On Day 16 of Cybersecurity awareness month, learn to monitor your organization’s activities using unified audit logs. Stay tuned for more blogs in the Cybersecurity blog series.
A small oversight on our part can have a large security impact on the organization, so we must track the activities taking place in it to catch security flaws before they are exploited. The unified audit log is the place to track these activities.
The unified audit log is an added layer of visibility that gives deeper insight into what happens in an Office 365 organization. It records every audited action together with who performed it and when, and taken together these records let you pinpoint the cause of an issue. Auditing is turned on by default in current Microsoft 365 tenants, but it can be switched off, and older tenants may never have had it enabled, so verify the setting before you rely on it. The steps below show how to enable it if it is off.
“A Regular Check can protect you from data leaks.”
How to Enable the Unified Audit Logs?
The audit log can be enabled for the organization by either of two methods:
- Microsoft Portal
- PowerShell cmdlets
Enable Unified Audit Log from Microsoft Portal:
- Go to Microsoft Purview.
- Under the Solution category, select Audit.
- If auditing is not turned on for your organization, a banner will be displayed prompting you to start recording user and admin activity.
- Click Start recording user and admin activity on that banner to turn auditing on.
Enable Unified Audit Log using PowerShell Cmdlets:
Connect to Exchange Online first with the Connect-ExchangeOnline cmdlet from the ExchangeOnlineManagement module, because the cmdlets used here are Exchange Online cmdlets. The account you connect with needs the Audit Logs role, which the Organization Management role group includes.
To enable the unified audit log, run the cmdlet below. Note that the cmdlet is Set-AdminAuditLogConfig and the parameter is UnifiedAuditLogIngestionEnabled; both names are easy to mistype.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
If you want to disable unified audit logging (not recommended, since you lose the record of admin and user activity), execute the following cmdlet.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
It can take up to 60 minutes for the change to take effect.
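As an added example (not code from the original post), the script below checks the current state before changing anything, enables ingestion only when it is off, and reads the setting back so the change is confirmed rather than assumed. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds the Audit Logs role.

```powershell
# Added example, not from the original post: verify the unified audit log state,
# enable ingestion only if it is off, and re-read the setting afterwards.
# Assumes the ExchangeOnlineManagement module and an account with the Audit Logs role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion is already enabled; nothing to change."
} else {
    Write-Warning "Unified audit log ingestion is OFF. Enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Read the value back. Propagation can take up to an hour, so a $false here
    # is not necessarily a failure; re-run this check later to confirm.
    $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    Write-Host "UnifiedAuditLogIngestionEnabled now reports: $after"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running the check first also makes the script safe to schedule: it becomes a drift detector that warns whenever someone has turned auditing off.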
Search Criteria available with Unified Audit Logs:
When you open the Audit search page, you can narrow the search with the following criteria.
Start and End Date: The time range to search, in UTC. The range cannot reach back beyond the tenant's audit retention period: 90 days on the standard tier this post describes (Microsoft has since raised standard retention to 180 days), or longer with Audit (Premium).
Activities: The auditable activities, grouped by workload, are listed in the drop-down; select the ones you want to investigate.
Users: To track a specific user's activities, enter that user in the Users field.
Files, folders, or sites: To monitor activity on a particular SharePoint site or a confidential file, enter its name or URL here.
Checklist of Activities to be Monitored in Unified Audit Logs
Audit logs list every audited activity performed in the Office 365 environment. Plenty happens in an organization, but not every activity bears on its security. To focus your effort, review workload-specific activities. Let us look at the widely used workloads and the actions in each that should be monitored.
Get Audit Reports in SharePoint:
We use SharePoint to store, share, and access organizational data from any device, so that data must be safeguarded and changes to user access and permissions must be watched. Monitor the following activities to reduce the risk of data leaking from your SharePoint sites.
- User or group added to SharePoint site: Every member added to a site gains access to its content, so additions must be reviewed by the admin to prevent data leaks.
- Site permissions modification: Site access is restricted for a reason, so changes to site permissions must be tracked by the admin.
- Sharing settings changes: Sharing settings define how, and with whom, your organization's data can be shared. Monitor these changes so that no critical sharing setting is loosened unnoticed.
- File accesses: Track unauthorized and anonymous file access, including access through Anyone (anonymous) links.
- File, folder, or site sharing: Files shared with external users may contain sensitive data. To prevent leakage, admins should monitor external sharing activity in particular.
Get Audit Reports in Teams:
Microsoft Teams is the communication hub of most organizations today, and information can easily be shared through it both internally and externally, so Teams activity needs monitoring. The activities below must be audited to keep your organization safe.
- Membership changes: Team and channel members can access the team's data, so membership changes should be monitored.
- Files shared with external users: Track files shared with external users to make sure no sensitive data goes to people outside the organization.
- Invitations to shared channels: A shared channel can include users from other organizations, so the creation of shared channels and invitations to them should be restricted and reviewed.
Get Audit Reports in Exchange:
Mailboxes contain valuable information, so their content must be safeguarded, which requires continuous monitoring. Check the activities below to secure sensitive mailbox content.
- Purged messages from the mailbox: Purging deletes messages permanently. Audit these operations so that unwanted deletion of important email, whether by a careless user or by an attacker covering their tracks, is noticed.
- Mailbox permission changes: Delegated access lets another user read, manage, and send mail from a mailbox. Grants of such privileges must be audited.
- Folder permission changes: Folder permissions limit which users can reach a folder, so any change to them must be audited.
- Non-owner mailbox access: Through delegation or admin rights, non-owners can access a mailbox. To secure mailbox content, non-owner activity must be monitored.
Get Audit Reports in Power BI:
Power BI reports give insight into the organization's data, so the reports must be safeguarded, and sharing of, and access to, them must be tracked. Regular review of the activities below will help.
- Power BI dashboard and report sharing: Dashboards and reports carry essential organizational data, so their sharing must be audited.
- Power BI report downloads: Downloading is routine, but not everyone needs to download a report, so users who download reports should be monitored.
- Power BI folder access grants: Granting a user access to a Power BI folder (workspace) must be noted, as it can lead to data leaks.
How Long does Office 365 Store Audit Data?
How far back you can search depends on the tenant's audit retention tier. With Audit (Standard), records are retained for 90 days (Microsoft has since raised this to 180 days). Audit (Premium), which comes with E5, A5, or G5 licenses or the Audit (Premium) add-on, retains records for one year and allows retention policies of up to ten years with a further add-on, but that costs more. Can you get older records without Audit (Premium)? PowerShell gives you the same records as the portal, but not more, because Search-UnifiedAuditLog reads the same audit store.
Search-UnifiedAuditLog -StartDate "mm/dd/yyyy" -EndDate "mm/dd/yyyy"
The cmdlet returns 100 records by default and at most 5,000 per call with -ResultSize; larger result sets need paging with -SessionId and -SessionCommand ReturnLargeSet. Some tenants have been observed returning records older than the standard retention window through this cmdlet, but Microsoft has never documented that behaviour and it must not be relied on. If you need audit history beyond the retention period, export it at regular intervals to storage or a SIEM that you control.
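As an added example that is not part of the original post, the script below turns the workload checklist above into a repeatable search and works within the cmdlet limits just described: it maps the checklist to operation names, pages through large result sets, parses the AuditData JSON, and flags sharing with external recipients and non-owner mailbox access. It assumes an existing Connect-ExchangeOnline session and that $InternalDomain is your own verified domain. The operation names are taken from Microsoft's audit activity reference, so confirm them against the Activities drop-down in your tenant before relying on them.

```powershell
# Added example, not from the original post: search the unified audit log for a
# watchlist of high-risk operations, page through large result sets, and flag
# records that involve people outside the tenant or non-owner mailbox access.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline).

$InternalDomain = 'contoso.com'     # assumption: replace with your own verified domain
$Start = (Get-Date).AddDays(-30)    # stay inside the tenant's audit retention window
$End   = Get-Date

# Operation names for the checklist above (from Microsoft's audit activity
# reference; confirm them in the Activities drop-down of your tenant).
$Watchlist = @(
    'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',  # SharePoint sharing
    'AddedToGroup', 'FileAccessed',                                     # SharePoint membership / access
    'HardDelete', 'SoftDelete',                                         # Exchange purge / delete
    'Add-MailboxPermission', 'UpdateFolderPermissions',                 # Exchange permission changes
    'MailItemsAccessed',                                                # Exchange mail access (LogonType says owner/admin/delegate)
    'MemberAdded'                                                       # Teams membership
)

function Get-AuditRecords {
    param([datetime]$StartDate, [datetime]$EndDate, [string[]]$Operations)
    # One call returns at most 5000 records. Reusing a SessionId with
    # ReturnLargeSet makes each call return the next page until nothing is left.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -Operations $Operations -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $page }
    } while ($page)
}

function Test-ExternalIdentity {
    param([string]$Upn, [string]$Domain)
    # Guests (#EXT#), anonymous-link users and any address outside our domain count as external.
    if ([string]::IsNullOrWhiteSpace($Upn)) { return $false }
    return ($Upn -like '*#EXT#*') -or -not ($Upn -like "*@$Domain")
}

$records  = Get-AuditRecords -StartDate $Start -EndDate $End -Operations $Watchlist
$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Field names differ per workload: TargetUserOrGroupName is set on SharePoint
    # sharing events; LogonType on Exchange events (0 owner, 1 admin, 2 delegate).
    $target   = $d.TargetUserOrGroupName
    $external = Test-ExternalIdentity -Upn $target -Domain $InternalDomain
    $nonOwner = ($null -ne $d.LogonType) -and ($d.LogonType -ne 0)
    [pscustomobject]@{
        Time      = $r.CreationDate
        Workload  = $d.Workload
        Operation = $r.Operations
        Actor     = $r.UserIds
        Target    = $target
        Object    = $(if ($d.ObjectId) { $d.ObjectId } else { $d.MailboxOwnerUPN })
        Flag      = $(if ($external) { 'EXTERNAL-SHARE' } elseif ($nonOwner) { 'NON-OWNER' } else { '' })
    }
}

# Keep the full set for later review; print only the flagged rows now.
$findings | Sort-Object Time | Export-Csv -Path .\ual-watchlist.csv -NoTypeInformation
$findings | Where-Object { $_.Flag } | Format-Table Time, Operation, Actor, Target, Flag -AutoSize
```

Scheduling this script daily and keeping the exported CSV files is also the simplest way around the retention limit: once a record is in your own storage, it no longer matters when the tenant purges it.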
It is better to notice an issue before it gets out of hand, so monitor your tenant's activities at regular intervals using the unified audit log. We hope this has covered your requirements regarding the unified audit log. If you have any further queries, feel free to reach us through social media. We would be glad to assist you!