Thursday, February 1, 2018

Enable activity auditing in Office 365

Here’s something I suggest you ensure is enabled in all Office 365 tenants.

Visit the Office 365 Security and Compliance center as an administrator. From the menu on the left, select the Search & investigation heading. From the items that appear, select Audit log search.

If your audit logging hasn’t been enabled, you’ll see a hyperlink on the right that says Start recording user and admin activity. If that link is visible, select it.

You will then receive a confirmation prompt. Select Turn on.

You’ll be taken back to the Audit log search page where you’ll see a message telling you that logging is being enabled.

When that process is complete, return to the Audit log search page and select the Activities drop-down.

You’ll now be able to audit a huge range of activities and produce a report, like this:

Here, I’ve run a report to display any files that have been accessed. From the results I can see the user, IP address and the file that was accessed.

You can now also set up an alert on any of these activities.

To do this, select the Alerts option on the left in the Security & Compliance center. From the items that appear, select Manage alerts.

On the right, select the + New alert policy button.

Set the Alert Type to Custom.

Select the Send this alert when… option and again choose the activity for the alert. The available options should be pretty much the same as you saw before with the audit logs.

Then choose which users you wish the alert to apply to, as well as an email address to send the alert to.

As with all alert settings, ensure that you don’t make these too general, because you’ll end up getting too many alerts and spamming yourself.

The important thing here is that auditing is not enabled by default. The best practice recommendation is therefore to go and turn it on so you can audit activity in your tenant.
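
The same check, enablement and file access report can be scripted, which helps when you look after many tenants. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement PowerShell module is installed and that the account you sign in with holds the Audit Logs role, and the 7-day window and result size are arbitrary choices.

```powershell
# Added example (not from the original post).
# Assumes: ExchangeOnlineManagement module installed, Audit Logs role assigned.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as a tenant administrator

# Read the setting from Exchange Online PowerShell. The same property read
# from Security & Compliance PowerShell always reports False.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Audit logging turned on. Allow time for recording to start.'
}
else {
    Write-Host 'Audit logging is already enabled.'
}

# File access report: who opened which file, and from which IP address.
$end     = (Get-Date).ToUniversalTime()
$start   = $end.AddDays(-7)          # assumption: last 7 days
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
               -Operations FileAccessed -ResultSize 1000

# Each record carries its detail as a JSON string in AuditData.
$report = foreach ($record in $records) {
    $data = $record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc  = $data.CreationTime
        User     = $data.UserId
        ClientIP = $data.ClientIP
        File     = $data.ObjectId
    }
}

if (-not $report) {
    Write-Host 'No FileAccessed events returned (new tenants have no history yet).'
}
else {
    $report | Sort-Object TimeUtc -Descending | Format-Table -AutoSize

    # Busiest user / IP address pairs, useful for spotting unexpected sources.
    $report | Group-Object User, ClientIP |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
}

Disconnect-ExchangeOnline -Confirm:$false
```

Events are only recorded from the point auditing is turned on, so a tenant where the script has just enabled it will return an empty report at first.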