Office 365 Audit and Compliance Now Available
Getting to know Microsoft audit data
Today we released our Office 365 Audit and Compliance module that lets you dig deep into the audit data collected by Microsoft. Activities across the Office 365 tenant, including in Azure, Exchange and other services, generate entries in the Office 365 audit log. Our new module collects those events and provides powerful analysis capability.
Over the course of the next few blogs I’ll explain how you can run queries against this audit data and discover valuable information about actions taking place both in your tenant at an ‘admin’ level and against files and services too.
In this first blog, let’s take a look at the user interface, because understanding it will help with the future blog posts.
Once you’ve signed up for the Office 365 Audit and Compliance module, we register with Microsoft to receive audit data from them. It’s sent to us automatically over a secure connection. When an activity takes place, such as someone changing a mailbox quota, or enabling a personal archive, or even moving a file in OneDrive for Business, an audit event is created and made available to us.
We store this indefinitely, which means that even after 90 days (when Microsoft removes the data) we still have it available to you. These events are not instant though, which is something to bear in mind when reviewing the data that has been collected. The other thing to bear in mind is that the data is only available from the time you sign up. Capture starts ‘now’, at the point you allow us to capture audit events; actions which took place yesterday, or in the previous week, aren’t available to us.
After a few days of data collection, when you go to the ‘Auditing’ entry in our application you’ll see charts like this:
The user interface is divided into three areas:
- Audited events chart
- Overall audited events information
This is where you build queries to search the audit data. We’ll cover that more in a future blog post, and cover several examples then too.
Audited events chart
This is a stacked bar chart of the number of captured events over the last 7 days, including today. This means that as you go through the day you’re likely to see the right-most bar growing.
Overall audited events information
The final two charts show the breakdown of audited events by workload, and by sub-Operation, since auditing was enabled on your Cloudficient tenant.
Performing a query
Let’s perform a really simple query. In the ‘Workload’ drop down list choose ‘Azure Active Directory’, and then click on the ‘Search’ button.
Almost immediately you will see two important things. Firstly, the ‘Audited events chart’ will change to reflect your query. In this case it will now show just ‘Azure Active Directory’ event counts for the last week. If you change the date range, or add in other query parameters and search again, it’ll update again to reflect those changes. Secondly, beneath the chart there will now be a timeline view of the audit data.
The timeline view is a super-simple way of visualising the key events, starting with the most recent events. You can expand these events using the small arrow highlighted in this screenshot:
When expanded, different audit events will have different additional attributes. The one above looks like this:
Switching to the data grid view
Just above the timeline view is a button which lets you switch to the data grid view. This view lets you perform some additional real-time filtering on your results. In the above example of searching Azure Active Directory you might want to filter on a specific UPN to see activities which took place on that user. From the data grid you can also view the detailed information; this time it appears in a pop-up.
The data grid view lets you produce a PDF containing your query details, any comments that you might have added, and the results of the query. This is useful to provide in the case of discovery-type searches that you might need to perform from time to time.
That’s about it for the overview of our Audit and Compliance module. Look out for the next few blogs where we’ll go into some examples of using the module and cover some of the additional features too!
We provide an extended free trial; feel free to register with your Office 365 credentials.