Auditing and Monitoring User Activities in Microsoft 365
06/08/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring, using, and monitoring user activity in Microsoft 365. The ability to audit and monitor user actions is critical for security, regulatory compliance, and incident detection and response, enabling organizations to identify suspicious activity, investigate violations, and keep a detailed record of what happens in their environment [1].
Introduction
In the modern workplace, where data is accessed and shared across multiple platforms and devices, visibility into user activities is more critical than ever. Microsoft 365 offers a robust set of auditing capabilities that record a wide range of actions taken by users and administrators across services such as Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and Azure AD. These audit logs are an invaluable source of information for forensic investigations, compliance checks, and understanding how data is being used within the organization [2].
This how-to guide will cover enabling unified audit logging, searching audit logs in the Microsoft Purview compliance portal, creating custom alerts, and best practices for continuous monitoring. Step-by-step instructions, example PowerShell commands, and descriptions will be provided so that the reader can implement an effective auditing and monitoring strategy, strengthening the security posture and ensuring compliance in their Microsoft 365 environment.
Why are Auditing and Monitoring crucial in Microsoft 365?
- Threat Detection: Identifies suspicious activities, such as unauthorized access attempts, improper data sharing or changes to critical settings.
- Regulatory Compliance: Helps meet auditing and compliance requirements of various regulations (e.g. GDPR, LGPD, HIPAA, ISO 27001) by providing an immutable record of actions.
- Incident Investigation: Provides the data needed to investigate security breaches, data leaks or malicious activities, enabling a quick and effective response.
- Operational Visibility: Enables administrators to understand how users are interacting with Microsoft 365 services, optimizing usage and identifying training needs.
Prerequisites
- Licensing: Basic auditing is available on most Microsoft 365 licenses. For features such as long-term retention and higher-value events (Advanced Auditing), a Microsoft 365 E5 license or compliance add-on [3] is required.
- Administrative Access: An account with the Global Administrator or Compliance Administrator role, or with Audit Logs permissions, on the Microsoft Purview compliance portal (https://compliance.microsoft.com).
- Audit Logging Enabled: Unified audit logging must be enabled.
Step by Step: Configuring and Monitoring User Activities
1. Checking and Activating the Audit Log
By default, auditing is already enabled in most organizations. To check:
- Access the Microsoft Purview compliance portal: https://compliance.microsoft.com.
- From the menu, select Audit.
- If the audit is not active, you will see a banner to start recording. Click on it.
2. Searching the Audit Log
The audit log search tool is your main resource for investigations.
- On the Audit page of the Purview portal, configure your search:
- Date and time range (UTC): Period of the investigation.
- Activities: Filter by specific actions (e.g. Accessed file, User logged in).
- Users: Specify one or more users.
- File, folder or website: Refine the search to a specific resource.
- Click Search. Results can be exported for analysis.
Using PowerShell to Search Audit Logs
For automation and complex searches, PowerShell is ideal.
- Connect to Exchange Online PowerShell:
  Connect-ExchangeOnline
- Use the Search-UnifiedAuditLog cmdlet. Example to search for file deletion activities by a user in the last 7 days (replace user@example.com with the user principal name under investigation):
  Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
      -UserIds "user@example.com" -Operations FileDeleted -ResultSize 1000 |
      Format-Table CreationDate, UserIds, Operations, AuditData
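The following script is an added example, not code from the original article: it extends the search above by paging through large result sets, parsing the AuditData JSON that the cmdlet returns, and flagging any user whose deletions in one hour exceed a threshold, which is the same condition an alert policy expresses as "number of occurrences in a given period for a single user". The threshold, the one-hour window and the report path are assumed values; it expects Connect-ExchangeOnline to have been run already.

```powershell
# Added example (not from the original article). Assumed values: Threshold,
# the one-hour grouping window and ReportPath. Run Connect-ExchangeOnline first.
param(
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date),
    [int]$Threshold      = 50,                    # deletions per user per hour (assumed)
    [string]$ReportPath  = '.\bulk-deletions.csv' # evidence export (assumed path)
)

# One call returns at most 5,000 records; a SessionId with ReturnLargeSet pages
# through the rest of the set until a short page signals the end.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations FileDeleted -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and @($page).Count -eq 5000)

# AuditData is a JSON string; pull out the fields an investigator needs.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = [datetime]$d.CreationTime
        User     = $d.UserId
        ClientIP = $d.ClientIP
        Site     = $d.SiteUrl
        File     = $d.SourceFileName
    }
}

# Group by user and clock hour, then keep only the buckets over the threshold;
# this mirrors the alert-policy condition "occurrences per period for one user".
$flagged = $events |
    Group-Object -Property { $_.User }, { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].User
            Hour      = $_.Group[0].Time.ToString('yyyy-MM-dd HH:00')
            Deletions = $_.Count
            Sites     = ($_.Group.Site | Sort-Object -Unique) -join ';'
            SourceIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join ';'
        }
    }

$flagged | Sort-Object Deletions -Descending | Format-Table -AutoSize
$events  | Export-Csv -Path $ReportPath -NoTypeInformation   # full event set for the case file
```

The CSV keeps the complete event set so the flagged summary can be traced back to individual records during an investigation.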
3. Creating Alerts on Audit Activities
Get proactively notified when critical activities occur.
- In the Microsoft Purview compliance portal, go to Policies > Alert Policies.
- Click New Alert Policy.
- Name the policy: Give it a descriptive name (e.g. Alert - Bulk File Deletion).
- Activities: Select the activities that should trigger the alert (e.g. Deleted file).
- Conditions: Define triggers, such as the number of occurrences in a given period of time for a single user.
- Recipients: Specify who should receive the email notification.
- Review and create the policy.
Advanced Auditing (Microsoft 365 E5)
For organizations with stringent compliance and security requirements, Advanced Audit offers enhanced capabilities:
- Long Term Retention: Retain audit logs for up to 1 year by default, with the option to extend to 10 years. Essential for long-term forensic investigations.
- High Value Events: Access to more detailed events such as MailItemsAccessed (when an email was read) and SearchQueryInitiated (what users are searching for in SharePoint and Exchange). These events are crucial for investigating data breaches and reconnaissance activities.
- Higher API Bandwidth: Faster, higher-volume access to audit logs through the Office 365 Management Activity API, facilitating integration with SIEM systems.
Best Practices for Auditing and Monitoring
- Review Logs Regularly: Don't wait for an incident. Schedule weekly or monthly log reviews to identify anomalies.
- Focus on High-Risk Activities: Prioritize monitoring activities such as non-owner mailbox access, external file sharing, and administrator permissions changes.
- Integrate with a SIEM: Send audit logs to a SIEM solution like Microsoft Sentinel for correlation with other data sources and advanced detection.
- Use the Principle of Least Privilege: Limit the number of administrators with access to audit logs to prevent tampering.
- Document your Strategy: Keep a document that describes which activities are monitored, why, and what the response procedure is for each alert.
Conclusion
Auditing and monitoring user activity in Microsoft 365 is not just a compliance formality, but an active and essential component of an organization's defense. By leveraging the tools available in the Microsoft Purview compliance portal, automating searches with PowerShell, and configuring proactive alerts, administrators can gain the visibility they need to effectively detect, investigate, and respond to threats while protecting valuable company data.
References
[1] Microsoft. (2023). Microsoft Purview Audit Overview.
[2] Microsoft. (2023). Search the audit log in the compliance portal.
[3] Microsoft. (2023). Microsoft Purview Advanced Auditing.