I’m starting to get lots of questions about how to determine when exactly an Office 365 account was compromised. Typically, the two most common compromises are phishing and weak passwords. This article is going to focus on one of the ways weak passwords are exploited.

The first thing to appreciate here is that, generally, Office 365 won’t maintain logs needed for detailed investigation beyond 7 days and secondly most logging in Office 365 is disabled by default. There are a number of different audits in the product that you should enable, the major one is Activity auditing which I have detailed how to enable here:

Enable activity auditing in Office 365

The place I suggest you start any investigation is with my free PowerShell Office 365 user login auditing script which I have detailed here:

Auditing Office 365 logins via PowerShell

If you are a CIAOPS Patron subscriber I have an enhanced version of this same script that also outputs the results to a CSV file.

The above shows you the screen output of this script. You’ll see successful logins in green and unsuccessful ones in red.

The indication that an account has been compromised will either be:

1. Successful login from a suspicious IP address (indicating phishing and the fact that the bad actors already have the user’s password)

or

2. A number of failed logins to an account followed immediately by a successful login (indicating that the account password has been guessed via brute force).

In this article I’m going to focus on hunting down item 2, as item 1 is tougher, and means combing through IP addresses.

So, what we now need to do is take a look at the CSV file the script generated and see if we can find the login pattern we are looking for.

I’m using Excel as my primary investigation tool here as it provides more flexibility than other tools for me.

Firstly, I’m going to insert a table to make querying data easier.

Next, I’m going to filter out my know corporate IP addresses so I am only left with those I don’t recognise. In this case, I’m also going to only focus on a single user. Finally, I’m going to sort the times from newest to oldest.

Now what I’m going to do is hone in on an unfamiliar IP – in this case 110.82.6.244. When I filter the file further I find over 85 entries for that IP as shown above. The interesting things is that these entries happen sequentially on the same day and start at 1:16AM and end at 1:35AM. This confirms that my account has probably been the subject of some sort of automated ‘password spray’ attack. This basically means the bad actors have used an automated process to repeatedly try to login to my account using different passwords.

What passwords are they using? There are huge tables out there with all sorts of passwords people like to use. Where did these tables come from? Typically from systems that have been compromised and had all their login credentials stolen. These stolen credentials are now being re-purposed sand used to attack other accounts. Have a look at Troy Hunt’s site:

Have I been Pwned?

if you haven’t already to get an idea of the sheer volume of credentials there are in the wild.

You’ll note that in this list I don’t have any filter on the Operation column. Why? Because, I’m look for the pattern of repeated logins failures and THEN a successful login indicating that the account password has been guessed.

Luckily, for this attack IP address I don’t see that pattern. So basically, they tried 85 different attempts over a 20 minutes or so and don’t appear to have gained access. Phew.

When I do a lookup on the location of this IP address, I find it is in China.

I can do some more investigation by digging into the user account details in the Azure Active Directory service inside the Azure portal as shown above.

Basically I’ve gone into the Azure portal, selected the Azure Active Directory service then select Users and then the specific user I want to to investigate.

From the items that appear on the left for that specific user I select Sign-ins and then customise the search so that:

Application = Office 365 Exchange

Status = Failure

You then need to select the Apply button to update the query. Once I have done this I now get a list of login failures as you can see above.

If I select an entry in question (i.e. one from the previous results in the CSV file generated by my script) I see the above details.

The details show it is from the same IP address (110.82.6.244) and that client app in question was SMTP, i.e. the login was attempting to do an email account login.

It is also interesting to note that Microsoft blocked the attack by locking the account because it tried to login in too many times. Thus, Microsoft is detecting this common sort of attack and mitigating it based in the IP address and the repeated attempts from a single IP address. Thanks Microsoft.

You can click through the remaining links at the top of the page to get other information.

Unsurprisingly, there is no device info as you can see above.

This screen also gives you the option to download this log information to a CSV directly from the Azure portal for further analysis if you want. Down side is, that it is simply the single user you see here, not across all the users in the tenant.

Now that tenant wide option is available if you return to the top level options for Azure Active Directory, but you’ll need to have a subscription for Azure AD Premium P1 or better.

