
Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016


As organizations move their data to the cloud, business users are using a growing number of devices to be productive in their day-to-day work. As a result, many enterprises are facing new challenges in information security and compliance. Office 365 provides a robust set of features to help protect and secure corporate data, including Office 365 Activity Monitoring, which allows you to monitor the actions of a particular user across SharePoint Online, OneDrive for Business, Exchange Online and Azure Active Directory. It also allows you to issue very detailed reports on those activities, facilitating investigations into security incidents. This session will review this new Office 365 capability and discuss how Activity Monitoring can help you secure your cloud environment.


  1. Securing Office 365 with Activity Monitoring
     Antonio Maio, Protiviti Senior Manager, Microsoft Office 365 & Office Services MVP
     Email: antonio.maio@protiviti.com | Twitter: @AntonioMaio2 | Blog: www.TrustSharePoint.com
  2. Who are We
     3,300 professionals; 70+ offices in over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific; revenue of more than $743 million in 2015.
     Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
  3. Office 365 Security
     • Encrypted Storage/Fort Knox
     • SSL/TLS Communication
     • Information Rights Management
     • Retention Policies
     • Activity Monitoring
     • Data Loss Prevention
     • Audit Reports
     • External Sharing Controls
     • SharePoint Permissions
  4. Activity Monitoring – What's it all about?
     • Recording & maintaining a log of our users' activity within a system
     • Reviewing user actions
       • Who is accessing sensitive content?
       • What are users doing with corporate content & systems?
       • Are users following corporate policy?
     • Forensic Investigation
       • Investigating data leaks or breaches
  5. Why Monitor User Activity?
  6. Who downloaded those credit card numbers?
  7. I swear I didn't delete that document!?
  8. How did he get access?
  9. Why Monitor Our Systems?
     • Audit user activity to meet regulatory compliance obligations
     • Protect against insider threats, inadvertent or malicious
     • Investigate data breaches
       • Find root cause – improve security, seal the leak, prevent future leaks
       • Gather evidence – legal cases or employee actions
       • Report data breaches – data quantity, data types, exposure time
  10. Does it make our systems more secure? YES – with the appropriate policies and procedures!
     • Quarterly access reviews for privileged users
     • Annual access reviews for all users
     • Understand data retention requirements
     • Automated notifications
     • Monitor what you need – avoid noise!
  11. Office 365 Activity Monitoring Capabilities
     1. Office 365 Activity Report
     2. Comprehensive Event Logging
     3. Search PowerShell Cmdlet
     4. Management Activity API
  12. 1. Office 365 Activity Report
     • Log in to Office 365
     • Click App Launcher > Navigate to Admin
     • Click Security > Reports > Office 365 Activity Report
  13. 1. Office 365 Activity Report
     • Search across SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
     • Search by type of activity
     • Search by date range, users, file, folder, site, by
     • View Activity Details (Details Pane)
     • Run Report on Demand
     • Export results to CSV
  14. 2. Comprehensive Event Logging
     • User and administrator events are logged as users work within Office 365
     • Over 100 events logged (e.g. view a file, mailbox owner activities, Azure AD login, etc.)
     • 10 Event/Activity Categories:
       • File and folder events (SharePoint and OneDrive for Business)
       • Sharing events (SharePoint and OneDrive for Business)
       • Synchronization events (SharePoint and OneDrive for Business)
       • Site administration events (SharePoint and OneDrive for Business)
       • Exchange mailbox events
       • User administration events
       • Group administration events
       • Application administration events
       • Role administration events
       • Directory administration events
  15. 2. Comprehensive Event Logging
     • With each event, up to 37 event properties are logged:
       Actor, ClientIP, ClientProcessName, CreationTime, DestinationFileExtension, DestinationFileName, DestinationRelativeUrl, EventSource, ExternalAccess, SourceFileName, SourceRelativeUrl, Subject, Target, UserAgent, UserID, UserKey, UserSharedWith, UserType, Workload, ID, InternalLogonType, ItemType, LogonType, MailboxGuid, MailboxOwnerUPN, ModifiedProperties, ObjectID, Operation, OrganizationID, Path, Parameters, RecordType, ResultStatus, SharingType, Site, SiteUrl, SourceFileExtension
  16. 2. File and Folder Events

     | Friendly name | Operation | Description |
     |---|---|---|
     | Accessed file | FileAccessed | User or system account accesses a file. |
     | Checked in file | FileCheckedIn | User checks in a document that they checked out from a document library. |
     | Checked out file | FileCheckedOut | User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them. |
     | Copied file | FileCopied | User copies a document from a site. The copied file can be saved to another folder on the site. |
     | Deleted file | FileDeleted | User deletes a document from a site. |
     | Discarded file checkout | FileCheckOutDiscarded | User discards (or undoes) a checked-out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library. |
     | Downloaded file | FileDownloaded | User downloads a document from a site. |
     | Modified file | FileModified | User or system account modifies the content or the properties of a document located on a site. |
     | Moved file | FileMoved | User moves a document from its current location on a site to a new location. |
     | Renamed file | FileRenamed | User renames a document on a site. |
     | Restored file | FileRestored | User restores a document from the recycle bin of a site. |
     | Uploaded file | FileUploaded | User uploads a document to a folder on a site. |
  17. 2. Sharing Events

     | Friendly name | Operation | Description |
     |---|---|---|
     | Accepted access request | AccessRequestAccepted | An access request to a site, folder, or document was accepted and the requesting user has been granted access. |
     | Accepted sharing invitation | SharingInvitationAccepted | User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource. |
     | Created a company-wide link * | CompanyLinkCreated | User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can't be used by guests. |
     | Created access request | AccessRequestCreated | User requests access to a site, folder, or document they don't have permissions to access. |
     | Created an anonymous link * | AnonymousLinkCreated | User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated. |
     | Created sharing invitation | SharingInvitationCreated | User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory. |
     | Denied access request | AccessRequestDenied | An access request to a site, folder, or document was denied. |
     | Removed a company-wide link * | CompanyLinkRemoved | User removed a company-wide link to a resource. The link can no longer be used to access the resource. |
     | Removed an anonymous link * | AnonymousLinkRemoved | User removed an anonymous link to a resource. The link can no longer be used to access the resource. |
     | Shared file, folder, or site | SharingSet | User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource. |
     | Updated an anonymous link * | AnonymousLinkUpdated | User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results. |
     | Used an anonymous link * | AnonymousLinkUsed | An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address. |
     | Unshared file, folder, or site | SharingRevoked | User (member or guest) unshared a file, folder, or site that was previously shared with another user. |
     | Used a company-wide link * | CompanyLinkUsed | User accessed a resource by using a company-wide link. |
     | Withdrew sharing invitation | SharingInvitationRevoked | User withdrew a sharing invitation to a resource. |
  18. 3. Search PowerShell Cmdlet
     • PowerShell Cmdlet: Search-UnifiedAuditLog
     • Script your searches of the event logs – may look for specific details
     • Exchange Online cmdlet (must load Exchange Online PS Module)
     • Requires Exchange permission: Organization Management
     • Export logs to a file
     • Automate searches and reporting
  19. 3. Search PowerShell Cmdlet – Examples

     Connect to Exchange Online and import the Exchange Online PowerShell Module:

         $UserCredential = Get-Credential
         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
         Import-PSSession $Session

     Example 1 – Output log to a file as a list (the cmdlet prompts for the mandatory -StartDate and -EndDate when they are omitted):

         Search-UnifiedAuditLog > C:\auditlog.csv

     Example 2 – Specify start/end dates:

         Search-UnifiedAuditLog -StartDate 2/1/2016 -EndDate 4/2/2016

     Example 3 – Specify start/end dates and specific operations to retrieve audit entries for:

         Search-UnifiedAuditLog -StartDate 2/1/2016 -EndDate 4/2/2016 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx
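The following script is an added example, not code from the deck or from Microsoft. It combines the Search-UnifiedAuditLog examples above with the sharing events from slide 17: it pages through the audit log for the sharing operations a reviewer would look at first (anonymous links, external invitations), parses the AuditData JSON that each record carries, and writes a flagged CSV. It assumes the Exchange Online session from slide 19 is already imported; the seven-day window, the output path and the "High"/"Review" risk labels are assumptions of this example.

```powershell
# Added example (not from the deck): page through Search-UnifiedAuditLog for the
# sharing operations listed on the "Sharing Events" slide, parse each record's
# AuditData JSON and export the rows a reviewer should look at.
# Assumes an Exchange Online remote session is already imported (slide 19).

$StartDate  = (Get-Date).AddDays(-7)          # assumed window
$EndDate    = Get-Date
$OutputPath = 'C:\Temp\sharing-events.csv'    # assumed output path

# Operations that create or use a link reachable by external or anonymous users.
$Operations = @(
    'AnonymousLinkCreated', 'AnonymousLinkUpdated', 'AnonymousLinkUsed',
    'SharingInvitationCreated', 'SharingSet', 'CompanyLinkCreated'
)

# The cmdlet returns at most 5000 records per call. Reusing the same -SessionId
# with -SessionCommand ReturnLargeSet returns the next page on each call until
# an empty page comes back.
$SessionId = [guid]::NewGuid().ToString()
$Results   = @()
do {
    $Page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $Operations -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    if ($Page) { $Results += $Page }
} while ($Page -and $Page.Count -gt 0)

# AuditData is a JSON string; the fields below (SiteUrl, ObjectId, ClientIP,
# TargetUserOrGroupName) are from the SharePoint audit schema.
$Flagged = foreach ($Record in $Results) {
    $Data = $Record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $Record.CreationDate
        User       = $Record.UserIds
        Operation  = $Record.Operations
        Site       = $Data.SiteUrl
        Object     = $Data.ObjectId
        SharedWith = $Data.TargetUserOrGroupName   # populated on SharingSet / invitation events
        ClientIP   = $Data.ClientIP
        # Anonymous links need no authentication, so they go to the top of the review list.
        Risk       = if ($Record.Operations -like 'AnonymousLink*') { 'High' } else { 'Review' }
    }
}

$Flagged | Sort-Object Time | Export-Csv -Path $OutputPath -NoTypeInformation

# Quick summary for the report: how many of each operation in the window.
$Flagged | Group-Object Operation | Select-Object Name, Count
```

Searching by -Operations rather than -RecordType keeps the query independent of which record type a given sharing event is filed under; narrow it with -UserIds or -ObjectIds when following up on a specific user or document, as in Example 3 above.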
  20. 4. Management Activity API
     • Integrate Office 365 activity data into internal or 3rd-party security and compliance monitoring and reporting solutions
     • Grant rights for your application to access event data using Azure AD: register the application in Azure AD to establish an identity for your application and specify the permission levels it needs in order to access the APIs
     • Let the Office 365 service know if your application has rights to access it: the Office 365 tenant admin must explicitly grant consent to allow your application to access their tenant data through the APIs
     • Request access tokens from Azure AD: using the application's credentials (as in Azure AD), the application will request "app-only" access tokens for a consented tenant on an ongoing basis, without the need for further tenant admin interaction
     • Start calling the Management API: subscribe to content types; receive notifications when content is available; retrieve content as JSON
     * API Reference: https://msdn.microsoft.com/en-us/library/office/mt227394.aspx
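The script below is an added example of the token and subscription flow described on slide 20, written with Invoke-RestMethod; it is not code from the deck or from Microsoft. The tenant ID, application ID and client secret are placeholders, and it assumes an application already registered in Azure AD with admin consent granted for the Management API's activity feed permission (steps 1 and 2 of the slide). The 24-hour polling window and the output path are assumptions.

```powershell
# Added example (not from the deck): app-only token, subscription start, content
# discovery and content retrieval against the Office 365 Management Activity API.
# Placeholder identifiers; the app registration and admin consent must already exist.
$TenantId     = '<tenant-id-placeholder>'
$ClientId     = '<application-id-placeholder>'
$ClientSecret = '<client-secret-placeholder>'
$ContentType  = 'Audit.SharePoint'   # other feeds: Audit.Exchange, Audit.AzureActiveDirectory, Audit.General

# Step 3 on the slide: request an app-only token with the client-credentials grant.
# The resource is the Management API itself, not Exchange or SharePoint.
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.windows.net/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://manage.office.com'
    }
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }
$Base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# Step 4a: subscribe to the content type. Repeating the call is harmless; the
# response reports the subscription status.
$Subscription = Invoke-RestMethod -Method Post -Headers $Headers `
    -Uri "$Base/subscriptions/start?contentType=$ContentType"
"Subscription {0}: {1}" -f $Subscription.contentType, $Subscription.status

# Step 4b: discover content blobs published in the last 24 hours (assumed window).
# Without a webhook, polling this endpoint is how new content is found; the
# window may not exceed the API's retention period.
$End   = (Get-Date).ToUniversalTime()
$Start = $End.AddHours(-24)
$Fmt   = 'yyyy-MM-ddTHH:mm:ss'
$Blobs = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri ("$Base/subscriptions/content?contentType=$ContentType&startTime={0}&endTime={1}" -f `
          $Start.ToString($Fmt), $End.ToString($Fmt))

# Step 4c: each blob's contentUri returns a JSON array of audit records. Keep the
# common-schema fields a SIEM would index and write them out.
$Records = foreach ($Blob in $Blobs) {
    Invoke-RestMethod -Method Get -Headers $Headers -Uri $Blob.contentUri
}
$Records |
    Select-Object CreationTime, UserId, Operation, ClientIP, ObjectId, Workload, RecordType |
    Export-Csv -Path 'C:\Temp\o365-activity.csv' -NoTypeInformation   # assumed path
```

When a content listing is large the API returns the remainder through a NextPageUri response header; a production collector follows that header and records the last contentCreated timestamp it processed so that each poll starts where the previous one stopped.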
  21. DEMONSTRATION
  22. In Summary
     • Activity Monitoring is just one aspect of securing information systems
     • Key drivers for monitoring activity and auditing our systems:
       • Enhance compliance with regulatory standards
       • Protect against insider threats – inadvertent or malicious
       • Enable detailed forensic investigations
     • Provides deep visibility into user activity & integration with internal/3rd-party tools
     • SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
     • Accessed through the Office 365 Compliance Center
  23. Appendix
  24. Enabling Exchange Mailbox Auditing
     Auditing must be enabled on each mailbox you wish to audit via PowerShell!

     Connect to Exchange Online and import the Exchange Online PowerShell Module:

         $UserCredential = Get-Credential
         $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
         Import-PSSession $Session

     Options:

         # Enable auditing on a single mailbox
         Set-Mailbox -Identity "antonio.maio@domain.com" -AuditEnabled $true

         # Enable auditing on every user mailbox in the tenant
         Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
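As an added example (not code from the deck), the script below extends the two options above into something closer to a repeatable control: it finds user mailboxes that still have auditing off, enables owner, delegate and admin auditing with an explicit set of operations, raises the log retention, and then verifies the result. It assumes the Exchange Online session from the slide is already imported; the 180-day retention and the chosen operation lists are assumptions, as is the mailbox used in the verification search.

```powershell
# Added example (not from the deck): enable mailbox auditing wherever it is off,
# set an explicit audit scope and retention, then verify.
# Assumes an Exchange Online remote session is already imported.

# 1. Find user mailboxes that are not yet audited.
$Unaudited = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Where-Object { -not $_.AuditEnabled }
"Mailboxes without auditing: {0}" -f @($Unaudited).Count

# 2. Enable auditing with explicit owner/delegate/admin scope and 180-day retention (assumed).
#    @{Add=...} appends to the mailbox's existing list rather than replacing it.
foreach ($Mbx in $Unaudited) {
    Set-Mailbox -Identity $Mbx.Identity -AuditEnabled $true -AuditLogAgeLimit 180 `
        -AuditOwner    @{Add='MailboxLogin','HardDelete','SoftDelete','MoveToDeletedItems'} `
        -AuditDelegate @{Add='SendAs','SendOnBehalf','HardDelete','FolderBind'} `
        -AuditAdmin    @{Add='Copy','MessageBind','SendAs','HardDelete'}
}

# 3. Verify: this list should now be empty.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName

# 4. Spot-check one mailbox for non-owner access in the last 30 days. Delegate
#    and admin logons are the ones an investigation usually cares about.
Search-MailboxAuditLog -Identity 'antonio.maio@domain.com' -LogonTypes Admin,Delegate `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation, ClientIPAddress, FolderPathName
```

Enabling auditing is only the start: entries only exist for operations listed in the mailbox's AuditOwner, AuditDelegate and AuditAdmin sets, and they are purged after AuditLogAgeLimit, so a search for events older than that window returns nothing regardless of what happened.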
  25. Exchange Audit Reports
  26. Azure AD Premium Reports (requires Azure AD Premium subscription)
     • Sign-ins from unknown sources: use this report to identify users who have successfully signed in to your organization while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users who want to hide their computer's IP address.
     • Sign-ins after multiple failures: use this report to identify users who have successfully signed in after multiple consecutive failed sign-in attempts.
     • Sign-ins from multiple geographies: use this report to identify successful sign-in activities from a user where two sign-ins appeared to originate from different countries and the time between the sign-ins makes it impossible for the user to have travelled between those countries.
     • Account provisioning errors: use this report to monitor errors that occur during the synchronization of accounts from Software as a Service (SaaS) applications to Azure AD. Entries in this report may indicate an issue with a user's ability to access external applications.
     • Audit: use this report to view the Azure AD audit log. This report contains entries for events such as creating a new user account, changing the properties of a user account, or changing a user password. Each entry includes the date and time of the event, the user who made the change, the change that was made, and the user account that was changed. Entries in this report are kept for 30 days.
  27. Thank You!
     Antonio Maio, Protiviti Senior Manager, Microsoft Office 365 & Office Services MVP
     Email: antonio.maio@protiviti.com | Twitter: @AntonioMaio2 | Blog: www.TrustSharePoint.com