Collecting and Retaining Audit Logs from Office 365

Audit logs are an essential part of cybersecurity for any organization. They provide visibility into your network and allow security analysts to investigate vulnerabilities and the extent of damage after an attack. An audit log is a time-stamped record of all actions that take place across your network. It's essentially a chronological list of who did what and when. In the event of a discrete cyberattack or data breach, it's impossible to know the extent of what was affected without reliable logs. These records also help organizations in specific industries maintain and prove compliance with national and local regulations. 

Many businesses and organizations depend on third-party programs and software to complete daily tasks and automate workflows. The ability to audit the actions that take place through such programs is as important as any other part of your organizational network. Office 365 is used by over a million companies worldwide. It has become such a popular platform for business that the Cybersecurity and Infrastructure Security Agency (CISA) has issued a report that identifies the configurations that leave O365 users vulnerable. Yet, many companies have little or no knowledge of the best practices for Office 365 audit log collection and retention. 

Office 365 audit logs are found in the Office 365 Security & Compliance Center. However, logging capabilities are not turned on by default and the retention period for O365 audit logs varies by license type. An audit log retention policy lets you specify how long to retain audit logs in your organization. Logs are kept for 90 or 365 days, or up to 10 years, depending on the license. To enable retention beyond 90 days, you'll need to have an Office 365 E5 subscription or an Office 365 Advanced Compliance add-on license.

Unfortunately, O365 audit logs are sold as a premium item instead of built into the platform, making their use more complex and expensive. For businesses that depend on Office 365, ignoring the vulnerabilities presented by a system without audits in place isn't an option. That's why it's important to learn the ins and outs of O365 security logs and the best way to utilize them in your complete cybersecurity solution.


The Importance of Collecting Office 365 Security Logs

All audit logs serve as a tool that provides information about what is going on in your environment. For many businesses, Office 365 is a big part of that environment. Microsoft Office 365 is a complex ecosystem that involves multiple services used to share information, documents, and sensitive data. Global administrators in large organizations are often required to oversee multiple sub-administrators and thousands of users. 

Office 365 audit logs provide a way to track all user activity, including the movement of documents and who is viewing sensitive data. The logs provide visibility into the actions that take place on the entire platform and can indicate when abnormal behavior occurs. The collection and retention of O365 audit logs can offer these important capabilities. 

Investigation Into Vulnerabilities and Cyberattacks

If your organization experiences a data breach or attack, it's essential to know how the attacker gained access and how much damage occurred. When Office 365 platforms represent the way employees communicate and do business, the actions taken within these platforms can be an important part of data collection to locate vulnerabilities and determine the source of the attack. For example, if a user account is hacked, information from the audit logs can be used to see if user account credentials were used to escalate the attack or access specific sensitive data. Logs can also track the travel of specific files and if they were copied, printed, or deleted.

Proof of Compliance

Office 365 includes a robust group of platforms on which daily tasks are performed. Since many industries follow strict regulations for handling, storing, and transferring sensitive data, records are necessary to prove these actions were carried out correctly. When Office 365 is an active part of the way your organization works, the audit logs that record actions within these platforms can help you detect and analyze potential barriers to compliance as well as hold users accountable for their actions. 

All types of audit logs record information that defines who accessed the system, what they looked at, and what actions they took. O365 audit logs are no exception. By recording and retaining this information, it's possible to prove that all users are taking the required actions to properly secure sensitive information. Audit logs are the most effective way of tracking the actions of all users within a network, which is why logs are a required component of most security compliance programs.

Track Missing Documents

Convenient options for sharing documents are essential to keep up with the pace of modern business. However, it's common for documents to include sensitive information that must be monitored. Office 365 audit logs can be used to create a chain of custody that illustrates how files are changed or handled within your network. In legal situations, how documents are handled can be considered evidence. Within your organization, the ability to track document activity can help security analysts determine whether data has been leaked or mishandled by employees.

Review Business Processes

Audit logs offer a chronological list of the tasks that are completed on business platforms in your organization. The ability to review the data collected from these actions can assist organizations in their efforts to optimize internal procedures. O365 audit logs include timestamps of when actions are performed by each user, making them ideal for reflecting the time it takes to perform a task or identifying conflicting operations.

How to Enable Your Office 365 Logs for a Security Audit

Since O365 auditing isn't enabled by default, you have to take a few steps to gain access and change the auditing status for your organization. Before turning auditing on or off, you have to be assigned the Audit Logs role in Exchange Online. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. It's important to remember that the user who generated the audit log must have the proper licensing to retain a log for more than 90 days. After being assigned the Organization Configurations role, you can enable log monitoring with these easy steps.

  1. Log into the Security & Compliance Center of your account.
  2. From the left side panel, click Audit.
  3. If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity. Click the banner to turn on auditing.

It might take up to 60 minutes for the change to take effect, after which audit logs will be available for all future activity. 

How to Turn On Auditing With PowerShell

To turn on auditing through PowerShell, you'll need to have either the Audit Logs or View-Only Audit Logs role assigned in Exchange. Global admins usually have this by default. Take these steps to turn on auditing.

  1. Connect to Exchange Online PowerShell.
  2. Run this PowerShell command to turn on auditing: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
  3. A message is displayed saying it may take up to 60 minutes for the change to take effect.

How Long Should You Retain Your O365 Audit Logs?

After you connect the benefits of O365 audit log retention to the unique needs of your organization, it will be easier to determine how long you need to retain the information provided by these logs. For most companies, effective retention will extend beyond the 90 days offered by some versions of Office 365.

The biggest benefits of audit log collection and retention are effective cybersecurity practices and compliance programs. When you consider the nature of some recent sophisticated cyberattacks and the evolving requirements of compliance programs, it's easy to see why 3 months is ineffective for retention. For example, HIPAA compliance requires organizations to keep up to date with regular reviews of audit logs and trails and to keep these logs for a minimum of 6 years.

If compliance isn't a current concern for your organization, audit log retention is still important. Consider the timeframe of the SolarWinds attack. The attack was first disclosed on December 14, 2020, but it likely began in September 2019. Victims of the attack included government agencies and private companies across a variety of industries. An estimated 18,000 companies were left vulnerable to attacks for 10 months during 2020, and the investigation into the attack required information that spanned over a year.

These examples illustrate why most companies will need to retain O365 audit logs for longer than a year. Exactly how long you retain your audit logs will depend on your organization's compliance requirements and the threats most likely to be relevant to your industry.

Limitations of O365 Audit Logs

While the update that allows users to retain audit logs for 10 years is a major improvement, manually searching O365 logs can be difficult and time-consuming. Search tools exist, but the following drawbacks make the log collection system less than ideal.

  • Limited Filtering Options: The unified audit log contains thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions. The audit log search tool can be used to search for specific actions within this mammoth list, but filtering options are far from comprehensive for most businesses.
  • 90 Day Storage Unless You Have Premium License: Microsoft's standard subscription only allows a 90 day retention period for audit logs. This means users without a premium license will need to download and save audit logs on a regular basis, then merge them together for a comprehensive list of activities.
  • Challenging to Spot Abnormal Activity: While the audit log search tool is helpful in finding specific actions, using O365 audit logs to search for abnormal activity is challenging. Without a trained security analyst, the information format is difficult to understand, and therefore impossible to use for threat hunting or network visibility.
  • Data is Difficult to Use: To create readable reports, the data must be exported, categorized, and normalized. This will be a cumbersome task for IT personnel to take care of manually.
  • Difficult to Keep Data Secure: All audit logs contain detailed, sensitive information. The default export options to utilize these logs are likely to make your files more vulnerable.
  • Properties Lumped Together: O365 audit logs lump most properties into one JSON. Microsoft offers a 10-step process to "quickly" split each property in its own column and filter columns to view records based on the values of the specific properties. This would likely be a lengthy task for a business with hundreds or thousands of users.
  • Limited Predefined Log Reports: There are few predefined log reports available. This means your IT team will likely need to manually create reports. However, there is no native feature to save customized searches, so the process will have to be completed frequently.

Creating Audit Log Retention Policies 

The Audit functionality in Microsoft 365 allows organizations to access audited activities for a limited amount of time. For organizations with an Office 365 E5/A5/G5 or Microsoft 365 Enterprise E5/A5/G5 subscription, Advanced Audit can provide the opportunity to create more comprehensive audit log retention policies. Advanced Audit in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains, for one year, any audit record that contains the value of Exchange, SharePoint, or AzureActiveDirectory for the Workload property (which indicates the service in which the activity occurred).

It's crucial to note that the default audit log retention policy only applies to audit records for activity performed by users with the proper licensing. This means the corresponding audit records of non-E5 users within the organization will only be retained for 90 days.

However, Advanced Audit also includes the capability to retain logs of properly licensed users for up to 10 years. By creating customized audit log retention policies, it's possible to retain specific audit records for longer periods of time. The criteria used to retain audit records can be based on:

  • The Microsoft 365 service where the audited activities occur
  • Specific activities
  • Specific users

If you need to create multiple retention policies, you can also assign priority levels so specific policies will take priority over other policies. All custom audit retention policies will take priority over the default audit retention policy. 

How to Create an Audit Log Retention Policy in the Compliance Center

Creating custom audit log retention policies allows you to retain data for longer than a year and define the retention term for specific criteria. When you create multiple policies, you can divide specific data into manageable categories. You'll need to be assigned the Organization Configuration role in the Security & Compliance Center to create an audit retention policy. Take these steps to create a custom audit log retention policy in the Compliance Center.

  1. Go to the Compliance Center and log in.
  2. In the left navigation panel, click Show All, then click Audit.
  3. When the audit page is displayed, click "Create an audit retention policy."
  4. Complete these fields on the "New audit retention policy" page.
       • Name: This name is used to identify the specific log retention policy, and must be unique to your organization.
       • Description: This is optional but can provide useful information about the policy such as the record type, workload, users, and length of retention time.
       • Users: List the names of users the policy applies to. This is optional. However, if left blank the policy will apply to all users, and Record Type cannot be left blank.
       • Record Type: Identify the record type the policy applies to. This can be left blank only if users are identified.
       • Duration: Identify the amount of time to retain the audit logs within the policy.
       • Priority: While any custom policy takes priority over the default, listing a priority value will determine the order in which audit log retention policies are processed. A higher value indicates a higher priority.
  5. Click Save to create the new audit log retention policy.
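
Before saving several overlapping policies, it helps to check which one a given record would fall under. The sketch below is an added example, not Microsoft's code: it models only the rules as this page states them (custom policies beat the default, a higher priority value wins, the default covers three workloads for one year, unlicensed users keep 90 days). The policy names, users and the both-fields-must-match rule are assumptions.

```python
from dataclasses import dataclass, field

STANDARD_DAYS = 90   # retention without the premium license, per the page
DEFAULT_DAYS = 365   # default Advanced Audit policy: one year
DEFAULT_WORKLOADS = {"Exchange", "SharePoint", "AzureActiveDirectory"}

@dataclass
class RetentionPolicy:
    name: str
    duration_days: int
    priority: int                                     # higher value wins
    record_types: set = field(default_factory=set)    # empty = any record type
    users: set = field(default_factory=set)           # empty = all users

    def __post_init__(self):
        # The form allows only one of Users / Record Type to be left blank.
        if not self.record_types and not self.users:
            raise ValueError(f"{self.name}: set Users or Record Type")

    def matches(self, record):
        # Assumption: when both fields are filled in, both must match.
        user_ok = not self.users or record["UserId"] in self.users
        type_ok = not self.record_types or record["RecordType"] in self.record_types
        return user_ok and type_ok

def effective_retention(record, policies, licensed_users):
    """Return (policy name, days kept) for one audit record."""
    if record["UserId"] not in licensed_users:
        return ("standard", STANDARD_DAYS)    # longer retention needs the license
    hits = [p for p in policies if p.matches(record)]
    if hits:                                  # any custom policy beats the default
        best = max(hits, key=lambda p: p.priority)
        return (best.name, best.duration_days)
    if record["Workload"] in DEFAULT_WORKLOADS:
        return ("default", DEFAULT_DAYS)
    # Assumption: other workloads with no custom policy keep the standard period.
    return ("standard", STANDARD_DAYS)

# Constructed plan and users (hypothetical names, not from a real tenant).
POLICIES = [
    RetentionPolicy("sharepoint-files-3y", 3 * 365, priority=10,
                    record_types={"SharePointFileOperation"}),
    RetentionPolicy("finance-lead-10y", 10 * 365, priority=50,
                    users={"alice@example.com"}),
]
LICENSED = {"alice@example.com", "carol@example.com"}

def rec(user, record_type, workload):
    """Build a minimal constructed audit record for the check."""
    return {"UserId": user, "RecordType": record_type, "Workload": workload}
```

Running planned policies through a check like this shows gaps, such as a workload outside the default set that no custom policy covers, before the first 90 days of records age out.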

Using Office 365 Audit Logs

There are a variety of ways organizations can utilize the information collected from O365 audit logs, but without the right education and experience, the data could be simply ignored. Audit logs include sensitive information about all the actions taken by users within your network. The process of exporting and retaining such data can present vulnerabilities if the information isn't properly secured. For organizations that fail to learn how to use the data provided by these logs, collection and retention would serve no purpose, and expose your company to unnecessary risks.

Office 365 audit logs are only a valuable part of your cybersecurity solution if you use them. All logs require the attention of a human to conduct an investigation for digital threats. Data collected from O365 audit logs will be lengthy and difficult to digest. Security analysts normalize the data and search entries for normal behavior as well as conduct targeted searches to find specific information.

How to Conduct a Search of O365 Audit Logs

You can use native O365 audit log search tools to conduct a search with these steps.

  1. Visit the Security & Compliance Center and log into your account.
  2. Start a new search by clicking Search on the left navigation panel, then select Audit log search.
  3. Configure your search criteria by defining specific activities to be included in the search. Then determine a time frame for the search, users to include in the report, and locations (files, folders, or sites) to limit the search. You can also search criteria like activities related to a website or a given file. 
  4. Filter the search results with keywords, specific dates, users, or other details.
  5. Save your results by clicking Export results, and selecting Save loaded results, to generate a CSV file with your data.
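
Two of the limitations listed earlier, merging periodic exports and properties lumped into one JSON, can be handled on the exported CSV itself. The following is an added example, not part of the original article or any Microsoft tooling: it expands the AuditData JSON column into one column per property and merges overlapping exports, keeping each record once by its Id. The sample records are constructed, and the four-column export layout is assumed.

```python
import csv
import io
import json

def load_export(csv_text):
    """Parse one exported CSV; give every AuditData property its own key."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("AuditData") or ""
        try:
            props = json.loads(raw)
            if not isinstance(props, dict):
                raise ValueError("AuditData is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            # Keep damaged rows visible instead of silently dropping them.
            records.append({"CreationDate": row.get("CreationDate") or "",
                            "_parse_error": "invalid AuditData", "_raw": raw})
            continue
        # Nested arrays/objects stay JSON text so each cell holds one value.
        records.append({k: json.dumps(v, sort_keys=True)
                        if isinstance(v, (dict, list)) else v
                        for k, v in props.items()})
    return records

def merge_exports(csv_texts):
    """Merge periodic exports; a record present in two windows is kept once."""
    merged, seen = [], set()
    for text in csv_texts:
        for rec in load_export(text):
            key = rec.get("Id") or json.dumps(rec, sort_keys=True)
            if key not in seen:
                seen.add(key)
                merged.append(rec)
    merged.sort(key=lambda r: r.get("CreationTime") or r.get("CreationDate", ""))
    return merged

def to_csv(records):
    """Write merged records with one column per property."""
    columns = sorted({key for rec in records for key in rec})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()

def sample_export(records):
    """Constructed sample data shaped like the exported CSV (not tenant data)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for rec in records:
        writer.writerow([rec["CreationTime"] + ".0000000Z", rec["UserId"],
                         rec["Operation"], json.dumps(rec)])
    return out.getvalue()

# Constructed records; names, addresses and ids are invented.
R1 = {"Id": "0001", "CreationTime": "2021-01-30T08:15:00", "UserId": "alice@example.com",
      "Operation": "FileDownloaded", "Workload": "SharePoint", "ClientIP": "203.0.113.7"}
R2 = {"Id": "0002", "CreationTime": "2021-01-31T23:50:00", "UserId": "bob@example.com",
      "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
      "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0"}]}
R3 = {"Id": "0003", "CreationTime": "2021-02-02T10:00:00", "UserId": "bob@example.com",
      "Operation": "New-InboxRule", "Workload": "Exchange"}
EXPORTS = [sample_export([R1, R2]), sample_export([R2, R3])]  # R2 is in both windows
```

Calling to_csv(merge_exports(EXPORTS)) yields a single time-ordered file; because the merged archive holds the same sensitive detail as the source logs, store it with the same access controls.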

Secure O365 Data with SIEM Integration

Logging and monitoring activity through Office 365 is a necessity for businesses that depend on the software. However, you may have realized that utilizing the data from these logs isn't something that will be easily accomplished by the average O365 user, or even IT professionals. Data compiled from audit logs isn't automatically categorized or easy to digest. It's generated in complex codes and technical terms not recognizable by typical computer users. For many companies, Software as a Service (SaaS), like O365, is a critical part of doing efficient business. This is why you need a system to address potential vulnerabilities created by such software.

Along with using best practices to keep information secure, integrating your Office 365 cloud suite with a robust Security Information and Event Management (SIEM) system can offer the visibility and security you need. SIEM as a Service from BitLyft utilizes Securonix SIEM for complete visibility into the actions that take place on your network. Securonix has a built-in API integration with Office 365 to collect data from SharePoint Online, OneDrive, Exchange Online, Azure AD, Outlook, and Office 365 ATP. Events collected include:

  • SharePoint admin events
  • File sharing and download activity
  • Outlook email activity
  • Exchange configuration events
  • Azure AD authentication events
  • OneDrive file operations
  • Office 365 ATP threat alerts

As companies use third-party integrations to migrate their data to the cloud, bad actors are continually searching for ways to exploit potential vulnerabilities to access sensitive data that can be used to make a profit. This is why you need to set and implement a cloud strategy across your entire organization to protect your infrastructure assets. BitLyft Air® combines Securonix SIEM as a Service with central threat intelligence (CTI), a remote Security Operations Center (SOC), and Security Orchestrated Automated Response (SOAR) for a complete security system at a fraction of the cost of an on-site security team. You get the deepest visibility into your system (including third-party software like O365), lightning-fast incident response, and a SOC team that watches over your network 24/7. Learn more about how BitLyft can help with Office 365 and a full cybersecurity operations schedule with a needs assessment to help create your tailored cybersecurity solution.


Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.
