As organizations move their data to the cloud, business users are using a growing number of devices to be productive in their day-to-day work. As a result, many enterprises are facing new challenges in information security and compliance. Office 365 provides a robust set of features to help protect and secure corporate data. One of those capabilities is Office 365 Activity Monitoring, which allows you to monitor the actions of a particular user across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory. It also allows you to issue very detailed reports on those activities, which can facilitate investigations into security incidents. This session will review this new capability within Office 365 Activity Monitoring and discuss how it can help secure your cloud environment.
Securing Office 365 with Activity Monitoring
1. Securing Office 365 with Activity Monitoring
Thank you for joining our webinar! We will begin shortly.
2. Introduction
• "30 on Thursday" Series
  • Bi-weekly 30 minute webinar series
• Next Webinar:
  • October 22: "Building Nintex Mobile Apps"
• Full Schedule: SharePoint.Protiviti.com/Webinars
3. Live Tweeting!
Tweet us your questions & feedback during the webinar!
Tweet @ProtivitiSP and use #30TOffice365
4. Today's Session
• Today's session is being recorded
• Archive of past sessions
  • SharePoint.Protiviti.com/ArchivedWebinars
• Questions - Use the Question Window or tweet us your questions @ProtivitiSP using #30TOffice365
5. Session Overview
• Topic:
  • Securing Office 365 with Activity Monitoring
• Presenter:
  • Antonio Maio, SharePoint MVP
• Moderator:
  • Julia Marple, Protiviti
9. 1. Office 365 Activity Report
• Log in to Office 365
• Navigate to Admin > Compliance Center > Reports > Office 365 Activity Report
10. 1. Office 365 Activity Report
• Search across SharePoint Online, OneDrive for Business, Exchange Online, Azure AD
• Search by users, file, folder, site, by date range
• Search by type of activity
• View Activity Details (Details Pane)
• Run Report on Demand
• Export results to CSV
12. 2. Comprehensive Event Logging
• User and administrator events are logged as users work within Office 365
• Over 150 events logged (e.g. view a file, mailbox owner activities, Azure AD login, etc.)
• 9 Event Categories
  • Exchange admin events
  • Exchange mailbox events
  • File and folder events (SharePoint and OneDrive for Business)
  • Invitation and access request events (SharePoint and OneDrive for Business)
  • Sharing events (SharePoint and OneDrive for Business)
  • Site administration events (SharePoint and OneDrive for Business)
  • Synchronization events (SharePoint and OneDrive for Business)
  • Azure Active Directory events (Admin Activity and User Login)
13. 2. Comprehensive Event Logging
• Example: File and Folder Events
Event | Friendly name | Description
FileCheckedIn | File checked in | User checks in a document that they checked out from a SharePoint or OneDrive for Business document library.
FileCheckedOut | File checked out | User checks out a document located in a SharePoint or OneDrive for Business document library. Users can check out and make changes to documents that have been shared with them.
FileCheckOutDiscarded | File checkout discarded | User discards (or undoes) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
FileCopied | File copied | User copies a document from a SharePoint or OneDrive for Business site. The copied file can be saved to another folder on the site.
FileDeleted | File deleted | User deletes a document from a SharePoint or OneDrive for Business site.
FileDownloaded | File downloaded | User downloads a document from a SharePoint or OneDrive for Business site.
FileFetched | File accessed | User or system account accesses a file. When a user or the system performs an operation on a file, the file has to be located and accessed. The FileFetched event indicates that retrieval action. Note that many file and folder related events will have one or more corresponding FileFetched log entries.
FileModified | File modified | User or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site.
FileMoved | File moved | User moves a document from its current location on a SharePoint or OneDrive for Business site to a new location.
FileRenamed | File renamed | User renames a document on a SharePoint or OneDrive for Business site.
FileRestored | File restored | User restores a document from the recycle bin of a SharePoint or OneDrive for Business site.
FileUploaded | File uploaded | User uploads a document to a folder on a SharePoint or OneDrive for Business site.
FileViewed | File viewed | User views a document on a SharePoint or OneDrive for Business site. System accounts can also generate FileViewed events.
14. 2. Comprehensive Event Logging
• Example: Sharing Events
Event | Friendly name | Description
ExternalSharingSet | File or folder shared with external user | User shares a file or folder located in SharePoint or OneDrive for Business with a user outside their organization.
SharedLinkCreated | Sharing link created | User creates a link to a shared file in SharePoint or OneDrive for Business. This link can be sent to other people to give them access to the file. A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file.
SharedLinkDisabled | Sharing link disabled | User disables (permanently) a link that was created to share a file.
SharingRevoked | File or folder unshared | User unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users.
SharingSet | File or folder shared | User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization.
15. 3. Search PowerShell Cmdlet
• PowerShell Cmdlet: Search-UnifiedAuditLog
Examples:
Search-UnifiedAuditLog -StartDate "September 1, 2015" -EndDate "September 30, 2015"
Search-UnifiedAuditLog -StartDate 9/1/2015 -EndDate 9/30/2015 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx
• Script searches of the event logs, looking for specific details
• Export logs to a file
• Automate searches and reporting
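One way to script the search, export and automation steps listed on this slide, shown as an added example that is not part of the original presentation. It assumes a connected Exchange Online PowerShell session for the live search; the function names Get-SharingAuditEvent and ConvertFrom-AuditRecord, the CSV path and the sample record are constructed for illustration.

```powershell
# Added example (not from the original slides). The two function names,
# the sample record and the CSV path are illustrative assumptions.

function Get-SharingAuditEvent {
    # Pages through the unified audit log for two of the sharing events
    # listed in the Sharing Events table on this page.
    # Requires a connected Exchange Online PowerShell session.
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $Operations = @('ExternalSharingSet', 'SharedLinkCreated')
    )
    $sessionId = [guid]::NewGuid().ToString()
    do {
        # Calls that reuse one SessionId with ReturnLargeSet return successive pages
        $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -Operations $Operations -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 1000)
        $page
    } while ($page.Count -gt 0)
}

function ConvertFrom-AuditRecord {
    # Flattens one audit record; the per-event details arrive as JSON in AuditData.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $detail = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $Record.CreationDate
            User      = $Record.UserIds
            Operation = $Record.Operations
            ObjectId  = $detail.ObjectId
            ClientIP  = $detail.ClientIP
        }
    }
}

# Constructed sample record (not real log data) to try the flattening offline
$sample = [pscustomobject]@{
    CreationDate = [datetime]'2015-09-14T13:05:00Z'
    UserIds      = 'user@contoso.example'
    Operations   = 'ExternalSharingSet'
    AuditData    = '{"ObjectId":"https://contoso.example/sites/finance/budget.xlsx","ClientIP":"203.0.113.10"}'
}
$sample | ConvertFrom-AuditRecord

# Live use, once connected:
# Get-SharingAuditEvent -StartDate 9/1/2015 -EndDate 9/30/2015 |
#     ConvertFrom-AuditRecord | Export-Csv -Path .\sharing-events.csv -NoTypeInformation
```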
16. 4. Management Activity API (*Limited Preview)
• Integrate Office 365 activity data into internal or 3rd party security and compliance monitoring and reporting solutions
• Grant rights for your application to access event data using Azure AD
  Register the application in Azure AD to establish an identity for your application and specify the permission levels it needs in order to access the APIs
• Let the Office 365 service know if your application has rights to access it
  Office 365 tenant admin must explicitly grant consent to allow your application to access their tenant data through the APIs.
• Request Access Tokens from Azure AD
  Using the application's credentials (as in Azure AD) the application will request "app-only" access tokens for a consented tenant on an ongoing basis, without the need for further tenant admin interaction.
• Start Calling the Management API
  Subscribe to content types; Receive notifications when content is available; Retrieve content as JSON
*During the limited preview period only registered participants may actually retrieve data through the API.
17. In Summary
• Activity Monitoring/Reporting is just 1 aspect of Securing Information Systems
• Key Drivers for Monitoring Activity and Auditing our Systems:
  • Enhance Compliance with Regulatory Standards
  • Enhance Access Control and Visibility into User Activity related to Content
  • Enable Detailed Investigations
• Provides deep visibility into user activity & integration with internal/3rd party tools
• SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
• Accessed through the Office 365 Compliance Center
• Some reports are also accessed through Exchange Audit Reports and Azure AD Audit Reports
*Slides will be available on my blog at www.trustsharepoint.com.