Microsoft IPs in audit logs

%3CLINGO-SUB%20id%3D%22lingo-sub-1708102%22%20slang%3D%22en-US%22%3EMicrosoft%20IPs%20in%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1708102%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20investigating%20an%20incident%20and%20noticed%20that%20in%20many%20instances%20throughout%20the%20audit%20log%2C%20there%20is%20a%20Microsoft%20IP%20address%20associated%20with%20the%20action%20(in%20this%20case%20the%20action%20is%20%22FileAccessed%22).%20I'd%20like%20to%20know%20if%20this%20is%20some%20backend%20process%20that%20occurs%20automatically%20when%20using%20Sharepoint%2C%20or%20if%20this%20action%20originated%20from%20a%20user%2C%20but%20appears%20as%20a%20Microsoft%20IP%20due%20to%20some%20interaction%20with%20the%20server%2Fonedrive%2Fother%20process.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance%2C%20helping%20me%20with%20this%20example%20could%20help%20in%20a%20lot%20of%20other%20areas%20of%20this%20audit%20log%20investigation%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1708102%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EFiles%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

I'm investigating an incident and noticed that in many instances throughout the audit log, there is a Microsoft IP address associated with the action (in this case the action is "FileAccessed"). I'd like to know if this is some backend process that occurs automatically when using Sharepoint, or if this action originated from a user, but appears as a Microsoft IP due to some interaction with the server/onedrive/other process.

 

Thanks in advance, helping me with this example could help in a lot of other areas of this audit log investigation as well.

2 Replies
Run an audit log search
Go to https://protection.office.com.

Tip

Use a private browsing session (not a regular session) to access the Security & Compliance Center because this will prevent the credential that you are currently logged on with from being used. To open an InPrivate Browsing session in Internet Explorer or Microsoft Edge, just press CTRL+SHIFT+P. To open a private browsing session in Google Chrome (called an incognito window), press CTRL+SHIFT+N.

Sign in using your work or school account.

In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.

The Audit log search page is displayed.

Configure criteria and then click Search to run report

Note

You have to first turn on audit logging before you can run an audit log search. If the Start recording user and admin activity link is displayed, click it to turn on auditing. If you don't see this link, auditing has already been turned on for your organization.

Configure the following search criteria:

Activities: Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities displays results for all activities performed by the selected user or group of users.

Over 100 user and admin activities are logged in the audit log. Click the Audited activities tab at the topic of this article to see the descriptions of every activity in each of the different services.

Start date and End date: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.

Tip

If you're using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.

Users: Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.

File, folder, or site: Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces.

Leave this box blank to return entries for all files and folders in your organization.

Tip

If you're looking for all activities related to a site, add the wildcard symbol (*) after the URL to return all entries for that site; for example, "https://contoso-my.sharepoint.com/personal*".

If you're looking for all activities related to a file, add the wildcard symbol (*) before the file name to return all entries for that file; for example, "*Customer_Profitability_Sample.csv".

Click Search to run the search using your search criteria.

The search results are loaded, and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed. A maximum of 5,000 events will be displayed in the Results pane in increments of 150 events. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.

@Lewis-H thanks for the response. I have the full audit log already, I'm just curious about what the Microsoft IPs within it indicate. I see a combination of personal, company, and Microsoft IPs and I'm wondering whether the Microsoft IPs could indicate that the file was accessed by a person, or whether it is just a backend process that takes place when loading the page or something.