Auditing - Ensure Microsoft 365 Audit Log Search Is Enabled

Summary

Enabling audit log search in the Microsoft Purview compliance portal records the user and admin activity of an organization; those records are retained for 90 days. However, if an organization uses a third-party Security Information and Event Management (SIEM) application to access the auditing data, a global admin can turn off audit log search in Microsoft 365.

Reason

This setting helps Office 365 back-office teams investigate activities for routine security operations or forensic purposes.

How to?

To enable Microsoft 365 audit log search, use the Microsoft 365 Admin Center:
  1. Log in as an administrator.
  2. Navigate to the Microsoft Purview compliance portal by going to https://compliance.office.com
  3. Under solutions, select Audit.
  4. Now, click on Start recording user and admin activity next to the information warning at the top.
  5. Click Yes on the dialog box to confirm.

To enable Microsoft 365 audit log search via Exchange Online PowerShell:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command: 

    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Monitor:

To verify audit log search is enabled, use the Microsoft 365 Admin Center:
  1. Log in as an administrator.
  2. Navigate to the Microsoft Purview compliance portal by going to https://compliance.office.com
  3. Under solutions, select Audit and then pick an applicable time frame.
  4. Now, verify that you are able to run searches (e.g. search for the activity Access file; results should be displayed).

To verify audit log search is enabled, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command:

    Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

  3. Verify the resulting value is UnifiedAuditLogIngestionEnabled : True.
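As an added example (not from the original post), the enable and verify steps above combined into one idempotent PowerShell function: it reads the current setting, remediates only when asked, re-reads the value instead of trusting the Set call, and confirms that a search returns records. The function name Test-UnifiedAuditLogIngestion is my own; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role permitted to run Set-AdminAuditLogConfig.

```powershell
# Added example: check, optionally remediate, and re-verify unified audit log ingestion.
# Requires the ExchangeOnlineManagement module; the function name is hypothetical.
function Test-UnifiedAuditLogIngestion {
    [CmdletBinding()]
    param(
        # Remediate a disabled tenant; without this switch the function only reports.
        [switch]$Enable
    )

    Import-Module ExchangeOnlineManagement -ErrorAction Stop

    # Step 1 of the PowerShell procedure: interactive sign-in as an administrator.
    Connect-ExchangeOnline -ShowBanner:$false

    try {
        $before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

        if (-not $before -and $Enable) {
            # Step 2: turn on ingestion of user and admin activity.
            Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        }

        # Monitor step 3: re-read the value rather than assuming the Set succeeded.
        $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

        # Monitor step 4 in code form: a search over the last 24 hours should return data.
        # Records take time to appear after enabling, so an empty result immediately
        # after remediation is reported as a count, not treated as a failure.
        $sample = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
                                         -EndDate (Get-Date) -ResultSize 10

        [pscustomobject]@{
            EnabledBefore  = [bool]$before
            EnabledAfter   = [bool]$after
            Compliant      = [bool]$after
            RecordsLast24h = @($sample).Count
        }
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Report only:
# Test-UnifiedAuditLogIngestion
# Report and remediate:
# Test-UnifiedAuditLogIngestion -Enable
```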