Why is Monitoring Activity and Auditing our Systems Important?
Office 365 Activity Monitoring and Reporting
- Office 365 Activity Report (built into the Office 365 experience)
- Comprehensive Event Logging
- Search PowerShell Cmdlet
- Management Activity API (in preview)
1. Office 365 Activity Report
- Logging into your Office 365 tenant
- Navigating to Admin in the App Launcher > Compliance Center > Reports > Office 365
- Actor - The user that performed the action; can be a service principal
- ClientIP - The IP address of the device that was used when the activity was logged. The IP address can be either IPv4 or IPv6.
- EventSource – Identifies that an event occurred in SharePoint, OneDrive for Business or the ObjectModel.
- LogonType – Applies to Exchange only; this is the type of user who accessed an Exchange mailbox: mailbox owner, administrator, delegate, the Exchange Transport Service, a service account or a delegated administrator.
- Subject – Applies to Exchange only; this is the subject line of the message that was accessed.
- UserSharedWith – The user that a resource was shared with.
- UserType - The type of user that performed the operation: a regular user, an administrator in your Office 365 tenant or a Microsoft data center administrator.
You can see documentation on the full list of properties here:
- Exchange admin events
- Exchange mailbox events
- File and folder events (SharePoint and OneDrive for Business)
- Invitation and access request events (SharePoint and OneDrive for Business)
- Sharing events (SharePoint and OneDrive for Business)
- Site administration events (SharePoint and OneDrive for Business)
- Synchronization events (SharePoint and OneDrive for Business)
- Azure Active Directory events (Admin Activity and User Login)
You can view documentation on the full list of events here:
3. Search PowerShell Cmdlet
- Getting Started - https://msdn.microsoft.com/EN-US/library/office/dn707383.aspx
- Management Activity API Reference – https://msdn.microsoft.com/library/office/mt227394.aspx
- Registering for the Limited Preview Program - http://dev.office.com/programs/managementactivityapideveloperpreviewprogram
- This API is currently in limited preview. During the preview anyone can use the API, but only those registered with Microsoft will be able to actually retrieve data from Office 365.
- Actions and events are stored in content blobs in a database, and they are gathered across multiple servers and datacenters. As a result of this distributed collection process, the actions and events contained in the content blobs will not necessarily appear in the order in which they occurred. One content blob could contain actions and events that occurred prior to the actions and events contained in an earlier content blob.
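Because a later content blob can contain earlier events, a consumer that only tracks "the newest timestamp seen so far" will skip or misorder activity. The following is an added example, not code from the original post or from Microsoft: a small reorder buffer that de-duplicates records, holds them for a configurable lag, and flags stragglers that arrive after their time window was already released. It assumes each record carries `Id` and `CreationTime` fields (not listed on this page); the class name, the lag values and the sample records are constructed for illustration.

```python
import heapq
from datetime import datetime, timedelta

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")

class ReorderBuffer:
    """Release audit records in CreationTime order despite out-of-order blobs."""
    def __init__(self, lag):
        self.lag = lag                # how long to wait for stragglers
        self.heap = []                # (time, Id, record), earliest first
        self.seen_ids = set()         # drop records delivered more than once
        self.newest = None            # latest CreationTime seen so far
        self.released_up_to = None    # CreationTime of last record released

    def add_blob(self, records):
        """Return (ready, late): ordered records, and records too old to order."""
        late = []
        for rec in records:
            if rec["Id"] in self.seen_ids:
                continue
            self.seen_ids.add(rec["Id"])
            when = parse_time(rec["CreationTime"])
            if self.released_up_to is not None and when <= self.released_up_to:
                late.append(rec)      # at or before output already released
                continue
            heapq.heappush(self.heap, (when, rec["Id"], rec))
            if self.newest is None or when > self.newest:
                self.newest = when
        ready = []
        while self.heap and self.heap[0][0] <= self.newest - self.lag:
            when, _, rec = heapq.heappop(self.heap)
            ready.append(rec)
            self.released_up_to = when
        return ready, late

    def flush(self):
        """Release everything still held, in order (end of a collection run)."""
        out = [heapq.heappop(self.heap)[2] for _ in range(len(self.heap))]
        if out:
            self.released_up_to = parse_time(out[-1]["CreationTime"])
        return out

# Constructed sample blobs (not real tenant data); blob_2 arrives after blob_1.
def _rec(rec_id, hhmm):
    return {"Id": rec_id, "CreationTime": "2016-01-05T%s:00" % hhmm}
blob_1 = [_rec("a1", "10:00"), _rec("a2", "10:05"), _rec("a3", "10:30")]
blob_2 = [_rec("b1", "10:02"), _rec("b2", "10:20"), _rec("a2", "10:05")]
```

Records returned in `late` should still be processed by detection rules, just outside the ordered stream; a longer lag trades alert latency for fewer stragglers.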