What I have therefore shown you so far will work with any Office 365 tenant and that is probably a good place to call and end to this particular article. I’ll be doing more around additional investigation options available in both standard and premium offerings soon, but for now I’ll leave you with an article from Microsoft that everyone managing an Office 365 environment should read:

Azure AD and ADFS best practices: defending against password spray attacks

and watch out for more from me around detecting and blunting attacks on Office 365.

YOUR call to action after reading all this should be to go and check your tenant for attacks like this and ensure you are doing everything you can to prevent their possible success.

Data Loss Prevention (DLP) is typically an outbound scanning technology in Office 365 that monitors and prevents sensitive information from leaving the organisation.

Previous, DLP was only part of Exchange Online. It is still possible to configure policies only in Exchange Online as you can see above, in the Exchange Online Admin console.

To do this in PowerShell you’d use the command:

new-dlppolicy

The new of way doing DLP in Office 365 is via the Security and Compliance Center as you see above. The benefits of using this new method is that it is possible to use policies to not only protect Exchange Online but SharePoint and OneDrive for Business from data leakage.

Office 365 DLP has a number of pre-canned policy templates you can use as shown above. It is always best practices to at least start with these since they cover the basics.

You’ll note above that I’m looking to configure a policy based on Australian Financial Data. This in effects scans material looking for SWIFT code, Australia Tax File Number, Australia Bank Account Number and Credit Card as you see in the lower right.

Proceeding with the GUI wizard then asks for the areas in Office 365 to protect. As you can see from the above, these locations include Exchange email, SharePoint sites and OneDrive accounts. You can modify the inclusion and exclusions to all these different areas if you wish.

You then determine what content you are looking for in the policy settings, as well as when to detect.

You can customise these rules if you wish, as shown above.

Finally, you can determine how this policy will operate and whether it is active.

Why is all this important for using PowerShell? The simple answer is, that with many options, knowing what everything does in the web interface is going to help when it comes to implementing via PowerShell.

So, to start the PowerShell configuration process you are going to need to connect to the Office 365 Security and Compliance center using PowerShell. You’ll find scripts to do that at my GitHub repo here:

https://github.com/directorcia/Office365

We don’t want to use the older, Exchange Online only cmdlets like:

new-dlppolicy

we’ll be using the newer Security and Compliance cmdlets like

new-dlpcompliancepolicy

The first thing I need to is create a new DLP policy called ‘Australian Privacy Act’ and do that with the commands:

$params = @{
‘Name’ = ‘Australian Privacy Act’;
‘ExchangeLocation’ =’All’;
‘OneDriveLocation’ = ‘All’;
‘SharePointLocation’ = ‘All’;
‘Mode’ = ‘Enable’
}
new-dlpcompliancepolicy @params

Now, this basically establishes the policy and the location that it applies to in Office 365. There are not any rules yet to check the content.

To do this. you need to create a variable that holds the sensitive data types you want to check. Yo can do that with the following:

$senstiveinfo = @(@{Name =”Australia Driver’s License Number”; minCount = “1”},@{Name =”Australia Passport Number”;minCount=”1″})

You’ll find information about the specific sensitive data types for you region here:

https://docs.microsoft.com/en-us/exchange/policy-and-compliance/data-loss-prevention/sensitive-information-types?view=exchserver-2019

With all that in place, the rule can be added to the existing policy using the following:

$Rulevalue = @{
‘Name’ = ‘Low volume of content detected Australia Privacy Act’;
‘Comment’ = “Helps detect the presence of information commonly considered to be subject to the privacy act in Australia, like driver’s license and passport number.”;
‘Policy’ = ‘Australian Privacy Act’;
‘ContentContainsSensitiveInformation’=$senstiveinfo;
‘BlockAccess’ = $true;
‘AccessScope’=’NotInOrganization’;
‘BlockAccessScope’=’All’;
‘Disabled’=$false;
‘GenerateAlert’=’SiteAdmin’;
‘GenerateIncidentReport’=’SiteAdmin’;
‘IncidentReportContent’=’All’;
‘NotifyAllowOverride’=’FalsePositive,WithJustification’;
‘NotifyUser’=’Owner’,’SiteAdmin’,’LastModifer’
}

New-dlpcompliancerule @rulevalue

You should recognise many of these settings from what is in the web interface. Don’t forget that DLP takes a while to crawl through all the different content areas you have selected and be applied.

