Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Office 365: Make Sure Audit Logs Are Enabled

January 16, 2019

You can’t determine what happened if you don’t have some sort of history of events. That’s why people install surveillance cameras. It’s also why software developers have logging capability. Many of our security and forensic investigations are significantly crippled because logs don’t exist or minimal data is captured. That’s because most applications don’t enable logging by default. The same is true for Microsoft Office 365. The good news is that starting February 1, Microsoft will add auditing to track mail reads by default. Even with the change, you should review your current audit settings. CSO has good advice for enabling audit logs in Microsoft Office 365.

If you are good with programming, you can check the status via PowerShell. An alternative is to go to the Security and Compliance Center (Microsoft login required), go to “Search & Investigation,” select “Audit log search” and review the settings. Make sure that auditing is enabled and turn it on if it is not. Turning auditing on after an event won’t help you find out what happened.
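For the PowerShell route, here is an added example (not from the original post or from the CSO article) that reports the tenant's audit settings in one pass. It assumes the ExchangeOnlineManagement module is installed and that the account holds an Exchange Online admin role; `Get-O365AuditStatus` is a hypothetical helper name and `admin@example.com` is a placeholder.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example. Run it against Exchange Online PowerShell: the same
# Get-AdminAuditLogConfig query in Security & Compliance PowerShell
# always reports the unified audit log as disabled.

function Get-O365AuditStatus {    # hypothetical helper name
    [CmdletBinding()]
    param(
        # Turn unified audit logging on if it is found to be off.
        [switch]$EnableIfOff
    )

    $cfg = Get-AdminAuditLogConfig    # tenant-wide unified audit log setting
    $org = Get-OrganizationConfig     # org-wide mailbox auditing switch

    $enableRequested = $false
    if (-not $cfg.UnifiedAuditLogIngestionEnabled -and $EnableIfOff) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # The change may not be reflected immediately, so report that it
        # was requested rather than re-reading the setting right away.
        $enableRequested = $true
    }

    # Accounts whose mailbox actions are exempt from auditing. Each one is
    # a gap in the history an investigator would rely on later.
    $bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled })

    [pscustomobject]@{
        UnifiedAuditLogEnabled = [bool]$cfg.UnifiedAuditLogIngestionEnabled
        EnableRequested        = $enableRequested
        MailboxAuditingOrgWide = -not $org.AuditDisabled
        AuditBypassCount       = $bypassed.Count
        AuditBypassAccounts    = $bypassed.Name
    }
}

Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder UPN
Get-O365AuditStatus | Format-List
Disconnect-ExchangeOnline -Confirm:$false
```

Pass `-EnableIfOff` to switch unified audit logging on when the check finds it disabled; any account listed under `AuditBypassAccounts` deserves a documented reason for the exemption.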

Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com