Auditing and Reporting for Office 365
Transcript of Auditing and Reporting for Office 365
AWARD WINNING EXCHANGE & OFFICE 365 MANAGEMENT
Find us!
• @enowconsulting
• ENow Software
• ENowSoftware
• ENowSoftware.com
About ENow
• Microsoft Silver ISV & Messaging Microsoft Partner
• Focused on building software solutions that simplify the life of IT administrators
• Software architected by MVPs with >15 years experience in high-end Microsoft consulting and management
• Customers in over 60 countries
About the speaker – Nathan O’Bryan
MVP: Office Servers and Services
MCSM: Messaging
Consultant @ SPS http://www.spscom.com
@MCSMLab http://www.mcsmlab.com
Introduction
• Auditing and reporting is important to any organization
• Office 365 is a collection of different resources, all developed separately
• Microsoft is working toward a unified auditing and reporting system, but they are not there yet
Auditing and Reporting
• In Office 365, auditing and reporting is broken into two groups
  • Exchange
  • Everything else
• “Everything else” is far behind Exchange for auditing and reporting features
• All auditing and reporting in Office 365 requires Exchange in your tenant
• Microsoft is working on bringing “everything else” up to the auditing and reporting standards of Exchange
Mailbox Auditing
• Mailbox auditing is about figuring out who did what and when they did it
• First introduced in Exchange 2007 SP2
• 3 types of mailbox auditing
  • Owner
  • Delegates
  • Administrator
• Mailbox auditing is not on by default
Demo 1 – Enable Mailbox Auditing
• Verify mailbox auditing is on for a mailbox
• Verify mailbox auditing is on for multiple mailboxes
• Turn mailbox auditing on
• Verify what actions are being audited
Mailbox actions logged

| Action | Description | Admin | Delegate | Owner |
|---|---|---|---|---|
| Copy | An item is copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that message or folder creation isn't audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder is accessed. | Yes* | Yes | No |
| HardDelete | An item is deleted permanently from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | An item is accessed in the reading pane or opened. | Yes | No | No |
| Move | An item is moved to another folder. | Yes* | Yes | Yes |
| MoveToDeletedItems | An item is moved to the Deleted Items folder. | Yes* | Yes | Yes |
| SendAs | A message is sent using Send As permissions. | Yes* | Yes* | No |
| SendOnBehalf | A message is sent using Send on Behalf permissions. | Yes* | Yes | No |
| SoftDelete | An item is deleted from the Deleted Items folder. | Yes* | Yes* | Yes |
| Update | An item's properties are updated. | Yes* | Yes* | Yes |

* Audited by default if auditing is enabled for a mailbox.
Demo 2 – Configuring Mailbox Auditing
• Set what actions are audited
• Set audit log age limit
• Determine size of mailbox audit log
• Delete mailbox audit log entries
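The checks and settings listed for Demo 1 and Demo 2, as an added example that is not taken from the slides or the speaker's demo. It assumes a connected Exchange Online PowerShell session; the mailbox address and the 180-day retention value are placeholders.

```powershell
# Added example (not from the slides). Assumes a connected Exchange Online
# PowerShell session; user@contoso.example is a placeholder mailbox.
$mbx = 'user@contoso.example'

# Demo 1: is auditing on for one mailbox, and which actions are audited?
Get-Mailbox -Identity $mbx |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# Same check across the tenant: collect mailboxes where auditing is still off.
$notAudited = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled }
$notAudited | Select-Object DisplayName, PrimarySmtpAddress

# Turn auditing on for each mailbox found above.
foreach ($m in $notAudited) {
    Set-Mailbox -Identity $m.PrimarySmtpAddress -AuditEnabled $true
}

# Demo 2: set the audited actions per logon type. Owner actions and the admin
# Copy action carry no asterisk in the table above, so they are named explicitly.
Set-Mailbox -Identity $mbx `
    -AuditOwner MailboxLogin, Create, HardDelete, SoftDelete, Move, MoveToDeletedItems, Update `
    -AuditDelegate Create, FolderBind, SendAs, SendOnBehalf, HardDelete, SoftDelete, Move, MoveToDeletedItems, Update `
    -AuditAdmin Copy, Create, FolderBind, SendAs, SendOnBehalf, HardDelete, SoftDelete, Move, MoveToDeletedItems, Update

# Keep audit entries for 180 days (dd.hh:mm:ss); the value is an example.
Set-Mailbox -Identity $mbx -AuditLogAgeLimit '180.00:00:00'

# Size of the audit log: entries live in the Audits subfolder of Recoverable Items.
Get-MailboxFolderStatistics -Identity $mbx -FolderScope RecoverableItems |
    Where-Object { $_.Name -eq 'Audits' } |
    Select-Object Name, ItemsInFolder, FolderSize
```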
Demo 3 – Searching Mailbox Audit Log
• Search mailbox audit log
• Search for limited results
• Search for specific actions on specific dates
• Start mailbox audit log report
• Search for external access
• Show running audit log searches
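One way to run the searches listed for Demo 3, as an added example that is not taken from the slides or the speaker's demo. It assumes a connected Exchange Online PowerShell session with mailbox auditing already enabled; the addresses, search name and date window are placeholders.

```powershell
# Added example (not from the slides). Assumes a connected Exchange Online
# PowerShell session; addresses, names and dates are placeholders.
$mbx   = 'user@contoso.example'
$start = (Get-Date).AddDays(-14)
$end   = Get-Date

# Non-owner access to one mailbox in the window, one row per audited action,
# limited to 500 rows.
$entries = Search-MailboxAuditLog -Identity $mbx -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end -ShowDetails -ResultSize 500

# Specific actions on those dates: deletions and Send As by a non-owner.
$entries |
    Where-Object { $_.Operation -in 'HardDelete', 'SoftDelete', 'SendAs' } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, FolderPathName, ItemSubject

# Triage view: which accounts perform which operations most often.
$entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Start an asynchronous audit log report for external access; the result is
# mailed to the reviewer when the search completes.
New-MailboxAuditLogSearch -Name 'External access review' -ExternalAccess $true `
    -StartDate $start -EndDate $end -StatusMailRecipients 'auditor@contoso.example'

# Show audit log searches that have been submitted.
Get-AuditLogSearch | Format-List
```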
Auditing across Office 365 applications
• Recently Microsoft has added more auditing and reporting around SharePoint Online and OneDrive
• Office 365 compliance center
• Search-UnifiedAuditLog
  • AzureActiveDirectory
  • AzureActiveDirectoryAccountLogon
  • ExchangeAdmin
  • ExchangeItem
  • ExchangeItemGroup
  • SharePoint
  • SharePointFileOperation
Audit Storage Architecture
Demo 4 – Search Unified Audit Log
• Search unified audit log
• Convert audit data from JSON format
• Search for SharePoint file operations
• Search for Azure AD operations
• Search for Azure AD account login operations
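The unified audit log searches listed for Demo 4, with the JSON conversion step, as an added example that is not taken from the slides or the speaker's demo. It assumes a connected Exchange Online PowerShell session with permission to search the unified audit log; the function name Get-UnifiedAuditEvent and the seven-day window are choices made for this example.

```powershell
# Added example (not from the slides). Get-UnifiedAuditEvent is a helper
# defined here, not a built-in cmdlet.
function Get-UnifiedAuditEvent {
    param(
        [Parameter(Mandatory)] [string] $RecordType,
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date)
    )
    # Returns at most 1000 rows per call; narrow the dates if that is reached.
    Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType $RecordType -ResultSize 1000 |
        ForEach-Object {
            # AuditData arrives as a JSON string; expand it into an object.
            $data = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Time      = $_.CreationDate
                User      = $_.UserIds
                Operation = $_.Operations
                Workload  = $data.Workload
                ClientIP  = $data.ClientIP
                ObjectId  = $data.ObjectId
            }
        }
}

# SharePoint Online and OneDrive file operations, oldest first.
Get-UnifiedAuditEvent -RecordType SharePointFileOperation |
    Sort-Object Time | Format-Table -AutoSize

# Azure AD operations, counted by operation name.
Get-UnifiedAuditEvent -RecordType AzureActiveDirectory |
    Group-Object Operation | Sort-Object Count -Descending | Select-Object Count, Name

# Azure AD account logons, counted per user and client IP.
Get-UnifiedAuditEvent -RecordType AzureActiveDirectoryAccountLogon |
    Group-Object User, ClientIP | Sort-Object Count -Descending | Select-Object Count, Name
```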
Reporting web service

| Office 365 Reporting web service reference page | Office 365 reporting-related Windows PowerShell cmdlets |
|---|---|
| CsActiveUser* reports | Get-CsAVConferenceTimeReport |
| CsAVConferenceTime* reports | Get-CsActiveUserReport |
| CsConference* reports | Get-CsConferenceReport |
| CsP2PAVTime* reports | Get-CsP2PAVTimeReport |
| CsP2PSession* reports | Get-CsP2PSessionReport |
| ConnectionbyClientType* reports | Get-ConnectionByClientTypeReport |
| ConnectionbyClientTypeDetail* reports | Get-ConnectionByClientTypeDetailReport |
| GroupActivity* reports | Get-GroupActivityReport |
| MailboxActivity* reports | Get-MailboxActivityReport |
| MailboxUsage report | Get-MailboxUsageReport |
| MailboxUsageDetail report | Get-MailboxUsageDetailReport |
| MailDetail report | Get-MailDetailReport |
| MailDetailDlpPolicy report | Get-MailDetailDlpPolicyReport |
| MailDetailMalware report | Get-MailDetailMalwareReport |
| MailDetailSpam report | Get-MailDetailSpamReport |
| MailDetailTransportRule report | Get-MailDetailTransportRuleReport |
| MailFilterList report | Get-MailFilterListReport |
| MailTraffic report | Get-MailTrafficReport |
| MailTrafficPolicy report | Get-MailTrafficPolicyReport |
| MailTrafficSummary reports | Get-MailTrafficSummaryReport |
| MailTrafficTop report | Get-MailTrafficTopReport |
| MessageTrace report | Get-MessageTrace |
| MessageTraceDetail report | Get-MessageTraceDetail |
| MxRecordReport report | Get-MxRecordReport |
| OutboundConnectorReport report | Get-OutboundConnectorReport |
| ServiceDeliveryReport report | Get-ServiceDeliveryReport |
| StaleMailbox report | Get-StaleMailboxReport |
| StaleMailboxDetail report | Get-StaleMailboxDetailReport |
Demo 5 – Reporting Web Service
• MX record report
• Outbound connector report
• Mail traffic summary report
• Stale mailbox detail report
• Connection by client type report
• AV conference time report
Security & Compliance Center
• Intended to be a single portal for all Security & Compliance administration needs
• Work in progress
Demo 6 – Security & Compliance Center
• Separate PowerShell connection
• Available commands
• Reports
• Compliance Search
Accessing GUI Mailbox Audit Reports
• EAC > Compliance Management > Auditing
• Office 365 Compliance Center
Demo 7 – Office 365 GUI reports
Summary
• PowerShell is the best native way to get information out of Office 365 auditing and reporting
• Office 365 canned reports are not currently very flexible
• PowerShell reports may not be acceptable for management