Have you checked your Microsoft 365 Audit logs lately?
Hi everyone, this is Akkiy. (Translated by Tuna) The original article in Japanese is here.
Year after year, new SaaS services keep appearing, and with them unauthorized access to these services has also risen. The main reasons are that SaaS can be reached directly from the internet, many users choose weak passwords, and many users are not using MFA (Multi-Factor Authentication).
In the case of a security incident, audit logs become a vital part of the investigation process. Simply put, audit logs record "who did what, and when they did it." Audit logs are also useful when there is an information leak, or even if you just want to make sure your employees are using the right programs in the intended ways. When an incident happens, we can use the audit logs to determine which IP address was used to log in to which account, and we can even check what actions were taken.
With the recent increase in security incidents, audit logs have become an increasingly important component of the security stack. In today’s blog, I will be focusing on Microsoft 365 Audit logs. In the case of an incident, as I mentioned before, it will be important to know how to use and read these logs. Below are some examples of audit logs.
“Exchange mailbox activities” can be used to check logs and details for mailboxes.
Please see below for Record Types and the list of services and features.
Now let's see how we can search the Audit Logs from the Microsoft 365 Admin center.
As of now, there are two different user interfaces for audit logs.
・「Microsoft 365 admin center」→「Compliance」→「Audit」
・「Office 365 admin center」→「Security & Compliance」→「Search」→「Audit log search」
This is the old screen, and it might not be accessible from the Microsoft 365 admin center, but it can still be accessed from the link below as of the date this blog was translated (4/6/2022).
(I prefer this site because the search options are easy to navigate, but I am not sure when this will be taken down so I recommend learning the newer site.)
Both interfaces I showed above output the same data.
From the search results, you can see the Date, IP address, User, Activity, Item, and Details which can be used to determine “Who did what, using which item, and when this occurred.”
It is hard to monitor and check everything from the admin center, so I usually export the search results as a CSV file. Exported CSV files have the following columns: CreationDate, UserIds, Operations, AuditData.
In this format, all of the event details are packed into the AuditData column as a single JSON string, which makes them hard to check. You can expand this by loading the CSV file into Excel and using the Power Query (Get & Transform) feature to split the JSON into separate columns.
By doing this, you can filter on each column, making it easier to view and analyze the data. You can check how to export the CSV and make these adjustments in Excel from the link below, so please use it as a reference.
Finally, here are some precautions for using Microsoft 365 Audit Logs.
・All of the functions I mentioned above should be enabled by default, but some tenants on Office 365 Plan 1 have been found to have them disabled. Please check that these functions are enabled.
・If this function had been disabled and you then enable it, you will not be able to access logs from before you enabled it. Audit logs for Exchange mailbox activities have been automatically enabled for mailboxes created after January 2019.
・The log retention is 90 days, except for E5 license users, whose retention is 1 year. You can extend the retention beyond 90 days and 1 year; please check below for details.
Microsoft continuously updates its admin center, so please check the latest documentation for the most accurate information.
Even though it might be a little tedious, this is how you can check your audit logs by yourself. Unfortunately, this can lead to you finding out that there has been unauthorized access you didn't know about. This is because attackers use various methods to achieve their goals, which can include adding policies or rules to the mailbox that hide any malicious activity from the user. Users should periodically check their audit logs with the assumption that there could be some malicious activity that is still undetected. This will lead to earlier detection of any unauthorized access or activity.
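As an added example (not code from the original article), here is a small Python script that does in code what the CSV-to-Excel procedure above does by hand, and then runs the two checks the post describes: which IP address logged in to which account, and whether mailbox rules were added. The CSV rows are constructed sample data using the four exported columns named above; the operation names (UserLoggedIn, New-InboxRule, Set-InboxRule, Set-Mailbox) and the ClientIP/ResultStatus/Parameters fields are real audit-log names, but the watch-list and helper names are this example's own choices.

```python
import csv
import io
import json

# Constructed sample of an exported audit-log CSV with the four columns the
# post lists. The AuditData column is one JSON string per row, as in real exports.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2022-04-01T01:12:33Z,alice@example.com,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.10"",""ResultStatus"":""Success""}"
2022-04-01T01:14:02Z,alice@example.com,New-InboxRule,"{""Operation"":""New-InboxRule"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.10"",""Parameters"":[{""Name"":""Name"",""Value"":"".""},{""Name"":""DeleteMessage"",""Value"":""True""}]}"
2022-04-01T08:30:15Z,bob@example.com,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""ResultStatus"":""Success""}"
'''

# Exchange operations that create or change mailbox rules and forwarding.
# Watch-list chosen for this example; extend it to suit your tenant.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def expand_audit_csv(text):
    """Parse the export and decode each row's AuditData JSON into a dict,
    copying ClientIP up to the top level so rows can be filtered on it."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        data = json.loads(row["AuditData"]) if row["AuditData"] else {}
        row["AuditData"] = data
        row["ClientIP"] = data.get("ClientIP", "")
        rows.append(row)
    return rows

def logins_by_ip(rows):
    """Answer 'which IP logged in to which account': ip -> set of accounts."""
    result = {}
    for r in rows:
        if r["Operations"] == "UserLoggedIn":
            result.setdefault(r["ClientIP"], set()).add(r["UserIds"])
    return result

def unexpected_logins(rows, known_ips):
    """Successful logins from addresses outside the known set, as (user, ip)."""
    return [(r["UserIds"], r["ClientIP"]) for r in rows
            if r["Operations"] == "UserLoggedIn"
            and r["AuditData"].get("ResultStatus") == "Success"
            and r["ClientIP"] not in known_ips]

def find_rule_changes(rows):
    """Rows that add or modify mailbox rules, the tampering the post warns about."""
    return [r for r in rows if r["Operations"] in RULE_OPERATIONS]
```

Point `expand_audit_csv` at the contents of a real export and review the output of `find_rule_changes` and `unexpected_logins` as part of the periodic check described above.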