
Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016


Page 1: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Securing Office 365 with Activity Monitoring

ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT OFFICE 365 & OFFICE SERVICES MVP

Email: [email protected]
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com

Page 2: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Who are We

• 3,300 professionals
• Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
• 70+ offices
• Our revenue: more than $743 million in 2015

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Page 3: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Office 365 Security

• Encrypted Storage/Fort Knox
• SSL/TLS Communication
• Information Rights Management
• Retention Policies
• Activity Monitoring
• Data Loss Prevention
• Audit Reports
• External Sharing Controls
• SharePoint Permissions

Page 4: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Activity Monitoring – What’s it all about?

• Recording and maintaining a log of our users’ activity within a system
• Reviewing user actions
  • Who is accessing sensitive content?
  • What are users doing with corporate content and systems?
  • Are users following corporate policy?
• Forensic investigation
  • Investigating data leaks or breaches

Page 5: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Why Monitor User Activity?

Page 6: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Who downloaded those credit card numbers?

Page 7: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

I swear I didn’t delete that document!?

Page 8: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

How did he get access?

Page 9: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Why Monitor Our Systems?

• Audit user activity to meet regulatory compliance obligations
• Protect against insider threats, inadvertent or malicious
• Investigate data breaches
  • Find the root cause – improve security, seal the leak, prevent future leaks
  • Gather evidence – legal cases or employee actions
  • Report data breaches – data quantity, data types, exposure time

Page 10: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Does it make our systems more secure?

YES – with the appropriate policies and procedures!

• Quarterly access reviews for privileged users
• Annual access reviews for all users
• Understand data retention requirements
• Automated notifications
• Monitor what you need – avoid noise!

Page 11: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Office 365 Activity Monitoring Capabilities

1. Office 365 Activity Report
2. Comprehensive Event Logging
3. Search PowerShell Cmdlet
4. Management Activity API

Page 12: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

1. Office 365 Activity Report

• Log in to Office 365
• Click App Launcher > Navigate to Admin
• Click Security > Reports > Office 365 Activity Report

Page 13: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

1. Office 365 Activity Report

• Search across
  • SharePoint Online
  • OneDrive for Business
  • Exchange Online
  • Azure AD
• Search by type of activity
• Search by date range, users, file, folder, site
• View Activity Details (Details Pane)
• Run Report on Demand
• Export results to CSV

Page 14: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

2. Comprehensive Event Logging

• User and administrator events are logged as users work within Office 365
• Over 100 events logged (e.g. view a file, mailbox owner activities, Azure AD login, etc.)
• 10 Event/Activity Categories
  • File and folder events (SharePoint and OneDrive for Business)
  • Sharing events (SharePoint and OneDrive for Business)
  • Synchronization events (SharePoint and OneDrive for Business)
  • Site administration events (SharePoint and OneDrive for Business)
  • Exchange mailbox events
  • User administration events
  • Group administration events
  • Application administration events
  • Role administration events
  • Directory administration events

Page 15: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

2. Comprehensive Event Logging

• With each event, up to 37 event properties are logged:

Actor, ClientIP, ClientProcessName, CreationTime, DestinationFileExtension, DestinationFileName, DestinationRelativeUrl, EventSource, ExternalAccess, ID, InternalLogonType, ItemType, LogonType, MailboxGuid, MailboxOwnerUPN, ModifiedProperties, ObjectID, Operation, OrganizationID, Parameters, Path, RecordType, ResultStatus, SharingType, Site, SiteUrl, SourceFileExtension, SourceFileName, SourceRelativeUrl, Subject, Target, UserAgent, UserID, UserKey, UserSharedWith, UserType, Workload

Page 16: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

2. File and Folder Events

Friendly name | Operation | Description
Accessed file | FileAccessed | User or system account accesses a file.
Checked in file | FileCheckedIn | User checks in a document that they checked out from a document library.
Checked out file | FileCheckedOut | User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them.
Copied file | FileCopied | User copies a document from a site. The copied file can be saved to another folder on the site.
Deleted file | FileDeleted | User deletes a document from a site.
Discarded file checkout | FileCheckOutDiscarded | User discards (or undoes) a checked-out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.
Downloaded file | FileDownloaded | User downloads a document from a site.
Modified file | FileModified | User or system account modifies the content or the properties of a document located on a site.
Moved file | FileMoved | User moves a document from its current location on a site to a new location.
Renamed file | FileRenamed | User renames a document on a site.
Restored file | FileRestored | User restores a document from the recycle bin of a site.
Uploaded file | FileUploaded | User uploads a document to a folder on a site.

Page 17: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

2. Sharing Events

Friendly name | Operation | Description
Accepted access request | AccessRequestAccepted | An access request to a site, folder, or document was accepted and the requesting user has been granted access.
Accepted sharing invitation | SharingInvitationAccepted | User (member or guest) accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation (they could be different). This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.
Created a company-wide link * | CompanyLinkCreated | User created a company-wide link to a resource. Company-wide links can only be used by members in your organization. They can't be used by guests.
Created access request | AccessRequestCreated | User requests access to a site, folder, or document they don't have permissions to access.
Created an anonymous link * | AnonymousLinkCreated | User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated.
Created sharing invitation | SharingInvitationCreated | User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory.
Denied access request | AccessRequestDenied | An access request to a site, folder, or document was denied.
Removed a company-wide link * | CompanyLinkRemoved | User removed a company-wide link to a resource. The link can no longer be used to access the resource.
Removed an anonymous link * | AnonymousLinkRemoved | User removed an anonymous link to a resource. The link can no longer be used to access the resource.
Shared file, folder, or site | SharingSet | User (member or guest) shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource; for example, adding the user to a group that has access to the resource.
Updated an anonymous link * | AnonymousLinkUpdated | User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results.
Used an anonymous link * | AnonymousLinkUsed | An anonymous user accessed a resource by using an anonymous link. The user’s identity might be unknown, but you can get other details such as the user's IP address.
Unshared file, folder, or site | SharingRevoked | User (member or guest) unshared a file, folder, or site that was previously shared with another user.
Used a company-wide link * | CompanyLinkUsed | User accessed a resource by using a company-wide link.
Withdrew sharing invitation | SharingInvitationRevoked | User withdrew a sharing invitation to a resource.

Page 18: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

3. Search PowerShell Cmdlet

• PowerShell cmdlet: Search-UnifiedAuditLog
• Script your searches of the event logs – may look for specific details
• Exchange Online cmdlet (must load the Exchange Online PS module)
• Requires Exchange permission: Organization Management
• Export logs to a file
• Automate searches and reporting

Page 19: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

3. Search PowerShell Cmdlet – Examples

Connect to Exchange Online and import the Exchange Online PowerShell module:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Example 1 – Output the log to a file as a list:

Search-UnifiedAuditLog > c:\auditlog.csv

Example 2 – Specify start/end dates:

Search-UnifiedAuditLog -StartDate 2/1/2016 -EndDate 4/2/2016

Example 3 – Specify start/end dates and specific operations to retrieve audit entries for:

Search-UnifiedAuditLog -StartDate 2/1/2016 -EndDate 4/2/2016 -RecordType SharePointFileOperation -Operations FileViewed -ObjectIds docx
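The examples above each return a single page of results. A scripted search, as the deck recommends, needs to page through large result sets and unpack the AuditData JSON that carries the event properties listed earlier. The script below is an added example, not the presenter's code; it assumes the Exchange Online session above is already imported, and the operations, date window, output path and session name are choices made here.

```powershell
# Added example: page through the unified audit log for external-sharing
# activity over the last 7 days and write the flattened events to CSV.
# Assumes Import-PSSession has already run with Organization Management rights.
$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date
$Ops       = 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'SharingInvitationCreated'
$SessionId = 'sharing-review-' + (Get-Date -Format 'yyyyMMddHHmmss')   # any unique string
$OutFile   = 'C:\sharing-review.csv'

# -SessionCommand ReturnLargeSet returns up to 5,000 records per call and keeps
# paging for the same -SessionId until the full set (max 50,000) is returned.
$AllEvents = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType SharePointSharingOperation -Operations $Ops `
        -ResultSize 5000 -SessionId $SessionId -SessionCommand ReturnLargeSet
    if ($Batch) { $AllEvents += $Batch }
} while ($Batch -and $Batch.Count -eq 5000)

# Each record's AuditData property is a JSON string holding the event fields
# (ClientIP, ObjectId, SiteUrl, TargetUserOrGroupName, ...). Flatten the ones
# a reviewer needs so the CSV can be sorted and filtered directly.
$Report = foreach ($Entry in $AllEvents) {
    $Data = $Entry.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $Entry.CreationDate
        User         = $Entry.UserIds
        Operation    = $Entry.Operations
        ClientIP     = $Data.ClientIP
        ObjectId     = $Data.ObjectId
        SharedWith   = $Data.TargetUserOrGroupName
        SiteUrl      = $Data.SiteUrl
    }
}

$Report | Sort-Object CreationTime | Export-Csv -Path $OutFile -NoTypeInformation
"$($Report.Count) sharing events written to $OutFile"
```

Schedule the script (Task Scheduler or a runbook) with a rolling window shorter than the log retention period so no events fall out of the window between runs.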

Page 20: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

4. Management Activity API

• Integrate Office 365 activity data into internal or 3rd-party security and compliance monitoring and reporting solutions
• Grant rights for your application to access event data using Azure AD
  Register the application in Azure AD to establish an identity for your application and specify the permission levels it needs in order to access the APIs.
• Let the Office 365 service know if your application has rights to access it
  The Office 365 tenant admin must explicitly grant consent to allow your application to access their tenant data through the APIs.
• Request access tokens from Azure AD
  Using the application’s credentials (as in Azure AD) the application will request “app-only” access tokens for a consented tenant on an ongoing basis, without the need for further tenant admin interaction.
• Start calling the Management API
  Subscribe to content types; receive notifications when content is available; retrieve content as JSON.

* API Reference: https://msdn.microsoft.com/en-us/library/office/mt227394.aspx
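The four steps above (token request, subscription, content listing, content retrieval) carried out end to end, as an added example rather than code from the deck. It assumes an Azure AD app registration that has been granted and consented for the Management Activity API's ActivityFeed.Read permission; the tenant ID, application ID and secret are placeholders, and the content type and time window are choices made here.

```powershell
# Added example: pull Office 365 audit content through the Management Activity API.
# Placeholders below must be replaced with values from your own app registration.
$TenantId     = '<tenant-id>'
$ClientId     = '<application-id>'
$ClientSecret = '<client-secret>'
$ContentType  = 'Audit.SharePoint'   # also Audit.Exchange, Audit.AzureActiveDirectory, Audit.General

# 1. App-only access token via the client credentials grant; the resource is the
#    Management API itself, not Graph or Exchange.
$Token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://manage.office.com'
    }
$Headers = @{ Authorization = "Bearer $($Token.access_token)" }
$Base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# 2. Start (or re-affirm) the subscription for this content type. Without a
#    webhook address the API is polled instead of pushing notifications.
Invoke-RestMethod -Method Post -Headers $Headers `
    -Uri "$Base/subscriptions/start?contentType=$ContentType" | Out-Null

# 3. List content blobs for the last 24 hours (the API keeps at most 7 days).
#    Large windows are paged; the next page URL is returned in a NextPageUri header.
$End   = (Get-Date).ToUniversalTime()
$Start = $End.AddHours(-24)
$Fmt   = 'yyyy-MM-ddTHH:mm:ss'
$Blobs = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri ("$Base/subscriptions/content?contentType=$ContentType" +
          "&startTime=$($Start.ToString($Fmt))&endTime=$($End.ToString($Fmt))")

# 4. Each blob's contentUri returns a JSON array of audit records in the same
#    schema as Search-UnifiedAuditLog's AuditData. Keep anonymous-link events.
$Events = foreach ($Blob in $Blobs) {
    Invoke-RestMethod -Method Get -Headers $Headers -Uri $Blob.contentUri
}
$Events | Where-Object { $_.Operation -like 'AnonymousLink*' } |
    Select-Object CreationTime, UserId, Operation, ObjectId, ClientIP |
    Format-Table -AutoSize
```

Store the client secret in a vault or certificate store rather than in the script; the token it yields reads every audited event in the tenant.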

Page 21: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

DEMONSTRATION

Page 22: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

In Summary

• Activity Monitoring is just one aspect of securing information systems
• Key drivers for monitoring activity and auditing our systems:
  • Enhance compliance with regulatory standards
  • Protect against insider threats – inadvertent or malicious
  • Enable detailed forensic investigations
• Provides deep visibility into user activity and integration with internal/3rd-party tools
  • SharePoint Online, OneDrive for Business, Exchange Online and Azure AD
• Accessed through the Office 365 Compliance Center

Page 23: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Appendix

Page 24: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Enabling Exchange Mailbox Auditing

Auditing must be enabled on each mailbox you wish to audit via PowerShell!

Connect to Exchange Online and import the Exchange Online PowerShell module:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

Options

• Set-Mailbox -Identity "[email protected]" -AuditEnabled $true
• Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
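Because auditing is per mailbox, new mailboxes silently arrive unaudited. The script below is an added example, not from the deck: it finds user mailboxes with auditing off, enables it, and at the same time sets a retention limit and owner-action coverage (mailbox owner actions are not audited by default). The 180-day limit and the owner action list are choices made here; it assumes the Exchange Online session above is imported.

```powershell
# Added example: close mailbox-audit gaps and verify the result.
# Assumes Import-PSSession to Exchange Online has already run.
$UserMailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter {RecipientTypeDetails -eq "UserMailbox"}

$Unaudited = $UserMailboxes | Where-Object { -not $_.AuditEnabled }
"$($Unaudited.Count) of $($UserMailboxes.Count) user mailboxes have auditing disabled"

foreach ($Mbx in $Unaudited) {
    # AuditLogAgeLimit is a timespan (days.hours:minutes:seconds); the default is 90 days.
    # AuditOwner lists owner actions to record; logins and deletions matter most in
    # an insider or compromised-account investigation.
    Set-Mailbox -Identity $Mbx.Identity -AuditEnabled $true `
        -AuditLogAgeLimit '180.00:00:00' `
        -AuditOwner @('MailboxLogin', 'HardDelete', 'SoftDelete', 'Update')
}

# Verify: every user mailbox should now report AuditEnabled = True.
# Re-run this check on a schedule to catch mailboxes created since.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Select-Object DisplayName, AuditEnabled, AuditLogAgeLimit, AuditOwner |
    Sort-Object AuditEnabled | Format-Table -AutoSize
```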

Page 25: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Exchange Audit Reports

Page 26: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Azure AD Premium Reports

Requires an Azure AD Premium subscription.

Sign ins from unknown sources
• Use this report to identify users who have successfully signed in to your organization while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users who want to hide their computer’s IP address.

Sign ins after multiple failures
• Use this report to identify users who have successfully signed in after multiple consecutive failed sign-in attempts.

Sign ins from multiple geographies
• Use this report to identify successful sign-in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries.

Account provisioning errors
• Use this report to monitor errors that occur during the synchronization of accounts from Software as a Service (SaaS) applications to Azure AD. Entries in this report may indicate an issue with a user’s ability to access external applications.

Audit
• Use this report to view the Azure AD audit log. This report contains entries for events such as creating a new user account, changing the properties of a user account, or changing a user password. Each entry includes the date and time of the event, the user who made the change, the change that was made, and the user account that was changed. Entries in this report are kept for 30 days.

Page 27: Securing Office365 with Activity Monitoring - SharePoint Saturday San Antonio 2016

Thank You!

ANTONIO MAIO
PROTIVITI SENIOR MANAGER
MICROSOFT OFFICE 365 & OFFICE SERVICES MVP

Email: [email protected]
Twitter: @AntonioMaio2
Blog: www.TrustSharePoint.com