Making auditing great again! Office 365


  1. 1. SharePoint Saturday Belgium 2017 • October 21 • Brussels Track: IT PRO | Level: 200 Making auditing great again! Paul Hunt - MVP
  2. 2. Platinum • Gold • Silver
  3. 3. Who am I? • Paul Hunt • @Cimares • www.myfatblog.co.uk • www.trustmarque.com • Solutions Architect for Trustmarque • Co-organiser of SUGUK London Region • Member of the SharePoint community since 2007 • Third time Office Server & Services MVP in 2017 • Woodturner
  5. 5. Agenda • The importance of records • Office 365 Audit comparison • SharePoint Site Collection auditing • SharePoint Audit in the Unified Audit Log • Extracting the Unified Audit Log
  6. 6. The importance of records Beware of false knowledge; it is more dangerous than ignorance. George Bernard Shaw
  7. 7. The importance of records “If I were to run, I’d run as a republican. They’re the dumbest group of voters in the country. They believe anything on fox News. I could lie and they’d still eat it up. I bet my numbers would be terrific” FALSE
  8. 8. The importance of records • People magazine keep every copy of every magazine that has been printed. • There was no record of a 1998 interview. • No article printed in the 80s or 90s contain mention of the Republican party in articles about Donald Trump.
  9. 9. The importance of records “Not a lot of people know that..” Michael Caine FALSE
  10. 10. The importance of records • https://youtu.be/hY85a15n5QY • Peter Sellers apparently used this on his answering machine and repeated it in a Parkinson interview in the 70s. • Michael Caine has confirmed he never used the phrase until it was added as an in-joke to the film Educating Rita in 1983.
  11. 11. GDPR – Helping to prove compliance • GDPR does not mandate auditing of data. • Audit data assists in proving compliance but does not make you compliant. • Helps to identify unauthorised data access
  12. 12. You don’t need to audit everything! • Targeted auditing is easier: • To manage • To report on • To monitor • Auditing is pointless if you cannot interrogate and understand the data.
  13. 13. Understanding your organisation’s audit needs is NOT an IT function! IT should facilitate, not drive the need for Audit.
  14. 14. Audit everything is not a good option!
  15. 15. Audit availability in Office 365
  16. 16. Auditing availability in Office 365
      SharePoint Online Auditing
      • Configured per site collection
      • 90 day limit enforced (30 day minimum?)
      • Extracted automatically (if configured)
      • Can’t configure in EDGE!
      • Doesn’t record VIEW activities
      • OneDrive auditing difficult to manage.
      Office 365 Unified Audit
      • Broad spectrum of coverage (Beyond just SharePoint!)
      • 90 day limit
      • Manual/App based extraction
      • Doesn’t record LIST ITEM activities. (This includes changing DOCUMENT metadata!)
      • Integrates with ASM (E5)
  17. 17. SharePoint Site Collection Audit Configuration
  18. 18. Configuring Site Collection Auditing • Configured on a per site collection basis. • Limited to a maximum of 90 days
  20. 20. Audit log view link Classic team site Modern site /_layouts/15/Reporting.aspx?Category=Auditing
  21. 21. Demo: SharePoint Site Collection Audit
  22. 22. Office 365 Unified Audit Configuration
  23. 23. Unified Audit functionality in Office 365
      User Activity
      • SharePoint & OneDrive
      • Exchange Online (requires mailbox audit logging!)
      • Sway*
      • PowerBI
      • Teams (Not messages!)
      • Yammer*
      • Dynamics 365
      • Flow (On its way!)
      Admin Activity
      • Azure Active Directory
      • SharePoint Online
      • Exchange Online
      • Sway*
      • PowerBI
      • Teams
      • Yammer*
      • eDiscovery
      • Flow (On its way!)
      Note: This list is slowly being increased!
  24. 24. Unified audit lag times Workload 30 Mins 24 Hours SharePoint Online and OneDrive for Business X Exchange Online X Azure Active Directory (User login events) X Azure Active Directory (admin events) X Sway X PowerBI X Yammer X Security & Compliance Centre (eDiscovery) X Teams X Dynamics 365 X Flow (When it arrives) X
  25. 25. Turning on Unified O365 auditing • Sign in to Security & Compliance Centre. • Select Search & Investigation/Audit Log Search
  26. 26. Searching the Unified Audit log
  28. 28. Searching the Unified Audit log - Filter & Export
  29. 29. Demo: Configuring & Searching the O365 Unified Audit log
  30. 30. Additional steps for Exchange
      • Connect using Exchange Online PowerShell Module.* (*Now supports MFA & ADFS)
      • Set-Mailbox "name" -AuditEnabled $true
      • Default Audit gives:
        Admin: Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create
        Delegate: Update, SoftDelete, HardDelete, SendAs, Create
        Owner: None
  31. 31. Audit actions available
      | Action             | Admin | Delegate | Owner  |
      |--------------------|-------|----------|--------|
      | Copy               | Yes   | No       | No     |
      | Create             | Yes*  | Yes*     | Yes    |
      | FolderBind         | Yes*  | Yes**    | No     |
      | HardDelete         | Yes*  | Yes*     | Yes    |
      | MailboxLogin       | No    | No       | Yes*** |
      | MessageBind        | Yes   | No       | No     |
      | Move               | Yes*  | Yes      | Yes    |
      | MoveToDeletedItems | Yes*  | Yes      | Yes    |
      | SendAs             | Yes*  | Yes      | No     |
      | SendOnBehalf       | Yes*  | Yes      | No     |
      | SoftDelete         | Yes*  | Yes*     | Yes    |
      | Update             | Yes*  | Yes*     | Yes    |
      Bind = Open or Read (including preview pane)
      * - Default action auditing when enabled.
      ** - Aggregated for a 24 hour period
      *** - Only applies to POP3/IMAP4 or OAuth logins. Does not track NTLM or Kerberos logins
  32. 32. But I need more than 90 days worth of audit!
  33. 33. Extracting the O365 Unified Audit Log using the Management API
  34. 34. Options for Extracting the Unified Audit log
      Pull method
      • Register your APP!
      • Register a collector subscription
      • Download a manifest file
      • Download content blobs listed in Manifest.
      • Process data into backend storage
      Push method
      • Register your APP!
      • Register a collector subscription
      • Register a WebHook
      • Content blob manifests are pushed to the Webhook.
      • Download content blobs when notified.
      • Process data into backend storage
      Note: Subscribed data is available for 7 days only!
  35. 35. Registering Your APP ID in Azure AD. • Requires Web app/API configuration • And Tenant level permissions.
  36. 36. Don’t forget to GRANT permissions
  37. 37. Registering a collector subscription
      Available for 5 Content Types
      • Audit.AzureActiveDirectory
      • Audit.Exchange
      • Audit.SharePoint
      • Audit.General (Sway, Yammer etc)
      • DLP.All
      Notes:
      • When a subscription is registered, it can take up to 12 hours for the first content to be available.
      • DLP.All is only available to users with the “Read DLP Sensitive Data” permission.
  38. 38. Retrieving the Blob Manifest • Returns a collection of JSON objects
      contentUri        : https://manage.office.com/api/v1.0/d3c8c691-7321-4cc4-ac08-7ca6f05be84c/activity/feed/audit/20170809160530886001699$20170809160530886001699$audit_sharepoint$Audit_SharePoint
      contentId         : 20170809160530886001699$20170809160530886001699$audit_sharepoint$Audit_SharePoint
      contentType       : Audit.SharePoint
      contentCreated    : 2017-08-09T16:05:30.886Z
      contentExpiration : 2017-08-16T16:05:30.886Z
  39. 39. Retrieving the Blob Content • Returns a collection of JSON objects
      CreationTime        : 2017-08-15T10:30:58
      Id                  : 93c5b9d0-f916-46d0-7a2f-08d4e3c8b7db
      Operation           : FileUploaded
      OrganizationId      : d3c8c691-7321-4cc4-ac08-7ca6f05be84c
      RecordType          : 6
      UserKey             : i:0h.f|membership|10037ffe9e27c68a@live.com
      UserType            : 0
      Version             : 1
      Workload            : SharePoint
      ClientIP            : 52.169.28.217
      ObjectId            : https://wharfconsulting.sharepoint.com/sites/audit-test-c/Audit Samples/Prime Minister without Education and skills.txt
      UserId              : joan.jett@wharf-media.co.uk
      EventSource         : SharePoint
      ItemType            : File
      ListId              : 7db7d957-69fc-4c2d-b191-82868c1928be
      ListItemUniqueId    : b081f0c2-f055-437f-b128-8666bead8ddd
      Site                : ad4040da-0b0a-4059-958c-5f6c27d181e6
      WebId               : 97c2f404-3aa8-4efd-8e34-6736c3aefcec
      SourceFileExtension : txt
      SiteUrl             : https://wharfconsulting.sharepoint.com/sites/audit-test-c/
      SourceFileName      : Prime Minister without Education and skills.txt
      SourceRelativeUrl   : Audit Samples
  40. 40. Where to put all that data?
  41. 41. Gotchas! • Subscription content expires 7 days after collection. • Watch out for OAuth token expiry. • Beware the back-off command. MS will throttle excessive requests.
  42. 42. Demo: Extracting the Unified Audit Log
  43. 43. Reporting on your audit data from Azure SQL
  44. 44. Questions?
  45. 45. References • Office 365 Management Activity API Reference
  46. 46. Thank You!
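
The pull method from the "Options for Extracting the Unified Audit log" slide, combined with the three items on the "Gotchas!" slide, as an added Python example that is not code from the talk. The `http_get` transport, the `refresh_token` callback, the `demo` data, and the use of HTTP 401/429 and a `Retry-After` header as the token-expiry and throttling signals are assumptions; the `/activity/feed/subscriptions/content` path and the `NextPageUri` paging header belong to the Office 365 Management Activity API.

```python
import time
from datetime import datetime, timezone

BASE = "https://manage.office.com/api/v1.0"  # host and version as in the slide's contentUri
TS = "%Y-%m-%dT%H:%M:%S.%fZ"                 # manifest timestamps, e.g. 2017-08-16T16:05:30.886Z

def get_with_backoff(http_get, url, refresh_token, sleep=time.sleep, max_tries=5):
    """http_get(url) -> (status, headers, json_body): hypothetical injected transport."""
    for attempt in range(max_tries):
        status, headers, body = http_get(url)
        if status == 200:
            return headers, body
        if status == 401:      # assumption: an expired OAuth token shows up as 401
            refresh_token()
        elif status == 429:    # assumption: throttling shows up as 429
            sleep(float(headers.get("Retry-After", 2 ** attempt)))
        else:
            raise RuntimeError(f"GET {url} -> HTTP {status}")
    raise RuntimeError(f"gave up on {url} after {max_tries} tries")

def pull(http_get, tenant_id, content_type, seen_ids, now, refresh_token, sleep=time.sleep):
    """Walk the manifest pages; fetch every unseen, unexpired blob; return (records, skipped)."""
    url = f"{BASE}/{tenant_id}/activity/feed/subscriptions/content?contentType={content_type}"
    records, skipped = [], []
    while url:
        headers, manifest = get_with_backoff(http_get, url, refresh_token, sleep)
        for entry in manifest:
            cid = entry["contentId"]
            if cid in seen_ids:
                continue                  # stored on an earlier run
            expires = datetime.strptime(entry["contentExpiration"], TS).replace(tzinfo=timezone.utc)
            if expires <= now:
                skipped.append(cid)       # past the 7-day window, no longer downloadable
                continue
            _, blob = get_with_backoff(http_get, entry["contentUri"], refresh_token, sleep)
            records.extend(blob)
            seen_ids.add(cid)             # mark as seen only after a successful download
        url = headers.get("NextPageUri")  # paging header on the manifest response
    return records, skipped

def demo():  # constructed transport: throttled once, then one live and one expired blob
    naps = []
    manifest = [{"contentId": "a", "contentUri": "blob-a", "contentExpiration": "2017-08-16T16:05:30.886Z"},
                {"contentId": "b", "contentUri": "blob-b", "contentExpiration": "2017-08-01T00:00:00.000Z"}]
    def fake_get(url):
        if not naps:  # first request is throttled
            return 429, {"Retry-After": "3"}, None
        return 200, {}, ([{"Operation": "FileUploaded"}] if url == "blob-a" else manifest)
    now = datetime(2017, 8, 10, tzinfo=timezone.utc)
    return pull(fake_get, "tenant-id-placeholder", "Audit.SharePoint", set(), now, lambda: None, naps.append), naps
```

Persist `seen_ids` between runs and schedule the pull well inside the 7-day window so that nothing ends up in `skipped`.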

Editor's Notes

  • I also do woodturning. It’s cheaper than therapy!! SharePoint can be a lot like woodturning.. If you don’t pay attention to what you’re doing, it’s easy to make a mistake and go through the bottom of the bowl!
  • Statements made in the past are often attributed to people. Politicians are a most excellent source of these examples.

    Donald Trump in an interview in People magazine is claimed to have made this statement.
    People magazines keep a copy of every magazine printed, none of which contain this statement.
    This is an example of audit history
  • This supposed line became one of the most repeated “catch phrases” associated with Michael Caine… but he never uttered the words originally..
    But the immortal line was uttered by Peter Sellers, when doing an impersonation of Michael Caine.
  • The requirements for audit must come from the business.
    Audit Everything is not a solution!
    IT is a facilitator in this process
  • That said, Office 365 pretty much does… but if we’re taking it offline, we just keep what we need.
  • Note: 30 day minimum on SharePoint Online auditing.. I’m set to 5 days trimming, but seeing 30 days being actioned.
    This only changed in July this year so monitoring.
  • Note: I’ve set it to 5 days, but I’m actually seeing the trim occur every 30 days in my tenant.
    Appears that the July change also enforced a minimum 30 days
    If you don’t specify a library, the data is deleted.
  • Sway and Yammer auditing may not be available yet to all tenants.
    https://support.office.com/en-us/article/Detailed-properties-in-the-Office-365-audit-log-ce004100-9e7f-443e-942b-9b04098fcfc3
  • Note: MS are in the process of turning on Audit by default.. But it’s not available yet!
  • There’s a few options..
    Download the logs from the Compliance centre..
    Uses ADM (gives you 6 months)
    SCOM may let you extract (Need to verify)
    Office 365 Management API lets you extract data
  • This goes back to our earlier comment on being able to search data.
    And don’t forget that GDPR will apply to this data too if it contains usernames (which it does..)
    You should only keep it for as long as you may need it.