We're coming across more and more instances of Office 365 accounts with suspicious activity. Unfortunately the logging defaults in Office 365 are unsatisfactory and a little additional configuration is required to improve the effectiveness of the logging, especially with regard to user activity. This article is intended to provide some quick recommendations which will improve the usefulness of the information stored in the Office 365 and Exchange Online audit logs and record a couple of observations along the way.

Office 365 and its Azure AD and Exchange Online brethren are moving targets. This article was put together using a Small Business Suite Office 365 Business Premium subscription in November 2018. Things will probably change; you have been warned.

The Office 365 and Exchange Online audit logs are of greatest interest when investigating user activity. Despite this, the Office 365 Audit Log is not enabled out of the box, and the free edition of Azure AD that backs the Office 365 instance does not provide access to sign-in event information. The Exchange Online Admin Audit Log is enabled by default, however no user mailbox activity events are recorded. Microsoft has stated an intention to enable the Office 365 Audit Log by default in future but currently additional configuration is required to ensure useful information is being recorded. This additional logging needs to be enabled well before you have a security incident!

What you get by default

Azure AD Risk Events - While the Azure AD Free instance does not provide access to the complete set of sign-in data, it will flag what it considers to be high risk sign-in events. The details of these sign-ins are limited to the user's name, the originating IP address, the country to which that IP is registered, the time of the sign-in and whether the session is currently active.

Exchange Online Admin Audit Log - The Exchange Online admin audit log records events out of the box, however the events recorded largely concern actions taken by Exchange administrators. Some information regarding user actions can be inferred from these events but it is far from a complete picture.

The Office 365 audit log is disabled by default and must be manually enabled. This is a straightforward click of a button and can be done via the Office 365 Security & Compliance Center.

Be warned however - it can take up to 24 hours to fully activate and start recording events.

Any events occurring prior to the audit log being enabled will not be recorded and events generated while the audit log is being prepared are unlikely to be recorded.

The Office 365 Alert Policies require the audit log to be enabled in order to function.
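The same setting can be checked and switched on from Exchange Online PowerShell, which also gives a way to confirm that events have started arriving once the activation delay has passed. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account is allowed to change the audit configuration.

```powershell
# Added example (not from the original article).
# Assumes: ExchangeOnlineManagement module installed, admin account with
# permission to read and change the tenant audit configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is the Office 365 (unified) audit log switched on for this tenant?
$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Office 365 audit log: enabled.'
}
else {
    Write-Warning 'Office 365 audit log: DISABLED. Enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Enabled. Allow up to 24 hours before events are recorded.'
    Write-Host 'Activity before this point will not appear in the log.'
}

# 2. Are events actually arriving? Look at the last 24 hours.
$end   = Get-Date
$start = $end.AddDays(-1)
try {
    $events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                  -ResultSize 1000 -ErrorAction Stop
}
catch {
    Write-Warning "Audit log search failed: $($_.Exception.Message)"
    $events = @()
}

if ($events) {
    # Summarise by record type so gaps in coverage are easy to spot.
    $events | Group-Object RecordType |
        Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize
    $newest = ($events | Sort-Object CreationDate -Descending)[0]
    Write-Host "Most recent event: $($newest.CreationDate) UTC"
}
else {
    Write-Warning 'No audit events in the last 24 hours. The log may still'
    Write-Warning 'be activating; alert policies will not fire until it is.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it again a day after enabling the log: an empty result at that point means the log is still not recording and the tenant has no usable audit trail yet.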