Part 2: Audit
This is the second blog in a multi-part series helping admins, service providers, consultants and security admins to check and achieve a level of security control in Office 365. Part 1 of this series covered the basic PowerShell commands for Authentication through CIS; here we will talk about ‘Audit’.
Need for Office 365 Automation
Many of those readers are technical people who need some automation here because they:
- may be frustrated with the myriad UIs from Microsoft,
- have multiple tenants to secure,
- consider this a repeating task (which it should be).
To this end we will show you how to complete these tasks in PowerShell, which will allow you to script these checks and remediations. Alternatively, you can skip laborious manual Office 365 PowerShell configuration by using an automation solution like Octiga to achieve the same results in a few clicks.
First steps
Connect to Remote PowerShell
The following connections are required to run the scripts in this blog.
Enable Org Customisations
If you have never run PowerShell against a tenant before, you will have to enable organisation customisations via PowerShell.
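The two connections the rest of the checks rely on, plus the organisation-customisation step, as an added example (not the post's own script). It assumes the ExchangeOnlineManagement module is installed and that the placeholder account holds an Exchange administrator role; the Security & Compliance session is opened last because only the retention-policy cmdlets need it.

```powershell
# Added example, not the post's own script.
Import-Module ExchangeOnlineManagement

$adminUpn = 'admin@contoso.example'   # placeholder, replace with your admin account

# Exchange Online PowerShell: Get-/Set-Mailbox, Get-/Set-AdminAuditLogConfig, ...
Connect-ExchangeOnline -UserPrincipalName $adminUpn -ShowBanner:$false

# A tenant that has never been customised reports IsDehydrated = True.
# Enable-OrganizationCustomization is one-way and can take time to
# propagate, so only run it when the flag says it is still required.
if ((Get-OrganizationConfig).IsDehydrated) {
    Write-Host 'Tenant has not been customised yet - enabling organisation customisation'
    Enable-OrganizationCustomization
}
else {
    Write-Host 'Organisation customisation is already enabled'
}

# Security & Compliance PowerShell: the *-UnifiedAuditLogRetentionPolicy cmdlets
Connect-IPPSSession -UserPrincipalName $adminUpn
```

Run this once per tenant at the start of a session; every later snippet assumes these sessions are open.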
Unified Audit Log (UAL)
Reason: Microsoft funnels many different log sources into one unified log for easy triage and investigation.
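A check-and-enable for the Unified Audit Log, added here as an example rather than the post's own code. It needs an Exchange Online session and reads the tenant-wide ingestion switch; the trailing search is a sanity check that records are actually arriving.

```powershell
# Added example, not the post's own script. Needs an Exchange Online session.
function Test-UnifiedAuditLogEnabled {
    # UnifiedAuditLogIngestionEnabled is the tenant-wide switch for the UAL
    return [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

if (-not (Test-UnifiedAuditLogEnabled)) {
    Write-Warning 'Unified Audit Log ingestion is off - enabling it now'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The setting can take up to an hour to become effective, so an
    # immediate re-read may still report $false; re-run the check later.
}

# Confirm events are flowing: pull a handful of records from the last 24 hours.
# An empty result on a tenant that was only just enabled is normal;
# an empty result on a long-running tenant is worth investigating.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
if ($recent) {
    $recent | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize
}
else {
    Write-Warning 'No audit records returned for the last 24 hours'
}
```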
Mailbox Audit – Basic and Advanced
Reason:
Since this is configurable you should ensure that all types of activity are being audited for each mailbox. Even where nothing has been misconfigured, auditing may simply not be on by default, because Microsoft applies this audit capability differently to different licence types. More info here
Check
The above will show the audit-enabled status for all mailboxes under the field AuditEnabled.
The final three fields in the output show the event types that are being audited by default. (See Remediate Advanced.)
Remediate Basic
Remediate Advanced
Notice that the check above lists the audit event types that are audited by default. This Microsoft article shows that this set can be altered and updated.
The code below can be updated to include any mailbox action you wish to audit; the full list can be found in the link above. Note: if you do not have an E5 licence or an E5 Compliance add-on licence, the following actions may not be available and should be removed:
[Send, SearchQueryInitiated, MailItemsAccessed]
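The check, basic remediation and advanced remediation above, combined into one added example (not the post's own script). It needs an Exchange Online session. The action lists are an assumed baseline to adjust from the Microsoft list; the E5-only actions quoted above are gated behind a single flag so they can be dropped on tenants without that licence.

```powershell
# Added example, not the post's own script. Needs an Exchange Online session.

# If auditing is disabled at organisation level, per-mailbox settings are
# ignored, so check that first.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled organisation-wide; per-mailbox settings will not apply'
}

# Check: audit status and the action sets currently in force per mailbox
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin
$mailboxes | Format-Table UserPrincipalName, AuditEnabled, AuditLogAgeLimit -AutoSize

# Remediate basic: switch auditing on wherever it is off
foreach ($mbx in ($mailboxes | Where-Object { -not $_.AuditEnabled })) {
    Write-Host "Enabling audit on $($mbx.UserPrincipalName)"
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
}

# Remediate advanced: assumed baseline of actions available on every licence type
$ownerActions    = 'Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete',
                   'Update','UpdateFolderPermissions','UpdateInboxRules','UpdateCalendarDelegation'
$delegateActions = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf',
                   'SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules'
$adminActions    = 'Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf',
                   'SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules','UpdateCalendarDelegation'

# Actions that need E5 or the E5 Compliance add-on; set to $false to leave them out
$hasAdvancedAudit = $true
if ($hasAdvancedAudit) {
    $ownerActions    += 'Send','MailItemsAccessed','SearchQueryInitiated'
    $delegateActions += 'Send','MailItemsAccessed'
    $adminActions    += 'Send','MailItemsAccessed'
}

# Passing a plain array replaces the whole list (use @{Add=...} to append instead)
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditOwner $ownerActions -AuditDelegate $delegateActions -AuditAdmin $adminActions
}
```

Re-run the Get-Mailbox check after the loop and compare the three action columns against the lists above; a mailbox that still shows the shorter default set is the one to look at.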
Advanced Auditing (E5 and Advanced Add-On)
Advanced audit allows for increased audit retention, logs additional event types and delivers events faster, among other things.
Advanced Audit is available with E5 licences or through an add-on (see here).
We need to ensure it is set up correctly so that when the time comes to need it you aren’t left kicking yourself.
Assigning Advanced Audit Licences
If you have purchased the required licences you must ensure they are allocated to the required users. One mistake we often see is companies purchasing licences and then failing to allocate them, let alone configure them.
The following script will identify any unallocated M365_ADVANCED_AUDITING service plans.
Advanced Audit Events
Advanced audit logs additional mailbox events (Send, MailItemsAccessed, SearchQueryInitiatedExchange/SharePoint) which can be crucial when investigating mail breaches.
Check and Remediate
The following script will set up advanced audit event logging for all users who have been assigned the advanced audit licence.
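One added example (not the post's own script) covering both the licence-allocation check under "Assigning Advanced Audit Licences" and the per-user event setup just described. It assumes the Microsoft.Graph PowerShell module alongside an open Exchange Online session; the service plan name M365_ADVANCED_AUDITING is the one quoted in the post, and the Graph scopes used are read-only.

```powershell
# Added example, not the post's own script. Assumes Microsoft.Graph plus an
# Exchange Online session; the plan name is the one quoted in the post.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All'

$planName = 'M365_ADVANCED_AUDITING'

# 1. Purchased SKUs that carry the plan, and how many units sit unassigned
foreach ($sku in (Get-MgSubscribedSku | Where-Object { $_.ServicePlans.ServicePlanName -contains $planName })) {
    $unallocated = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    '{0}: {1} purchased, {2} assigned, {3} unallocated' -f `
        $sku.SkuPartNumber, $sku.PrepaidUnits.Enabled, $sku.ConsumedUnits, $unallocated
}

# 2. Users on whom the plan is actually provisioned. A SKU can be assigned
#    with individual plans switched off, so check per user rather than per SKU.
$licensedUpns = foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    $plans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans
    if ($plans | Where-Object { $_.ServicePlanName -eq $planName -and $_.ProvisioningStatus -eq 'Success' }) {
        $user.UserPrincipalName
    }
}
Write-Host "$(@($licensedUpns).Count) users have $planName provisioned"

# 3. Turn on the E5-only mailbox actions for exactly those users.
#    @{Add=...} appends to the existing action lists instead of replacing them.
foreach ($upn in $licensedUpns) {
    Set-Mailbox -Identity $upn `
        -AuditOwner    @{Add='Send','MailItemsAccessed','SearchQueryInitiated'} `
        -AuditDelegate @{Add='Send','MailItemsAccessed'} `
        -AuditAdmin    @{Add='Send','MailItemsAccessed'}
}
```

Step 2 makes one Graph call per user, which is fine for a few hundred accounts; on a large tenant, filter Get-MgUser first. A licensed user without an Exchange mailbox will produce a non-terminating error from Set-Mailbox, which is worth reviewing rather than suppressing.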
Advanced Retention Periods
Once Unified Audit Logging is turned on it uses a default audit storage retention policy. Without an advanced audit licence this is 90 days. Once an advanced audit licence is activated it defaults to 1 year; however, it can optionally be set for up to 10 years.
Note: setting a longer retention policy than you already have will not retrospectively reveal older logs that have not already been stored. So if you want logs for more than 1 year in the future you will need to start now.
The default audit retention policy applies to all workloads (SharePoint, Teams, Exchange etc.); however, any custom policy will override it for the chosen workload. See here for a list of workloads for which the storage period can be extended.
In this example we will override the default retention storage for some important workloads.
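The retention override, as an added example rather than the post's own script. It needs a Security & Compliance session (Connect-IPPSSession). The choice of Exchange, Azure AD and SharePoint as the "important workloads" is an assumption; the policy names are placeholders, and the record type values are those accepted by -RecordTypes.

```powershell
# Added example, not the post's own script. Needs a Security & Compliance session.

# Show what is already in place before changing anything
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, RecordTypes, RetentionDuration, Priority -AutoSize

# Assumed set of workloads to extend; names are placeholders
$wanted = @(
    @{ Name = 'Audit retention - Exchange';   RecordTypes = 'ExchangeAdmin','ExchangeItem';                         Priority = 10 }
    @{ Name = 'Audit retention - Azure AD';   RecordTypes = 'AzureActiveDirectory','AzureActiveDirectoryStsLogon'; Priority = 20 }
    @{ Name = 'Audit retention - SharePoint'; RecordTypes = 'SharePoint','SharePointFileOperation';                Priority = 30 }
)

$existing = Get-UnifiedAuditLogRetentionPolicy
foreach ($p in $wanted) {
    if ($existing.Name -contains $p.Name) {
        Write-Host "$($p.Name) already exists - skipping"
        continue
    }
    # A lower Priority number wins where policies overlap. TenYears needs the
    # separate 10-year audit log retention add-on; use TwelveMonths without it.
    New-UnifiedAuditLogRetentionPolicy -Name $p.Name `
        -Description "Extend audit retention for $($p.RecordTypes -join ', ')" `
        -RecordTypes $p.RecordTypes -RetentionDuration TenYears -Priority $p.Priority
}
```

Because the script skips policies whose names already exist, it is safe to put in the repeating check loop mentioned at the top of the post; any drift in RetentionDuration on an existing policy will show up in the first table rather than being silently overwritten.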
High-Speed Access to Audit Logs
When you subscribe to advanced audit in Office 365 you automatically get log events faster than you otherwise would through the Management API. Octiga’s event monitoring automatically picks up these additional event types at the higher rate, so you will be informed even more rapidly of suspicious activity.
Octiga Ensures BOTH Best Practice Security Configurations AND Monitors all Risky Events
Octiga not only easily sets all of the above policies across all the tenants you manage, but also subscribes to all the resultant risky events. It alerts you when any of the policies does not comply with this best practice and also alerts you to all ongoing risks. It then remediates these risks at the touch of a button. Book a quick 15-minute chat with us to understand how Octiga can help your unique business needs through Office 365 security automation.