Discovering Microsoft 365 Logs within your Organization [ Part 1] (2024)


Part 1: Unified Audit Log (UAL)


I was recently asked to deliver a session around hunting Microsoft 365 logs to help an organization determine the various methods and limits to each. This seemed like an easy ask and I was sure someone already put together content. To my surprise, I couldn't find a colleague that had a consolidated set of information.

Microsoft is good at updating doc pages and providing information; unfortunately, the answers can be spread across several different sites in various locations. This brings me to this multi-part series on how to hunt Microsoft 365 data. My goal is to help security teams better understand each method and its limits.

Microsoft 365 is a highly targeted resource that is rich with organizational data stored in Office 365, SharePoint, Teams, and other Microsoft 365 components. Over the years, security teams have gained a deeper understanding of Microsoft 365 and Microsoft has continued to add additional auditing to the platform.

For this blog series we will focus on 6 key areas:

  1. Unified Audit Logs (UAL)
  2. Mailbox Audit Logs
  3. Message Trace
  4. Azure Active Directory
  5. M365 Defender Streaming API
  6. Defender 365 Advanced Hunting

Auditing is now enabled by default in Microsoft 365; however, each organization should verify that auditing is enabled by running the following command in Exchange Online PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

While Azure Active Directory data is represented in the Unified Audit Log data, additional details can be found in the Azure Active Directory Sign-in and Audit Logs. Details on collecting data from Azure Active Directory will be provided in a follow-on blog.

Microsoft 365 provides two levels of auditing; everyone should be familiar with both and with the licensing requirements for each.

Basic:

  1. Logs stored for 90 days
  2. Auditing for thousands of events
  3. Enabled by default
  4. Requires one of the following licenses:
    1. Office 365 E3/A3/G3
    2. Microsoft 365 E3/A3/G3

Advanced Auditing:

  1. Additional log types:
    1. MailItemsAccessed
    2. Send
    3. SearchQueryInitiatedExchange
    4. SearchQueryInitiatedSharePoint
  2. Logs stored for 1 year
  3. Creation of log retention policies up to 10 years (additional cost)
  4. Requires any of the additional licenses outlined below:
    1. Office 365 E5/A5/G5
    2. Microsoft 365 E5/A5/G5
    3. Office 365 Advanced Compliance (add-on)
    4. Office 365 Advanced Audit/eDiscovery (add-on)

See the official list here: Advanced Audit Licensing

Who can access the logs?

Microsoft 365 provides several built-in roles and allows for the creation of custom role types. As a best practice, organizations should always follow the principle of least privilege when assigning permissions.

To access the UAL, team members will need to be delegated one of the following roles in Exchange Online: View-Only Audit Logs or Audit Logs. By default, members of the Compliance Management and Organization Management role groups will have access to the logs. If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Microsoft 365 compliance center, they won't be able to search the audit log; you have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.

At this point, there should be a basic understanding of the two levels (Basic and Advanced) of logging and the roles that are required to access the logs.

Security teams should know the time lag that can occur with the UAL and take this into consideration when working through an incident or daily troubleshooting. It can take 30 minutes or up to 24 hours after an event occurs for the information to be returned in a search of the UAL.

The following table provides guidelines for various events and the potential lag time (30 minutes or 24 hours) for the event to show up in the UAL. Some logs can be consumed from other locations, like the Azure Active Directory sign-in logs, at earlier intervals. (In the original table the 30-minute or 24-hour column for each row is a check-mark image; only the service names survive here.)

Microsoft 365 service or feature:

  1. Defender for Microsoft 365 and Threat Intelligence
  2. Azure Active Directory (user login events)
  3. Azure Active Directory (admin events)
  4. Data Loss Prevention
  5. Dynamics 365 CRM
  6. eDiscovery
  7. Exchange Online
  8. Microsoft Power Automate
  9. Microsoft Stream
  10. Microsoft Teams
  11. Power Apps
  12. Power BI
  13. Microsoft 365 compliance center
  14. Sensitivity labels
  15. SharePoint Online and OneDrive for Business
  16. Workplace Analytics
  17. Yammer
  18. Microsoft Forms

How can data be accessed?

There are three methods that can be used to access the UAL data, and each comes with a set of limitations.

  1. Graphical
  2. PowerShell
  3. Office Management API

Graphical:

The simplest way to access the UAL is to log on to the portal and perform a search. Historically, this was done by going to the Security and Compliance portal; however, the UAL is being moved to the unified security portal located at security.microsoft.com (note this is still being rolled out to GCC+ customers). Once signed into the security.microsoft.com portal, select Audit in the lower left-hand corner to access the UAL.

Figure 1: Unified Audit Log

In the portal there are three items that can be used to manipulate the search results.

  1. Date range
  2. Activities
  3. Files/Folders

When manipulating the date range, note the license requirements and limits that were outlined earlier in the article. Basic will provide 90 days of retention vs Advanced Audit, which can be up to 10 years based on policy.

Figure 2: UAL Search

Limits to consider with the graphical search:

  1. Maximum of 5k events returned, in chunks of 150, and the most recent 5k will be returned
  2. 90-day limit for users without advanced licensing
  3. Limited performance for large searches

Tips:

  1. Attempt to focus the search as much as possible
  2. Scope the activities
  3. Scope the date and time
  4. Target the appropriate files/folders
  5. Export larger searches via the CSV export for more granular searching
  6. Best practice to ingest data into a SIEM or big data solution

Office Management API

The Office Management API is a REST API provided to customers using industry standard approaches including OAuth v2, OData v4 and JSON. The API is commonly used to export data to a SIEM or a central storage location, or by security teams to automate activities. To use the API there are a few steps that need to be completed before we can access the data.

Setup steps are outlined here:

  1. Register the accessing application in Azure Active Directory
  2. Tenant Consent
  3. Request Access tokens from Azure Active Directory
  4. Make data calls to API

API URLs

After completing the steps above, your application can connect to the Management API to retrieve data from Microsoft 365.

The API comes with its own limitations and should be used only when appropriate. It does solve some of the performance issues we saw in the graphical approach, but it is not always the correct method.

Limits:

  1. Limited to the last 7 days of history
  2. The API provides the event details for a log; you must download the data to implement additional queries
  3. Limited to 2,000 requests per minute; however, G5/E5 customers get twice as much bandwidth allocated

Additional information can be found in the FAQ here.

Tips:

  1. For busy tenants, page content using a logical loop and check the NextPageUrl header value
  2. Push data into a tool like Azure Sentinel or other data lakes for better searchability
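The four setup steps and the paging tip above, carried through as an added PowerShell example. This is not code from the original article or from Microsoft; it assumes the app registration and tenant consent for the Office 365 Management APIs are already done, and the tenant id, client id, secret, content type, time window and output path are all placeholders or assumptions marked in the comments.

```powershell
# Added example: pull audit content from the Office 365 Management Activity API
# with client-credential auth and NextPageUri paging. Not code from the article.
# Placeholder values below must be replaced with your own.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder tenant (directory) id
$ClientId     = '11111111-1111-1111-1111-111111111111'   # placeholder app (client) id
$ClientSecret = $env:O365_MGMT_CLIENT_SECRET              # placeholder: supply the app secret via the environment
$ContentType  = 'Audit.General'                           # assumed content type (others: Audit.Exchange, Audit.SharePoint, Audit.AzureActiveDirectory, DLP.All)
$OutFile      = 'C:\temp\ual-api-export.json'             # assumed local export path for SIEM ingestion

# Each content listing may span at most 24 hours and reach back at most 7 days.
$EndTime   = [datetime]::UtcNow
$StartTime = $EndTime.AddHours(-24)
$Fmt       = 'yyyy-MM-ddTHH:mm:ss'

# Step 3: request an access token with the client credentials flow.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://manage.office.com/.default'
    }
$Headers = @{ Authorization = "Bearer $($token.access_token)" }
$Base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# Step 4a: a subscription must exist for the content type before content can be listed.
# Starting one that is already active returns an error, which is safe to ignore here.
try {
    Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "$Base/subscriptions/start?contentType=$ContentType" | Out-Null
} catch {
    Write-Warning "Subscription start for $ContentType returned: $($_.Exception.Message)"
}

function Get-ContentBlobs {
    # Follows the NextPageUri response header (the article calls it NextPageUrl)
    # until the service stops sending one, collecting every content-blob descriptor.
    param([string]$Uri, [hashtable]$Headers)

    $blobs = [System.Collections.Generic.List[object]]::new()
    while ($Uri) {
        $resp = Invoke-WebRequest -Method Get -Uri $Uri -Headers $Headers -UseBasicParsing
        foreach ($blob in ($resp.Content | ConvertFrom-Json)) { $blobs.Add($blob) }
        $Uri = [string]$resp.Headers['NextPageUri']   # empty string when there are no more pages
    }
    return $blobs
}

# Step 4b: list the content blobs for the window, then download each blob's events.
$ListUri = "$Base/subscriptions/content?contentType=$ContentType" +
           "&startTime=$($StartTime.ToString($Fmt))&endTime=$($EndTime.ToString($Fmt))"
$blobs  = Get-ContentBlobs -Uri $ListUri -Headers $Headers
$events = foreach ($blob in $blobs) {
    Invoke-RestMethod -Method Get -Uri $blob.contentUri -Headers $Headers
}

$summary = '{0} events across {1} content blobs for {2} between {3:u} and {4:u}' -f @($events).Count, $blobs.Count, $ContentType, $StartTime, $EndTime
Write-Host $summary
$events | ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile -Encoding UTF8
```

To cover the full 7 days the API retains, run the listing once per 24-hour window. A busy tenant can hit the 2,000 requests per minute limit described above while downloading blobs; when a call comes back with HTTP 429, pause for the Retry-After interval and retry rather than dropping the blob.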

PowerShell

The Search-UnifiedAuditLog cmdlet provides a command line interface into the UAL. This method provides staff and security teams with a richer set of capabilities beyond the graphical interface. However, if your organization wants to download the logs, using the Management API is the preferred method, assuming the data you are looking for is in the last 7 days.

To use the Exchange Online PowerShell module, several steps need to be completed before a search can run.

*Note: if you have not installed the Exchange Online module you will need to run Install-Module ExchangeOnlineManagement first.

Step 1: connect to Exchange Online PowerShell by using the Import-Module ExchangeOnlineManagement command

*If you get an error you may need to set the execution policy with the Set-ExecutionPolicy RemoteSigned command

Step 2: run the Connect-ExchangeOnline command

*Refer to the documentation for the various switches

Step 3: run Search-UnifiedAuditLog with the appropriate switches

Example: Search-UnifiedAuditLog -StartDate 09/1/2021 -EndDate 09/26/2021

The Search-UnifiedAuditLog cmdlet has the following parameters:

-EndDate <ExDateTime>

-StartDate <ExDateTime>

[-Formatted]

[-FreeText <String>]

[-IPAddresses <String[]>]

[-ObjectIds <String[]>]

[-Operations <String[]>]

[-RecordType <AuditRecordType>]

[-ResultSize <Int32>]

[-SessionCommand <UnifiedAuditSessionCommand>]

[-SessionId <String>]

[-SiteIds <String[]>]

[-UserIds <String[]>]

[<CommonParameters>]

To search for text in the logs, run the following command: Search-UnifiedAuditLog -StartDate 10/1/2021 -EndDate 10/04/2021 -FreeText "baseball"

The log entries returned contain the text "baseball" (highlighted in the screenshot).

Limits:

  1. The ResultSize parameter specifies the maximum number of results to return. The default value is 100; the maximum is 5,000.

Tips:

  1. Search-UnifiedAuditLog provides some additional abilities, like free-text search, over the graphical and API methods
  2. Pulling logs into a SIEM is preferred to provide robust searching
  3. Always use the same SessionCommand value for a given SessionId value. Don't switch between ReturnLargeSet and ReturnNextPreviewPage for the same session ID. Otherwise, the output is limited to 10,000 results
  4. To pull data sets larger than 5,000 results, a time-slicing approach is recommended. The results from the Search-UnifiedAuditLog cmdlet include a ResultCount column indicating the total number of records found matching the criteria. If that number is larger than the ResultSize specified, shorten the time window and repeat the search.
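Steps 1 to 3 above together with tips 3 and 4, worked through as an added PowerShell script that is not code from the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds one of the audit roles described earlier; the date window, operations filter, export path, session ceiling and minimum slice size are assumptions marked in the comments.

```powershell
# Added example: connect to Exchange Online, confirm auditing is on, then pull a result set
# larger than one call allows by paging a ReturnLargeSet session and splitting the time
# window whenever a slice holds more than a session can return. Not code from the article.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw 'UnifiedAuditLogIngestionEnabled is False; enable auditing before searching.'
}

$StartDate   = (Get-Date).AddDays(-30)                  # assumed search window
$EndDate     = Get-Date
$Operations  = @('MailItemsAccessed', 'UserLoggedIn')   # assumed operations filter; set to $null to search all
$OutFile     = 'C:\temp\ual-search-export.json'         # assumed export path for SIEM ingestion
$PageSize    = 5000     # cmdlet maximum per call (ResultSize)
$SessionCap  = 50000    # documented ceiling a ReturnLargeSet session can page through
$MinSliceMin = 15       # stop splitting below this window size in minutes (assumption)

function Get-UalSlice {
    param([datetime]$Start, [datetime]$End, [string[]]$Operations)

    # One SessionId per slice, and the same SessionCommand for every call in it (tip 3).
    $search = @{
        StartDate      = $Start
        EndDate        = $End
        ResultSize     = $PageSize
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'
    }
    if ($Operations) { $search['Operations'] = $Operations }

    $page = @(Search-UnifiedAuditLog @search)
    if ($page.Count -eq 0) { return @() }

    # ResultCount on every record is the total match count for the window (tip 4).
    $total   = [int]$page[0].ResultCount
    $minutes = ($End - $Start).TotalMinutes
    if ($total -gt $SessionCap -and $minutes -gt $MinSliceMin) {
        $mid = $Start.AddMinutes($minutes / 2)
        Write-Host ('{0:u} - {1:u}: {2} records, splitting window' -f $Start, $End, $total)
        return @(Get-UalSlice -Start $Start -End $mid -Operations $Operations) +
               @(Get-UalSlice -Start $mid   -End $End -Operations $Operations)
    }

    # Otherwise keep calling with the same session until the cmdlet returns nothing.
    $records = [System.Collections.Generic.List[object]]::new()
    while ($page.Count -gt 0) {
        foreach ($r in $page) { $records.Add($r) }
        $page = @(Search-UnifiedAuditLog @search)
    }
    Write-Host ('{0:u} - {1:u}: {2} of {3} records retrieved' -f $Start, $End, $records.Count, $total)
    return $records.ToArray()
}

$all = Get-UalSlice -Start $StartDate -End $EndDate -Operations $Operations
# Adjacent slices share a boundary instant, so de-duplicate on the record Identity.
$unique = $all | Sort-Object -Property Identity -Unique

$unique | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "$(@($unique).Count) unique records written to $OutFile"

Disconnect-ExchangeOnline -Confirm:$false
```

AuditData is kept as the raw JSON string the cmdlet returns so a SIEM can parse it on ingest. If a slice still reports more than the session ceiling after shrinking to the minimum window, narrow the Operations or UserIds filter instead of pulling an unsorted, truncated set.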

Azure Sentinel

Per NIST and industry recommendations, organizations should have a Security Information and Event Management (SIEM) system in place to aggregate information for better searchability and retention. Azure Sentinel provides an out-of-the-box experience to connect the Microsoft 365 UAL and pull data into a rich searchable environment. This single-click experience can help staff rapidly connect to the data.


Azure Sentinel stores the Office log data in the OfficeActivity table, helping organizations use the powerful KQL query language to perform advanced searches and join multiple tables together to expand the investigation beyond the Microsoft 365 platform.


Azure Sentinel can store logs for up to 2 years and can work in conjunction with Azure Data Explorer or Azure storage for longer retention or archival purposes.

As the number of log locations increases and the number of API endpoints expands, using Azure Sentinel to aggregate the various logs can simplify organizational access to those logs. Even if an organization uses another SIEM solution, pulling data into Azure Sentinel and then pushing it to the other SIEM can reduce the complexity of connecting to multiple APIs.

Links:

  1. Search-UnifiedAuditLog
  2. Office 365 Management API
  3. Unified Audit Logs
  4. Exchange Online PowerShell
  5. Azure Sentinel Data connectors
  6. Enable Auditing in Microsoft 365
  7. Advanced Audit Licensing