
Securing Office 365 with Activity Monitoring


As organizations move their data to the cloud, business users are using a growing number of devices to be productive in their day-to-day work. As a result, many enterprises are facing new challenges in information security and compliance. Office 365 provides a robust set of features to help protect and secure corporate data. One of those capabilities is Office 365 Activity Monitoring, which allows you to monitor the actions of a particular user across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory. It also allows you to issue very detailed reports on those activities, which can facilitate investigations into security incidents. This session will review this new capability within Office 365 Activity Monitoring and discuss how it can help secure your cloud environment.


  1. Securing Office 365 with Activity Monitoring
      Thank you for joining our webinar! We will begin shortly.
  2. Introduction
      • ‘30 on Thursday’ Series
      • Bi-weekly 30 minute webinar series
      • Next Webinar: October 22: “Building Nintex Mobile Apps”
      • Full Schedule: SharePoint.Protiviti.com/Webinars
  3. Live Tweeting!
      Tweet us your questions & feedback during the webinar! Tweet @ProtivitiSP and use #30TOffice365
  4. Today’s Session
      • Today’s session is being recorded
      • Archive of past sessions: SharePoint.Protiviti.com/ArchivedWebinars
      • Questions - Use the Question Window or tweet us your questions @ProtivitiSP using #30TOffice365
  5. Session Overview
      • Topic: Securing Office 365 with Activity Monitoring
      • Presenter: Antonio Maio, SharePoint MVP
      • Moderator: Julia Marple, Protiviti
  6. LET’S GET STARTED!
  7. Why Monitor and Audit Our Systems?
      • Meet Regulatory Compliance Obligations
      • Investigate Data Breaches
      • Audit Access to Sensitive Content
  8. Office 365 Activity Monitoring Capabilities
      1. Office 365 Activity Report
      2. Comprehensive Event Logging
      3. Search PowerShell Cmdlet
      4. Management Activity API
  9. 1. Office 365 Activity Report
      • Log in to Office 365
      • Navigate to Admin > Compliance Center > Reports > Office 365 Activity Report
  10. 1. Office 365 Activity Report
      • Search across SharePoint Online, OneDrive for Business, Exchange Online, Azure AD
      • Search by users, file, folder, site, by date range
      • Search by type of activity
      • View Activity Details (Details Pane)
      • Run Report on Demand
      • Export results to CSV
  11. 1. Office 365 Activity Report
      • With each event, up to 37 event properties are logged: Actor, ClientIP, ClientProcessName, CreationTime, DestinationFileExtension, DestinationFileName, DestinationRelativeUrl, EventSource, ExternalAccess, SourceFileName, SourceRelativeUrl, Subject, Target, UserAgent, UserID, UserKey, UserSharedWith, UserType, Workload, ID, InternalLogonType, ItemType, LogonType, MailboxGuid, MailboxOwnerUPN, ModifiedProperties, ObjectID, Operation, OrganizationID, Path, Parameters, RecordType, ResultStatus, SharingType, Site, SiteUrl, SourceFileExtension
  12. 2. Comprehensive Event Logging
      • User and administrator events are logged as users work within Office 365
      • Over 150 events logged (Ex. view a file, mailbox owner activities, Azure AD login, etc.)
      • 9 Event Categories
          • Exchange admin events
          • Exchange mailbox events
          • File and folder events (SharePoint and OneDrive for Business)
          • Invitation and access request events (SharePoint and OneDrive for Business)
          • Sharing events (SharePoint and OneDrive for Business)
          • Site administration events (SharePoint and OneDrive for Business)
          • Synchronization events (SharePoint and OneDrive for Business)
          • Azure Active Directory events (Admin Activity and User Login)
  13. 2. Comprehensive Event Logging
      • Example: File and Folder Events

      | Event | Friendly name | Description |
      |---|---|---|
      | FileCheckedIn | File checked in | User checks in a document that they checked out from a SharePoint or OneDrive for Business document library. |
      | FileCheckedOut | File checked out | User checks out a document located in a SharePoint or OneDrive for Business document library. Users can check out and make changes to documents that have been shared with them. |
      | FileCheckOutDiscarded | File checkout discarded | User discards (or undoes) a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library. |
      | FileCopied | File copied | User copies a document from a SharePoint or OneDrive for Business site. The copied file can be saved to another folder on the site. |
      | FileDeleted | File deleted | User deletes a document from a SharePoint or OneDrive for Business site. |
      | FileDownloaded | File downloaded | User downloads a document from a SharePoint or OneDrive for Business site. |
      | FileFetched | File accessed | User or system account accesses a file. When a user or the system performs an operation on a file, the file has to be located and accessed. The FileFetched event indicates that retrieval action. Note that many file and folder related events will have one or more corresponding FileFetched log entries. |
      | FileModified | File modified | User or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site. |
      | FileMoved | File moved | User moves a document from its current location on a SharePoint or OneDrive for Business site to a new location. |
      | FileRenamed | File renamed | User renames a document on a SharePoint or OneDrive for Business site. |
      | FileRestored | File restored | User restores a document from the recycle bin of a SharePoint or OneDrive for Business site. |
      | FileUploaded | File uploaded | User uploads a document to a folder on a SharePoint or OneDrive for Business site. |
      | FileViewed | File viewed | User views a document on a SharePoint or OneDrive for Business site. System accounts can also generate FileViewed events. |
  14. 2. Comprehensive Event Logging
      • Example: Sharing Events

      | Event | Friendly name | Description |
      |---|---|---|
      | ExternalSharingSet | File or folder shared with external user | User shares a file or folder located in SharePoint or OneDrive for Business with a user outside their organization. |
      | SharedLinkCreated | Sharing link created | User creates a link to a shared file in SharePoint or OneDrive for Business. This link can be sent to other people to give them access to the file. A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file. |
      | SharedLinkDisabled | Sharing link disabled | User disables (permanently) a link that was created to share a file. |
      | SharingRevoked | File or folder unshared | User unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users. |
      | SharingSet | File or folder shared | User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization. |
  15. 3. Search PowerShell Cmdlet
      • PowerShell Cmdlet: Search-UnifiedAuditLog
      Examples:
          Search-UnifiedAuditLog -StartDate "September 1, 2015" -EndDate "September 30, 2015"
          Search-UnifiedAuditLog -StartDate 9/1/2015 -EndDate 9/30/2015 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx
      • Script searches of the event logs, looking for specific details
      • Export logs to a file
      • Automate searches and reporting
  16. 4. Management Activity API (*Limited Preview)
      • Integrate Office 365 activity data into internal or 3rd party security and compliance monitoring and reporting solutions
      • Grant rights for your application to access event data using Azure AD: Register the application in Azure AD to establish an identity for your application and specify the permission levels it needs in order to access the APIs.
      • Let the Office 365 service know if your application has rights to access it: Office 365 tenant admin must explicitly grant consent to allow your application to access their tenant data through the APIs.
      • Request Access Tokens from Azure AD: Using the application’s credentials (as in Azure AD) the application will request “app-only” access tokens for a consented tenant on an ongoing basis, without the need for further tenant admin interaction.
      • Start Calling the Management API: Subscribe to content types; Receive notifications when content is available; Retrieve content as JSON
      *During the limited preview period only registered participants may actually retrieve data through the API.
  17. In Summary
      • Activity Monitoring/Reporting is just 1 aspect of Securing Information Systems
      • Key Drivers for Monitoring Activity and Auditing our Systems:
          • Enhance Compliance with Regulatory Standards
          • Enhance Access Control and Visibility into User Activity related to Content
          • Enable Detailed Investigations
      • Provides deep visibility into user activity & integration with internal/3rd party tools
          • SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
          • Accessed through the Office 365 Compliance Center
          • Some reports also accessed through Exchange Audit Reports and Azure AD Audit Reports
      *Slides will be available on my blog at www.trustsharepoint.com.
  18. Questions
      • Antonio Maio, Antonio.Maio@protiviti.com, @AntonioMaio2
      • SharePoint.Protiviti.com/Webinars
      • Julia Marple, Julia.Marple@protiviti.com, @ProtivitiSP
  19. Thank You!
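
An added example, not part of the original slides: once audit records have been retrieved as JSON (slide 16), the sharing and file events from slides 13 and 14 can be triaged with a short script. The record layout, the `CreationTime` format, the thresholds and all sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not tenant data). Keys are lower-cased on load because
# the slides spell them UserID/ObjectID; the exact JSON spelling is an assumption.
SAMPLE = json.dumps([
    {"CreationTime": "2015-09-14T09:00:00", "Operation": "ExternalSharingSet",
     "UserId": "alice@example.com", "ObjectId": "/sites/hr/payroll.xlsx"},
    {"CreationTime": "2015-09-14T09:05:00", "Operation": "SharedLinkCreated",
     "UserId": "bob@example.com", "ObjectId": "/sites/fin/q3.docx"},
    {"CreationTime": "2015-09-14T09:30:00", "Operation": "SharedLinkDisabled",
     "UserId": "bob@example.com", "ObjectId": "/sites/fin/q3.docx"},
] + [
    {"CreationTime": f"2015-09-14T10:0{i}:00", "Operation": "FileDownloaded",
     "UserID": "carol@example.com", "ObjectID": f"/sites/rd/design{i}.docx"}
    for i in range(5)
])

# Each close event cancels only its matching open event.
CLOSED_BY = {"SharingRevoked": "ExternalSharingSet", "SharedLinkDisabled": "SharedLinkCreated"}

def load(blob):
    """Parse a JSON array of audit records and sort them by CreationTime."""
    recs = [{k.lower(): v for k, v in r.items()} for r in json.loads(blob)]
    for r in recs:
        r["when"] = datetime.fromisoformat(r["creationtime"])
    return sorted(recs, key=lambda r: r["when"])

def open_shares(recs):
    """Map (object, share event) -> user for shares with no later matching close."""
    state = {}
    for r in recs:
        op, obj = r["operation"], r["objectid"]
        if op in CLOSED_BY.values():
            state[(obj, op)] = r["userid"]
        elif op in CLOSED_BY:
            state.pop((obj, CLOSED_BY[op]), None)
    return state

def bulk_downloads(recs, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` FileDownloaded events inside one window."""
    recent, flagged = {}, set()
    for r in (r for r in recs if r["operation"] == "FileDownloaded"):
        user, cutoff = r["userid"], r["when"] - window
        recent[user] = [t for t in recent.get(user, []) if t >= cutoff] + [r["when"]]
        if len(recent[user]) >= threshold:
            flagged.add(user)
    return flagged

print(open_shares(load(SAMPLE)), bulk_downloads(load(SAMPLE)))
```

`open_shares` only sees shares created inside the searched date range, so a short range under-reports exposure that began earlier.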
