With cloud adoption rates continuing to rise, it would suggest that users are increasingly trusting cloud-based platforms. More and more organizations, including those in finance, healthcare, and education, are storing sensitive information in the cloud and trusting that it is secure. However, security controls and visibility into key changes aren’t always as effective as some comparable on-premise platforms and one way to resolve these issues is to check the Microsoft 365 audit logs on a regular basis.
In this article we will look at what audit logging is in relation to Microsoft 365, why it is important that it is monitored regularly and how it’s done. We will then offer an alternative solution to the native Microsoft 365 approach to make the whole process much easier.
Why Check Office 365 Audit Logs?
Office 365 comprises multiple services, including Microsoft Teams, Exchange Online, Azure AD, SharePoint Online, and OneDrive for Business. Monitoring these Office 365 services can be a challenging task for system administrators who are often managing multiple sub-admins and sometimes thousands of users.
Office 365 audit logs help to track admin and user activity, including who’s accessing, viewing, or moving specific documents and how resources are being used. To be able to investigate security incidents and demonstrate compliance, these logs are crucial. However, the native logs have several limitations, so additional services such as Lepide Auditor for Office 365 are usually needed to monitor activity effectively, keep systems secure, and ensure regulatory compliance.
Lepide Guide for Microsoft 365 CopilotThis guide will list the steps security teams can take to ensure organizational readiness for Copilot before and after deployment.
Download Whitepaper
How to Set Up Audit Logging using the Native Approach
Native log auditing is not enabled by default. To enable native log auditing:
- Go to the Microsoft 365 Security & Compliance Center
- Go to Search and then Audit log search.
- Click Turn on auditing by clicking the Start recording user and admin activity banner
How to Run an Office 365 Audit Log Search
Prerequisites
Before you can run an audit log search, an admin must assign the required permissions to your account. The permissions can be either View-Only Audit Logs or Audit Logs.
You may have to wait several hours from the time you enable log auditing before you can run an audit log search. A unified audit log search consolidates data from multiple Microsoft 365 services into a single log report, which requires anywhere from 30 minutes to 24 hours to complete.
To run an audit log search:
- Log In at https://protection.office.com.
- Start a New Search.
In the Security & Compliance Center, click Search, Audit log search. - Configure Your Search Criteria
The main criteria to specify are:- Activities — There are over 100 of these, so they have been grouped into related activities. You will need to narrow this down otherwise your audit report will include all activities performed during the time frame specified.
- Dates — The default time frame is the last seven days, but you can configure your search for any period within the last 90 days.
- Users — Specify which user or group of users you want to include in your report.
- Location — Use this option if you want to limit the search to a particular file, folder, or site. Enter a location or keyword.
- Filter the Search Results
Filtering the search results will help you analyze the data more effectively. You can enter keywords, specific dates, users, items, or other details.
You can also generate a report of raw data that meets your search criteria by exporting the data into CSV. This lets you download up to 50,000 events instead of the usual maximum of 5,000. To generate even more than 50,000 events, work in batches of smaller date ranges and combine the results manually.
- Save your Results.
To save your results, click Export results and choose to Save loaded results to generate a CSV file with your data. You can then use Microsoft Excel to access the file.
There is a column called AuditData, which consists of a JSON object that contains multiple properties from the audit log record. To enable sorting and filtering on those properties, use the JSON transform tool in Excel’s Power Query Editor to split up the AuditData column and give each property its own column.
Limitations of Native Searches in Microsoft 365 Audit Logging
Manually working through the Microsoft 365 audit logs is often complex and time-consuming. There are search tools that can be helpful, but still lack the functionality that would be available with a dedicated real-time auditing solution. Below are some of the most notable limitations of the Microsoft 365’s native searches:
- Microsoft’s default audit data retention policy is only 90 days. You can extend this to one year with E5 licenses or create custom policies for shorter or longer periods (up to 7 years). However, a separate license is required for a 10-year retention policy. Before changing retention settings, carefully consider your needs for audit data.
UPDATE: Following an Exchange Online breach between May and June 2023, Microsoft has increased the default log retention period from 90 days to 180 days.
- Accessing the audit logs now requires a premium license like Microsoft Purview Audit. This means essential events, such as Exchange Online email activities, are only available with the paid license.
- Microsoft 365 audit logs are not real-time. Data is collected from individual servers and processed by backend services, resulting in a delay of 60 to 90 minutes for core services like Exchange, SharePoint, OneDrive, and Teams. For other services, the delay may be even longer.
- Native searches don’t automatically enable the tracking of all actions. You need to explicitly enable specific audit events, such as those related to searches and Planner/To Do activities. Microsoft regularly releases new audit events, which require manual enabling for desired users.
- Inconsistencies in results may occur due to ongoing bugs or limitations. This means that a lack of results from one search method doesn’t guarantee the absence of the activity being sought. Therefore, relying solely on a single search method, especially Graph, might lead to false negatives, and further investigation is recommended.
- Putting together readable reports is very difficult and time-consuming. This makes it is harder to identify anomalous activity than it would be using a dedicated change auditing solution. Finally, exporting your audit data makes it easier to analyze, but it can be problematic keeping the exported data secure.
How Lepide Helps
All these limitations are removed when you use the Lepide Auditor for Office 365 to check Microsoft 365 Audit Logs.
Lepide Auditor stores audit trails for years with no limitations regarding how long the logs are retained, and they are easily searchable, sortable, and filterable so that you can get all the information you need whenever you need it.
Reports can be generated, and alerts configured giving answers in real-time to the who, what, when, and where auditing questions in a simple, friendly, easy-to-use dashboard.
Lepide’s Office 365 auditing software includes a large number of pre-defined reports to choose from, which can be generated at the click of a button. These reports include but are not limited to:
- External Data Sharing
- Permission Modification
- User Modification
- Document Modification
- Policy Modification
- Group Modification
Along with the reports, you can use our Office 365 auditing tool to set up real-time alerts to be activated when specific events take place, and these can be sent to your inbox or mobile app. In addition, automated threat responses can be triggered if immediate action is required. For example, an automated response might involve running a script to carry out remedial action like shutting down a server.
If you’d like to see how Lepide can help check your Microsoft 365 Audit Logs, schedule a demo with one of our engineers.
