Microsoft’s Office 365 adoption continues to grow among larger enterprises, with small and medium-sized businesses adopting at lower rates.
With this market share comes an increasing need for administrators and analysts to understand the activities taking place in their cloud environments.
Office 365 offers several different business license types. Currently, these types offer different capabilities in the security and auditing area, in addition to main differentiators such as mailbox size and Office application availability.
As features are always being updated, referencing Microsoft’s current offering pages for Small Business and Enterprise is always a good idea, but the key security features available in at least one of the plans or add-ons are:
It is important to know that auditing may not currently be enabled in the Office 365 environment you manage.
While this default may change in future O365 updates, if you are unsure of your tenant’s auditing status you can check it in the Security & Compliance admin center > Search & investigations > Audit log search.
Below you can see that there is a notification that auditing needs to be enabled – and this was the default config for an Enterprise trial.
Step 1: To enable auditing, follow the directions in the yellow banner.
If you don’t see the banner, auditing at this level has already been turned on and you should be able to search.
Alternatively, you can connect to Exchange Online via PowerShell (the cmdlet lives in Exchange Online, not the Security & Compliance endpoint) and run the following command to accomplish the same task: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Step 2: Additionally, given that Exchange and email activities are often the first line in understanding the scope of an incident and performing forensic analysis, you’ll also want to ensure that mailbox audit logging is enabled by following these PowerShell steps outlined by Microsoft.
This will allow you to see Exchange mailbox results in the above audit log, if not already enabled. Mailbox auditing is currently not enabled by default in all tenants, but Microsoft is changing this. Keep in mind that auditing is not retroactive: activity that took place before it was switched on is never recorded, which is why this belongs in incident response preparation rather than in the middle of an incident.
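The two steps above, as an added PowerShell example (not code from the original post or from Microsoft’s documentation): it checks the current state before changing anything, so it is safe to run in a tenant where auditing is already on. It assumes the newer ExchangeOnlineManagement module (Connect-ExchangeOnline) rather than the older remote-session connection, an account holding the Organization Management role, and a hypothetical admin UPN.

```powershell
# Added example: verify and enable Office 365 auditing (unified audit log +
# per-mailbox audit logging). Assumes the ExchangeOnlineManagement module and
# an account with the Organization Management role. The UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Step 1: unified audit log ingestion (the setting behind the yellow banner).
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Unified audit log ingestion enabled; allow time before searches return data.'
} else {
    Write-Host 'Unified audit log ingestion was already enabled.'
}

# Step 2: per-mailbox audit logging. First check the tenant-wide switch that
# overrides every per-mailbox setting, then enable auditing on each user
# mailbox that still has it off and extend retention beyond the 90-day default.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level (AuditDisabled = True); per-mailbox settings will not take effect.'
}

$userMailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"
$needsAudit    = $userMailboxes | Where-Object { -not $_.AuditEnabled }
Write-Host ("{0} of {1} user mailboxes have auditing off." -f @($needsAudit).Count, @($userMailboxes).Count)

foreach ($mbx in $needsAudit) {
    # AuditLogAgeLimit takes a dd.hh:mm:ss time span; 180 days here.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00'
    Write-Host ("Enabled mailbox auditing for {0}" -f $mbx.UserPrincipalName)
}

# Confirm the end state, including which owner/delegate/admin actions are audited.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin |
    Format-Table -AutoSize
```

Run the final Get-Mailbox report again a day later as a check: a mailbox created after the script ran will pick up whatever the tenant default is, so this is a setting to re-verify periodically rather than a one-time fix.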
What does auditing enable for you? As you can see in the above screenshot, you’ll be able to run searches from the Admin Center on logs for the past 90 days (or longer, as Microsoft appears to be taking steps toward extending this to a year for some subscription types).
The actions you can search on are grouped into these activity categories:
Listed below are some examples of the logging that we have found helpful in our Digital Forensics and Incident Response practice.
Note that these logs were pulled via the Hawk tool, but many others exist to help you collect and gather the information necessary to help reconstruct activities.
This report shows suspected malware sent into and out of the Office 365 environment.
Note that some columns are hidden for readability (total bytes, message ID, network id, etc.) and other details have been generalized for simplicity.
Logs for a particular user, as obtained from the Hawk tool, showing a pattern of potentially unusual login attempts. As above, columns have been hidden for readability and information has been simplified.
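The audit log search described above and the login-pattern report just shown, as an added PowerShell example (not code from the original post or from the Hawk project): it pivots sign-in audit records by user and source IP and flags the many-failures-then-success shape that the report illustrates. The records at the bottom are constructed test data shaped like Search-UnifiedAuditLog output (each record carries its details as a JSON string in AuditData); the live query assumes the ExchangeOnlineManagement module and a prior Connect-ExchangeOnline. The user, domain and IP addresses are placeholders.

```powershell
# Added example: summarize Office 365 sign-in audit records per user and source IP.
# Input is any collection of objects with an AuditData JSON string, i.e. the shape
# returned by Search-UnifiedAuditLog for the AzureActiveDirectoryStsLogon record type.
function Get-SigninSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $FailureThreshold = 5        # failures from one IP before it is flagged
    )
    # Flatten each record's AuditData JSON into the fields we pivot on.
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time = [datetime]$d.CreationTime
            User = $d.UserId
            IP   = $d.ClientIP
            Op   = $d.Operation            # UserLoggedIn or UserLoginFailed
        }
    }
    $events | Group-Object -Property User, IP | ForEach-Object {
        $ordered   = @($_.Group | Sort-Object -Property Time)
        $failed    = @($_.Group | Where-Object Op -eq 'UserLoginFailed').Count
        $succeeded = @($_.Group | Where-Object Op -eq 'UserLoggedIn').Count
        [pscustomobject]@{
            User       = $ordered[0].User
            IP         = $ordered[0].IP
            Failed     = $failed
            Succeeded  = $succeeded
            FirstSeen  = $ordered[0].Time
            LastSeen   = $ordered[-1].Time
            # Repeated failures followed by a success from the same IP is the
            # classic brute-force / password-spray-then-compromise pattern.
            Suspicious = ($failed -ge $FailureThreshold -and $succeeded -gt 0)
        }
    } | Sort-Object -Property Suspicious, Failed -Descending
}

# Constructed sample data (not real logs): six failures then a success for one
# user from 203.0.113.10, and one ordinary login later from 198.51.100.5.
function New-SampleRecord($Time, $Op, $Ip, $Result) {
    [pscustomobject]@{ AuditData = (@{
        CreationTime = $Time.ToString('s'); Operation = $Op; ResultStatus = $Result
        UserId = 'alice@contoso.example'; ClientIP = $Ip; Workload = 'AzureActiveDirectory'
    } | ConvertTo-Json -Compress) }
}
$t = [datetime]'2019-03-04T02:00:00'
$sample = @()
for ($i = 0; $i -lt 6; $i++) {
    $sample += New-SampleRecord $t.AddMinutes($i) 'UserLoginFailed' '203.0.113.10' 'Failed'
}
$sample += New-SampleRecord $t.AddMinutes(7) 'UserLoggedIn' '203.0.113.10' 'Succeeded'
$sample += New-SampleRecord $t.AddHours(6)   'UserLoggedIn' '198.51.100.5' 'Succeeded'

Get-SigninSummary -Records $sample | Format-Table -AutoSize

# Live query against the tenant (run Connect-ExchangeOnline first). A single call
# returns at most 5000 records; use -SessionId/-SessionCommand ReturnLargeSet to page.
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations UserLoggedIn, UserLoginFailed -ResultSize 5000
# Get-SigninSummary -Records $live | Where-Object Suspicious | Format-Table -AutoSize
```

With the sample data the 203.0.113.10 group crosses the threshold and is flagged while the 198.51.100.5 login is not; on real data, tune FailureThreshold to the tenant’s lockout policy and treat a flagged row as a lead to correlate with the mailbox audit entries (inbox rules, forwarding, delegate access) from Step 2 rather than as a verdict on its own.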