SOLVED
Home

Logs - O365 - General activity

%3CLINGO-SUB%20id%3D%22lingo-sub-287600%22%20slang%3D%22en-US%22%3ELogs%20-%20O365%20-%20General%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287600%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20guys%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20planning%20a%20NAS%20migration%20toward%20Sharepoint%20Online.%20There%20is%20already%20an%20O365%20access%20for%20emails.%20With%20the%20files%20being%20outside%2C%20the%20CISO%20is%20asking%20about%20the%20possibility%20to%20retreive%20%22access%20logs%22%20from%20O365.%3C%2FP%3E%3CP%3EThe%20purpose%20is%20to%20monitor%20the%20activity%20and%20all%20the%20access.%20Do%20you%20know%2C%20if%20it's%20possible%20to%20export%20those%20logs%20%3F%20If%20so%2C%20can%20you%20give%20me%20a%20pointer%20toward%20the%20procedure%20%3F%20If%20not%2C%20does%20it%20mean%20that%20a%20CASB%20is%20mandatory%20for%20this%20task%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%20in%20advance%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-287600%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMigration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288123%22%20slang%3D%22en-US%22%3ERe%3A%20Logs%20-%20O365%20-%20General%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288123%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20maybe%20not%20best%20practice.%20But%20certainly%20strongly%20opinionated.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288120%22%20slang%3D%22en-US%22%3ERe%3A%20Logs%20-%20O365%20-%20General%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288120%22%20slang%3D%22en-US%22%3EStephane%2C%3CBR%20%2F%3E%3CBR%20%2F%3ETony%E2%80%99s%20articles%20on%20Petri%20and%20Office%20365%20for%20IT%20Pro%E2%80%99s%20are%20resources%20I%20would%20heavily%20recommend%20in%20terms%20of%20current%20best%20practice.%20They%20will%20answer%20a%20great%20deal%20of%20questions%20you%E2%80%99ll%20get%20from%20internal%20stakeholders%20and%20together%20with%20the%20community%20will%20give%20you%20a%20great%20foundation%20for%20getting%20the%20most%20from%20your%20office%20365%20service.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-288117%22%20slang%3D%22en-US%22%3ERe%3A%20Logs%20-%20O365%20-%20General%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-288117%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20some%20extra%20comments.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFirst%2C%20SharePoint%20Online%20is%20a%20very%20verbose%20application%20when%20it%20comes%20to%20generating%20audit%20log%20entries.%20You%60ll%20get%20lots%20of%20detail%20(here%60s%20an%20example%20of%20how%20to%20use%20the%20information%20in%20the%20audit%20log%20to%20answer%20questions%20like%20those%20often%20posed%20by%20security%20people%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.petri.com%2Fexternal-access-documents-office-365-part-3%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.petri.com%2Fexternal-access-documents-office-365-part-3%3C%2FA%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESecond%2C%20a%20big%20thing%20to%20realize%20is%20that%20Office%20365%20only%20keeps%20audit%20log%20data%20for%2090%20days%20(E3%20licenses)%20or%20365%20days%20(E5%20licenses).%20If%20you%20want%20to%20keep%20audit%20data%20for%20longer%2C%20you%20need%20to%20investigate%20using%20a%20third%20party%20product%20like%20Quadrotech%20Radar%20Security%20and%20Audit.%20Again%2C%20having%20access%20to%20audit%20data%20for%20extended%20periods%20is%20the%20kind%20of%20thing%20security%20people%20worry%20about.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.quadrotech-it.com%2Fsolutions%2Foffice-365-security-auditing-and-compliance%2Fradar-for-security-audit%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.quadrotech-it.com%2Fsolutions%2Foffice-365-security-auditing-and-compliance%2Fradar-for-security-audit%2F%3C%2FA%3E.%20You%20can%20keep%20audit%20data%20for%20years%20with%20a%20solution%20like%20Radar.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThird%2C%20if%20you%20have%20Office%20365%20E5%2C%20you%20also%20have%20Cloud%20App%20Security%20for%20Office%20365.%20The%20same%20audit%20data%20is%20available%2C%20but%20more%20intelligence%20can%20be%20applied%20to%20the%20data.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELast%2C%20it%60s%20not%20just%20SharePoint%20that%20you%20need%20to%20worry%20about.%20Office%20365%20is%20a%20big%20canvas%20with%20lots%20of%20moving%20parts%2C%20and%20the%20Office%20365%20audit%20log%20captures%20audit%20data%20about%20all%20those%20workloads.%20For%20more%20information%20about%20how%20to%20use%20that%20data%2C%20see%20Chapter%2021%20in%20Office%20365%20for%20IT%20Pros.%20See%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Foffice365itpros.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Foffice365itpros.com%2F%3C%2FA%3E%20for%20more%20info.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-287618%22%20slang%3D%22en-US%22%3ERe%3A%20Logs%20-%20O365%20-%20General%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287618%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Stephane%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20you%20are%20well.%20A%20great%20question%20for%20oversight%20and%20governance.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20find%20out%20about%20the%20Office%20365%20Audit%20log%20which%20includes%20user%20activity%20in%20SharePoint%20Online%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20also%20use%20activity%20reports%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Foffice365%2Fadmin%2Factivity-reports%2Factivity-reports%3FredirectSourcePath%3D%25252fen-us%25252farticle%25252fActivity-Reports-in-the-Office-365-admin-center-0d6dfb17-8582-4172-a9a9-aed798150263%26amp%3Bview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Foffice365%2Fadmin%2Factivity-reports%2Factivity-reports%3FredirectSourcePath%3D%25252fen-us%25252farticle%25252fActivity-Reports-in-the-Office-365-admin-center-0d6dfb17-8582-4172-a9a9-aed798150263%26amp%3Bview%3Do365-worldwide%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20get%20sign%20in%20logs%20through%20Azure%20AD%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Factive-directory%2Freports-monitoring%2Fconcept-sign-ins%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Factive-directory%2Freports-monitoring%2Fconcept-sign-ins%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20know%2C%20all%20are%20exportable.%20If%20you%20are%20concerned%20about%20access%20to%20the%20data%20then%20I%20would%20heavily%20recommend%20implementing%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.)%20Multi%20Factor%20Authentication%3C%2FP%3E%3CP%3E2.)%20Conditional%20Access%3C%2FP%3E%3CP%3E3.)%20Cloud%20App%20Security%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECloud%20App%20Security%20is%20Microsoft's%20CASB%20solution.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that%20helps!%20If%20it%20has%20answered%20your%20question%2C%20please%20select%20like%20and%20mark%20it%20as%20the%20best%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%2C%20Chris%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Stephane KLOIS
Contributor

