Follow me on Twitter @AntonioMaio2

Monday, December 19, 2016

A Practical Overview of Office 365 Advanced Security Management - Part 1
Introduction & Audit Logs

In June 2016, Microsoft released its first iteration of Office 365 Advanced Security Management, a new capability within the Office 365 platform that allows organizations to go above and beyond the typical security management features that let them secure users, permissions, content and apps. In September the team added the Productivity App Discovery feature, and in October the solution continued to progress with additional capabilities to manage app permissions.

This multi-part blog series will look at how to use the features that make up Advanced Security Management and share some technical details that you will hopefully find helpful.

In part 1 of this series we introduce Advanced Security Management and share technical details about how it works with the Office 365 Unified Audit Log.
Let's jump in...

Introduction to Advanced Security Management

Advanced Security Management, or ASM, is a new set of security tools integrated into Office 365 that perform advanced threat detection and policy enforcement across your Office 365 workloads.  It helps automatically identify high risk, suspicious activities and allows administrators to implement granular security policies.  It also provides discovery and insight capabilities so that you can provide visibility on 'shadow IT' within your organization.  ASM incorporates signals from several Office 365 services such as the Management Activity API and Microsoft Security Graph, and provides administrators with a dedicated management console for getting a dashboard overview, searching log data, configuring policies and reviewing alerts.

There are a few important background details about Advanced Security Management that Office 365 administrators should understand before enabling it:

  • Office 365 Advanced Security Management (ASM) is a subset of the Microsoft Cloud App Security offering. Cloud App Security is a comprehensive service which provides security capabilities to a much broader set of applications beyond Office 365.  It provides features like discovery of a very wide range of cloud applications operating in your network and on all devices going through your company firewalls or proxies. It currently supports approximately 14,000 cloud services in its catalog, and it's important to emphasize that devices must go through the organization's firewalls or proxies or Cloud App Security will not see the traffic. It also provides granular controls and policy enforcement for data shared through your cloud applications. And finally it provides threat protection to detect abnormal user behavior through your cloud applications and help prevent threats. Office 365 ASM integrates the broad capabilities of Cloud App Security directly with Office 365, making it fairly easy to implement across the Office 365 workloads.  Learn more about the underlying technology here:  Microsoft Cloud App Security.
  • Office 365 ASM can be licensed in one of two ways: you may either license all of your Office 365 users with an E5 license (which gives you more than ASM), or you may specifically purchase the Office 365 ASM add-on license for all users (in addition to another Office 365 user license).  Office 365 does not actually check whether all users in fact have one of the required ASM licenses, so you can enable the feature for a subset of users initially, for evaluation, proof of concept and deployment planning. It is highly recommended that you license all of your users when running it in full production capacity, because you typically won't be able to predict whom an attacker will target. However, it is possible to license it for just a portion of your organization if you have particular individuals that might be considered very high value or persistent targets (administrators, executives, etc.).
  • Office 365 ASM has a very strong connection to and reliance on Microsoft Azure.  Please continue reading to understand how its capabilities make use of Azure.

Activating Advanced Security Management

After adding an E5 license to your Office 365 tenant, you must specifically activate Advanced Security Management:
  • Log in to Office 365 as a Global Administrator
  • Click the Office 365 waffle icon and select Security and Compliance
  • In the left hand menu, click Alerts and then Manage Advanced Alerts

The first screen presented will ask you to select a checkbox to 'Turn on Advanced Security Management for Office 365':

When the E5 or ASM license is added to the customer's Office 365 tenant, a new Azure tenant is automatically provisioned and associated with the customer's Office 365 tenant.  Selecting the 'Turn on...' checkbox will activate ASM and kick off a number of activities behind the scenes:
  • The Cloud App Security service within the new Azure tenant subscribes to the audit log data feed from the customer's Office 365 tenant.  This is the same audit log data you can search within the Office 365 Security and Compliance Center by clicking Search & Investigation > Audit Log Search.
  • Audit log data begins synchronizing from the Office 365 tenant to the new Azure tenant.  This data is not 'anonymized'.  By activating ASM, you are authorizing the audit log data to be transferred from your Office 365 tenant to the associated Azure tenant.
  • ASM begins to build a baseline model which it will ultimately use to detect suspicious user behavior and issue automated alerts.

The baseline model is built for every user and updated periodically as additional data is received.  It is based on both user logins and user activities, such as:
  • Whether they perform administrator activities or user activities
  • Frequency of activities
  • The device, browser and OS used to access Office 365 (derived from the user agent string)
This process does not currently use Intune, so it cannot recognize the device itself - it cannot distinguish specific devices, nor whether the device is company managed or domain-joined.  This process also does not look at the amount of data downloaded by a user, because the management activity API (audit log API) does not provide full metadata about files accessed.
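To make the baseline idea concrete, here is an added example (my own illustration, not ASM's model or any Microsoft code) of how a per-user baseline can be learned from past events and then used to flag deviations of the kinds listed above: a device/browser fingerprint never seen for that user, a new country, a first administrator activity, and a daily activity volume well above the user's norm. The event records and the field names (`user`, `os`, `browser`, `country`, `category`) are constructed for this example and assume the audit data has already been enriched with OS and browser names; the 3x volume threshold is an arbitrary tuning assumption.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from past events."""
    fingerprints: set = field(default_factory=set)   # (os, browser) pairs seen
    countries: set = field(default_factory=set)
    admin_seen: bool = False
    daily_counts: Counter = field(default_factory=Counter)  # date -> events

    def typical_daily_volume(self) -> float:
        if not self.daily_counts:
            return 0.0
        return sum(self.daily_counts.values()) / len(self.daily_counts)


def build_baselines(history):
    """Fold a list of past events into one UserBaseline per user."""
    baselines = defaultdict(UserBaseline)
    for ev in history:
        b = baselines[ev["user"]]
        b.fingerprints.add((ev["os"], ev["browser"]))
        b.countries.add(ev["country"])
        if ev["category"] == "admin":
            b.admin_seen = True
        b.daily_counts[ev["time"][:10]] += 1   # ISO timestamp -> YYYY-MM-DD
    return baselines


def score_batch(baselines, events, volume_factor=3.0):
    """Return {event id: [reasons]} for events that deviate from the baseline."""
    per_user_day = Counter((ev["user"], ev["time"][:10]) for ev in events)
    flagged = {}
    for ev in events:
        b = baselines.get(ev["user"])   # .get() does not create a default entry
        if b is None:
            flagged[ev["id"]] = ["no_baseline"]   # unknown user: nothing to compare to
            continue
        reasons = []
        if (ev["os"], ev["browser"]) not in b.fingerprints:
            reasons.append("new_device")
        if ev["country"] not in b.countries:
            reasons.append("new_country")
        if ev["category"] == "admin" and not b.admin_seen:
            reasons.append("first_admin_activity")
        typical = b.typical_daily_volume()
        if typical and per_user_day[(ev["user"], ev["time"][:10])] > volume_factor * typical:
            reasons.append("high_volume")
        if reasons:
            flagged[ev["id"]] = reasons
    return flagged


def _ev(eid, user, time, os_name, browser, country, category="user"):
    return {"id": eid, "user": user, "time": time, "os": os_name,
            "browser": browser, "country": country, "category": category}


# Constructed history: alice does two desktop actions a day for five days,
# bob does one phone action a day for four days. All values are made up.
HISTORY = []
for day in range(1, 6):
    for hour in (9, 14):
        HISTORY.append(_ev(f"h-a-{day}-{hour}", "alice", f"2016-11-{day:02d}T{hour:02d}:00:00",
                           "Windows 10", "Chrome 55.0.2883.87", "US"))
for day in range(1, 5):
    HISTORY.append(_ev(f"h-b-{day}", "bob", f"2016-11-{day:02d}T08:30:00",
                       "iOS 10.1", "Safari 10.0", "US"))

# Constructed new day: alice from an unfamiliar machine and country, then an
# admin action; carol has no history; bob is six times busier than usual.
NEW_EVENTS = [
    _ev("a1", "alice", "2016-11-06T02:10:00", "Linux", "Firefox 50.0", "RU"),
    _ev("a2", "alice", "2016-11-06T09:00:00", "Windows 10", "Chrome 55.0.2883.87", "US", "admin"),
    _ev("c1", "carol", "2016-11-06T10:00:00", "Windows 10", "Chrome 55.0.2883.87", "US"),
] + [_ev(f"b{i}", "bob", f"2016-11-06T{8 + i:02d}:00:00", "iOS 10.1", "Safari 10.0", "US")
     for i in range(6)]


def demo():
    return score_batch(build_baselines(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for event_id, reasons in demo().items():
        print(event_id, reasons)
```

Because the baseline only knows the OS and browser labels, two physically different laptops with the same build look identical to it, which is exactly the limitation the post describes for ASM without Intune.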

Activation only needs to occur the first time you access ASM.  The next time you login, you'll see the same screen without the checkbox.  Just click Go to Advanced Security Management to access its management console.

Audit Log Data Enrichment

At the core of ASM is the audit log data and signals it receives from your Office 365 tenant and other sources (data logs that you upload, the Microsoft Security Graph, etc.).

If you've ever searched or tried to work with audit log data provided within the built-in Audit Log Search, you'll find that it is fairly extensive and very useful, but also quite raw.  It is just that: audit log data.  The interpretation is entirely up to you.  There is no threat intelligence built into it; no correlation of IP addresses to known malicious addresses; no heuristics or correlation between multiple events for the same user or location.  The work to understand and make use of that data is up to you.

With ASM, as audit log data is transmitted from your Office 365 tenant it is enriched with additional threat analytics, logic and heuristics - for example, ASM will:
  • Standardize the incoming event: is it an admin activity, a user activity, an activity impersonated by another user, etc.
  • Determine whether the IP address originates from a Microsoft data center
  • Incorporate Microsoft Security Graph data to determine if the IP address is from a known threat or risky location (e.g. a known TOR node or botnet)
  • Interpret the user agent string to display the OS name/version, device type and browser type/version
  • Search for more user activities that are related to a specific activity (e.g. if a user uploaded and shared a file, quickly find out who accessed or downloaded it)
  • Incorporate administrator-defined known IP addresses for the organization when deciding which activities to raise alerts on.  For example, an administrator could list the VPN subnet as a known address range and thereby make alerts smarter.
We can easily compare audit log results from the two solutions by bringing them up side by side and immediately seeing some of the differences.
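To show what this enrichment looks like in practice, here is an added example, written for this post rather than taken from ASM or any Microsoft code, that applies the same kinds of logic to raw audit records: it classifies each event as admin, user or delegate activity, normalizes the client IP (records sometimes carry a source port), matches it against administrator-defined known ranges such as a VPN subnet, parses the user agent into OS, browser and device type, and looks up related activities on the same file. The records follow the general shape of Unified Audit Log entries but only include a few fields, and every value (users, addresses, URLs, user agents, the known ranges) is constructed for the example.

```python
import ipaddress
import re

# Constructed sample records in the shape of Office 365 Unified Audit Log
# entries. Only a handful of the real fields are included and every value
# (users, IPs, URLs, user agents) is made up for this example.
SAMPLE_RECORDS = [
    {"Id": "1", "CreationTime": "2016-12-01T09:12:04", "Workload": "SharePoint",
     "Operation": "FileUploaded", "UserId": "alice@contoso.example",
     "ClientIP": "10.8.0.12",
     "ObjectId": "https://contoso.example/sites/finance/Q4-budget.xlsx",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"},
    {"Id": "2", "CreationTime": "2016-12-01T09:13:40", "Workload": "SharePoint",
     "Operation": "SharingSet", "UserId": "alice@contoso.example",
     "ClientIP": "10.8.0.12:51234",   # some records append a source port
     "ObjectId": "https://contoso.example/sites/finance/Q4-budget.xlsx",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"},
    {"Id": "3", "CreationTime": "2016-12-01T11:02:17", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.7",
     "ObjectId": "https://contoso.example/sites/finance/Q4-budget.xlsx",
     "UserAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_1 like Mac OS X) "
                  "AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 "
                  "Mobile/14B72 Safari/602.1"},
    {"Id": "4", "CreationTime": "2016-12-01T12:30:00", "Workload": "Exchange",
     "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
     "ClientIP": "192.0.2.44", "ObjectId": "bob@contoso.example", "UserAgent": ""},
]

# Administrator-defined "known" address ranges, the VPN-subnet idea from the
# post. Both networks are placeholders chosen for this example.
KNOWN_RANGES = {
    "corp-vpn": ipaddress.ip_network("10.8.0.0/16"),
    "office-hq": ipaddress.ip_network("192.0.2.0/24"),
}

_OS_PATTERNS = [  # first match wins; order matters for iPhone vs "like Mac OS X"
    (re.compile(r"Windows NT 10\.0"), "Windows 10"),
    (re.compile(r"Windows NT 6\.1"), "Windows 7"),
    (re.compile(r"iPhone OS (\d+)[_.](\d+)"), "iOS {0}.{1}"),
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "Android {0}"),
    (re.compile(r"Mac OS X (\d+)[_.](\d+)"), "macOS {0}.{1}"),
]
_BROWSER_PATTERNS = [  # Edge and Chrome UAs also contain "Safari", so test them first
    (re.compile(r"Edge/([\d.]+)"), "Edge {0}"),
    (re.compile(r"Chrome/([\d.]+)"), "Chrome {0}"),
    (re.compile(r"Firefox/([\d.]+)"), "Firefox {0}"),
    (re.compile(r"Version/([\d.]+).*Safari/"), "Safari {0}"),
]
_CMDLET = re.compile(r"^[A-Z][a-z]+-[A-Z]\w+$")   # Verb-Noun PowerShell cmdlet names


def _first_match(patterns, text, default="unknown"):
    for pattern, label in patterns:
        m = pattern.search(text)
        if m:
            return label.format(*m.groups())
    return default


def parse_user_agent(ua):
    """Return (os, browser, device_type) from a raw user agent string."""
    device = "mobile" if re.search(r"Mobile|iPhone|Android", ua) else "desktop"
    return _first_match(_OS_PATTERNS, ua), _first_match(_BROWSER_PATTERNS, ua), device


def strip_port(client_ip):
    """Return the bare address; a trailing ':port' (or '[v6]:port') is dropped."""
    try:
        return str(ipaddress.ip_address(client_ip))
    except ValueError:
        host, _, _ = client_ip.rpartition(":")
        return host.strip("[]")


def known_location(address):
    """Name of the administrator-defined range containing address, else None."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return None
    return next((name for name, net in KNOWN_RANGES.items() if addr in net), None)


def classify(record):
    """Standardize the event type: delegate (acting in another mailbox), admin or user.
    LogonType == 2 is the Exchange mailbox-audit delegate value; cmdlet-shaped
    operation names are treated as admin activity (a simplification)."""
    if record.get("LogonType") == 2:
        return "delegate"
    return "admin" if _CMDLET.match(record["Operation"]) else "user"


def related_activities(records, record, key="ObjectId"):
    """Other records sharing the same key (file, user or IP) as this one."""
    return [r for r in records if r["Id"] != record["Id"] and r.get(key) == record.get(key)]


def enrich_record(record):
    os_name, browser, device = parse_user_agent(record.get("UserAgent", ""))
    ip = strip_port(record.get("ClientIP", ""))
    return {**record, "category": classify(record), "client_ip": ip,
            "known_location": known_location(ip), "os": os_name,
            "browser": browser, "device_type": device}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        e = enrich_record(rec)
        print(e["Id"], e["category"], e["client_ip"], e["known_location"], e["os"], e["browser"], e["device_type"])
    print("touched the same file as record 1:",
          [r["Id"] for r in related_activities(SAMPLE_RECORDS, SAMPLE_RECORDS[0])])
```

The geolocation, ISP and threat-feed lookups that ASM adds on top of this need external data and are deliberately left out; the point is that even these simple normalizations turn raw records into fields you can filter and correlate on.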

In the built-in Office 365 Audit Log Search function, here is an example of the results returned when we perform a search:

We get the date/time, originating IP address, username, activity name, item acted upon and a list of raw details.  If we click on a line we're presented with a list of that raw detail:

Many of the details are listed in their full technical form.  Again, this is all very useful data, but it is raw and requires your own interpretation and correlation with other events.

ASM allows us to perform simple or complex searches against the same data set.  If we look at an example of the search results, we get similar data but with a view that is easier to read and some details summarized for us.  We're presented with an activity name that is more meaningful, the user, the app from which the entry was reported, originating IP address, the physical location of that IP (country), the device type, OS version and browser type/version (seen by hovering over the icons), and the date/time.

If we click on a line in our search results, we're given a summarized view that may be much more meaningful depending on the event:

We get the city, state and country of the originating IP address, the ISP through which that IP is assigned, the full username and the Azure AD groups to which that user belongs.  If the entry matches any currently configured policies, those will be listed as well under 'Matched Policies'.  Here is another example of a file access entry:

In addition, we can easily determine whether there are other activities in the log which are related to this IP address, this user, this type of activity or this country/region by clicking the ... beside the entry and selecting one of the actions:

Audit log data enrichment is a big part of the value which Advanced Security Management provides Office 365 customers.  These are just some current, simple examples of logic and signals added to the management activity API feed as it comes into ASM.  We do hope to see some additional intelligence added over time, given the breadth of data available from Office 365 workloads - in particular more specific data about our users, about our files and about the SharePoint and Office 365 groups that our users belong to.

Audit Log Data Retention

Another important distinction between the Office 365 audit log feature and ASM is that Office 365 retains audit log data for a maximum of 90 days, whereas ASM retains audit log data for 6 months.  This is important when corporate security policies or regulations require you to be able to investigate data breaches for longer periods of time after they have occurred.

Often, data breaches are not discovered for several months after they have occurred and this data becomes critical to performing analysis to determine how a breach occurred and how to prevent it in the future.  To be honest, even 6 months can seem a bit short.  In several organizations where I've performed cybersecurity audits, they often have requirements to maintain audit log data for up to 1 year.  If you're in that situation you may need to look for an additional solution to store such audit data longer term (for example, Microsoft Operations Management Suite).
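If you do need to keep audit data beyond what either service retains, the core of any home-grown archiver is the same: pull the log in bounded date windows, never ask for anything older than the retention horizon (that data is simply gone), record how much history was lost if the archive has fallen behind, and store by record Id so overlapping pulls never create duplicates. Here is an added example of that logic (my own illustration, not part of ASM, Operations Management Suite or any Microsoft tooling). The `fetch(start, end)` callable stands in for whatever export path you use against the audit log; the one used here returns constructed records, and the 90-day figure is the Office 365 retention quoted above while the 7-day window size is an arbitrary assumption.

```python
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90          # Office 365 audit log retention quoted in the post
WINDOW = timedelta(days=7)   # pull size; a tuning assumption for this example


def plan_windows(last_archived, now, retention_days=RETENTION_DAYS, window=WINDOW):
    """Split the time to catch up on into (start, end) pull windows.

    Windows are clipped to the retention horizon, and 'lost' reports how much
    of the requested history is already past that horizon and unrecoverable."""
    horizon = now - timedelta(days=retention_days)
    lost = max(horizon - last_archived, timedelta(0))
    start = max(last_archived, horizon)
    windows = []
    while start < now:
        end = min(start + window, now)
        windows.append((start, end))
        start = end
    return windows, lost


class Archive:
    """Long-term store keyed by record Id, so re-pulled records are not duplicated."""

    def __init__(self):
        self.records = {}

    def add(self, records):
        added = 0
        for rec in records:
            if rec["Id"] not in self.records:
                self.records[rec["Id"]] = rec
                added += 1
        return added

    def newest_time(self):
        """High-water mark to use as last_archived on the next run."""
        return max((r["CreationTime"] for r in self.records.values()), default=None)


def run_export(fetch, archive, last_archived, now):
    """Pull every planned window through fetch(start, end) into the archive.
    Returns (records added, history lost to retention)."""
    windows, lost = plan_windows(last_archived, now)
    added = sum(archive.add(fetch(start, end)) for start, end in windows)
    return added, lost


# Constructed stand-in for the real export: 40 records, one every three days,
# spread over the last 120 days. fake_fetch() filters them by CreationTime the
# way a date-bounded query would.
NOW = datetime(2016, 12, 19, tzinfo=timezone.utc)
FAKE_LOG = [{"Id": f"rec-{k}", "CreationTime": NOW - timedelta(days=3 * k),
             "Operation": "FileAccessed"} for k in range(1, 41)]


def fake_fetch(start, end):
    return [r for r in FAKE_LOG if start <= r["CreationTime"] < end]


def demo():
    """Archive has fallen 120 days behind: only the last 90 are recoverable."""
    archive = Archive()
    added, lost = run_export(fake_fetch, archive, NOW - timedelta(days=120), NOW)
    rerun, _ = run_export(fake_fetch, archive, NOW - timedelta(days=120), NOW)
    return added, lost.days, rerun, len(archive.records)


if __name__ == "__main__":
    added, lost_days, rerun, total = demo()
    print(f"added {added} records, {lost_days} days of history lost, "
          f"re-run added {rerun}, archive holds {total}")
```

The `lost` value is the figure worth alerting on: a scheduled export that silently skips a run is exactly how an organization with a one-year requirement ends up with holes in its evidence.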

What's Next...

This was just a quick introduction to the Office 365 Advanced Security Management solution, how to activate it and the data which is incorporated into policies and alerts.  There are a lot more exciting security capabilities to look at!

In parts 2 and 3 of this series, we'll look at the Discovery Dashboard, how to bring in data from other internal systems and how to configure policies & alerts.
