It’s important to understand all of the Office 365 administration tools available to you, especially as they relate to security.
Administrators in charge of Microsoft Office 365 services rely on the centralized management console to get details about user activities and events in the system. An additional layer of monitoring, the unified audit log, provides deeper insight into events occurring in the Office 365 tenant, including admin activity. At a time when more and more businesses are using Office 365, thereby attracting more attention from threat actors, IT professionals need to be more proactive and use the unified audit log to check for any suspicious activity.
The Unified Audit Log is a valuable component of Office 365 because it helps administrators manage a wide range of requests from different user-related services. Here are some examples of such requests:
- review of file deletions or file access;
- review of user activities regarding sensitive data;
- review of user login behaviors in the context of a security incident;
- review of any recent changes to administrative permissions in the system;
- review of file deletions; and
- review of recent file downloads or checkouts to external devices.
When managing on-premises systems, administrators had to log into multiple areas, such as the Exchange Administration Console, Central Administration in SharePoint, Active Directory, and file servers, to satisfy these information requests. But on Office 365, Microsoft has centralized administrative activities under a single management portal for Exchange Online, Yammer, Microsoft Teams, OneDrive, Power BI, Dynamics 365, Power Automate (formerly Microsoft Flow), Power Apps, Microsoft Forms, SharePoint Online, Azure Active Directory (AD), Sway, and the Security & Compliance Center.
The majority of audit requests for these services can be satisfied using Office 365 Unified Audit Logs from the Security Admin Portal at the protection.office.com/unifiedauditlog URL. The audit log search feature allows IT professionals to narrow down results using multiple criteria, such as activity and time period.
How to search the Office 365 Unified Audit Log
Office 365 administrators should be vigilant for signs of a data breach or hack. The Office 365 Unified Audit Log enables auditing of events to identify suspicious activity in Microsoft services. For example, to reveal activity related to file deletions, administrators can set the date range and choose the file deletion activity from the Activities menu.
Exchange administrators can use the Unified Audit Log for email-related audits to uncover suspicious activity, such as large amounts of deleted emails. These actions could be a sign of foul play on the part of an employee or an attempt by a hacker to hide their activity after hijacking a user’s credentials.
Administrators can export audit records to a comma-separated values (CSV) file for review in Microsoft Excel or Power BI.
How to Use PowerShell to Find the Unified Audit Log
Administrators who prefer to use PowerShell can also use the ExchangeOnlineManagement module, also known as the Exchange Online PowerShell V2 module, which includes the Search-UnifiedAuditLog cmdlet. Despite its name, the ExchangeOnlineManagement module discovers events in other Office 365 services, similar to the GUI version of the admin portal.
The cmdlet provides several parameters, including date range, user ID, and text strings to set the criteria to narrow down the results. The following example will find the activities of a specific user between the beginning of January and the end of March.
Search-UnifiedAuditLog -StartDate 1/1/2022 -EndDate 3/31/2022 -UserIds "[email protected]"
The default result size of the Search-UnifiedAuditLog cmdlet is 100 records, which can be adjusted using the -ResultSize parameter up to a maximum of 5,000 per call. For more information on this cmdlet, see Microsoft's documentation for Search-UnifiedAuditLog.
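The single-line example above returns at most one page of results. A practitioner investigating file deletions usually needs more: paging past the 5,000-record limit, unpacking the JSON in the AuditData property, and summarising by user. The following PowerShell is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-log reader role, and that the session name, the 30-day window, the output path and the per-user threshold of 100 deletions are placeholders to adjust.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement is
# installed and the account has permission to search the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$start     = (Get-Date).AddDays(-30)          # assumed window: last 30 days
$end       = Get-Date
$sessionId = "fileDeletes-" + [guid]::NewGuid().ToString()   # any stable string per query
$all       = @()

# Search-UnifiedAuditLog returns at most 5000 records per call. Reusing one SessionId with
# -SessionCommand ReturnLargeSet pages through the full result set (up to 50,000 records).
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations FileDeleted,FileDeletedFirstStageRecycleBin,FileDeletedSecondStageRecycleBin `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page -and @($page).Count -eq 5000)

# ReturnLargeSet can hand back duplicates across pages; the Identity property is unique per record.
$all = $all | Sort-Object Identity -Unique

# AuditData is a JSON string; expand only the fields an investigator needs.
$rows = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $d.UserId
        Operation = $d.Operation
        Workload  = $d.Workload
        ClientIP  = $d.ClientIP
        Item      = $d.ObjectId
    }
}

# Users deleting an unusual number of files in the window (threshold of 100 is an assumption).
$rows | Group-Object User | Where-Object Count -gt 100 |
    Select-Object Name, Count | Sort-Object Count -Descending

# Export everything for review in Excel or Power BI, as the article describes.
$rows | Sort-Object Time | Export-Csv -Path .\file-deletions.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The loop stops when a page comes back short of 5,000 records, and the Sort-Object -Unique step matters because large-set paging does not guarantee that records appear exactly once. The same pattern works for mailbox investigations by swapping the -Operations list for HardDelete, SoftDelete and MoveToDeletedItems.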
How to configure alerts to receive notifications about suspicious activity
Administrators can configure alert policies to receive notifications for specific user activities. The example in the screenshot sends email notifications when a user purges messages from a mailbox or deletes emails from the Deleted Items folder. IT professionals can configure alerts for other system activities and for all users or for specific users.
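Alert policies can also be created from Security & Compliance PowerShell, which is useful when the same policy must be applied consistently across several tenants. The following is an added example, not part of the original article or a Microsoft sample; it uses the New-ProtectionAlert cmdlet as I know it, so the parameter names and values should be checked against Get-Help New-ProtectionAlert -Detailed in your tenant, and the policy name, notification address, threshold and time window are assumed placeholders.

```powershell
# Added example (not from the original article). Run in Security & Compliance PowerShell;
# assumes the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Mirror the screenshot policy: notify when mailbox items are purged (HardDelete) or
# removed from Deleted Items (SoftDelete). Aggregating over a window reduces noise from
# routine cleanup; the 50-item / 60-minute values are assumptions to tune per tenant.
New-ProtectionAlert -Name "Mailbox purge or Deleted Items cleanup" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation HardDelete,SoftDelete `
    -AggregationType SimpleAggregation -Threshold 50 -TimeWindow 60 `
    -Severity High `
    -NotifyUser "secops@example.com" `
    -Description "Added example: bulk purge of mailbox items may indicate evidence destruction after account compromise"

# Confirm the policy exists and is enabled before relying on it.
Get-ProtectionAlert -Identity "Mailbox purge or Deleted Items cleanup" |
    Format-List Name,Category,Operation,AggregationType,Threshold,TimeWindow,NotifyUser,Disabled
```

Scoping a policy to specific users is done with the -Filter parameter rather than a user list; leaving it out applies the policy to every user, which matches the "all users" option the article mentions in the portal.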
How to Change the Unified Audit Log Retention Policy
Despite the ability to access information about multiple Office 365 services, a key limitation is the length of time the unified audit log is available. Microsoft allows access to the last 90 days of audit data.
Customers subscribing to Office 365 E5, Microsoft 365 E5 License, Microsoft 365 E5 Compliance, or Microsoft 365 E5 eDiscovery with Audit Add-on License have a one-year default setting for Exchange Online, SharePoint Online and Azure Active Directory. For other customers, administrators have the option to use the audit retention policy to retain data for up to one year, but this requires the administrator to manually configure these settings.
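The manual configuration the article refers to can be done with the New-UnifiedAuditLogRetentionPolicy cmdlet. The following is an added example rather than text from the original article; it assumes the ExchangeOnlineManagement module, a licence that permits one-year retention, and that the policy name, description and priority value are placeholders.

```powershell
# Added example (not from the original article). Run in Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Keep sign-in, mailbox and admin events for twelve months instead of the 90-day default.
# RecordTypes values are the AuditLogRecordType names used by the unified audit log.
# Priority is required; a lower number wins when policies overlap (10 is an assumed value).
New-UnifiedAuditLogRetentionPolicy -Name "Identity and mailbox audit - 12 months" `
    -Description "Retain Azure AD sign-in and Exchange audit records for one year" `
    -RecordTypes AzureActiveDirectoryStsLogon,ExchangeItem,ExchangeAdmin `
    -RetentionDuration TwelveMonths `
    -Priority 10

# Review the effective policies; verify the new one appears with the expected duration.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name,RecordTypes,RetentionDuration,Priority -AutoSize
```

A retention policy only affects records generated after it takes effect, so it does not recover audit data that has already aged out of the 90-day window; organisations that need a longer history should also forward the log to a SIEM as the next section describes.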
For organizations using a Security Information and Event Management (SIEM) product, the Office 365 Management Activity API allows third-party vendors to query the contents of the unified audit log. Products such as Sumo Logic Cloud SIEM can capture information about Office 365 user activity and details about network traffic, servers, and system events.
The Unified Audit Log is designed to provide some visibility into what end users are doing in Office 365. Although it tracks several critical user activities, Unified Audit Log alerts should not be used as the primary tool to protect the organization from attackers. Rather, the Unified Audit Log is intended to show the timeline of user activities and where they originated to aid in investigations.