If all of that executes successfully, then you should see a new DLP policy in the web interface as shown above.

If you have an Office 365 or Microsoft 365 licenses that includes DLP, you should use the pre-existing templates that Microsoft provides you for you region and create a new policy for each.

You can, of course, customise these easily by changing the PowerShell parameters or creating your own rules to suit. The great thing is, once you have worked all of this out you now a configuration you can apply to every tenant quickly and easily.

That is the power of automation thanks to PowerShell!

The question of whether you need to backup data (emails and files) stored in Office 365 is one of the most common questions I see. The best answer is that you need to have as many backups of your own data as you feel comfortable with. That comfort level will vary with each person and business, but in general, more is better.

Let’s start by defining what most people consider to be “traditional” backup. A “backup”, for this definition, is a full copy of your data at a point in time that allows you to easily do a single item restore (such as a single email or file) if required, to the original or alternate location, that is retained for an extended (greater than 30 days) period of time. If this is the type of backup you wish to have then you should look at using a third party tool to supplement the way Office 365 retains your data.

Microsoft is indeed able to restore your data if required but how they do is very different from what people may appreciate. Microsoft also does not publicly publish the specific process by which it backups up information in its data centers, however it certainly does backup your data as shown here:

Which can be found at – https://products.office.com/en-au/business/office-365-trust-center-top-10-trust-tenets-cloud-security-and-privacy

Also in “Protecting Privacy and Data” – http://download.microsoft.com/download/2/0/A/20A1529E-65CB-4266-8651-1B57B0E42DAA/Protecting-Data-and-Privacy-in-the-Cloud.pdf (page 3) you will find the following statement about Microsoft Online Services:

“Additionally, each service has established a set of standards for storing and backing up data, and securely deleting data upon request from the customer.”

Office 365 is also certified to many industry standards which you can read about here:

https://products.office.com/en-au/business/office-365-trust-center-compliance-certifications

These contain standards around maintaining data within its services. With all this, you should then feel completely at ease with the fact that Microsoft is indeed protecting your data in many different ways, to industry leading standards or better, one of which is the process of backup. It is important to however understand how the common initial “traditional” definition of backup highlighted above may be different within Office 365.

If needed, Microsoft are not going to restore a single item, such as one email message back into a mailbox. They will however restore a full mailbox for you back to a point in time. Also, they will not be able to restore a whole mailbox from say 12 months ago because, as you can appreciate, the amount of data storage required to provide this across all mailboxes in Office 365 would be enormous. Thus, if you have a need to have Microsoft restore a whole mailbox, you’ll need to typically request that as soon after the event as possible and do so by logging a support ticket with Microsoft.

Likewise with SharePoint. Microsoft won’t generally restore a single file into a document library, they will restore the whole site collection or OneDrive for Business back to a point in time provided it is within a recent time window. To do this, you’ll need to once again raise a service ticket with Microsoft.

Another point to remember with restores completed by Microsoft, for mailboxes and SharePoint sites, is that the restore will be over what is already in place. That is, restored data will be to the original location. Restored data from Microsoft cannot be recovered into an alternate location for comparison.This means that this will erase any current information in that location and replace it with everything from the restore. Thus, the data will be rolled back to that moment in time for a whole mailbox or site collection.

Thus, if you are looking for single item recovery of deleted items like files and email messages and/or items that are beyond the default Office 365 retention periods (for example from 12 months ago), then you need to consider a third party backup tool that you purchase, configure, manage and maintain yourself. Also, if you are looking to restore a whole mailbox, SharePoint site collection or OneDrive for Business without logging a support ticket with Microsoft, then you need to consider a third party tool. Also, if you wish to control where the destination of the backed up data is, you will again need to consider a third party solution. Finally, if you want granular control over the schedule of when backups actually take place, then you need to look at a third party backup solution.

