Thanks to everyone that attended my webinar last week on Securing Office 365 with Activity Monitoring. We had a great turn out and the slides presented can be found here:
Securing information systems is a very broad topic. Monitoring and auditing these systems, and in particular the activities of users, is just one important aspect of securing our corporate IT environments.
In July of this year, Microsoft announced some new capabilities around this within Office 365 – these are new Activity Monitoring and Reporting features. These capabilities are designed to help organizations that are continually facing challenges with security, privacy and compliance. In running and supporting the Office 365 service themselves, Microsoft has found that they're capturing large amounts of data on which activities end users and administrators are performing. They typically refer to this data as telemetry, and they've built great mechanisms into Office 365 to allow them to efficiently capture (and now share) this telemetry data.
These new capabilities provide greater visibility for administrators, and ultimately compliance and risk officers, into the actions taken by users on corporate content. They also allow us to apply greater access control over data, and if needed, they give us the capability to now investigate (at a very detailed level) user actions that might be against corporate or regulatory policies.
Why is Monitoring Activity and Auditing our Systems Important?
Monitoring user activity and auditing our information systems is important for many reasons.
Regulatory Compliance
Regulatory compliance requirements are one key driver. For example, many financial institutions often deal with MNPI, or Material Non-Public Information. Generally, this is information that’s not distributed to the public that an investor would likely consider important in making an investment decision. Many institutions must put up Compliance walls to ensure that specific aspects of the business don’t communicate with each other - this helps to avoid conflicts of interest and helps to ensure that they don’t inappropriately exchange MNPI.
In particular, this is required in institutions which have both a corporate-advisory unit and a brokering unit, in order to separate those people giving corporate advice on takeovers from those advising clients about buying shares. The wall is thrown up to prevent leaks of internal corporate information, which could influence the advice given to clients making investments.
Detailed monitoring and auditing of user activity gives us a detailed view into which users are accessing sensitive content, along with who they’re sharing it with, and it provides assurance that our regulatory compliance obligations in these business scenarios are being met.
Investigating Data Breaches
We've heard a lot about data breaches in recent years. Data breaches can be small or they can be very large. They can be malicious or they can be accidental. As well, data breaches can be caused by external actors like cyber criminals, or by insiders like system administrators or employees with broad levels of access. Generally, we tend to see data breaches caused more often by external actors, but we see data breaches by insiders involve larger quantities of data or more significant data. When data breaches do occur, it’s important for organizations to investigate and find the root cause so that they can both measure the scale of a breach (i.e. how much data was leaked) and put in place measures to prevent these breaches in the future.
When data breaches occur as a result of an insider threat, monitoring user activity at a detailed level allows us to perform investigations and root cause analysis to determine exactly who accessed data, when was it accessed and which actions were taken on that data - like who it was shared with.
Audit Access to Sensitive Information
In many organizations it’s important to audit the current access controls in place for sensitive content. This is sometimes referred to as re-certifying permissions, or getting data owners to review and sign off that permissions are accurately set for data that they are responsible for. In large organizations with large, diverse information systems it can be really difficult to identify who is responsible for different data repositories.
Monitoring user activity at a detailed level allows us to gain insight into who is accessing data on a regular basis, along with the level of access that they have. This can greatly help us in identifying data owners to ultimately review and re-certify permissions.
Office 365 Activity Monitoring and Reporting
The new activity monitoring and reporting capabilities include:
- Office 365 Activity Report (built into the Office 365 experience)
- Comprehensive Event Logging
- Search PowerShell Cmdlet
- Management Activity API (in preview)
1. Office 365 Activity Report
You can access and run the Activity Report by:
- Logging into your Office 365 tenant
- Navigating to Admin in the App Launcher > Compliance Center > Reports > Office 365
[Activity Report Screen Shot]
You can use the Office 365 activity report to view detailed user and administrator activity in your tenant. It contains data across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory. You can use this report to search and investigate user activities by searching for a user, a file or folder, or even a site. You can filter based on a date range or type of activity. And within the report window you can view details of each activity in the Details Pane. The report is available to run on demand as needed.
When you find what you're looking for, you can either review activities and details right within this window or you can download the list of activities to a CSV file.
With each event captured there are up to 37 different properties logged. Not all properties apply to all Office 365 services. Some only apply to SharePoint Online and OneDrive for Business, whereas others only apply to Exchange. The list of properties captured is shown here, with my favorites highlighted in red – my favorites are data like:
- Actor - The user that performed the action; can be a service principal
- ClientIP - The IP address of the device that was used when the activity was logged. The IP address can be either IPv4 or IPv6.
- EventSource – Identifies that an event occurred in SharePoint, OneDrive for Business or the ObjectModel.
- LogonType – Applies to Exchange only; this is the type of user who accessed an Exchange mailbox: mailbox owner, administrator, delegate, the Exchange Transport Service, a service account or a delegated administrator.
- Subject – Applies to Exchange only; this is the subject line of the message that was accessed.
- UserSharedWith – The user that a resource was shared with.
- UserType - The type of user that performed the operation: a regular user, an administrator in your Office 365 tenant or a Microsoft data center administrator.
You can see documentation on the full list of properties here:
2. Comprehensive Event Logging
In order to enable the Activity Report and make it really useful, events related to user and administrator activities are logged as users work across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory.
Currently there are over 150 events that are logged, and these are divided into 9 categories:
- Exchange admin events
- Exchange mailbox events
- File and folder events (SharePoint and OneDrive for Business)
- Invitation and access request events (SharePoint and OneDrive for Business)
- Sharing events (SharePoint and OneDrive for Business)
- Site administration events (SharePoint and OneDrive for Business)
- Synchronization events (SharePoint and OneDrive for Business)
- Azure Active Directory events (Admin Activity and User Login)
You can view documentation on the full list of events here:
The events logged are diverse and very comprehensive, with Microsoft continually working to log more events. When it comes to investigating data leaks, this gives administrators very detailed investigation capabilities to determine how leaks occur and how to prevent them.
3. Search PowerShell Cmdlet
You can also search for events in the activity logs that we’ve been looking at using PowerShell. This is a new PowerShell cmdlet to search all the event logs based on date range, the user who performed an action, the type of action, or the target object.
Examples of using this cmdlet are:
Search-UnifiedAuditLog -StartDate "September 1, 2015" -EndDate "September 30, 2015"
Search-UnifiedAuditLog -StartDate 9/1/2015 -EndDate 9/30/2015 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx
With this capability we can script our searches of the event logs. We can also have these searches output the results to a file. And ultimately, this can allow us to schedule our reports to occur automatically on a regular basis so that administrators or infosec people can get insight into specific activities either every morning, every week or whenever the business schedule demands.
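As an added example (my own, not part of the original webinar material), here is what a scheduled daily sweep built on Search-UnifiedAuditLog can look like. It pages through the previous day's SharePoint and OneDrive sharing events, expands the AuditData JSON that each record carries, and writes only the shares that went to someone outside the tenant's own domains to a CSV for review. It assumes a remote PowerShell session to Exchange Online in which Search-UnifiedAuditLog is available; the domain list, output path and session name are assumptions for the example, and the recipient field is read from both TargetUserOrGroupName and UserSharedWith because the property name has differed between the report and the JSON schema.

```powershell
# Added example (not from the original post): daily sweep of the unified audit log for
# SharePoint/OneDrive sharing events that target users outside the tenant.
# Assumes Search-UnifiedAuditLog is available in the current session (Exchange Online remote PowerShell).

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')            # assumption: your tenant's domains
$OutFile         = "C:\AuditReports\ExternalSharing-$(Get-Date -Format 'yyyyMMdd').csv"   # assumption

$end       = Get-Date
$start     = $end.AddDays(-1)
$sessionId = "ExternalSharingSweep-$($end.ToString('yyyyMMddHHmmss'))"    # any unique string per run

# Page through the result set; ReturnNextPreviewPage returns the next page for the same SessionId
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -RecordType SharePointSharingOperation `
                -SessionId $sessionId -SessionCommand ReturnNextPreviewPage -ResultSize 5000
    if ($page) { $events += $page }
} while ($page -and $page.Count -eq 5000)

# Each record's AuditData property is a JSON document holding the per-event fields
# (UserId, ClientIP, Operation, ObjectId, and the sharing target)
$findings = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json

    # Assumption: the share recipient may be exposed under either name; take whichever is present
    $target = $d.TargetUserOrGroupName
    if (-not $target) { $target = $d.UserSharedWith }
    if (-not $target) { continue }

    # Treat anything after the last '@' as the domain; a group name without '@' will not match
    # an internal domain and is therefore kept for a human to look at
    $domain = ($target -split '@')[-1].ToLower()
    if ($InternalDomains -contains $domain) { continue }

    [pscustomobject]@{
        Time       = $d.CreationTime
        Actor      = $d.UserId
        ClientIP   = $d.ClientIP
        Operation  = $d.Operation
        Object     = $d.ObjectId
        SharedWith = $target
    }
}

# Always write the file, even when empty, so a missing report is distinguishable from a quiet day
$findings | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} sharing event(s) scanned, {1} external share(s) written to {2}" -f $events.Count, @($findings).Count, $OutFile)
```

Run it from a Windows scheduled task (or whatever job scheduler you already use) with a service account that holds the View-Only Audit Logs role, and point reviewers at the CSV rather than at the raw log. The check is deliberately conservative: anything whose domain is not in the allow-list, including group names, lands in the report, so the cost of a wrong entry is a few minutes of review rather than a missed external share.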
4. Management Activity API (in limited preview)
The final capability provided with this release is a new Management Activity API, which allows developers to integrate Office 365 activity and event data with either internal tools or with third-party monitoring and reporting solutions.
Full documentation on the Management Activity API can be found here:
- Getting Started - https://msdn.microsoft.com/EN-US/library/office/dn707383.aspx
- Management Activity API Reference – https://msdn.microsoft.com/library/office/mt227394.aspx
- Registering for the Limited Preview Program - http://dev.office.com/programs/managementactivityapideveloperpreviewprogram
There are a couple of important points about the API:
- This API is in limited preview now, and during the preview anyone can use the API, but only those registered with Microsoft will be able to actually retrieve data from Office 365.
- Actions and events are stored in content blobs in a database, and they are gathered across multiple servers and datacenters. As a result of this distributed collection process, the actions and events contained in the content blobs will not necessarily appear in the order in which they occurred. One content blob could contain actions and events that occurred prior to the actions and events contained in an earlier content blob.
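The second point above has a practical consequence for anyone consuming the API: a tool must not assume that one blob follows another in time, and it should expect the same event to show up more than once across deliveries. As an added example (my own, not from the API documentation), the script below merges several blobs into one stream keyed on the event Id and sorts by CreationTime. The blob bodies are constructed samples in the documented shape (a JSON array of events, each with Id, CreationTime, Operation, UserId and ObjectId); fetching the real blobs from the content URIs that the API lists is left out.

```powershell
# Added example (not from the original post): merge Management Activity API content blobs into
# a single time-ordered, de-duplicated event stream. Blob contents below are constructed samples.

# Blob delivered first, but holding the later events
$blob1 = @'
[
  {"Id":"evt-a1","CreationTime":"2015-09-10T09:05:00","Operation":"FileAccessed","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/Shared Documents/plan.docx"},
  {"Id":"evt-a2","CreationTime":"2015-09-10T09:07:30","Operation":"SharingSet","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/Shared Documents/plan.docx"}
]
'@

# Blob delivered second, holding an earlier event plus a repeat delivery of evt-a2
$blob2 = @'
[
  {"Id":"evt-b1","CreationTime":"2015-09-10T09:02:15","Operation":"FileDownloaded","UserId":"bob@contoso.com","ObjectId":"https://contoso.sharepoint.com/Shared Documents/budget.xlsx"},
  {"Id":"evt-a2","CreationTime":"2015-09-10T09:07:30","Operation":"SharingSet","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/Shared Documents/plan.docx"}
]
'@

function Merge-ActivityBlobs {
    param([string[]]$BlobJson)

    $seen = @{}   # event Id -> $true, so a repeated delivery is dropped
    $merged = foreach ($json in $BlobJson) {
        foreach ($ev in ($json | ConvertFrom-Json)) {
            if ($seen.ContainsKey($ev.Id)) { continue }
            $seen[$ev.Id] = $true
            $ev
        }
    }

    # CreationTime in the API is UTC; sort on the parsed value, never on blob arrival order
    $merged | Sort-Object { [datetime]::Parse($_.CreationTime) }
}

$timeline = Merge-ActivityBlobs -BlobJson @($blob1, $blob2)
$timeline | Format-Table CreationTime, UserId, Operation, ObjectId -AutoSize
```

With the samples above the output lists evt-b1 (09:02:15) first even though it arrived in the second blob, and evt-a2 once rather than twice. In a real consumer the $seen table has to outlive a single run (a small database or file of Ids already processed) because the repeat can arrive in a later polling cycle, not just a later blob of the same cycle.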
Enjoy.
-Antonio