BLOG POST: Enhanced Threat Detection Using Audit Logging in Office 365
By Caitlin Robertson, IT Risk Management
With digital medical records and data on the rise, the healthcare industry has been adopting Software as a Service (SaaS) at a steady rate. According to McAfee’s findings, healthcare organizations have a 96% adoption rate for cloud, above the 93% global average, and 81% are only implementing an internal service if no cloud solution is currently available. Trust in the cloud is skyrocketing, but unfortunately the proper security controls and visibility for all this sensitive information are falling short. Audit logging is a crucial step in resolving this issue, and it can be carried out using Office 365.
Internal audit logging and monitoring is an important component in the early detection of both internal and external threats. Through logging and monitoring in Office 365, you can learn the patterns of users and investigate suspicious activity. The log documents and unifies activities across the Office 365 environment. Many major actions are recorded, including:
- Logging in/out
- Page and file views
- Downloading files/folders
- Sharing files/folders
- Creating/removing groups
- Settings changes
- Password resets
These logs can be searched using different criteria, such as a specific user or file. A report can then be compiled based on the criteria. Additionally, you can set up alerts that are triggered by certain activities, such as an excessive number of login attempts, mass downloads by a single user, or an elevation of a user's privileges.
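As an added illustration (not code from the original post), the following checks the three alert conditions just described over exported audit records. The records are constructed samples in the shape of unified audit log entries, and the operation names (UserLoginFailed, FileDownloaded, "Add member to role."), thresholds and tenant names are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed sample entries shaped like Office 365 unified audit log records
# (the AuditData JSON an audit log search returns). Not real tenant data.
def _rec(operation, user, workload, obj="", status="Succeeded"):
    return json.dumps({"CreationTime": "2019-03-01T10:00:00", "Operation": operation,
                       "UserId": user, "Workload": workload, "ObjectId": obj,
                       "ResultStatus": status, "ClientIP": "203.0.113.10"})

SAMPLE_LOG = (
    [_rec("UserLoginFailed", "alice@contoso.example", "AzureActiveDirectory", status="Failed")] * 6
    + [_rec("UserLoggedIn", "alice@contoso.example", "AzureActiveDirectory")]
    + [_rec("UserLoginFailed", "bob@contoso.example", "AzureActiveDirectory", status="Failed")]
    + [_rec("FileDownloaded", "bob@contoso.example", "SharePoint",
            obj=f"https://contoso.example/sites/hr/doc{i}.docx") for i in range(4)]
    + [_rec("Add member to role.", "admin@contoso.example", "AzureActiveDirectory",
            obj="carol@contoso.example")]
)

FAILED_LOGIN_THRESHOLD = 5   # assumed: alert once a user exceeds this many failed sign-ins
DOWNLOAD_THRESHOLD = 3       # assumed: alert once a user exceeds this many file downloads

def detect(raw_records, failed_max=FAILED_LOGIN_THRESHOLD, download_max=DOWNLOAD_THRESHOLD):
    """Return (rule, user, detail) alerts for the three patterns the post names.
    Counts cover the whole input; a production rule would bound them by time window."""
    failed, downloads, alerts = Counter(), Counter(), []
    for raw in raw_records:
        r = json.loads(raw)
        op, user = r["Operation"], r["UserId"]
        if op == "UserLoginFailed":
            failed[user] += 1
        elif op == "FileDownloaded":
            downloads[user] += 1
        elif op == "Add member to role.":
            # Privilege elevation: flag every occurrence, recording actor and target.
            alerts.append(("role_elevation", r["ObjectId"], f"added to a role by {user}"))
    alerts += [("excessive_failed_logins", u, f"{n} failed sign-ins")
               for u, n in failed.items() if n > failed_max]
    alerts += [("mass_download", u, f"{n} files downloaded")
               for u, n in downloads.items() if n > download_max]
    return alerts

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule}: {user} ({detail})")
```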
To enable and configure audit logs, navigate to the Office 365 Security and Compliance center and select “Start recording user and admin activity” on the Audit log search page. Permissions for those who access the logs can be assigned through the “View Only” or “Audit Logs” role. Lastly, the “Create an Alert” feature can be found here as well. Recorded activities are retained in the log for 90 days.
“Advanced Security Management” is another great tool for an in-depth look at questionable activity that may be a security issue. It features the following:
- Threat detection for abnormal usage, incidents, and threats
- Enhanced control through granular controls and policies for customizing environment
- Discovery and insights with more visibility and context without end-point installation
It is available only with a license which requires a monthly subscription.
Whether investigating a potential breach or managing day-to-day security events, audit logging and monitoring in Office 365 is an invaluable resource for maintaining awareness inside the organization and strengthening any security program.