Tutorial / Cram Notes

The activity log in Microsoft 365 is a comprehensive record of every user and administrative action taken across the service, and it plays a crucial role in monitoring and troubleshooting issues.

Understanding Activity Logs

The activity logs in Microsoft 365 can be accessed through various tools such as the Microsoft 365 Compliance Center, Security Center, or directly via the Office 365 Management APIs. These logs contain details about operations performed in Microsoft 365 services like SharePoint, Exchange, Teams, and Azure AD, among others.

Each entry in the log includes key information such as:

  • The date and time of the activity
  • The user or account that performed the action
  • The IP address from which the activity was initiated
  • The details of the action taken

Reviewing Activity Logs

Regularly reviewing activity logs is a necessary part of security audits and compliance. Administrators should create a schedule for reviewing these logs based on their organization’s policy and the sensitivity of their data.

To review the logs, follow these steps:

  1. Access the Microsoft 365 Compliance Center or Security Center.
  2. Navigate to the ‘Audit log search’ page.
  3. Set the relevant filters such as date ranges, user names, or activities.
  4. Review the returned log data for any unusual or unauthorized activity.
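The same review can be scripted so that it runs on the schedule the organization sets. The following is an added example, not code from the original notes: it uses the Search-UnifiedAuditLog cmdlet from Exchange Online PowerShell to pull a week of failed sign-in events, pages through the result set, parses the AuditData JSON that each row carries, and groups failures by user and source IP. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role that can read the audit log, and that the log is turned on; the session name, threshold and output path are assumed values.

```powershell
# Added example: review failed sign-ins in the unified audit log with PowerShell.
# Assumes the ExchangeOnlineManagement module and a role that can read the audit log.
Connect-ExchangeOnline -ShowBanner:$false

$start     = (Get-Date).AddDays(-7)   # date range filter (step 3 above)
$end       = Get-Date
$sessionId = "FailedLoginReview-" + (Get-Date -Format 'yyyyMMddHHmmss')   # assumed name
$all       = @()

# Search-UnifiedAuditLog returns at most 5000 rows per call. With a SessionId and
# ReturnLargeSet it pages through the result set, so loop until a page comes back short.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations UserLoginFailed `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page -and $page.Count -eq 5000)

# Each row stores the event details as a JSON string in the AuditData property.
$events = $all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $d.CreationTime
        User     = $d.UserId
        ClientIP = $d.ClientIP
        Status   = $d.ResultStatus
    }
}

# Flag user/IP pairs with repeated failures; the threshold is an assumed value
# that each organization should tune to its own baseline.
$threshold = 10
$events | Group-Object User, ClientIP |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Keep the raw rows for the audit trail (output path is assumed).
$all | Export-Csv -Path .\failed-logins.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

Swapping the -Operations value (for example FileDownloaded or FileAccessed for the SharePoint workload) and the grouping keys turns the same loop into the file-access or data-export review described later in these notes; the ClientIP and UserId fields are present in the AuditData of those records as well.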

Responding to Activity Log Entries

When an unexpected or unauthorized action is found in an activity log, a timely response is essential. The appropriate response depends on the nature of the logged activity; the examples below pair common findings with a first response.

Type of Activity: Failed Login Attempts
  Example: Multiple failed login attempts from an unfamiliar location
  Response Action: Review the user account for potential compromise and initiate password reset protocols. Enable multi-factor authentication if it is not in place.

Type of Activity: File Access
  Example: A sensitive file accessed by an unauthorized user
  Response Action: Revoke access immediately. Inform the data owner and investigate further for a potential security breach.

Type of Activity: Configuration Changes
  Example: Unexpected changes in security policies or permissions
  Response Action: Reverse the changes if necessary, and investigate the reason behind them to prevent future unauthorized alterations.

Type of Activity: Data Export
  Example: Large volumes of data downloaded or exported by a user
  Response Action: Confirm the legitimacy of the action with the user or their manager, and review data loss prevention (DLP) policies for effectiveness.

Utilizing Alert Policies

Microsoft 365 includes alert policies that automate the monitoring of activity and generate immediate notifications when specific events occur. Here are the steps to set up an alert policy:

  1. In the Microsoft 365 Compliance Center or Security Center, go to ‘Alert policies’.
  2. Click on “+ New alert policy” to create a new one.
  3. Define the conditions and actions that will trigger the alert.
  4. Set the recipients who will receive the alert notifications.
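Alert policies can also be created from Security & Compliance PowerShell. The block below is an added example, not part of the original notes: it uses New-ProtectionAlert to define a policy matching the "Data Export" case above (many file downloads by one user in a short window), names the recipient, and reads the policy back to confirm it is enabled. It assumes the ExchangeOnlineManagement module is installed and the account can manage alert policies; the policy name, threshold, time window and recipient address are assumed values.

```powershell
# Added example: create and verify an activity alert policy with PowerShell.
# Assumes the ExchangeOnlineManagement module and a role that can manage alert policies.
Connect-IPPSSession

# Step 3: condition (FileDownloaded events aggregated per user) and step 4: recipient.
New-ProtectionAlert -Name "Bulk file download (example)" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -AggregationType SimpleAggregation `
    -Threshold 100 `
    -TimeWindow 60 `
    -Severity Medium `
    -NotifyUser secops@example.com `
    -Description "Example policy: 100 or more FileDownloaded events by one user within 60 minutes"

# Read the policy back; Disabled should be False for an active policy.
Get-ProtectionAlert -Identity "Bulk file download (example)" |
    Select-Object Name, Operation, Threshold, TimeWindow, Severity, Disabled
```

The threshold and window should be set from the organization's normal download volume so that the alert catches bulk export without paging on routine use; once an alert fires, the response in the "Data Export" row above applies.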

Leveraging Advanced Tools

For more sophisticated monitoring and analysis, tools like Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) can be employed. It provides advanced threat detection, enhanced logging capabilities, and the option to set up automated responses to particular types of alerts.

Best Practices for Activity Log Review

  • Regular Reviews: Establish a routine for regular reviews of activity logs.
  • Segmented Analysis: Focus on segments such as user logins, file accesses, and administrative activities for targeted investigation.
  • Alert Policies: Utilize alert policies for efficient monitoring of critical or high-impact activities.
  • Role-Based Access Control (RBAC): Ensure that administrative activities in the logs align with the RBAC policies set in the organization.
  • Automated Responses: Where possible, automate responses to specific events to reduce reaction times.
  • Training and Awareness: Educate users and admins on the significance of their actions being logged and the implications of security breaches.
  • Integration with SIEM: Integrate activity logs with Security Information and Event Management (SIEM) systems for centralized monitoring and analysis.

In conclusion, diligent review of and response to activity logs are core components of maintaining a secure Microsoft 365 environment. Through systematic monitoring, administrators can not only detect but also prevent security incidents, thereby protecting their organization's digital landscape.

Practice Test with Explanation

True or False: The Activity Log in Microsoft 365 can only be accessed by global administrators.

  • False

The Activity Log can be accessed by users with appropriate permissions, which include compliance administrators, security administrators, and other roles, not just global administrators.

Which of the following can you use to review sign-in activities in Microsoft 365?

  • A) Security & Compliance Center
  • B) Azure Active Directory Admin Center
  • C) Microsoft 365 admin center
  • D) All of the above

D) All of the above

Sign-in activities can be reviewed in the Security & Compliance Center, Azure Active Directory Admin Center, and the Microsoft 365 admin center.

True or False: You need to turn on audit log search before you can start searching the audit logs in the Security & Compliance Center.

  • True

Before you can run an audit log search in the Security & Compliance Center, you must first turn on auditing.

To filter activity logs effectively, which of the following pieces of information are useful? (Select all that apply)

  • A) User IDs
  • B) Date ranges
  • C) IP addresses
  • D) Browser version

A) User IDs, B) Date ranges, C) IP addresses

Filtering activity logs is typically done using User IDs, date ranges, and IP addresses. The browser version is less commonly used for this purpose.

True or False: The “Audit log search” feature in Microsoft 365 includes activity from Exchange Online and Azure Active Directory.

  • True

The Audit log search feature includes activities from various services, including Exchange Online and Azure Active Directory.

How long does Microsoft 365 retain audit logs by default?

  • A) 30 days
  • B) 90 days
  • C) 180 days
  • D) 365 days

B) 90 days

Audit logs are retained for 90 days by default in Microsoft

True or False: You must manually assign the “Audit Logs” role in Microsoft 365 to view the audit logs.

  • True

The “Audit Logs” role must be assigned to a user before they can view the audit logs, which is usually part of the Compliance Management role group.

Which PowerShell cmdlet is used to export the Office 365 audit log?

  • A) Export-AuditLog
  • B) Get-AuditLogSearch
  • C) Search-UnifiedAuditLog
  • D) Export-ComplianceSearch

C) Search-UnifiedAuditLog

The “Search-UnifiedAuditLog” cmdlet is used to search and export entries from the unified audit log.

True or False: Only events deemed critical will appear in the Activity Log by default.

  • False

The Activity Log will contain a range of events, not only those that are deemed critical. It’s up to the administrator to filter or sort according to the criticality.

What kind of activities can be monitored in the activity log? (Select all that apply)

  • A) User logins
  • B) File access and modifications
  • C) DLP policy matches
  • D) System performance data

A) User logins, B) File access and modifications, C) DLP policy matches

The activity log can be used to monitor user logins, file access and modifications, and DLP (Data Loss Prevention) policy matches. It does not typically include system performance data.

True or False: Role changes in Azure AD can be found in the activity logs.

  • True

Role changes are a type of audit event that can be found in Azure Active Directory’s audit logs.

Interview Questions

What is an activity log in Microsoft Defender for Cloud Apps?

An activity log is a record of all actions and events that occur within a cloud application, such as file uploads, downloads, and access attempts.

How can you access the activity log in Microsoft Defender for Cloud Apps?

You can access the activity log by navigating to the “Activity log” section within the Defender for Cloud Apps portal.

What types of events are included in the activity log?

The activity log includes events such as user sign-ins, file uploads and downloads, failed logins, and data sharing activities.

How can you filter the activity log in Microsoft Defender for Cloud Apps?

You can filter the activity log by date range, user, app, activity type, and file type.

What is the purpose of reviewing activity logs in Microsoft Defender for Cloud Apps?

Reviewing activity logs can help you identify and respond to potential security risks or compliance issues within your cloud applications.

How can you set up alerts for specific activity types in Microsoft Defender for Cloud Apps?

You can set up alerts for specific activity types by configuring policies in the Defender for Cloud Apps portal.

How can you investigate a specific activity in the activity log in Microsoft Defender for Cloud Apps?

You can investigate a specific activity by clicking on it in the activity log and reviewing the details provided.

What actions can you take in response to activity log events in Microsoft Defender for Cloud Apps?

You can take actions such as suspending user accounts, revoking access tokens, and deleting files in response to activity log events in Defender for Cloud Apps.

How does Microsoft Defender for Cloud Apps help with compliance requirements?

Microsoft Defender for Cloud Apps can help with compliance requirements by providing audit logs and activity reports that can be used to demonstrate compliance with industry regulations.

How often should you review activity logs in Microsoft Defender for Cloud Apps?

The frequency of activity log reviews will depend on the specific needs of your organization, but it is recommended to review activity logs on a regular basis, such as weekly or monthly, to stay on top of potential security and compliance issues.

Abhimanyu Saniel
2 years ago

I just reviewed the Activity Log feature in MS-101, and it’s amazing how detailed the logs are. They really help in tracking user actions.

Kora Krehoveckiy
1 year ago

Can someone explain how to set up alerts based on the Activity Log?

Viljami Oja
1 year ago

Thanks for the insightful blog post!

Álvaro Gallardo
1 year ago

I find it hard to filter out the noise from the Activity Log. Any tips?

Lilly Jackson
1 year ago

What are the retention policies for Activity Logs in MS-101?

Cézanne Boschma
1 year ago

How reliable is the Activity Log data?

Hotibor Krizhickiy
1 year ago

Appreciate the detailed review!

Kasper Wallo
1 year ago

I don’t find this feature very user-friendly. It’s too complex for beginners.
