Top Security Logs and Reports in Office 365 and Azure AD

It’s already spring outside and I just got back from a nice walk in the sun (photo evidence below)! Today I’m writing from a small cafe in Hässleholm in southern Sweden. As always, traveling and seeing new places gives me inspiration to write. So here we go!

[Photo: img_3243]

This blog post is a summary of important security logs and reports in Office 365 and Azure AD that I think every organization should check at least once a week. For large organizations this can be a challenging task, but fear not! Most of these logs and reports can be fetched automatically with PowerShell and Microsoft Graph, creating a nice opportunity for automation and integration with your existing SIEM (Security Information and Event Management) tools. For example, I recently helped a customer integrate some of these logs with Splunk, and I’ve previously helped another customer alert on risky sign-ins with SolarWinds Orion. In both of these cases Microsoft Graph was used.

This is not a complete list of important logs and reports; there are plenty more in the Security and Compliance centers of Microsoft 365 to dig into. However, these logs cover critical security areas where a single missed event can have a large impact on the organization. I’ve provided instructions on how to get to each log or report in the portals.

I might write a follow-up in the future, explaining how to fetch this information with PowerShell and Microsoft Graph.

Here are the logs and reports I will cover in this post:

  • Azure AD “Risky Sign-Ins” Report
  • Application Usage Report
  • Self-Service Password Reset Report
  • User Role Group Changes
  • Mail Forwarding Rules
  • Mailbox Access by Non-Owners Report
  • Malware Detection Report
  • Spoofed Domains Report
  • Restricted Users Report (Spam Senders)


Azure AD “Risky Sign-Ins” Report

  1. Go to portal.azure.com.
  2. Click Azure Active Directory.
  3. Select Risk events.
  4. Review by Detection Type.
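The "Review by Detection Type" step can be automated against the same data the blade shows. The following is an added example, not code from the original post: it pulls Identity Protection risk detections through Microsoft Graph and groups the open ones by detection type. It assumes you already hold an access token with the IdentityRiskEvent.Read.All permission (how the token is obtained is outside the example) and that the tenant is licensed for Identity Protection. The function name and the choice to filter by date on the client side are the example's own.

```powershell
# Added example (not from the original post): summarise Azure AD Identity
# Protection risk detections by detection type, as the portal's Risk events
# blade does, using the Microsoft Graph REST endpoint directly.
# Assumes: $AccessToken carries IdentityRiskEvent.Read.All and the tenant is
# licensed for Identity Protection.

function Get-RiskDetectionSummary {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [int] $Days = 7
    )

    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $uri     = 'https://graph.microsoft.com/v1.0/identityProtection/riskDetections'
    $headers = @{ Authorization = "Bearer $AccessToken" }

    # Graph returns results in pages; follow @odata.nextLink until it is gone.
    $detections = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $detections += $page.value
        $uri = $page.'@odata.nextLink'
    }

    # Date filtering is done client-side here (assumption: avoids depending on
    # server-side $filter support). Keep only detections that still need an
    # administrator's decision, i.e. not yet dismissed, remediated or confirmed safe.
    $open = $detections | Where-Object {
        [datetime]::Parse($_.activityDateTime).ToUniversalTime() -ge $since -and
        $_.riskState -in @('atRisk', 'confirmedCompromised')
    }

    # Same view as the portal: one row per detection type, highest risk first.
    $open |
        Group-Object riskEventType |
        ForEach-Object {
            [pscustomobject]@{
                DetectionType = $_.Name
                Count         = $_.Count
                HighRisk      = @($_.Group | Where-Object riskLevel -eq 'high').Count
                Users         = ($_.Group.userPrincipalName | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object HighRisk, Count -Descending
}

# Usage (token acquisition not shown):
# Get-RiskDetectionSummary -AccessToken $token -Days 7 | Format-Table -AutoSize
```

The HighRisk column is the one to act on first; the Users column tells you who to contact or whose sessions to revoke when a detection is confirmed.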

[Screenshot: AzureADLogs1]

Application Usage Report

  1. Go to portal.azure.com.
  2. Click Azure Active Directory.
  3. Select App Registrations.
  4. Filter on All apps.
  5. Review the information.

[Screenshot: AzureADLogs5]

Self-Service Password Reset Report

  1. Go to portal.azure.com.
  2. Go to ‘Azure Active Directory’.
  3. Click on ‘Password Reset’.
  4. Select ‘Audit Logs’.
  5. Review the list of users who have reset their passwords in the last seven days.

[Screenshot: AzureADLogs6]

User Role Group Changes

  1. Go to Security and Compliance Center.
  2. Select Search and Investigation and then Audit Log Search.
  3. Set Activities to Added member to role.
  4. Set Start Date and End Date.
  5. Click Search.
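The same audit log search can be run from Exchange Online PowerShell, which is what you would wire into a SIEM. The following is an added example, not code from the original post. It assumes Connect-ExchangeOnline has already been run by an account that can search the audit log, that the unified audit log is enabled in the tenant, and that the Azure AD operation is recorded in the unified audit log under the name 'Add member to role.' (with the trailing period); the property name 'Role.DisplayName' inside ModifiedProperties and the function name are also assumptions of the example.

```powershell
# Added example (not from the original post): list Azure AD role membership
# additions from the unified audit log with Search-UnifiedAuditLog.
# Assumes: Connect-ExchangeOnline already done; unified audit log enabled;
# operation name 'Add member to role.' and the 'Role.DisplayName' property
# in ModifiedProperties (both assumed here).

function Get-RoleMembershipChanges {
    param(
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date)
    )

    # Search-UnifiedAuditLog hands back at most 5000 records per call; a session
    # id with ReturnNextPreviewPage pages through larger result sets.
    $sessionId = 'RoleChanges-' + [guid]::NewGuid().ToString()
    $records   = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -Operations 'Add member to role.' `
                    -SessionId $sessionId -SessionCommand ReturnNextPreviewPage `
                    -ResultSize 5000
        if ($page) { $records += $page }
    } while ($page -and $page.Count -eq 5000)

    # AuditData is a JSON string: extract who did it, to whom, and which role.
    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json
        $role = ($data.ModifiedProperties |
                 Where-Object { $_.Name -eq 'Role.DisplayName' }).NewValue
        [pscustomobject]@{
            When   = $rec.CreationDate
            Actor  = $rec.UserIds
            Target = $data.ObjectId
            Role   = "$role".Trim('"')   # NewValue is stored as a quoted string
        }
    }
}

# Usage:
# Get-RoleMembershipChanges | Sort-Object When -Descending | Format-Table -AutoSize
```

Any row whose Role is a privileged one (Global Administrator, Exchange Administrator, and so on) and whose Actor is not a known change ticket is worth a follow-up the same day.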

[Screenshot: AzureADLogs7]

Mail Forwarding Rules

  1. Go to Security and Compliance Center.
  2. Select Mail Flow and then Dashboard.
  3. Review Auto Forwarded Messages on the dashboard.
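The dashboard shows messages that were auto forwarded; the rules behind them can be inventoried directly. The following is an added example, not code from the original post. It assumes Connect-ExchangeOnline has already been run, and it makes two format assumptions that are labelled in the code: that Get-AcceptedDomain lists the tenant's own domains, and that inbox rule targets carry the address in an "[SMTP:user@example.com]" suffix. The function names are the example's own.

```powershell
# Added example (not from the original post): inventory mail forwarding at both
# levels, the mailbox setting and the user's inbox rules, and flag targets outside
# the tenant's own domains.
# Assumes: Connect-ExchangeOnline already done. Format assumptions are noted inline.

function Get-MailForwardingInventory {
    # Domains the tenant owns (assumed: Get-AcceptedDomain returns them all);
    # any other domain is treated as external.
    $internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

    # Assumed target formats: 'smtp:user@ext.example' for a mailbox setting and
    # '"Name" [SMTP:user@ext.example]' for inbox rule recipients. A target that
    # is only a directory object name cannot be resolved here and is not flagged.
    function Test-ExternalTarget([string] $target) {
        if     ($target -match '(?i)smtp:([^\]\s"]+)') { $address = $Matches[1] }
        elseif ($target -match '@')                    { $address = $target }
        else   { return $false }
        $domain = ($address -split '@')[-1]
        return -not ($internalDomains -contains $domain)
    }

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # Level 1: forwarding configured on the mailbox itself.
        $settingTargets = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }
        foreach ($target in $settingTargets) {
            [pscustomobject]@{
                Mailbox    = $mbx.UserPrincipalName
                Source     = 'MailboxSetting'
                RuleName   = ''
                Enabled    = $true
                Target     = "$target"
                IsExternal = Test-ExternalTarget "$target"
                KeepCopy   = $mbx.DeliverToMailboxAndForward
            }
        }

        # Level 2: inbox rules that forward or redirect. These are created from the
        # user's own session, which is why they matter after a credential compromise.
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName |
                 Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
        foreach ($rule in $rules) {
            $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                           Where-Object { $_ }
            foreach ($target in $ruleTargets) {
                [pscustomobject]@{
                    Mailbox    = $mbx.UserPrincipalName
                    Source     = 'InboxRule'
                    RuleName   = $rule.Name
                    Enabled    = $rule.Enabled
                    Target     = "$target"
                    IsExternal = Test-ExternalTarget "$target"
                    KeepCopy   = $null
                }
            }
        }
    }
}

# Usage: external targets first, since those are the ones that leak mail outside the tenant.
# Get-MailForwardingInventory | Sort-Object IsExternal -Descending | Format-Table -AutoSize
```

Get-InboxRule runs once per mailbox, so on a large tenant this is a scheduled job rather than an interactive check; the output is a good baseline to diff against from week to week.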

[Screenshot: AzureADLogs2]

Mailbox Access by Non-Owners Report

  1. Click Exchange.
  2. Click Compliance Management > Auditing.
  3. Select Run a non-owner mailbox access report.
  4. Enter Start Date and End Date.
  5. Change Search for access by field to all non-owners.
  6. Select Search.
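The report behind these steps can also be produced with Search-MailboxAuditLog from Exchange Online PowerShell. The following is an added example, not code from the original post. It assumes Connect-ExchangeOnline has already been run, that mailbox auditing is enabled for the mailboxes in question, and that the detailed records expose the property names used below (MailboxOwnerUPN, LogonType, LogonUserDisplayName, Operation, LastAccessed, ClientIPAddress, FolderPathName); the function name is the example's own.

```powershell
# Added example (not from the original post): non-owner mailbox access report via
# Search-MailboxAuditLog, restricted to Admin and Delegate logons as the portal
# report's "all non-owners" option does.
# Assumes: Connect-ExchangeOnline already done; mailbox auditing enabled; the
# property names selected below exist on the detailed records (assumed).

function Get-NonOwnerMailboxAccess {
    param(
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date),
        [string[]] $Mailboxes
    )

    # Default to every user mailbox in the tenant.
    if (-not $Mailboxes) {
        $Mailboxes = (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox).UserPrincipalName
    }

    # -ShowDetails gives one row per access instead of a per-mailbox summary, and
    # is used with -Identity, so the search runs once per mailbox.
    foreach ($upn in $Mailboxes) {
        Search-MailboxAuditLog -Identity $upn -LogonTypes Admin,Delegate -ShowDetails `
            -StartDate $StartDate -EndDate $EndDate |
            Select-Object MailboxOwnerUPN, LogonType, LogonUserDisplayName, Operation,
                          LastAccessed, ClientIPAddress, FolderPathName
    }
}

# Usage: newest access first, one line per event.
# Get-NonOwnerMailboxAccess | Sort-Object LastAccessed -Descending | Format-Table -AutoSize
```

Delegate access that matches a known assistant or shared-mailbox arrangement is normal; admin access, or delegate access from an unfamiliar client IP, is what to review.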

[Screenshot: AzureADLogs3]

Malware Detection Report

  1. Select Security and Compliance.
  2. Select Report and Dashboard.
  3. Review the Malware Detected in Email report.

[Screenshot: AzureADLogs4]

Spoofed Domains Report

  1. Go to Security and Compliance Center.
  2. Select Reports and then Dashboard.
  3. Click Spoofed domains that failed authentication over the past 30 days.
  4. Review.

[Screenshot: AzureADLogs8]

Restricted Users Report (Internal Spam Senders)

  1. Select Security and Compliance.
  2. Select Threat Management and Review.
  3. Click ‘Restricted Users’.
  4. Review the alerts and take appropriate action (unblocking) after the account has been remediated.

[Screenshot: AzureADLogs9]

Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund
