M365 Monitoring and Response Service - Implementation and Support

Deployment Resources

Deployment Workflow

Deployment Overview

Onboarding the Office 365 Monitoring and Response service can be achieved in 4 easy steps. The diagram below details pathways to deploying Sentinel using in-house services from your own agency, or alternatively utilising assisted onboarding services in order to meet your resourcing and capability requirements.

O365 Onboarding Process

Detailed Deployment Steps

1. Prerequisites

Microsoft Sentinel is available to all Queensland Government (QG) organisations who participate in the QG Microsoft E3/E5 Enterprise Licence Agreement.

2. Assisted Onboarding - Determine Resource and Capability

It is envisaged most Queensland Government agencies will have sufficient resources to easily implement Microsoft Sentinel to a minimum configuration within their own agency. However, should your agency have insufficient capacity or capability to undertake this activity in-house, requests can be made to the Queensland Government Chief Information Security Officer (QGCISO) who can authorise the provision of external resources to perform this activity.

Please complete the Microsoft 365 Monitoring and Response service application form should you wish to request assistance with the installation and configuration of Sentinel.

3. In-house Onboarding - Install Microsoft Sentinel and Configure Data Sources
  1. Please refer to the Microsoft Quick-start guide for detailed instructions on how to deploy a local instance of Sentinel within your agency.
  2. Follow the instructions in the Data Sources Setup Guide on how to onboard Data / Log sources.

In order to enable this service to have a whole of government view, a minimum configuration of Sentinel is required at the agency level. This entails installation of free-tier Microsoft data sources as detailed in the table below.

Free-Tier Data Sources




Azure Activity Logs | Azure Activity Connector
Office 365 Audit Logs | Office 365 Connector
Alerts from Microsoft Defender for Cloud | Microsoft Defender for Cloud Connector
Alerts from Microsoft 365 Defender | Microsoft 365 Defender (Preview) Connector
Alerts from Microsoft 365 Defender for Office 365 | Microsoft 365 Defender (Preview) Connector
Alerts from Microsoft Defender for Identity | Microsoft 365 Defender (Preview) Connector
Alerts from Microsoft Defender for Endpoint | Microsoft 365 Defender (Preview) Connector
Alerts from Microsoft Defender for Cloud Apps | Microsoft 365 Defender (Preview) Connector


Other Optional Data Sources of Interest

Message trace logs | Refer page 7 in Setup Guide | E3 or E5

4. Connect to Lighthouse (Sentinel of Sentinels)

Once Sentinel has been configured in your agency, the final step involves connecting to the Whole of Government (WofG) Microsoft Lighthouse, also known as Sentinel of Sentinels (SoS). This is a quick process which involves the following steps:

  1. Complete the application form and request to be onboarded to the WofG Sentinel of Sentinels.
  2. The CITEC Service Desk team will action the application and provide you with a template and a parameter file that will be utilised in the following step.
  3. Visit the Microsoft PowerShell resource page and utilise the script detailed under heading "deploy a template with a separate parameter file" to execute the two configuration files provided by CITEC.
  4. Once you have completed the above, contact the CITEC Service Desk at service@citec.com.au so they can confirm that you have been successfully on-boarded to Sentinel of Sentinels.
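
A pre-deployment review of the two files, followed by the deployment from step 3, as an added example (not a CITEC or Microsoft script). It assumes a subscription-scope deployment and a parameter file that follows the standard Azure Lighthouse sample layout (`managedByTenantId` and `authorizations`); the file names, deployment name and location are placeholders.

```powershell
# Added example. File names, deployment name and location are placeholders; the
# parameter names assume the standard Azure Lighthouse sample parameter layout.
# Run Connect-AzAccount and Set-AzContext for the target subscription first.
param(
    [string]$TemplateFile  = '.\template.json',    # placeholder: template supplied by CITEC
    [string]$ParameterFile = '.\parameters.json',  # placeholder: parameter file supplied by CITEC
    [string]$Location      = 'australiaeast',      # placeholder: region that stores the deployment record
    [switch]$Deploy                                # without this switch only the review and what-if run
)
$ErrorActionPreference = 'Stop'

# 1. Both files must exist and parse as JSON before anything is sent to Azure.
$template = Get-Content -Raw -Path $TemplateFile | ConvertFrom-Json
$params   = (Get-Content -Raw -Path $ParameterFile | ConvertFrom-Json).parameters

# 2. A Lighthouse onboarding template is expected to create delegation resources only.
$unexpected = @($template.resources | Where-Object { $_.type -notlike 'Microsoft.ManagedServices/*' })
if ($unexpected) { Write-Warning ("Unexpected resource types: " + ($unexpected.type -join ', ')) }

# 3. List who is being granted access, to compare against the approved application.
"Managing tenant: $($params.managedByTenantId.value)"
$broadRoles = @{
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
}
foreach ($auth in $params.authorizations.value) {
    $role = [string]$auth.roleDefinitionId
    $flag = if ($broadRoles.ContainsKey($role)) { "  <-- $($broadRoles[$role]): confirm this is expected" } else { '' }
    "{0,-40} {1} {2}{3}" -f $auth.principalIdDisplayName, $auth.principalId, $role, $flag
}

# 4. Preview the change, then deploy only when -Deploy was given.
$common = @{
    Name                  = 'wofg-sos-onboarding'  # placeholder deployment name
    Location              = $Location
    TemplateFile          = $TemplateFile
    TemplateParameterFile = $ParameterFile
}
New-AzSubscriptionDeployment @common -WhatIf
if ($Deploy) { New-AzSubscriptionDeployment @common -Verbose }
```

Run it once without `-Deploy` to check the listed principals and roles, then again with `-Deploy` to apply the delegation.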

Support Resources


The M365 Monitoring and Response service utilises Microsoft Sentinel to provide insights into the Microsoft 365 ecosystem by tracing and analysing operations in SharePoint, OneDrive, Teams, and Exchange data.

The links below provide access to useful vendor documentation focused on implementing and configuring Microsoft Sentinel within the context of the Microsoft 365 Monitoring and Response service.

What is Microsoft Sentinel?
Quick-start Guide: On-board Microsoft Sentinel
Permissions in Microsoft Sentinel
Data collection best practices
Detect threats out-of-the-box
Threat intelligence integration in Microsoft Sentinel


Join the Vulnerability Management Community of Practice

The CSU hosts a Vulnerability Management Community of Practice (CoP) which consists of ICT professionals from Queensland Government entities who meet on a regular basis to collaborate and share information, improve their cyber security skills, and actively work on advancing their general knowledge of cyber security. Please sign in to the Cyber Security Unit website and request to be added to the Vulnerability Management CoP.

CITEC Service Desk

Contact the CITEC Service Desk at service@citec.com.au for technical support issues relating to the M365 Monitoring and Response service.

Cyber Security Unit

Contact the Cyber Security Unit at CyberSecurityUnit@qld.gov.au should you require further information about the M365 Monitoring and Response service.

Last Reviewed: 20 May 2022