Tutorial / Cram Notes
Audit logs provide administrators with a detailed account of the actions taken within their systems, helping them monitor user activity, trace potential security incidents, and demonstrate regulatory compliance.
In the context of Microsoft 365 Mobility and Security, primarily assessed in the MS-101 exam, audit logs are retrieved and interpreted using the tools and features available in the Microsoft 365 compliance center (since renamed the Microsoft Purview compliance portal) and the matching PowerShell cmdlets.
Retrieving Audit Logs
To retrieve audit logs within Microsoft 365, follow these steps:
- Access the Microsoft 365 Compliance Center: You will need a role that includes audit log search. The underlying permission is the Audit Logs or View-Only Audit Logs role in Exchange Online; global administrators hold it, and so do members of role groups such as Compliance Management.
- Navigate to the Audit Log Search: Once in the compliance center, find the “Audit” section and select “Search”.
- Configure Your Search Criteria: You can specify what activities you’re interested in, the date range, users, files, folders, or sites. This is critical for filtering the logs and targeting the information you want.
- Run the Search: After setting your criteria, launch the search to retrieve the relevant audit logs.
- Export the Results: For further analysis or record-keeping, you can export the search results to a CSV file.
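The same retrieval procedure, scripted so it can be scheduled or repeated. This is an added example, not code from the original page or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs or View-Only Audit Logs role, and that the admin UPN, target user and output path are placeholders to replace.

```powershell
# Added example (not from the original page): pull FileDownloaded events for one user over
# the last 7 days with Search-UnifiedAuditLog, page through the whole result set, flatten the
# AuditData JSON and export it to CSV. UPNs and the output path are assumptions.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com      # assumed admin account

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = 'filedownloads-' + [guid]::NewGuid().ToString()    # must be unique per paged search
$records   = [System.Collections.Generic.List[object]]::new()

do {
    # ReturnLargeSet returns up to 5,000 unsorted records per call; calling again with the
    # same SessionId returns the next page until nothing comes back (50,000 records maximum).
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDownloaded `
        -UserIds 'john.doe@example.com' `
        -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    if ($page) { $records.AddRange([object[]]@($page)) }
} while ($page)

# Pages can overlap, so de-duplicate on the record Identity before flattening.
$rows = $records | Sort-Object Identity -Unique | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # AuditData is a JSON string, not an object
    [pscustomobject]@{
        CreationDate   = $_.CreationDate
        UserId         = $d.UserId                # UPN of the actor
        Operation      = $d.Operation
        ClientIP       = $d.ClientIP
        SiteUrl        = $d.SiteUrl
        SourceFileName = $d.SourceFileName
        ObjectId       = $d.ObjectId              # full URL of the downloaded file
        UserAgent      = $d.UserAgent
    }
}

$rows | Sort-Object CreationDate | Export-Csv -Path .\filedownloads.csv -NoTypeInformation
Write-Host ("Exported {0} FileDownloaded events" -f @($rows).Count)
Disconnect-ExchangeOnline -Confirm:$false
```

Narrow the search with -RecordType, -Operations and -UserIds before widening the date range: a 90-day search with no filters hits the 50,000-record paging ceiling quickly, and the portal export has the same limit.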
Interpreting Audit Logs
When analyzing the audit logs, look for:
- User and Admin Activities: Check for any actions taken by users or administrators that seem unusual or unauthorized.
- Failed Login Attempts: Multiple UserLoginFailed events for one account in a short window could indicate a brute force or password spray attack; a burst of failures followed by a UserLoggedIn from the same IP address is a likely compromise and should be investigated immediately.
- File and Folder Accesses: Pay attention to who is accessing sensitive files and whether their access patterns are typical for their role.
- Changes in Permissions: Operations such as AddedToGroup, SharingSet and AnonymousLinkCreated that were not requested could indicate someone escalating their privileges or granting access to sensitive data to inappropriate or external users.
Example of Audit Log Entry Interpretation:
    {
      "CreationTime": "2021-04-15T23:09:22",
      "Id": "3456789abcdef",
      "Operation": "FileDownloaded",
      "OrganizationId": "12345678-90ab-cdef-1234-567890abcdef",
      "RecordType": 6,
      "UserType": 0,
      "UserKey": "john.doe@example.com",
      "Workload": "SharePoint",
      "UserId": "john.doe@example.com",
      "ClientIP": "192.168.1.1",
      "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)…",
      "Activity": "John Doe downloaded financial_report.xlsx from SharePoint",
      "ItemName": "financial_report.xlsx",
      "SiteUrl": "https://example.sharepoint.com/sites/finance",
      "SourceFileUrl": "https://example.sharepoint.com/sites/finance/Documents/financial_report.xlsx"
    }
This record shows that john.doe@example.com downloaded financial_report.xlsx from the finance SharePoint site. RecordType 6 is SharePointFileOperation and UserType 0 marks a regular user rather than an admin or service account; in the real schema the actor's UPN is carried in UserId, the file name in SourceFileName and the full path in ObjectId, so the Activity and ItemName fields above are a simplification. ClientIP and UserAgent tell you where and with what the download was made, which is what lets an administrator judge whether the action was appropriate: compare the address against known corporate egress ranges (192.168.1.1 here is a private RFC 1918 address; a real SharePoint Online record carries the public source address), check whether the time of day fits the user's normal pattern, and correlate the event with the same user's UserLoggedIn and UserLoginFailed entries from the same window.
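The interpretation rules from the list above and the walk-through of the record, turned into triage logic. This is an added example, not code from the original page; every record below is constructed (users, IP addresses, file names and timestamps are made up), and the corporate egress prefix and the list of sensitive sites are assumptions you would replace with your own. The records are the AuditData JSON strings that Search-UnifiedAuditLog returns.

```powershell
# Added example (not from the original page): triage rules run over constructed AuditData
# records. RecordType 15 = AzureActiveDirectoryStsLogon, 6 = SharePointFileOperation,
# 4 = SharePoint. The prefix and site list below are assumptions.

$corpEgressPrefixes = @('203.0.113.')                                    # assumed egress range
$sensitiveSites     = @('https://example.sharepoint.com/sites/finance')  # assumed

$auditData = @(   # constructed sample records
  '{"CreationTime":"2021-04-15T23:01:05","Operation":"UserLoginFailed","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","LogonError":"InvalidUserNameOrPassword"}',
  '{"CreationTime":"2021-04-15T23:01:40","Operation":"UserLoginFailed","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","LogonError":"InvalidUserNameOrPassword"}',
  '{"CreationTime":"2021-04-15T23:02:15","Operation":"UserLoginFailed","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","LogonError":"InvalidUserNameOrPassword"}',
  '{"CreationTime":"2021-04-15T23:02:50","Operation":"UserLoginFailed","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","LogonError":"InvalidUserNameOrPassword"}',
  '{"CreationTime":"2021-04-15T23:03:30","Operation":"UserLoginFailed","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","LogonError":"InvalidUserNameOrPassword"}',
  '{"CreationTime":"2021-04-15T23:08:40","Operation":"UserLoggedIn","RecordType":15,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7"}',
  '{"CreationTime":"2021-04-15T23:09:22","Operation":"FileDownloaded","RecordType":6,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","SiteUrl":"https://example.sharepoint.com/sites/finance","SourceFileName":"financial_report.xlsx"}',
  '{"CreationTime":"2021-04-15T23:10:02","Operation":"AddedToGroup","RecordType":4,"UserId":"john.doe@example.com","ClientIP":"198.51.100.7","SiteUrl":"https://example.sharepoint.com/sites/finance","TargetUserOrGroupName":"mallory@outside.example","TargetUserOrGroupType":"Guest"}',
  '{"CreationTime":"2021-04-15T09:12:44","Operation":"FileDownloaded","RecordType":6,"UserId":"jane.roe@example.com","ClientIP":"203.0.113.25","SiteUrl":"https://example.sharepoint.com/sites/finance","SourceFileName":"budget.xlsx"}'
)

function Test-CorpIp {
    param([string]$Ip)
    foreach ($p in $corpEgressPrefixes) { if ($Ip.StartsWith($p)) { return $true } }
    return $false
}

function Find-SuspiciousActivity {
    param([string[]]$AuditDataJson)
    $events   = $AuditDataJson | ForEach-Object { $_ | ConvertFrom-Json }
    $findings = [System.Collections.Generic.List[object]]::new()

    # Rule 1: five or more UserLoginFailed for one account inside 10 minutes (password guessing);
    #         escalate if a UserLoggedIn from one of the same IPs follows the burst.
    $events | Where-Object Operation -eq 'UserLoginFailed' | Group-Object UserId | ForEach-Object {
        $user  = $_.Name
        $times = @($_.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        if ($times.Count -ge 5 -and ($times[-1] - $times[0]).TotalMinutes -le 10) {
            $ips     = @($_.Group.ClientIP | Sort-Object -Unique)
            $success = $events | Where-Object {
                $_.Operation -eq 'UserLoggedIn' -and $_.UserId -eq $user -and
                $ips -contains $_.ClientIP -and [datetime]$_.CreationTime -gt $times[-1] }
            $sev  = if ($success) { 'High' } else { 'Medium' }
            $rule = if ($success) { 'Failed-login burst followed by success' } else { 'Failed-login burst' }
            $findings.Add([pscustomobject]@{ Severity = $sev; Rule = $rule; User = $user
                Detail = "$($times.Count) failures from $($ips -join ',') between $($times[0]) and $($times[-1])" })
        }
    }

    # Rule 2: a download from a sensitive site that did not come through corporate egress.
    $events | Where-Object { $_.Operation -eq 'FileDownloaded' -and $sensitiveSites -contains $_.SiteUrl } | ForEach-Object {
        if (-not (Test-CorpIp $_.ClientIP)) {
            $findings.Add([pscustomobject]@{ Severity = 'Medium'; Rule = 'Sensitive download from non-corporate IP'
                User = $_.UserId; Detail = "$($_.SourceFileName) from $($_.SiteUrl) via $($_.ClientIP) at $($_.CreationTime)" })
        }
    }

    # Rule 3: permission changes; granting access to a guest or anonymous link is High.
    $events | Where-Object { $_.Operation -in 'AddedToGroup', 'SharingSet', 'AnonymousLinkCreated' } | ForEach-Object {
        $external = ($_.TargetUserOrGroupType -eq 'Guest') -or ($_.Operation -eq 'AnonymousLinkCreated')
        $sev = if ($external) { 'High' } else { 'Low' }
        $findings.Add([pscustomobject]@{ Severity = $sev; Rule = 'Permission change'; User = $_.UserId
            Detail = "$($_.Operation) on $($_.SiteUrl) for $($_.TargetUserOrGroupName) ($($_.TargetUserOrGroupType))" })
    }
    return $findings
}

$findings = Find-SuspiciousActivity -AuditDataJson $auditData
$findings | Sort-Object Severity | Format-Table Severity, Rule, User, Detail -AutoSize -Wrap
```

On the constructed data this yields three findings for john.doe (the failed-login burst followed by a success from 198.51.100.7, the finance download from the same non-corporate address, and the guest added to the finance site), while jane.roe's daytime download through the corporate prefix is not flagged. The same three rules applied to real exported records are what turns a list of events into a judgement about whether the activity was appropriate.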
Best Practices for Monitoring Workloads
- Regular Audits: Periodically review audit logs to stay aware of activities within your environment.
- Alerts and Notifications: Configure alerts for abnormal activities that could indicate potential security threats.
- Comprehensive Policy: Develop a robust auditing policy that delineates the types of activities that should be audited and how the audit logs should be reviewed.
- Retention Policy: Establish how long audit logs should be kept based on regulatory requirements, and make sure they are stored securely.
- Training: Educate your team on how to interpret audit logs and the actions that should be taken if they detect any anomaly.
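The "Alerts and Notifications" and "Retention Policy" items above, plus the prerequisite that the unified audit log is actually being populated, expressed as configuration. This is an added example, not code from the original page or from Microsoft; the policy names, threshold, recipient address and admin UPN are assumptions, and the retention policy requires Microsoft Purview Audit (Premium) (E5 or the add-on licence).

```powershell
# Added example (not from the original page): confirm auditing is on, create an alert policy
# for bulk downloads, and set an audit retention policy. Names, thresholds and addresses are
# assumptions. Needs the ExchangeOnlineManagement module; alert and retention cmdlets run in
# the Security & Compliance session, the audit config cmdlets in the Exchange Online session.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example.com    # assumed admin account
Connect-IPPSSession    -UserPrincipalName admin@example.com

# 1. Nothing is searchable unless unified audit log ingestion is on. It is on by default for
#    recent tenants, but verify rather than assume; also make sure org-wide mailbox auditing
#    ("mailbox auditing on by default") has not been switched off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Alert policy: 25 or more FileDownloaded operations by one user within 60 minutes.
#    -Operation takes the audit operation name; -TimeWindow is in minutes (minimum 60).
New-ProtectionAlert -Name 'Bulk SharePoint downloads' `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 25 -TimeWindow 60 `
    -Severity Medium `
    -NotifyUser 'secops@example.com' `
    -Description 'Possible bulk exfiltration of SharePoint or OneDrive files'

# 3. Retention policy: keep SharePoint file operations for twelve months regardless of the
#    tenant default. Lower Priority numbers win when policies overlap.
New-UnifiedAuditLogRetentionPolicy -Name 'SharePoint file ops - 12 months' `
    -Description 'Keep file activity for a year to support investigations' `
    -RecordTypes SharePointFileOperation `
    -RetentionDuration TwelveMonths `
    -Priority 100

# Verify what was created.
Get-ProtectionAlert -Identity 'Bulk SharePoint downloads' |
    Format-List Name, Operation, AggregationType, Threshold, TimeWindow, NotifyUser
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RecordTypes, RetentionDuration, Priority
```

Alert policies evaluate the same unified audit log that search reads, so an operation that is not audited cannot trigger an alert; check with Search-UnifiedAuditLog that the operation you alert on is actually appearing before relying on the policy.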
The Microsoft 365 compliance center provides a one-stop-shop for retrieving and interpreting audit logs, ensuring that administrators have the visibility and capability to effectively monitor their workloads and maintain security and compliance across the organization. With the right tools and practices, the daunting task of audit log management becomes a systematic part of your security and governance strategy.
Practice Test with Explanation
1) True or False: Audit logs for workloads in Microsoft 365 can be accessed through the Azure Portal.
- Answer: False
Explanation: The unified audit log for Microsoft 365 workloads is searched in the Microsoft 365 compliance center (formerly the Security & Compliance Center) or with the Search-UnifiedAuditLog PowerShell cmdlet. The Azure Portal exposes only the Azure AD sign-in and directory audit logs, not the workload audit log.
2) True or False: Enabling mailbox auditing on by default is a feature in Microsoft 365 that records actions taken by mailbox owners, delegates, and administrators.
- Answer: True
Explanation: Microsoft 365 has a feature called ‘mailbox auditing on by default’ which automatically logs actions performed by mailbox owners, delegates, and administrators.
3) Which of the following services in Microsoft 365 provides detailed reports to help you understand how your organization’s data is accessed? (Select all that apply)
- a) Microsoft Defender for Identity
- b) Azure AD Identity Protection
- c) Microsoft Cloud App Security
- d) Microsoft 365 compliance center
Answer: c) Microsoft Cloud App Security and d) Microsoft 365 compliance center
Explanation: Microsoft Cloud App Security is a Cloud Access Security Broker that gives insights into suspicious activities, and the Microsoft 365 compliance center provides access to audit logs and reports related to data access and activities.
4) Single select: To retrieve and interpret audit logs for workloads in Microsoft 365, which permissions are necessary?
- a) Global Reader
- b) Security Administrator
- c) Compliance Administrator
- d) All of the above
Answer: d) All of the above
Explanation: All three can search the audit log. The underlying permission is the Audit Logs or View-Only Audit Logs role in Exchange Online; Global Readers get read-only access through the compliance center, Security Administrators manage security features including audit logs, and Compliance Administrators manage compliance features including audit log access.
5) True or False: SharePoint Online and OneDrive for Business activities can be tracked using audit logs in the Microsoft 365 compliance center.
- Answer: True
Explanation: The Microsoft 365 compliance center audit logs include activities related to SharePoint Online and OneDrive for Business.
6) True or False: Audit logs in Microsoft 365 are retained indefinitely by default.
- Answer: False
Explanation: Audit logs in Microsoft 365 are not retained indefinitely; the default retention depends on the subscription (90 days for Audit (Standard) when this was written, one year for Audit (Premium) on E5), and longer retention requires audit log retention policies and, beyond one year, an add-on licence.
7) Which feature must be turned on to track user and admin activities in Microsoft 365 workloads?
- a) Directory synchronization
- b) Multi-Factor Authentication
- c) Unified Audit Log
- d) Data Loss Prevention
Answer: c) Unified Audit Log
Explanation: The Unified Audit Log must be enabled to track user and administrator activities across Microsoft 365 services including Exchange Online, SharePoint Online, and OneDrive for Business.
8) True or False: The Security & Compliance Center PowerShell cmdlet ‘Search-UnifiedAuditLog’ can be used to retrieve audit log entries.
- Answer: True
Explanation: The ‘Search-UnifiedAuditLog’ cmdlet searches the same unified audit log the compliance center exposes. It is an Exchange Online cmdlet, run from a Connect-ExchangeOnline session, and supports paging with -SessionId and -SessionCommand for large result sets.
9) What Azure tool can be integrated with Microsoft 365 to enhance the visibility and analysis of audit logs?
- a) Azure Logic Apps
- b) Azure Monitor
- c) Azure Active Directory Connect
- d) Azure Sentinel
Answer: d) Azure Sentinel
Explanation: Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM (Security Information and Event Management) tool; its Office 365 data connector ingests the unified audit log so it can be correlated with other sources across the enterprise.
10) True or False: You can set up audit log alert policies in Microsoft 365 to get notified about specific activities.
- Answer: True
Explanation: In the Microsoft 365 compliance center, you can create alert policies that notify you when certain events are found in the audit logs.
11) Single select: For which type of operations is Audit Log Search used in the Microsoft 365 compliance center?
- a) User sign-in activities only
- b) File and page activities only
- c) Admin and user activities
- d) External user activities only
Answer: c) Admin and user activities
Explanation: Audit Log Search in the Microsoft 365 compliance center is used to track both admin and user activities within Microsoft 365 workloads.
12) True or False: Audit logs are only necessary for investigating security breaches and incidents in Microsoft 365.
- Answer: False
Explanation: Audit logs are used for various purposes, including monitoring user and administrator activity, compliance, and forensic analysis, not just for investigating security incidents.
Interview Questions
What is the audit log in Microsoft 365?
The audit log in Microsoft 365 is a record of user and administrator activity in Microsoft 365.
What can you search for in the audit log?
You can search for specific user activities, file and folder activities, admin activities, and policy changes.
How can you access the audit log?
You can access the audit log through the Security & Compliance Center in Microsoft 365.
What is the maximum retention period for the audit log?
It depends on licensing: Audit (Standard) retains records for 90 days (raised to 180 days in 2023), Audit (Premium) retains them for one year by default, and with the 10-Year Audit Log Retention add-on licence a retention policy can keep records for up to ten years.
What is the purpose of audit log retention policies?
Audit log retention policies allow you to specify how long you want to retain audit log data and when you want to delete it.
Can you export audit log data to a CSV file?
Yes, you can export audit log data to a CSV file for further analysis.
What is the difference between search and activity alerts in the audit log?
Search allows you to look for specific events in the audit log, while activity alerts notify you when certain activities occur.
Can you search the audit log for activities by a specific user?
Yes, you can search the audit log for activities by a specific user.
What is the difference between the Exchange and Exchange admin audit logs?
Mailbox audit logging records actions taken in Exchange Online mailboxes by owners, delegates and administrators, while the admin audit log records the cmdlet-level configuration changes administrators make in Exchange Online.
Can you search for activities that occurred on a specific date in the audit log?
Yes, you can search for activities that occurred on a specific date in the audit log.
What is the purpose of the audit log search schema?
The audit log search schema allows you to view the available fields and properties you can search for in the audit log.
Can you view audit log search results in the Security & Compliance Center?
Yes, you can view audit log search results in the Security & Compliance Center.
Can you use the audit log to track user sign-ins?
Yes, you can use the audit log to track user sign-ins to Microsoft 365 services.
What is the maximum number of audit log search queries you can run in a day?
The maximum number of audit log search queries you can run in a day is 500.
What is the purpose of the audit log search feedback feature?
The audit log search feedback feature allows you to provide feedback on the relevance and accuracy of search results in the audit log.
The MS-101 exam heavily focuses on managing audit logs. Any tips on the best practices for retrieving and interpreting these logs?
Can anyone elaborate on the differences between using Azure Monitor and the Security & Compliance Center for audit logs?
How can I filter audit logs to find specific events related to mailbox access?
I appreciate the detailed information in this blog post!
Is the data retention period for audit logs configurable?
For those studying for the MS-101, don’t overlook the importance of understanding role-based access control (RBAC) for managing who can access audit logs.
The blog could have elaborated more on interpreting log data. Finding specific log entries isn’t enough without proper analysis.
What tools can I use to correlate events across multiple logs?