptions, captures only a slice of workload activity. Need mailbox details or sensitivity label events? Get ready to talk to finance about E5 or at least buy an advanced compliance add-on. Even then, not everything’s covered—some logs only flow via special APIs or need extra configuration.
On top of that, Microsoft throttles API requests or batches logs, introduci
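One way to measure the mailbox-auditing gap the episode describes, as an added Exchange Online PowerShell check that is not part of the episode: it reports which mailboxes are not producing audit events at all, which are not logging non-owner item access, and how many of the named events (inbox-rule changes and non-owner mailbox access) the unified audit log holds for the past week, so that count can be compared with what the SIEM connector actually ingested. It assumes the ExchangeOnlineManagement module is installed and an audit-capable admin account; the UPN is a placeholder.

```powershell
# Added example (not from the episode): measure the mailbox-auditing blind spot.
# Assumes the ExchangeOnlineManagement module; the UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 1. Tenant-wide kill switch: if AuditDisabled is True, no mailbox events are written at all.
$org = Get-OrganizationConfig
Write-Output "Tenant-wide mailbox auditing disabled: $($org.AuditDisabled)"

# 2. Per-mailbox coverage. AuditEnabled = False means that mailbox produces nothing.
#    Even when enabled, "accessed by someone other than the owner" only shows up if
#    MailItemsAccessed is in the Delegate and Admin audit sets (a premium-license event).
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
$noNonOwner = $mailboxes | Where-Object {
    $_.AuditDelegate -notcontains 'MailItemsAccessed' -or
    $_.AuditAdmin    -notcontains 'MailItemsAccessed'
}
Write-Output "Mailboxes with auditing off:                 $($notAudited.Count)"
Write-Output "Mailboxes not logging non-owner item access: $($noNonOwner.Count)"
$notAudited | Select-Object UserPrincipalName, AuditEnabled, DefaultAuditSet | Format-Table -AutoSize

# 3. Pull the two event families the episode names from the unified audit log for the
#    last 7 days. A count here that is far above what the SIEM holds is the blind spot.
#    5000 is the per-call maximum; page with -SessionId/-SessionCommand ReturnLargeSet
#    in larger tenants.
$end    = Get-Date
$start  = $end.AddDays(-7)
$ops    = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'MailItemsAccessed')
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

Write-Output "Unified audit log events in the last 7 days, by operation:"
$events | Group-Object Operations | Select-Object Name, Count | Format-Table -AutoSize

# Forwarding rules deserve a closer look: AuditData is JSON, and the cmdlet parameters
# recorded there show where a new or changed rule sends mail.
$events | Where-Object { $_.Operations -in 'New-InboxRule', 'Set-InboxRule' } | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Format-Table -Wrap
```

Run the same 7-day query against the SIEM (for example, the `Operation` field of the Office 365 connector's table) and compare the per-operation counts; any operation present here but absent or far lower there is a log category the connector is not delivering.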