Office 365 typically maintains data using a retention process. This means that Office 365 will make sure the data is made available but it does not generally keep a copy of that data forever. In essence, old deleted data will be aged out and eventually purged from the service after a period of time. That period of time varies by service as well as the license assigned to that data. There are however features that are part of the more advanced licenses and available as add ins, such as Litigation Hold that can be used to retain data indefinitely. The important difference here is “traditional” backup versus retention. For an overview of Office 365 retention policies see:

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies

The important thing people need to understand is what protection does Office 365 provide them out of the box and do they need to supplement that? Take OneDrive for Business and SharePoint for example. Every time you update a file in either of these two services a previous copy of the file is kept. This allows the user to easily roll back to a previous version of that file if needed. By default, and this can be changed, Office 365 will retain 500 copies of previous version of a file. Once it reaches that limit it will commence over writing the oldest version.

Having version history in SharePoint and OneDrive for Business means that you can “recover” older items quickly and easily. You can also recover a whole OneDrive for Business quickly and easily using this recent feature:

https://support.office.com/en-us/article/restore-deleted-files-or-folders-in-onedrive-949ada80-0026-4db3-a953-c99083e6a84f

That same feature will soon be available for SharePoint document libraries.

Next, let’s take a look a what happens when you delete a file in OneDrive for Business or SharePoint online. Once a file is deleted it goes to the user’s recycle bin where it can be recovered if needed. If it is removed from the user recycle bin it goes to an administrator recycle bin. The total time that a file is retained across these recycle bins is 93 days. After that the file is purged from the system. I have outlined this process in depth in this article:

https://blog.ciaops.com/2018/03/using-retention-policies-in-office-365.html

What about deleted emails? An email that is deleted from the inbox is sent to the deleted items folder for that mailbox and retained there indefinitely. If it is removed from the deleted items folder it can be recovered for up to 14 days by default, which can be extended to 30 days via PowerShell. After that the email is purged from the system. I have detailed how to extend the default period to 30 days using PowerShell here:

https://blog.ciaops.com/2018/03/extending-exchange-online-deleted-items.html

Now the time that both of these processes retain for can be extended. In the case of OneDrive for Business and SharePoint you can use labels and retention policies to effectively maintain that data forever. With emails you can add the Litigation Hold feature to achieve basically the same effect. Thus, with either some additional configuration or additional license, Office 365 can retain data for a very long time. However, you need to appreciate that this is retention not backup as we defined it earlier.

What’s the difference between retained and backed up data in this context? If you enable extended retention policies for file data in SharePoint Online and OneDrive for Business beyond the default period, the information is kept in something called a Preservation Library. The challenge with this is there is only one Preservation Library per site. This means all the retained data is lumped into this one location. That can make finding a single file to restore a challenge. Preservation Libraries are also generally only available to administrators not end users.

In the case of deleted emails an administrator would need to use a tool like eDiscovery search to recover the deleted items. The items will certain be available but the structure they resided in would not be. Thus, if you deleted a file from your inbox that was stored a number of sub folders below the inbox, those folders would not typically be recovered using this eDiscovery process typically.

As you can see, there is a difference between what many people consider backup and the way that Office 365 retains data and how it can be accessed. In many cases it can be as good as a backup, however if your requirement for backup is what was defined initially, then implementing a third party tool is probably recommended. The downside to implementing a third party tool is that you need to pay, configure and maintain this. This means the additional cost of this needs to be weighed up against how often it will actually be required and what situations it provides protection above and beyond what Office 365 does. That is a decision that each business needs to make for themselves. This is a risk management decision.

In all of this you’ll also need to consider that Office 365 is fast becoming more than simply emails and files. It is Teams with chat, it is Yammer with discussions, it is Sway with presentations, Planner with tasks, and so on. No third party tools I know of will in fact backup these Office 365 services in any way. As the use of these additional services continues to grow, this means that you are going to have to rely on the processes that Microsoft has in its back end to potentially recover your data if required. At this point in time, there is no other option.

Of course, some features like Litigation Hold require a more advanced license, like Exchange Online Plan 2 but generally you don’t just get the one feature with these advanced licenses, you get a range of additional features. Thus, if you want Litigation Hold and upgrade a mailbox to Exchange Online plan 2 not only do you get Litigation Hold but you also get unlimited archiving as part of that upgraded license. Compare this for paying for a third party backup solution which generally only gives you the option to backup data and doesn’t provide much in the way of end user functionality. Also, chances are that you will rarely need that backup however the added features of advanced license can improve productivity for your end user every day.

