Page 1: Securing Office 365 with Activity Monitoring

Securing Office 365 with Activity Monitoring

Thank you for joining our webinar! We will begin shortly.

Page 2: Securing Office 365 with Activity Monitoring

Introduction

• ‘30 on Thursday’ Series
• Bi-weekly 30-minute webinar series
• Next Webinar: October 22, “Building Nintex Mobile Apps”
• Full Schedule: SharePoint.Protiviti.com/Webinars

Page 3: Securing Office 365 with Activity Monitoring

Live Tweeting!

Tweet us your questions & feedback during the webinar!

Tweet @ProtivitiSP and use #30TOffice365

Page 4: Securing Office 365 with Activity Monitoring

Today’s Session

• Today’s session is being recorded
• Archive of past sessions: SharePoint.Protiviti.com/ArchivedWebinars
• Questions: use the Question Window or tweet us your questions @ProtivitiSP using #30TOffice365

Page 5: Securing Office 365 with Activity Monitoring

Session Overview

• Topic: Securing Office 365 with Activity Monitoring
• Presenter: Antonio Maio, SharePoint MVP
• Moderator: Julia Marple, Protiviti

Page 6: Securing Office 365 with Activity Monitoring

LET’S GET STARTED!

Page 7: Securing Office 365 with Activity Monitoring

Why Monitor and Audit Our Systems?

• Meet Regulatory Compliance Obligations
• Investigate Data Breaches
• Audit Access to Sensitive Content

Page 8: Securing Office 365 with Activity Monitoring

Office 365 Activity Monitoring Capabilities

1. Office 365 Activity Report
2. Comprehensive Event Logging
3. Search PowerShell Cmdlet
4. Management Activity API

Page 9: Securing Office 365 with Activity Monitoring

1. Office 365 Activity Report

• Log in to Office 365
• Navigate to Admin > Compliance Center > Reports > Office 365 Activity Report

Page 10: Securing Office 365 with Activity Monitoring

1. Office 365 Activity Report

• Search across SharePoint Online, OneDrive for Business, Exchange Online, Azure AD
• Search by user, file, folder, site, or date range
• Search by type of activity
• View Activity Details (Details Pane)
• Run Report on Demand
• Export results to CSV

Page 11: Securing Office 365 with Activity Monitoring

1. Office 365 Activity Report

• With each event, up to 37 event properties are logged:

• Actor
• ClientIP
• ClientProcessName
• CreationTime
• DestinationFileExtension
• DestinationFileName
• DestinationRelativeUrl
• EventSource
• ExternalAccess
• ID
• InternalLogonType
• ItemType
• LogonType
• MailboxGuid
• MailboxOwnerUPN
• ModifiedProperties
• ObjectID
• Operation
• OrganizationID
• Path
• Parameters
• RecordType
• ResultStatus
• SharingType
• Site
• SiteUrl
• SourceFileExtension
• SourceFileName
• SourceRelativeUrl
• Subject
• Target
• UserAgent
• UserID
• UserKey
• UserSharedWith
• UserType
• Workload

Page 12: Securing Office 365 with Activity Monitoring

2. Comprehensive Event Logging

• User and administrator events are logged as users work within Office 365
• Over 150 events logged (e.g. view a file, mailbox owner activities, Azure AD login, etc.)
• 9 Event Categories:

• Exchange admin events
• Exchange mailbox events
• File and folder events (SharePoint and OneDrive for Business)
• Invitation and access request events (SharePoint and OneDrive for Business)
• Sharing events (SharePoint and OneDrive for Business)
• Site administration events (SharePoint and OneDrive for Business)
• Synchronization events (SharePoint and OneDrive for Business)
• Azure Active Directory events (Admin Activity and User Login)

Page 13: Securing Office 365 with Activity Monitoring

2. Comprehensive Event Logging

• Example: File and Folder Events

Event (friendly name): Description

FileCheckedIn (File checked in): User checks in a document that they checked out from a SharePoint or OneDrive for Business document library.

FileCheckedOut (File checked out): User checks out a document located in a SharePoint or OneDrive for Business document library. Users can check out and make changes to documents that have been shared with them.

FileCheckOutDiscarded (File checkout discarded): User discards (or undoes) a checked-out file. Any changes they made to the file while it was checked out are discarded and not saved to the version of the document in the document library.

FileCopied (File copied): User copies a document from a SharePoint or OneDrive for Business site. The copied file can be saved to another folder on the site.

FileDeleted (File deleted): User deletes a document from a SharePoint or OneDrive for Business site.

FileDownloaded (File downloaded): User downloads a document from a SharePoint or OneDrive for Business site.

FileFetched (File accessed): User or system account accesses a file. When a user or the system performs an operation on a file, the file has to be located and accessed. The FileFetched event indicates that retrieval action. Note that many file and folder related events will have one or more corresponding FileFetched log entries.

FileModified (File modified): User or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site.

FileMoved (File moved): User moves a document from its current location on a SharePoint or OneDrive for Business site to a new location.

FileRenamed (File renamed): User renames a document on a SharePoint or OneDrive for Business site.

FileRestored (File restored): User restores a document from the recycle bin of a SharePoint or OneDrive for Business site.

FileUploaded (File uploaded): User uploads a document to a folder on a SharePoint or OneDrive for Business site.

FileViewed (File viewed): User views a document on a SharePoint or OneDrive for Business site. System accounts can also generate FileViewed events.

Page 14: Securing Office 365 with Activity Monitoring

2. Comprehensive Event Logging

• Example: Sharing Events

Event (friendly name): Description

ExternalSharingSet (File or folder shared with external user): User shares a file or folder located in SharePoint or OneDrive for Business with a user outside their organization.

SharedLinkCreated (Sharing link created): User creates a link to a shared file in SharePoint or OneDrive for Business. This link can be sent to other people to give them access to the file. A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file.

SharedLinkDisabled (Sharing link disabled): User disables (permanently) a link that was created to share a file.

SharingRevoked (File or folder unshared): User unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users.

SharingSet (File or folder shared): User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization.

Page 15: Securing Office 365 with Activity Monitoring

3. Search PowerShell Cmdlet

• PowerShell Cmdlet: Search-UnifiedAuditLog

Examples:

    Search-UnifiedAuditLog -StartDate "September 1, 2015" -EndDate "September 30, 2015"

    Search-UnifiedAuditLog -StartDate 9/1/2015 -EndDate 9/30/2015 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx

• Script searches of the event logs, looking for specific details
• Export logs to a file
• Automate searches and reporting
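As an added example of scripting, exporting and automating these searches (not code from the slides), the script below pulls a month of sharing events from the unified audit log, pages through large result sets, flattens the AuditData JSON and writes a CSV plus a quick per-user summary of external shares. It assumes an already-connected Exchange Online PowerShell session (for instance via Connect-ExchangeOnline from the ExchangeOnlineManagement module); the output path is a placeholder, and the AuditData field names are taken from the slide's property list, so check them against the JSON your tenant actually returns.

```powershell
# Added example: search, page, flatten and export sharing events.
# Assumes a connected Exchange Online PowerShell session.
$start      = Get-Date "2015-09-01"
$end        = Get-Date "2015-09-30"
$operations = @("ExternalSharingSet", "SharingSet", "SharedLinkCreated", "SharingRevoked")

# A unique SessionId plus ReturnLargeSet lets the cmdlet page through
# large result sets 5,000 records at a time instead of truncating.
$sessionId = "SharingReview-" + [guid]::NewGuid().ToString()
$records   = @()

do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -gt 0)   # empty page = session exhausted

# Each record carries the event properties as a JSON string in AuditData;
# flatten the fields a reviewer needs (names as listed on the slide).
$rows = foreach ($rec in $records) {
    $d = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime   = $d.CreationTime
        Operation      = $d.Operation
        UserId         = $d.UserId
        ClientIP       = $d.ClientIP
        ObjectId       = $d.ObjectId
        UserSharedWith = $d.UserSharedWith   # assumed field name; verify in your tenant
    }
}

# Export for the investigation file / compliance evidence (placeholder path).
$rows | Sort-Object CreationTime |
    Export-Csv -Path ".\sharing-events-2015-09.csv" -NoTypeInformation

# Quick triage: which accounts shared the most content externally?
$rows | Where-Object { $_.Operation -eq "ExternalSharingSet" } |
    Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Scheduling this script (e.g. with Task Scheduler) and diffing the per-user counts between runs turns the one-off search into the automated reporting the slide describes.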

Page 16: Securing Office 365 with Activity Monitoring

4. Management Activity API (*Limited Preview)

• Integrate Office 365 activity data into internal or 3rd party security and compliance monitoring and reporting solutions

• Grant rights for your application to access event data using Azure AD
Register the application in Azure AD to establish an identity for your application and specify the permission levels it needs in order to access the APIs.

• Let the Office 365 service know if your application has rights to access it
Office 365 tenant admin must explicitly grant consent to allow your application to access their tenant data through the APIs.

• Request Access Tokens from Azure AD
Using the application’s credentials (as in Azure AD) the application will request “app-only” access tokens for a consented tenant on an ongoing basis, without the need for further tenant admin interaction.

• Start Calling the Management API
Subscribe to content types; receive notifications when content is available; retrieve content as JSON.

*During the limited preview period only registered participants may actually retrieve data through the API.
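The token, subscription and retrieval steps above, as an added PowerShell walk-through (not code from the slides or from Microsoft): it requests an app-only token with the client-credentials grant, starts a subscription for the SharePoint audit content type, lists the content blobs for the last 24 hours and pulls each one as JSON. It assumes an application already registered in Azure AD with tenant-admin consent for the Office 365 Management APIs; the tenant id, client id and client secret are placeholders.

```powershell
# Added example: app-only access to the Office 365 Management Activity API.
# Placeholders: fill in from the Azure AD app registration.
$tenantId     = "<tenant-id>"
$clientId     = "<app-client-id>"
$clientSecret = "<app-client-secret>"
$resource     = "https://manage.office.com"

# 1. App-only access token: client-credentials grant, no admin interaction.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{ grant_type = "client_credentials"; client_id = $clientId;
             client_secret = $clientSecret; resource = $resource }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

$feed        = "$resource/api/v1.0/$tenantId/activity/feed"
$contentType = "Audit.SharePoint"

# 2. Subscribe to the content type (safe to repeat; returns current status).
Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$feed/subscriptions/start?contentType=$contentType" | Out-Null

# 3. List content blobs for a time window (UTC, must lie within the last 7 days).
$endTime   = (Get-Date).ToUniversalTime()
$startTime = $endTime.AddHours(-24)
$fmt       = "yyyy-MM-ddTHH:mm"
$listUri   = "$feed/subscriptions/content?contentType=$contentType" +
             "&startTime=$($startTime.ToString($fmt))&endTime=$($endTime.ToString($fmt))"
$blobs = Invoke-RestMethod -Method Get -Headers $headers -Uri $listUri
# Large windows paginate via a NextPageUri response header; use Invoke-WebRequest
# (or -ResponseHeadersVariable on PowerShell 6+) if you need to follow it.

# 4. Retrieve each blob: a JSON array of audit events with the same
#    properties the Activity Report exposes (Operation, UserId, ClientIP, ...).
$events = foreach ($b in $blobs) {
    Invoke-RestMethod -Method Get -Headers $headers -Uri $b.contentUri
}

# Hand the external-sharing events to the monitoring/reporting pipeline.
$events | Where-Object { $_.Operation -eq "ExternalSharingSet" } |
    Select-Object CreationTime, UserId, ClientIP, ObjectId | Format-Table -AutoSize
```

Treat the client secret like any other service credential: store it in a vault or certificate-backed credential rather than in the script, since the token it yields reads audit data for the whole tenant.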

Page 17: Securing Office 365 with Activity Monitoring

In Summary

• Activity Monitoring/Reporting is just one aspect of Securing Information Systems
• Key Drivers for Monitoring Activity and Auditing our Systems:
  • Enhance Compliance with Regulatory Standards
  • Enhance Access Control and Visibility into User Activity related to Content
  • Enable Detailed Investigations
• Provides deep visibility into user activity and integration with internal/3rd party tools
  • SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
• Accessed through the Office 365 Compliance Center
  • Some reports are also accessed through Exchange Audit Reports and Azure AD Audit Reports

*Slides will be available on my blog at www.trustsharepoint.com.

Page 18: Securing Office 365 with Activity Monitoring

Questions

Antonio Maio, [email protected], @AntonioMaio2

SharePoint.Protiviti.com/Webinars

Julia Marple, [email protected], @ProtivitiSP

Page 19: Securing Office 365 with Activity Monitoring

Thank You!