Experiencing a data breach can be one of the most challenging experiences for a company, especially for a security or IT team responsible for addressing the incident and leading the IT recovery. After a breach or a cyber-attack, understanding the full scope of what information was accessed and shared can be difficult but crucial to an investigation. Information about what emails or Microsoft Teams chats were accessed by a compromised user account can provide valuable information in a forensics investigation and can help in meeting regulatory or compliance requirements.
Advanced Audit in Microsoft 365 helps organizations to meet these regulatory, legal, and internal obligations by providing additional audit log events used in these investigations.
Historically, forensic investigations have centered around Exchange email and SharePoint content that might be accessed by an attacker, as well as what sensitive information might potentially be exposed. These email and SharePoint file and folder investigation events are supported by capabilities available in Advanced Audit.
Increasingly, an organization’s data is also stored in other Microsoft 365 services, including the communications and collaboration tools Microsoft Teams and Yammer, the survey tool Microsoft Forms, and the video platform Microsoft Stream. In case of a breach, organizations should be able to understand what actions an attacker took in these Microsoft 365 services, using tools that provide a detailed audit trail. Advanced Audit helps organizations meet these needs and their regulatory requirements.
Microsoft is excited to announce additional events for Advanced Audit from Microsoft 365 services. These additions include:
In Microsoft Teams
Message edits: shows when a user edited a message in a Teams chat or channel
Message deletes: shows when a user deleted a message in a Teams chat or channel
In Yammer
Created message: shows when a user created a message in a Yammer community
Update message: shows when a user updated a message in a Yammer community
Viewed message: shows when a user viewed a message in a Yammer community
Message Access Failure: shows when a user failed to access a message in a Yammer community
File Access Failure: shows when a user failed to access a file in a Yammer community
In Microsoft Forms
Listed forms: shows when a form owner views a list of forms
Updated form setting: shows when a form owner updates one or multiple form settings
Enabled anyone can respond setting: shows when a form owner turns on the setting allowing anyone to respond to the form
Disabled anyone can respond setting: shows when a form owner turns off the setting allowing anyone to respond to the form
Enabled people in my organization collaboration: shows when a form owner turns on the setting allowing users in the current organization to view and edit the form
In Microsoft Stream
Channel view: shows when a user viewed a Stream channel
Group view: shows when a user viewed a Stream group
Get transcript: shows when a user retrieved a Stream transcript
Get text track: shows when a user retrieved a Stream text track
Get video: shows when a user failed to retrieve a Stream video
With these new events, Advanced Audit users gain better visibility into the activities taking place in their Microsoft 365 environment. The security or forensics teams have more insights and can better understand the sequence of user events in Microsoft Teams, Yammer, Forms or Stream. This additional insight helps in not just recreating a timeline of events, but in responding to regulatory requirements for data compromise.
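As an added illustration of the timeline work described above (not code from the original post or from Microsoft), the following script takes exported audit records, filters them to one compromised account, orders them by time and summarizes per-workload activity and failed accesses. The records are constructed samples using the common-schema field names of the Office 365 Management Activity API (CreationTime, UserId, Workload, Operation, ResultStatus); the Operation strings are placeholders assumed for the example, not the exact names each service emits.

```python
import json
from datetime import datetime

# Constructed sample records in the shape of the Management Activity API
# common schema. Operation names are illustrative placeholders, not the
# exact strings emitted by Teams, Yammer, Forms or Stream.
SAMPLE_RECORDS = json.dumps([
    {"CreationTime": "2021-06-01T09:12:00", "UserId": "alice@contoso.example",
     "Workload": "MicrosoftTeams", "Operation": "MessageEdited", "ResultStatus": "Succeeded"},
    {"CreationTime": "2021-06-01T09:05:00", "UserId": "alice@contoso.example",
     "Workload": "Yammer", "Operation": "MessageAccessFailure", "ResultStatus": "Failed"},
    {"CreationTime": "2021-06-01T09:20:00", "UserId": "bob@contoso.example",
     "Workload": "MicrosoftForms", "Operation": "ListForms", "ResultStatus": "Succeeded"},
    {"CreationTime": "2021-06-01T09:30:00", "UserId": "alice@contoso.example",
     "Workload": "MicrosoftStream", "Operation": "GetTranscript", "ResultStatus": "Succeeded"},
    {"CreationTime": "2021-06-01T09:31:00", "UserId": "alice@contoso.example",
     "Workload": "MicrosoftForms", "Operation": "EnableAnyoneCanRespond", "ResultStatus": "Succeeded"},
])

# Placeholder operation names (assumed) for settings changes that widen who
# can reach content; an investigator wants these called out explicitly.
EXPOSURE_WIDENING = {"EnableAnyoneCanRespond"}


def build_timeline(records_json, user_id):
    """Return the given user's audit events sorted oldest first."""
    records = json.loads(records_json)
    mine = [r for r in records if r.get("UserId", "").lower() == user_id.lower()]
    mine.sort(key=lambda r: datetime.fromisoformat(r["CreationTime"]))
    return mine


def summarize(timeline):
    """Count events per workload and collect failed accesses and
    exposure-widening changes as (time, workload, operation) tuples."""
    per_workload, failures, widened = {}, [], []
    for r in timeline:
        per_workload[r["Workload"]] = per_workload.get(r["Workload"], 0) + 1
        entry = (r["CreationTime"], r["Workload"], r["Operation"])
        if r.get("ResultStatus") != "Succeeded":
            failures.append(entry)
        if r["Operation"] in EXPOSURE_WIDENING:
            widened.append(entry)
    return per_workload, failures, widened


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS, "alice@contoso.example")
    for r in tl:
        print(r["CreationTime"], r["Workload"], r["Operation"], r["ResultStatus"])
    print(summarize(tl))
```

In practice the JSON would come from an export of the unified audit log rather than the embedded sample.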
Review the full list of Microsoft 365 services that have audit events to support your forensic investigations here.
We are committed to helping organizations with their forensic investigation needs by delivering capabilities within Advanced Audit that seamlessly integrate with their workflow and provide the insight into user activities that they need.
We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Compliance Admin Center. By enabling the trial in the Compliance center, you can quickly start using all capabilities of Microsoft Compliance, including Insider Risk Management, Records Management, Advanced Audit, Advanced eDiscovery, Communications Compliance, Microsoft Information Protection, Data Loss Prevention, and Compliance Manager.
This trial is currently rolling out to tenants worldwide and you can learn more about it here.