In a perfect world, yes, you would add additional backup capabilities to Office 365 because more backups are better. However, we live in a world where compromises need to be made for different business reasons. We need to make decisions based on business risk. Thus, you need to balance risk with the offset mitigation cost and return on investment. Personally, if I had to choose between having a third party backup solution or upgrading an existing Office 365 license to include more functionality, I’d fall into the camp of providing users with additional day to day functionality. This is because I understand what Office 365 does. I understand how to get the maximum retention and recovery from what is provided out of the box and by adding advanced licenses to Office 365 and I am happy with that. I don’t believe adding third party backup software provides more value than what Office 365 can provide. Yes, I understand there maybe circumstances that may not be optimal but given how likely that circumstance may be, I believe that choice to be circumspect.

In summary then, yes, Office 365 does backup your data. However, the way that backup takes place and how it can be used to recover information is probably different many people’s “traditional” concept of backup. It is therefore important to understand:

1. What Office 365 provides out of the box
2. What additional configurations can be made to Office 365 to improve that
3. What Office 365 services can be added to improve or enhance what is provide by default

I’ve previously covered off how to create a new Protection Alert in Office 365 using the web interface:

Setting an alert for file download in Office 365

I’d also tried doing this via PowerShell but ran into some issues:

I’m puzzled by new-protcetionalert

Luckily, after some chasing down, I have learned that I overlooked an important option in my scripting. It seems the option:

-aggregationtype none

needs to be included. This tells the script to only create a single alert at a time. Thus to create a Protection Alert that will tell you of malware in a file in OneDrive for Business or SharePoint you need to run:

New-protectionalert -category $category -name “Detected malware in files” -ThreatType activity –NotifyUser “user@domain.com” -Operation filemalwaredetected -AggregationType none -Severity High

You’ll first need to connect to the Security and Compliance center with PowerShell before you can run this command.

If you then at the Alert Policies you should see the above.

Interestingly, when you look at the activity that will trigger the alert you see the above, which doesn’t provide you any indication of what the activity for the alert actually is. You will also notice that I can’t edit the activity or much else on the alert once it has been created via PowerShell.

However, I do know that setting Protection alerts via PowerShell does work so I’m happy that I can do bulk add alerts via a script. I just that one option.

Recently I wrote an article about setting an alert for file download in Office 365. This is just one of many alert conditions you can configure in Office 365 here:

Here is a list of all the conditions you can set and more details on each.

Common user activities
     – User submitted email = User reported a problem with mail filtering. This can include false positives, missed spam, or missed phishing email messages.
     – Detected malware in files = Office 365 detected malware in either a SharePoint or OneDrive file.
     – Shared file or folder = User shared or granted access to a file or folder.
     – Create mail forward/redirect rule = User created an inbox rule to forward or redirect mails.
     – Any file or folder activity = User performed any file or folder activity.
     – Change file or folder = User deleted, modified or renamed a file or folder.
     – Shared file externally = User shared, granted access of a file or folder to an external user, or created an anonymous link for it.
     – Granted Exchange admin permission = User granted admin permission to same or another user.
     – Granted mailbox permission = User granted permission for same or another user to access a target mailbox.
     – External user file activity = An external user accessed, modified, deleted, modified or checked in a file.
     – DLP policy match = A data loss prevention policy match is detected.
    
File and folder activities
     – Accessed files = User or system account accesses a file
     – Checked in file = User checks in a document that they checked out from a document library
     – Checked out file = User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them
     – Copied file = User copies a document from a site. The copied file can be saved to another folder on the site.
     – Deleted file = User deletes a document from a site.
     – Discarded file checkout = User discards (or undos) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
     – Downloaded files = User downloads a document from a site.
     – Modified file = User downloads a document from a site.
     – Move file = User moves a document from its current location on a site to a new location.
     – Renamed file = User renames a document on a site.
     – Restored file = User restores a document from the recycle bin of a site.
     – Uploaded file = User uploads a document to a folder on a site.
    
