Analyzing Audit Logs on Microsoft 365

Compliance

[<Audit Logs> + <Microsoft 365>]

[Description – < Microsoft 365 – Analyzing Audit Logs>]


Concept

Audit log search is functionality is turned on by default for Microsoft 365/ Office 365.

Basic

The Basic Audit is available for all non-E5 licenses or guest users in your organization, being that audit records are retained for 90 days.

Advanced

Add functionality to retention policy for all organizations. There is a default policy that retains all Exchange Oline, Sharepoint Online, OneDrive for Business, and Azure Active Directory audit records for one year.

The Advanced Audit required Office 365 E5 or Microsoft 365 E5 license, or Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license.

Permission needs to search the audit log.

  • “Compliance Management Administrators” – to assign role to user need access https://security.microsoft.com/ -> Permission & role -> Email & collaboration role -> roles.
  • “Organization Management” – to assign role to user need access https://security.microsoft.com/ -> Permission & role -> Email & collaboration role -> roles.

Or create a custom role to search and view Audit Logs on Exchange Admin Center (least privilege concept):

  • View-Only Audit Logs role (Exchange admin center Portal)
  • Audit Log (Exchange admin center Portal)

Creating a custom role, access Exchange Admin Center (https://admin.exchange.microsoft.com/) -> Roles -> Admin roles -> Add role group.

We are verifying if the audit log search is turned on using Powershell.

Example:

{

#Connect to Exchange Online PowerShell

Install-Module
-Name
ExchangeOnlineManagement

#Connect with user MFA

Import-Module
ExchangeOnlineManagement

Connect-ExchangeOnline
-UserPrincipalName
nestorw@demosmfreitas365.online
-ShowProgress
$true

#Check if Audit Log is turn on

Get-AdminAuditLogConfig
|
FL
UnifiedAuditLogIngestionEnabled

}

{

#Turn on Audit Log

Get-AdminAuditLogConfig
|
FL
UnifiedAuditLogIngestionEnabled

#Turn off Audit Log

Set-AdminAuditLogConfig
-UnifiedAuditLogIngestionEnabled
$false

{

How to use Audit Log search

I am visualizing user and administrator activities. Below are types in Microsoft 365.

Activities Logs from Users and Admins in Microsoft 365

Admin activity

User activity

SharePoint Online and OneDrive for Business

X

Exchange Online (Exchange mailbox audit logging)

X

SharePoint Online

X

Azure Active Directory (the directory service for Microsoft 365)

X

Exchange Online (Exchange admin audit logging)

X

eDiscovery activities in the security and compliance center

X

Power BI

X

X

Microsoft Teams

X

X

Dynamics 365

X

X

Yammer

X

X

Microsoft Power Automate

X

X

Microsoft Stream

X

X

Microsoft Workplace Analytics

X

Microsoft Power Apps

X

X

Microsoft Forms

X

X

Sensitivity labels for sites that use SharePoint Online or Microsoft Teams

X

X

Briefing email and MyAnalytics

X

X

To searching the Audit Log, access Microsoft 365 Compliance (https://protection.office.com) -> Audit -> Search

REFERENCE:

Search the audit log in the compliance center

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide

Get-AdminAuditLogConfig

https://docs.microsoft.com/en-us/powershell/module/exchange/get-adminauditlogconfig?view=exchange-ps

Share

Leave a Reply

Your email address will not be published. Required fields are marked *