
How to enable and configure Office 365 logging and auditing

CSO Online | Jan 10, 2019

Make sure Microsoft Office 365 logging and auditing is set up properly so forensic data is available when needed.

Copyright © 2019 IDG Communications, Inc.

This is Susan Bradley for CSOnline. Today I'm going to talk about something that I think is a little bit overlooked. And honestly I think it should be default in all Office 365 deployments. And that's Office 365 auditing and logging. I think it should be on by default. And it's going to be in the future. But right now you want to make sure that it's turned on and check your settings. What reminded me of this was an upcoming announcement in the Office 365 Admin Center that reminded me that mailbox audit is going to add mail reads by default in the coming week. This is actually something that's been asked for in the forensic investigations. It's called the mail items access action. It offers comprehensive forensic coverage and mailbox accesses sync operations and will really help any kind of forensic analysis of what went on in an investigation.
In early February 2019 Microsoft is going to turn this on. Initially these logs will not be in the unified audit log and will only be available from the mailbox audit log. Bottom line, for those of you in Office 365, you want to take a look at this. See if you do any additional steps in order to turn on this logging. And if you're currently doing any logging, you may want to re-evaluate some of the settings you've done.
Now of course if you've never turned on auditing in the first place, one thing I want you to do is go look, and especially in the search and investigation area of your Microsoft 365 or Office 365 console. Click on the audit log search section. And if you notice up here where it says turn on auditing, if it is already enabled then perfect, you're set to go. But if it says turn on auditing, then I want you to go ahead and turn on that auditing. This is an example in a sample 365 subscription that I have. And you can see even in the time that it's been on, it showcases the number of times I've logged in and which IP address I've logged in from. You can set up new alerts and actually set up alerts of actions and accesses, and again review this section if you've not already set these things up.
The second step I suggest that you do is check to see if you've turned on mailbox auditing. Now to do that you'll need PowerShell, and if you haven't connected to Exchange Online PowerShell, I'm sure you've done that by now, but just in case there are instructions on how to do that. And once you've connected online, then you want to enable mailbox auditing. And here you can see in PowerShell a sample of the mailbox I've turned on. I've got logging enabled for 90 days. And you can see the commands there. If you use the audit command you can actually see if auditing is turned on in your environment. Now I recommend that you enable mailbox auditing for all mailboxes in your organization.
You want to set it up ahead of time, because if you come to a situation where you ask a question about access or who deleted something, and you look at your environment and you think, gee, I didn't set up the mailbox auditing, it's too late. You need to set it up ahead of time. So that's why I suggest that you do this now while you don't need it, because you never know when you might need to turn on mailbox auditing and investigate what's going on.
For more information, I've got some additional resources that I've linked to in the article, including a YouTube video from Randy Franklin Smith, who's a guru on Windows security auditing. I've also linked to a white paper from the SANS infosec reading room about extracting timely sign-in data from Office 365 logs. Bottom line, I want you to take the time now to enable auditing because you'll need it sooner versus later. Until next time, this is Susan Bradley for CSOnline.
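
The two checks described in the video (tenant-level audit logging, then per-mailbox auditing with 90-day retention), as an added PowerShell example that is not taken from the video or its linked article. It assumes an already connected Exchange Online PowerShell session with rights to run these cmdlets; the variable names are illustrative.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.

# 1. Tenant level: is unified audit log ingestion turned on?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Output 'Unified audit logging is OFF; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox level: find mailboxes with auditing off or retention under 90 days.
#    AuditLogAgeLimit can arrive as a deserialized value in a remote session,
#    so it is parsed back into a TimeSpan before comparing.
$target = [TimeSpan]::FromDays(90)
$gaps = Get-Mailbox -ResultSize Unlimited | Where-Object {
    $age = [TimeSpan]::Parse($_.AuditLogAgeLimit.ToString())
    (-not $_.AuditEnabled) -or ($age -lt $target)
}

# Report first, so the change set is reviewed before anything is modified.
$gaps | Format-Table Name, AuditEnabled, AuditLogAgeLimit -AutoSize

# 3. Remediate only the mailboxes that fell short. Add -WhatIf for a dry run.
foreach ($mbx in $gaps) {
    Set-Mailbox -Identity $mbx.DistinguishedName `
                -AuditEnabled $true `
                -AuditLogAgeLimit '90.00:00:00'
}

# 4. Verify: list every audit-related property per mailbox.
Get-Mailbox -ResultSize Unlimited | Format-List Name, Audit*
```

Mailboxes created after this runs are not covered by step 3, so the report in step 2 is worth scheduling as a recurring check.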