Thursday, June 15, 2017

Office 365 Investigating activity

Office 365 Enterprise 3 Mobility+ Security sounds good based on its features, but Microsoft has a long way to go on unified logging and searching. I will do my best to make it clear where to look and what you can find. Also note that you might as well look at all three sources to ensure you didn't miss something. Thanks, Microsoft.

Azure logs
https://portal.azure.com/
Azure logs can go back 30 days

Skype
Only shows Skype access via web browser; it does not log client access

OneDrive
Shows Web access
Shows client Sync Engine

Exchange
Client
Web Browser access

Sharepoint
Web browser access

Teams
Shows Application access, lists it as Windows 7 media center

Azure
Portal login


PowerShell Unified log search
You would think this has all the logs. WRONG
You only seem to be able to go back 15 days, even though you can specify 30

This is a favorite PS

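param (
    # IP address or pattern to search for; the default only applies when the parameter is not mandatory
    [string]$ip = "41.*",
    # Negative number of days to look back, e.g. -10
    [int]$days = $( Read-Host "Days in minus format -10" )
)

Write-Output "IP address" $ip
Write-Output " "
Write-Output "Days back" $days
Write-Output " "

# Search the unified audit log for the IP over the chosen window and show the results in a grid
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays($days) -EndDate (Get-Date) -IPAddresses $ip | Out-GridView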
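
Building on the search above, an added example (not from the original post) that pages through every result for an IP instead of a single page, then summarizes the activity per workload, operation and user. The function names and the sample records are made up for illustration; the AuditData field names follow the audit record's JSON.

```powershell
# Added example, not from the original post. The live search needs an
# Exchange Online PowerShell session; the sample at the bottom runs offline.
function Get-AuditRecordsByIp {
    param([string]$Ip, [int]$Days = -10)
    $session = [guid]::NewGuid().ToString()   # ties the pages of one search together
    $all = @()
    do {
        # ReturnLargeSet pages through the results, up to 5000 records per call
        $page = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays($Days) `
            -EndDate (Get-Date) -IPAddresses $Ip -ResultSize 5000 `
            -SessionId $session -SessionCommand ReturnLargeSet)
        $all += $page
    } while ($page.Count -gt 0)
    $all
}

function ConvertTo-AuditSummary {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    begin { $rows = @() }
    process {
        $d = $Record.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        $rows += [pscustomobject]@{
            Time = $Record.CreationDate; User = $d.UserId
            Workload = $d.Workload; Operation = $d.Operation
        }
    }
    end {
        # One line per workload/operation/user with first and last time seen
        $rows | Group-Object Workload, Operation, User | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Count = $_.Count; Activity = $_.Name
                First = $times[0]; Last = $times[-1]
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample records shaped like the cmdlet's output (not real data)
$json = '{{"UserId":"user@example.com","Workload":"{0}","Operation":"{1}","ClientIP":"203.0.113.7"}}'
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2017-06-10 08:01:00'; AuditData = $json -f 'Exchange', 'New-InboxRule' }
    [pscustomobject]@{ CreationDate = [datetime]'2017-06-10 08:05:00'; AuditData = $json -f 'OneDrive', 'FileDeleted' }
    [pscustomobject]@{ CreationDate = [datetime]'2017-06-11 09:30:00'; AuditData = $json -f 'OneDrive', 'FileDeleted' }
)
$sample | ConvertTo-AuditSummary | Format-Table -AutoSize
# Live use: Get-AuditRecordsByIp -Ip '203.0.113.7' | ConvertTo-AuditSummary
```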



Security and Investigation

Security & Investigation can go back 90 days

OneDrive
Shows details of copy, delete and modify actions, but not the contents

Email
Web changes, such as creating a new rule, are shown