Hello guys,

 

I'm planning a NAS migration toward Sharepoint Online. There is already an O365 access for emails. With the files being outside, the CISO is asking about the possibility to retreive "access logs" from O365.

The purpose is to monitor the activity and all the access. Do you know, if it's possible to export those logs ? If so, can you give me a pointer toward the procedure ? If not, does it mean that a CASB is mandatory for this task ?

 

Many thanks in advance

4 Replies
Solution

Hi Stephane, 

 

Hope you are well. A great question for oversight and governance. 

 

You can find out about the Office 365 Audit log which includes user activity in SharePoint Online here: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...

 

You can also use activity reports here: https://docs.microsoft.com/en-gb/office365/admin/activity-reports/activity-reports?redirectSourcePat...

 

You can get sign in logs through Azure AD here: https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/concept-sign-ins

 

As far as I know, all are exportable. If you are concerned about access to the data then I would heavily recommend implementing

 

1.) Multi Factor Authentication

2.) Conditional Access

3.) Cloud App Security

 

Cloud App Security is Microsoft's CASB solution. 

 

Hope that helps! If it has answered your question, please select like and mark it as the best solution.

 

Best, Chris

 

Just some extra comments.

 

First, SharePoint Online is a very verbose application when it comes to generating audit log entries. You`ll get lots of detail (here`s an example of how to use the information in the audit log to answer questions like those often posed by security people: https://www.petri.com/external-access-documents-office-365-part-3).

 

Second, a big thing to realize is that Office 365 only keeps audit log data for 90 days (E3 licenses) or 365 days (E5 licenses). If you want to keep audit data for longer, you need to investigate using a third party product like Quadrotech Radar Security and Audit. Again, having access to audit data for extended periods is the kind of thing security people worry about.  https://www.quadrotech-it.com/solutions/office-365-security-auditing-and-compliance/radar-for-securi.... You can keep audit data for years with a solution like Radar.

 

Third, if you have Office 365 E5, you also have Cloud App Security for Office 365. The same audit data is available, but more intelligence can be applied to the data.

 

Last, it`s not just SharePoint that you need to worry about. Office 365 is a big canvas with lots of moving parts, and the Office 365 audit log captures audit data about all those workloads. For more information about how to use that data, see Chapter 21 in Office 365 for IT Pros. See https://office365itpros.com/ for more info.

Stephane,

Tony’s articles on Petri and Office 365 for IT Pro’s are resources I would heavily recommend in terms of current best practice. They will answer a great deal of questions you’ll get from internal stakeholders and together with the community will give you a great foundation for getting the most from your office 365 service.

Best, Chris

Well, maybe not best practice. But certainly strongly opinionated.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies