Nov 16 2018 02:57 AM
Hello guys,
I'm planning a NAS migration toward SharePoint Online. There is already O365 access for emails. With the files being outside, the CISO is asking about the possibility to retrieve "access logs" from O365.
The purpose is to monitor the activity and all the access. Do you know if it's possible to export those logs? If so, can you give me a pointer toward the procedure? If not, does it mean that a CASB is mandatory for this task?
Many thanks in advance
Nov 16 2018 04:40 AM
Solution
Hi Stephane,
Hope you are well. A great question for oversight and governance.
You can find out about the Office 365 Audit log which includes user activity in SharePoint Online here: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...
You can also use activity reports here: https://docs.microsoft.com/en-gb/office365/admin/activity-reports/activity-reports?redirectSourcePat...
You can get sign in logs through Azure AD here: https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/concept-sign-ins
As far as I know, all are exportable. If you are concerned about access to the data then I would heavily recommend implementing
1.) Multi Factor Authentication
2.) Conditional Access
3.) Cloud App Security
Cloud App Security is Microsoft's CASB solution.
Hope that helps! If it has answered your question, please select like and mark it as the best solution.
Best, Chris
Nov 16 2018 02:50 PM
Just some extra comments.
First, SharePoint Online is a very verbose application when it comes to generating audit log entries. You'll get lots of detail (here's an example of how to use the information in the audit log to answer questions like those often posed by security people: https://www.petri.com/external-access-documents-office-365-part-3).
Second, a big thing to realize is that Office 365 only keeps audit log data for 90 days (E3 licenses) or 365 days (E5 licenses). If you want to keep audit data for longer, you need to investigate using a third party product like Quadrotech Radar Security and Audit. Again, having access to audit data for extended periods is the kind of thing security people worry about. https://www.quadrotech-it.com/solutions/office-365-security-auditing-and-compliance/radar-for-securi.... You can keep audit data for years with a solution like Radar.
Third, if you have Office 365 E5, you also have Cloud App Security for Office 365. The same audit data is available, but more intelligence can be applied to the data.
Last, it's not just SharePoint that you need to worry about. Office 365 is a big canvas with lots of moving parts, and the Office 365 audit log captures audit data about all those workloads. For more information about how to use that data, see Chapter 21 in Office 365 for IT Pros. See https://office365itpros.com/ for more info.
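One way to export a day of SharePoint Online file activity from the Office 365 audit log to CSV, so the records can be kept past the retention window mentioned above. This is an added example, not code from any of the posters. It assumes an Exchange Online PowerShell session is already connected with an audit log role; the `$OutDir` folder, the file naming and the one-day window are illustrative choices.

```powershell
# Added example: daily export of SharePoint file-activity audit records.
# Assumes an Exchange Online PowerShell session is already connected and the
# account holds an audit log role. $OutDir is a hypothetical archive folder.
param(
    [datetime]$Day    = (Get-Date).Date.AddDays(-1),
    [string]  $OutDir = '.\o365-audit-archive'
)

$start     = $Day.Date
$end       = $start.AddDays(1)
$sessionId = "spo-export-$($start.ToString('yyyyMMdd'))-$([guid]::NewGuid())"
$records   = New-Object System.Collections.Generic.List[object]

# Each call returns at most 5000 records. Reusing the same SessionId with
# ReturnLargeSet continues where the previous call stopped; an empty page
# means the set is exhausted. One session yields at most 50,000 records, so
# shrink the window if a single day produces more than that.
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -RecordType SharePointFileOperation `
                -SessionId $sessionId -SessionCommand ReturnLargeSet `
                -ResultSize 5000)
    foreach ($r in $page) { $records.Add($r) }
} while ($page.Count -gt 0)

# The detail of every event is a JSON document in the AuditData property.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTimeUtc = $d.CreationTime
        UserId          = $d.UserId
        Operation       = $d.Operation   # e.g. FileAccessed, FileDownloaded
        ClientIP        = $d.ClientIP
        SiteUrl         = $d.SiteUrl
        ObjectId        = $d.ObjectId    # full URL of the file or folder
        UserAgent       = $d.UserAgent
        RecordId        = $d.Id
    }
}

# ReturnLargeSet is unsorted and can repeat records: de-duplicate on the
# record Id, then order by time before writing the archive file.
$rows = $rows | Sort-Object RecordId -Unique | Sort-Object CreationTimeUtc

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir ("spo-audit-{0:yyyy-MM-dd}.csv" -f $start)
$rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

# Store a hash beside the export so later tampering with the archive shows up.
(Get-FileHash -Path $file -Algorithm SHA256).Hash | Set-Content "$file.sha256"
"{0} records written to {1}" -f @($rows).Count, $file
```

Run it once per day from a scheduled task; swapping the `-RecordType` value or dropping it widens the export to the other workloads the audit log covers.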
Nov 16 2018 02:58 PM
Nov 16 2018 03:02 PM
Well, maybe not best practice. But certainly strongly opinionated.