Office 365 Audit Log Haystack: Where the Heck is that Needle?

The Pain of Failing to Log and Audit

How many user events does an Office 365 shop create? Some 5.4 million – each and every month. That is for the average shop. Larger enterprises take mere days to reach this many data points.

This poses an equally massive security problem — these data points do not exist for long, and far too few are ever used for protection or forensics.

Did you know it takes more than 4 months on average to detect a data breach? At the same time, active hackers reside on the network for a median of 146 days before being detected, all the while digging deeper and deeper into your data and quietly wreaking havoc.

This is exactly why CoreView provides one year of audit data collection, which can be extended for as long as the customer wants, whereas Microsoft has historically offered logs for only the last 30 days; that is being increased to a year, but only for E5 licenses. However, ask yourself:

  • Why do you need to collect these data logs?
  • How does this impact regulatory compliance?
  • What happens if you do not save and mine that audit data?
  • What is the business impact?

Turning O365 Audit Logs into Security Gold

Before you can even think about leveraging Office 365 audits, you FIRST have to turn on logging to make sure you can detect what happened. And of course, you need to save log data far longer than Microsoft keeps the data, which is just 30 days for Azure AD sign-in events.

Are you logging all the events? Even once logging is set up, not every event type is tracked by default, so each workload's auditing has to be checked and switched on explicitly.
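The checks described above (is ingestion on, is mailbox auditing on, which mailboxes are still unaudited) and the export of sign-in events before Microsoft's retention window expires, as an added PowerShell example that is not CoreView's code. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role permitted to read the audit log and change audit configuration; the session id and output file name are constructed for this example.

```powershell
# Added example (not CoreView's code): verify and enable Office 365 auditing,
# then pull the most recent Azure AD sign-in records out of the unified audit
# log before the 30-day retention window expires.
# Assumes: ExchangeOnlineManagement module installed, account has audit rights.

Connect-ExchangeOnline -ShowBanner:$false

# 1. Is the unified audit log ingesting events at all?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Is mailbox auditing enabled tenant-wide? (AuditDisabled = $true means off.)
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Find mailboxes that still have per-mailbox auditing switched off and fix them.
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled }
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# 4. Export the last 30 days of Azure AD sign-in events to CSV for long-term
#    retention, paging through the result set 5,000 records at a time
#    (the per-call maximum of Search-UnifiedAuditLog).
$end       = Get-Date
$start     = $end.AddDays(-30)
$sessionId = "signin-export-" + $end.ToString("yyyyMMddHHmmss")   # constructed
$all       = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType AzureActiveDirectoryStsLogon `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $all += $batch }
} while ($batch -and @($batch).Count -eq 5000)

# AuditData is a JSON blob per record; keep it intact so it can be parsed later.
$outFile = ".\aad-signins-$($end.ToString('yyyyMMdd')).csv"   # constructed path
$all | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path $outFile -NoTypeInformation

Write-Host ("Exported {0} sign-in records to {1}; enabled auditing on {2} mailboxes." -f `
    $all.Count, $outFile, @($unaudited).Count)
```

Run this on a schedule shorter than the retention window and keep the CSV files somewhere outside the tenant; step 4 is what turns a 30-day window into a retained history, and steps 1 to 3 are what make sure the window contains the events you will need.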

This audit log retention and deep, actionable analysis functionality puts CoreView in the same camp as Splunk and Azure Sentinel. CoreView is a better solution than Splunk because no logging and auditing infrastructure is required, data collection takes minutes, we are much faster, the data never leaves the Microsoft platform, and we are not subject to throttling. Plus, customers can perform administrative actions right from the reports. CoreView beats Azure Sentinel because of our O365 expertise and pre-configured playbooks, workflows, and reports – saving months of development time.

Meaningful, Actionable Logs in Seconds

With CoreView, IT can produce an audit log in seconds for every administrative action taken in Office 365 since the platform was initiated. This is not the case with the native O365 Admin Center. Ask yourself, if a bank teller has a transaction log of every deposit and withdrawal, why don’t you have this for O365?

Real-time monitoring and alerts for security compliance issues are the engine that drives much of the data that forms the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their Office 365 environment.

One enterprise organization based in the northeastern US reported that CoreView saved their IT team over 1,000 hours last year when researching and analyzing security-related incidents.

The Power of Proper Auditing

Auditing, as experts point out, is critical. CoreView saves Office 365 audit logs for a minimum of one year, and does so securely. CoreView data collection and administrative actions are proxied via our customer’s service account, which is securely stored in Azure Key Vault Service. CoreView Operators sign in with their Azure AD credentials, including MFA, and need no administrative access to the O365 Admin Center at all. We also have action-enabled reports, which show the exact administrative access and whether the admin has MFA – and alert on this configuration as well!

CoreView enables not just mailbox auditing in Exchange Online, but auditing for all the major O365 workloads, including Azure AD, Power BI, SharePoint, OneDrive, etc. With CoreView, data retention is one year by default for all workloads.

KnockKnock Still Rapping at the Door

The KnockKnock and ShurL0ckr attacks that focus on Office 365 have been active since May 2017 and are still running, spinning off new variants all the time. Finding the audit trail to identify these types of attacks is extremely difficult and requires assistance from specialized tools with powerful security auditing and analysis capabilities. That’s where the CoreView solution comes in handy. Our customers have reported that they are saving more than 50 hours per incident investigation by leveraging the built-in analysis tools in CoreView.

Finding security issues that occur within the Office 365 environment quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of Office 365 log file sources, it’s difficult to correlate relevant data and make sense of it. CoreView provides an intelligent, crystal ball view by aggregating data from all different Office 365 logs to help IT admins locate the corresponding security events and connect the dots to see if valuable information was included, when the incident occurred, and who was involved. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make a world of difference, especially when it was an event that happened months ago.

CoreView stores all log file information for at least one year and can store data longer if a customer requires more historic information to perform security audits. This empowers IT admins to perform the detailed background research needed to know when the actual security issue first began and where it originated. It helps close the loop on the security audit and finalize the incident report with the information needed to document the root cause of a security breach or data loss incident. Learn more in our Office 365 Security Monitoring blog.

Protect Your O365 Tenant With CoreView

Get your O365 security profile FREE with our new CoreDiscovery solution. You can get your free software now at the CoreDiscovery sign up page: https://www.coreview.com/core-discovery-sign-up/.

Or sign up for a personalized CoreView demo.


Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.