Office 365 log monitoring can be an effective strategy for achieving cloud security and for leveraging the newly generated log data to gain insights into user behaviour and insider threats. By Office 365 logs, we mean the logs generated by cloud-based Office 365 applications such as Azure Active Directory (AD), SharePoint, Exchange, Sway and eDiscovery. This article explains the benefits of exporting and analyzing those logs in a SIEM or with an MSSP, and what information can be extracted from them.
Benefits of Office 365 Log Monitoring
Unfortunately, the vast majority of organizations are at a loss when it comes to cloud security and are still discovering the possibilities and challenges of cloud environments. In fact, too many organizations are not aware of how cloud-based application logs can keep them informed about administrative-privilege use, end-user behavior, user access, log-in history (including log-in times and locations) and user sharing behavior.
Monitoring Office 365 logs offers a variety of benefits for organizations, including increased security maturity and enhanced detection capabilities of the kind traditionally provided by Data Loss Prevention (DLP) solutions. By monitoring and analyzing Office 365 security logs in a structured way, for example with Hitachi Systems Security’s ArkAngel platform, and following the control-based approach adopted at Hitachi, your organization can achieve greater security maturity and satisfy several of the 20 CIS Critical Security Controls, such as:
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring and Analysis of Audit Logs
- CSC 13: Data Protection
Examples of Office 365 Log Monitoring
Here are some examples of what can be detected by analyzing the logs extracted from Office 365 services:
- Azure AD: Logs generated by Azure AD, Microsoft’s cloud-based identity and access management application, deliver information about user maintenance, group maintenance and authority delegation.
- Exchange Online: Logs extracted from Exchange Online provide an audit trail of what administrators do, and much more. In this context, it is common knowledge that a majority of cybersecurity attacks originate from phishing emails. Analyzing Exchange logs can help determine which users were affected and how the attack propagated. In addition, Exchange logs can reveal whether users are looking at other users’ mailboxes, or when someone tries to synchronize their Outlook instance with somebody else’s folder. Just look for the string ‘FolderBind’ in the mailbox audit records and you will know.
- SharePoint: The web-based content management and storage platform SharePoint, which is strictly linked with OneDrive for Business, produces logs that report any operation performed on files. They help to report any instance of file access, file download or file sharing via a link with a person outside the organization. In the latter case, the logs will also report the email address that the file in question has been shared with.
- Other: Additional relevant Office 365 user activity logs relate to the use of Advanced eDiscovery, which is included with the Office 365 E5 license. The service can be abused to access data or information that must be kept confidential. Lastly, we cannot forget to mention the Office 365 Security and Compliance Center, which helps organizations identify deviations from regulatory standards and offers metrics to evaluate their security health.
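As an added example (not part of the article and not Hitachi's ArkAngel code), the two checks described above for Exchange and SharePoint, run over a constructed handful of unified audit log records. Note that FolderBind is also recorded for a mailbox owner's own access, so the check keeps only events where the acting user differs from the mailbox owner. Field names (Operation, UserId, MailboxOwnerUPN, LogonType, TargetUserOrGroupName, TargetUserOrGroupType, ObjectId) follow the Office 365 AuditData schema as assumed here; the internal domain list and all values are placeholders.

```python
import json

# Constructed sample export: one AuditData JSON object per line (values are made up).
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"Workload": "Exchange", "Operation": "FolderBind", "LogonType": 0,
                "UserId": "alice@example.com", "MailboxOwnerUPN": "alice@example.com",
                "Folder": {"Path": "\\Inbox"}, "ClientInfoString": "Client=OWA"}),
    json.dumps({"Workload": "Exchange", "Operation": "FolderBind", "LogonType": 2,
                "UserId": "bob@example.com", "MailboxOwnerUPN": "alice@example.com",
                "Folder": {"Path": "\\Inbox"}, "ClientInfoString": "Client=MSExchangeRPC"}),
    json.dumps({"Workload": "Exchange", "Operation": "FolderBind", "LogonType": 1,
                "UserId": "admin@example.com", "MailboxOwnerUPN": "ceo@example.com",
                "Folder": {"Path": "\\Sent Items"}, "ClientInfoString": "Client=OWA"}),
    json.dumps({"Workload": "SharePoint", "Operation": "SharingInvitationCreated",
                "UserId": "alice@example.com", "TargetUserOrGroupType": "Guest",
                "TargetUserOrGroupName": "someone@partner-example.net",
                "ObjectId": "https://contoso.example/sites/hr/Salaries.xlsx"}),
    json.dumps({"Workload": "SharePoint", "Operation": "FileAccessed",
                "UserId": "alice@example.com",
                "ObjectId": "https://contoso.example/sites/hr/Salaries.xlsx"}),
])

LOGON_TYPE = {0: "Owner", 1: "Admin", 2: "Delegate"}   # Exchange mailbox audit LogonType values
INTERNAL_DOMAINS = {"example.com"}                      # assumption: the organisation's own domains
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}

def parse_audit_export(text):
    """Parse a line-delimited AuditData export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def non_owner_folder_binds(records):
    """FolderBind events where the acting user is not the mailbox owner (delegate/admin access)."""
    hits = []
    for r in records:
        if r.get("Operation") != "FolderBind":
            continue
        actor, owner = r.get("UserId", "").lower(), r.get("MailboxOwnerUPN", "").lower()
        if actor and owner and actor != owner:
            hits.append({"actor": actor, "mailbox": owner,
                         "logon_type": LOGON_TYPE.get(r.get("LogonType"), "Unknown"),
                         "folder": r.get("Folder", {}).get("Path", ""),
                         "client": r.get("ClientInfoString", "")})
    return hits

def external_shares(records, internal_domains=INTERNAL_DOMAINS):
    """Sharing events whose target is a guest, an anonymous link, or an address outside our domains."""
    hits = []
    for r in records:
        op = r.get("Operation")
        if op not in SHARING_OPS:
            continue
        target = r.get("TargetUserOrGroupName", "")
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        external = (op == "AnonymousLinkCreated" or r.get("TargetUserOrGroupType") == "Guest"
                    or (domain != "" and domain not in internal_domains))
        if external:
            hits.append({"sharer": r.get("UserId", ""), "target": target or "<anonymous link>",
                         "object": r.get("ObjectId", ""), "operation": op})
    return hits
```

Both functions return plain dicts so the results can be fed to a SIEM rule or a report without further parsing.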
Benefits of Using a Third-Party Entity for Office 365 Log Monitoring
As explained above, Office 365 itself does a very good job in terms of auditing. Unfortunately, the Office 365 portal for viewing logs has very limited functionality when it comes to searching (limited options), exporting (limited to 10,000 logs) and archiving (only possible for up to 90 days). Office 365 log monitoring services offered by third-party entities address these shortcomings and enable organizations to search better, export more logs and archive logs for longer periods of time. From a security perspective, it is considered best practice not to keep the logs within the same system that generated them, because logs can be modified by users with privileged rights. By engaging a third-party system to store and analyze log data, your organization can overcome this shortcoming.
To make sure that your cloud-based application remains secure and protected against data theft, security breaches and cyber attacks, Office 365 log monitoring represents an effective strategy to achieve cloud security and leverage the newly-generated log data that would otherwise be left untouched. Hitachi Systems Security has built an Office 365 Cloud Connector as part of our ArkAngel platform to meet today’s sophisticated cloud security requirements for Office 365 users. Curious about how it works? Get in touch with us today to learn more!