cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reporting when macro-enabled documents are opened

Paul_Weller
Copper Contributor

‎Nov 02 2021 12:21 AM

‎Nov 02 2021 12:21 AM

Reporting when macro-enabled documents are opened

Hi there,

 

We need to log/report when any macro-enabled document in our environment is opened (whether it be located on a file server, Nutanix Files, eDocs or OneDrive).  We hoped that the Microsoft 365 Apps admin center could provide this information, but it looks as though it only reports that a device has recently opened a macro-enabled document, it doesn't provide any further information on the file itself.

 

Does anyone know whether this feature is actually available in the Microsoft 365 Apps admin center, or if not, any suggestions on a tool we could use instead?

 

Thanks

2,023 Views
0 Likes
5 Replies
Reply
5 Replies
Martin Nothnagel

‎Nov 03 2021 01:43 AM

‎Nov 03 2021 01:43 AM

Re: Reporting when macro-enabled documents are opened

Hi Paul, this functionality is not available in the Apps admin center nor on the roadmap for the near future. I'm not aware of any Microsoft product which would cover the requested functionality. But there are 3rd party tools for the management of VBA-based documents which integrate into Office and might offer this capability.
0 Likes
Reply
Alexander72

‎Nov 03 2021 02:06 AM

‎Nov 03 2021 02:06 AM

Re: Reporting when macro-enabled documents are opened

@Paul_Weller 

Hi Paul, what information do you need?

Cheers Alex

0 Likes
Reply
Paul_Weller

‎Nov 03 2021 05:16 PM

‎Nov 03 2021 05:16 PM

Re: Reporting when macro-enabled documents are opened

Ok, thanks for the response
0 Likes
Reply
Paul_Weller

‎Nov 03 2021 05:25 PM

‎Nov 03 2021 05:25 PM

Re: Reporting when macro-enabled documents are opened

Hi Alex,

We're looking for a solution that'll alert us when a macro-enabled document is run (detailing the user, hostname, filename and location), although the alert doesn't need to be instantaneous. We use Splunk to collect data every day from the event logs of every Windows machine within the environment, so if an event is logged when a macro is run, we would pick that up.

Cheers,

Paul
0 Likes
Reply
Alexander72

‎Nov 04 2021 12:32 AM

‎Nov 04 2021 12:32 AM

Re: Reporting when macro-enabled documents are opened

@Paul_Weller 

Hi Paul,

the next question is: why do you want to collect the data? Do you want to find out about every macro in your company or do you want to find out about the usage of the macros?

If you would like to find out about all macros, then digital signatures plus a signing portal would be the way to go. This would also increase the security.

My company developed an eco system of different tools to deal with VBA macros. You can analyze and sign them and gather information about every macro.

The other way would be to utilize the IOfficeAntivirus or the AMSI interface to get the information you want. IOfficeAntivirus is quite old and is called by Windows Defender or - with some registry settings  -by most of the Office applications when a File ist opened. There you could check if there is a macro in the file. AMSI is newer and I really do not know if Office also calls this interface when a file ist opened.

Both depend on the old COM technology, so I do not know if this also runs in the Mac world. But if you just have Windows machines, this would be the way I would go.

 

Cheers

Alex

0 Likes
Reply