Part 2: Audit
This is the second blog in a multi part series helping admins, service providers, consultants and security admins to check and achieve a level of security control in Office 365. Part 1 of this series covered the basic PowerShell commands for Authentication through CIS, here we will talk about ‘Audit’.
Need for Office 365 Automation
Many of the above are technical people, who require some amount of automation here because
- May be frustrated with the myriad UIs from Microsoft,
- Have multiple tenants to secure
- Consider this a repeating task (which it should be)
To this end we will show you how to complete these tasks in PowerShell, which will allow you to script these checks and remediations. Alternately, you can skip laborious manual Office 365 PowerShell configurations by using advanced automation solutions like Octiga for achieving same results in a few clicks.
Connect to Remote PowerShell
The following connections are required to run scripts in this blog
Enable Org Customisations
If you have never run PowerShell against a tenant before then you will have to enable organisation customisations via PowerShell
Unified Audit Log (UAL)
Reason: Microsoft funnel many different log sources into one unified log for easy triage and investigation.
Mailbox Audit – Basic and Advanced
Since this is configurable you should ensure that all types of activities are being audited for each mailbox. Even if misconfiguration has not occurred, it may also be the case that it is not only default anyway because Microsoft applies this audit capability differently to different licence types. More info here
The above will show the audit enabled status for all mailboxes under the field auditEnabled
The final three fields in the output show the default event types that are being audit. (See Remediate Advanced)
Notice in the above check that we show the audit events types that are being audited by default. This Microsoft article shows us that this set can be altered and updated.
The below code can be updated to include any mailbox action which you wish to audit. The full list can be found in the above link. Note If you do not have an E5 licence, or an E5 Compliance Add-On licence, then the following actions may not be possible and should be removed:
[Send, SearchQueryInitiated, MailItemsAccessed]
Advanced Auditing (E5 and Advanced Add-On)
Advanced audit allows for increase audit retention and logs additional event types, fast event delivery among other things.
Advance Audit is available with E5 licences or through an add on (see here)
We need to ensure it is set up correctly so when the times comes to need it you aren’t left kicking yourself.
Assigning Advanced Audit Licences
If you have purchased the required licence you must ensure they are allocated to the required users. One mistake we often see is companies purchasing licences and then failing to allocate them, let alone configure them.
The following script will identify any unallocated M365_ADVANCED_AUDITING service plan
Advanced Audit Events
Advanced audit logs additional mail box events (Send, MailAccessItem, SearchQueryInitiatedExchange/SharePoint) which can be crucial when investigating mail breaches
Check and Remediate
The following script will setup advanced audit event logging for all users who have been assigned the advanced audit licence.
Advanced Retention Periods
Once Unified Audit Logging is turned on it will use a default audit storage retention policy. Without advanced audit licence this will be 90 days. Once advanced audit licence is activated it will default to 1 year, however it can be set optionally for up to 10 years.
Note, setting longer retention policies than what you already have will not retrospectively reveal older logs that have not already been stored. So if you want logs for more than 1 year in the future you will need to start now
The default audit retention policy applies to all workloads (SharePoint, Teams, Exchange etc.), however any custom policy will override it for the chosen workload. See here for a list of workloads on which it is possible to extend the storage.
In this example we will override the default retention storage for some important workloads
High-Speed Access to Audit Logs
When you subscribe to advanced audit in Office 365 you will automatically get log events faster than you would otherwise get through the Management API. Octiga’s event monitoring will automatically pick up these additional event types and at the higher rate so you will be informed even more rapidly of suspicious activity
Octiga Ensures BOTH Best Practice Security Configurations AND Monitors all Risky Events
Octiga not only easily set all of the above policies across all the tenants that you manage, but also subscribes to all the resultant risky events. It alerts you when either one of the policies does not comply with this best practice but also alerts you for all ongoing risks. It then remediates these risks with the touch of a button. Book a quick 15 minute chat with to understand how Octiga can help your unique business needs through Office 365 security automation.