Presentation is loading. Please wait.

Presentation is loading. Please wait.

Decoding audit events in Microsoft Office 365

Published byMalcolm Baker Modified over 5 years ago

Similar presentations

Presentation on theme: "Decoding audit events in Microsoft Office 365"— Presentation transcript:

1 Decoding audit events in Microsoft Office 365
7/1/2018 6:31 PM THR2095 Decoding audit events in Microsoft Office 365 Alan Byrne & Tony Redmond Office 365 MVPs © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 7/1/2018 6:31 PM The Past Auditing was enabled, configured and viewed on a workload by workload basis: Exchange Online Admin/Mailbox Auditing SharePoint Online Auditing Azure AD Auditing © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 One Office 365 auditing log to rule them all
7/1/2018 6:31 PM Unified Audit Log One Office 365 auditing log to rule them all © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 What is audited? Workload Admin Activity Recorded
7/1/2018 6:31 PM What is audited? Workload Admin Activity Recorded User Activity Recorded Azure AD Yes Exchange Online Yes (Exchange Admin Audit Logging) Yes (Mailbox Audit Logging) SharePoint Online Skype for Business No Sway PowerBI for Office 365 Microsoft Teams Yammer Security & Compliance Center (eDiscovery actions) N/A Flow Coming © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5 Audit Event Lag Times Office 365 Workload 30 Mins 24 Hours
7/1/2018 6:31 PM Audit Event Lag Times Office 365 Workload 30 Mins 24 Hours SharePoint Online and OneDrive for Business X Exchange Online Azure Active Directory (user login events) Azure Active Directory (admin events) Sway PowerBI Yammer Security & Compliance Center Teams Flow Coming © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 You need to turn auditing on!
7/1/2018 6:31 PM You need to turn auditing on! BEFORE you need to investigate something © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 Accessing the Audit Logs
7/1/2018 6:31 PM Accessing the Audit Logs PowerShell (Search-UnifiedAuditLog) Audit Log Search in Security & Compliance Centre 3rd Party tools (Using the Management Activity API) Dashboards (Coming soon to Security & Compliance Centre) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8 Accessing the Audit Logs
7/1/2018 6:31 PM Accessing the Audit Logs © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9 7/1/2018 6:31 PM An Audit Event © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10 A look at individual audit events
7/1/2018 6:31 PM A look at individual audit events © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 7/1/2018 6:31 PM File Accessed © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12 Mailbox Delegate Permission Changes
7/1/2018 6:31 PM Mailbox Delegate Permission Changes © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13 Sharing Anonymous Links
7/1/2018 6:31 PM Sharing Anonymous Links © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14 It’s not always obvious
7/1/2018 6:31 PM It’s not always obvious © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 7/1/2018 6:31 PM Limitations © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16 Audit data is only retained for 90 days
Audit events are normalized, but relevant workload specific properties are hard to identify Analyzing thousands of log lines of raw data is not for everyone

17 7/1/2018 6:31 PM Alternatives? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18 Quadrotech Radar Reporting
7/1/2018 6:31 PM Quadrotech Radar Reporting © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19 Please evaluate this session
Tech Ready 15 7/1/2018 Please evaluate this session From your Please expand notes window at bottom of slide and read. Then Delete this text box. PC or tablet: visit MyIgnite Phone: download and use the Microsoft Ignite mobile app Your input is important! © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20 7/1/2018 6:31 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Decoding audit events in Microsoft Office 365"

Similar presentations

MIX 09 4/15/2017 11:14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Session 1.

Session 1.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks.
Success through People with LinkedIn and O365

Success through People with LinkedIn and O365
Azure on Steroids: Full Automation with PowerShell

Azure on Steroids: Full Automation with PowerShell
5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers.

5/29/2018 1:51 AM THR2071 Managing enterprise applications, permissions, and consent in Azure Active Directory Adam Steenwyk & Jeff Sakowicz Program Managers.
Migrating home folders to OneDrive for Business

Migrating home folders to OneDrive for Business
6/5/2018 1:30 PM THR1029 Spend less time managing data and more time with customers: Quick tour of Outlook Customer Manager Welly Lee Welly.Lee@microsoft.com.

6/5/2018 1:30 PM THR1029 Spend less time managing data and more time with customers: Quick tour of Outlook Customer Manager Welly Lee
Azure Cloud Shell Magic of Modern Command-line Management

Azure Cloud Shell Magic of Modern Command-line Management
6/19/2018 2:57 AM THR3092 Monitor and investigate actions on your user and data with alerts, insights and reports Binyan Chen Program Manager II, Office.

6/19/2018 2:57 AM THR3092 Monitor and investigate actions on your user and data with alerts, insights and reports Binyan Chen Program Manager II, Office.
Optimizing Microsoft OneDrive for the enterprise

Optimizing Microsoft OneDrive for the enterprise
What a Real, Functioning DevOps Team Looks Like

What a Real, Functioning DevOps Team Looks Like
Understanding Multi-Geo Capabilities in Office 365

Understanding Multi-Geo Capabilities in Office 365
8/6/2018 3:21 AM THR2261 Groups, and Teams and Sites, Oh My! The Ultimate Office 365 Groups Teardown John Peluso SVP Product Strategy, AvePoint Inc. Microsoft.

8/6/2018 3:21 AM THR2261 Groups, and Teams and Sites, Oh My! The Ultimate Office 365 Groups Teardown John Peluso SVP Product Strategy, AvePoint Inc. Microsoft.
SQL Server on Linux on All-Flash Arrays

SQL Server on Linux on All-Flash Arrays
Excel and Power BI Better Together Democratization of data

Excel and Power BI Better Together Democratization of data
Workflow Orchestration with Adobe I/O

Workflow Orchestration with Adobe I/O

Similar presentations

Ads by Google