Rising cloud adoption rates suggest that users increasingly trust cloud-based platforms. More and more organizations, including those in finance, healthcare, and education, store sensitive information in the cloud and trust that it is secure. However, security controls and visibility into key changes are not always as effective as on comparable on-premises platforms, and one way to address this gap is to check the Microsoft 365 audit logs on a regular basis.
In this article we will look at what audit logging is in relation to Microsoft 365, why it is important to monitor it regularly, and how it is done. We will then offer an alternative to the native Microsoft 365 approach that makes the whole process much easier.
Why Check Office 365 Audit Logs?
Office 365 comprises multiple services, including Microsoft Teams, Exchange Online, Azure AD, SharePoint Online, and OneDrive for Business. Monitoring these services can be a challenging task for system administrators, who often manage multiple sub-admins and sometimes thousands of users.
Office 365 audit logs track admin and user activity, including who is accessing, viewing, or moving specific documents and how resources are being used. These logs are crucial for investigating security incidents and demonstrating compliance. However, the native logs have several limitations, so additional services such as Lepide Auditor for Office 365 are usually needed to monitor activity effectively, keep systems secure, and ensure regulatory compliance.
How to Set Up Audit Logging using the Native Approach
Native audit logging is not enabled by default. To enable it:
- Go to the Microsoft 365 Security & Compliance Center.
- Go to Search, then Audit log search.
- Click Start recording user and admin activity on the banner to turn on auditing.
How to Run an Office 365 Audit Log Search
Before you can run an audit log search, an admin must assign the required permissions to your account. The permissions can be either View-Only Audit Logs or Audit Logs.
You may have to wait several hours after enabling auditing before you can run an audit log search. A unified audit log search consolidates data from multiple Microsoft 365 services into a single report, which can take anywhere from 30 minutes to 24 hours to complete.
To run an audit log search:
- Log in at https://protection.office.com.
- Start a new search. In the Security & Compliance Center, click Search, then Audit log search.
- Configure your search criteria. The main criteria to specify are:
  - Activities — There are over 100 of these, so they are grouped into related activities. Narrow this down; otherwise your audit report will include every activity performed during the specified time frame.
  - Dates — The default time frame is the last seven days, but you can search any period within the last 90 days.
  - Users — Specify which user or group of users to include in your report.
  - Location — Use this option to limit the search to a particular file, folder, or site by entering a location or keyword.
- Filter the search results. Filtering helps you analyze the data more effectively; you can filter on keywords, specific dates, users, items, or other details.
You can also export the raw data that meets your search criteria to CSV. This lets you download up to 50,000 events instead of the usual maximum of 5,000. To retrieve more than 50,000 events, run the search in batches of smaller date ranges and combine the results manually.
- Save your results. Click Export results and choose Save loaded results to generate a CSV file with your data, which you can then open in Microsoft Excel.
The export contains a column called AuditData, which holds a JSON object with multiple properties from the audit log record. To sort and filter on those properties, use the JSON transform tool in Excel's Power Query Editor to split the AuditData column so that each property gets its own column.
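The same AuditData flattening can be done outside Excel; the script below is an added example and is not part of the original article nor code from Microsoft or Lepide. It assumes an export with the columns CreationDate, UserIds, Operations and AuditData (the sample rows are constructed), gives each top-level AuditData property its own column, merges batched exports from overlapping date ranges without duplicate records, and counts events per column value.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample rows in the shape of the portal's CSV export; column names
# (CreationDate, UserIds, Operations, AuditData) are assumed and values are made up.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2024-01-02T10:15:00,alice@example.com,FileAccessed,"{""Id"":""a1"",""Operation"":""FileAccessed"",""UserId"":""alice@example.com"",""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/hr/Salaries.xlsx"",""ClientIP"":""203.0.113.5""}"
2024-01-02T10:20:00,alice@example.com,FileDownloaded,"{""Id"":""a2"",""Operation"":""FileDownloaded"",""UserId"":""alice@example.com"",""Workload"":""SharePoint"",""ObjectId"":""https://contoso.example/sites/hr/Salaries.xlsx"",""ClientIP"":""203.0.113.5""}"
2024-01-02T11:00:00,admin@example.com,Add member to role.,"{""Id"":""a3"",""Operation"":""Add member to role."",""UserId"":""admin@example.com"",""Workload"":""AzureActiveDirectory"",""ModifiedProperties"":[{""Name"":""Role.DisplayName"",""NewValue"":""Global Administrator""}]}"
'''


def flatten_export(csv_text):
    """Return one flat dict per row: the export's own columns plus every top-level
    AuditData property as its own column (nested values kept as JSON text)."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row.pop("AuditData"))
        flat = dict(row)
        for key, value in data.items():
            scalar = value is None or isinstance(value, (str, int, float, bool))
            flat[key] = value if scalar else json.dumps(value)
        records.append(flat)
    return records


def merge_batches(*batches):
    """Combine several exports (for example one per date range, as the article
    suggests for more than 50,000 events) and drop duplicates by record Id."""
    seen, merged = set(), []
    for batch in batches:
        for rec in batch:
            if rec["Id"] not in seen:
                seen.add(rec["Id"])
                merged.append(rec)
    return merged


def count_by(records, column):
    """Count records per value of a flattened column, e.g. Operation or ClientIP."""
    return Counter(rec.get(column) for rec in records)


if __name__ == "__main__":
    recs = flatten_export(SAMPLE_CSV)
    for column in ("Operation", "ClientIP"):
        print(column, dict(count_by(recs, column)))
```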
Limitations of Native Searches in Microsoft 365 Audit Logging
Manually working through the Microsoft 365 audit logs is often complex and time-consuming. The native search tools can help, but they have several limitations:
- Anomalous activity is difficult to spot.
- Exporting audit data makes it easier to analyze, but keeping the exported data secure can be problematic.
- Putting together readable reports is difficult and time-consuming.
- Audit data is stored for only 90 days, which means the logs must be reviewed continuously and investigations into older incidents are not possible.
How Lepide Helps
Lepide Auditor stores audit trails for years with no limit on how long the logs are retained, and they are easily searchable, sortable, and filterable so that you can get the information you need whenever you need it.
Reports can be generated and alerts configured, giving real-time answers to the who, what, when, and where auditing questions in a simple, friendly, easy-to-use dashboard.
Lepide's Office 365 auditing software includes a large number of pre-defined reports, which can be generated at the click of a button. These reports include, but are not limited to:
- External Data Sharing
- Permission Modification
- User Modification
- Document Modification
- Policy Modification
- Group Modification
Along with the reports, you can use our Office 365 auditing tool to set up real-time alerts that fire when specific events take place, delivered to your inbox or mobile app. In addition, automated threat responses can be triggered if immediate action is required. For example, an automated response might run a script to carry out remedial action, such as shutting down a server.