File sharing activities
     – Accepted access request = An access request to a site, folder, or document was accepted and the requesting user has been granted access.
     – Accepted sharing invitation = User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
     – Created company shareable link = User created a company-wide link to a resource. company-wide links can only be used by members in your organization. They can’t be used by guests.
     – Create access request = User requests access to a site, folder, or document they don’t have permissions to access.
     – Created anonymous link = User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
     – Created sharing invitation = User shared a resource in SharePoint Online or OneDrive for Business with a user who isn’t in your organization’s directory.
     – Denied access request = An access request to a site, folder, or document was denied.
     – Removed a company shareable link = User removed a company-wide link to a resource. The link can no longer be used to access the resource.
     – Removed anonymous link = User removed an anonymous link to a resource. The link can no longer be used to access the resource.
     – Shared file, folder or site = User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization’s directory. The value in the Detailcolumn for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource.
     – Updated an anonymous link = User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
     – Used an anonymous link = An anonymous user accessed a resource by using an anonymous link. The user’s identity might be unknown, but you can get other details such as the user’s IP address.

Synchronization events
     – Allowed computer to sync files = User successfully establishes a sync relationship with a site. The sync relationship is successful because the user’s computer is a member of a domain that’s been added to the list of domains (called the safe recipients list) that can access document libraries in your organization.
     – Block computer from syncing files = User tries to establish a sync relationship with a site from a computer that isn’t a member of your organization’s domain or is a member of a domain that hasn’t been added to the list of domains (called the safe recipients list)that can access document libraries in your organization. The sync relationship is not allowed, and the user’s computer is blocked from syncing, downloading, or uploading files on a document library.
     – Downloaded files to computer = User establishes a sync relationship and successfully downloads files for the first time to their computer from a document library.
     – Downloaded file changes to computer = User successfully downloads any changes to files from a document library. This activity indicates that any changes that were made to files in the document library were downloaded to the user’s computer. Only changes were downloaded because the document library was previously downloaded by the user (as indicated by the Downloaded files to computer activity).
     – Uploaded files to a document library = User establishes a sync relationship and successfully uploads files for the first time from their computer to a document library.
     – Uploaded file changes to document library = User successfully uploads changes to files on a document library. This event indicates that any changes made to the local version of a file from a document library are successfully uploaded to the document library. Only changes are unloaded because those files were previously uploaded by the user (as indicated by the Uploaded files to document library activity).

Site administration activities
     – Added exempt user agent = Global administrator adds a user agent to the list of exempt user agents in the SharePoint admin center.
     – Added site collection admin = Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites.
     – Added user or group to SharePoint group = User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event.
     – Allowed user to create groups = Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.
     – Change exempt user agents = Global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you’ve specified as exempt encounters an InfoPath form, the form will be returned as an XML file, instead of an entire web page. This makes indexing InfoPath forms faster.
     – Changed sharing policy = An administrator changed a SharePoint sharing policy by using the Office 365 Admin center, SharePoint admin center, or SharePoint Online Management Shell. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperty field property when you export the search results.
     – Created group = Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user’s OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
     – Created send to connection = Global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
     – Created site collection = Global administrator creates a new site collection in your SharePoint Online organization.
     – Deleted group = User deletes a group from a site.
     – Deleted sent to connection = Global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
     – Enabled document preview = Site administrator enables document preview for a site.
     – Enabled legacy workflow = Site administrator or owner adds the SharePoint 2013 Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
     – Enabled Office on Demand = Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires an Office 365 subscription that includes full, installed Office applications.
     – Enabled RSS feeds = Site administrator or owner enables RSS feeds for a site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
     – Enabled result source for People Searches = Site administrator creates or changes the result source for People Searches for a site.
     – Modified site permissions = Site administrator or owner (or system account) changes the permission level that are assigned to a group on a site. This activity is also logged if all permissions are removed from a group.
     – Removed user or group from SharePoint group = User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event.
     – Renamed site = Site administrator or owner renames a site
     – Requested site admin permissions = User requests to be added as a site collection administrator for a site collection. Site collection administrators have full control permissions for the site collection and all subsites.
     – Set host site = Global administrator changes the designated site to host personal or OneDrive for Business sites.
     – Updated group = Site administrator or owner changes the settings of a group for a site. This can include changing the group’s name, who can view or edit the group membership, and how membership requests are handled.