Security, et al

Randy's Blog on Infosec and Other Stuff


How to Audit Privileged Operations and Mailbox Access in Office 365 Exchange Online

Fri, 02 Dec 2016 12:40:20 GMT

Moving Exchange to the Office 365 cloud eliminates a lot of work but it doesn’t eliminate your compliance responsibilities or security requirements. To be compliant and to detect information grabs and data theft you need 2 critical feeds of activity from Exchange Online:

  1. Non-owner mailbox access – especially “high value” mailboxes like executives
  2. Privileged user operations

Exchange Online provides the ability to monitor both. And if you are familiar with Exchange on-premise you will find a degree of shared functionality – at least on the surface.

For instance, mailbox audit policy and the admin audit log are configured with the same two PowerShell commands as on-premises Exchange:

  • Set-Mailbox and all the “-Audit…” parameters
  • Set-AdminAuditLogConfig

But as with on-premises Exchange, getting the audit data out of Exchange Online is nowhere near as easy, especially where mailbox auditing is concerned. The synchronous Search-MailboxAuditLog command restricts the amount of detail it returns enough to eliminate it from consideration. The asynchronous New-MailboxAuditLogSearch command has restrictions (also found in Exchange 2016) that silently limit you to 10 search requests in any 12-hour period, and those search requests cap the number of results and can take many hours to be fulfilled.
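The two configuration commands above, followed by a spot check of both feeds, as an added example that is not code from the original post. It assumes an Exchange Online remote PowerShell session is already open under an Organization Management account, and a hypothetical distribution group named 'Executives' that lists the high-value mailboxes.

```powershell
# Added example (not from the post). Assumes an open Exchange Online remote
# PowerShell session with Organization Management rights, and a hypothetical
# distribution group 'Executives' whose members are the high-value mailboxes.
$HighValueGroup = 'Executives'
$execs = Get-DistributionGroupMember -Identity $HighValueGroup -ResultSize Unlimited |
         Where-Object { $_.RecipientTypeDetails -like '*Mailbox' }

# Feed 1: non-owner mailbox access. Owner actions are deliberately not logged;
# every admin or delegate action that reads, moves, deletes or sends is recorded.
foreach ($m in $execs) {
    Set-Mailbox -Identity $m.PrimarySmtpAddress -AuditEnabled $true `
        -AuditAdmin    Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
        -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
        -AuditLogAgeLimit 90.00:00:00
}
# Verify the policy actually landed: a mailbox that silently kept AuditEnabled=$false yields no evidence later.
$execs | ForEach-Object { Get-Mailbox -Identity $_.PrimarySmtpAddress } |
    Select-Object PrimarySmtpAddress,AuditEnabled,AuditDelegate,AuditAdmin | Format-Table -AutoSize

# Feed 2: privileged operations. Log every cmdlet together with all of its parameters.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogCmdlets * -AdminAuditLogParameters *

# Spot-check both feeds for the last 7 days with the synchronous searches.
# (The post explains why these searches are not a substitute for a compliance feed.)
$end = Get-Date; $start = $end.AddDays(-7)
foreach ($m in $execs) {
    # -ShowDetails only works with -Identity, so one call per mailbox.
    Search-MailboxAuditLog -Identity $m.PrimarySmtpAddress -LogonTypes Admin,Delegate `
        -StartDate $start -EndDate $end -ShowDetails -ResultSize 1000 |
        Select-Object MailboxOwnerUPN,LastAccessed,LogonType,LogonUserDisplayName,Operation,FolderPathName,ItemSubject,ClientIPAddress
}
# Admin operations that change who can read, forward or act on mail are the ones to review first.
Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Cmdlets Add-MailboxPermission,Add-RecipientPermission,Set-Mailbox,Set-CASMailbox,New-InboxRule,Set-InboxRule,New-TransportRule |
    Select-Object RunDate,Caller,CmdletName,ObjectModified,
        @{n='Parameters';e={ ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' }}
```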

On the interactive side, Office 365 provides an Audit and Compliance portal that allows you to perform ad hoc searches against the “unified audit log”, which includes Exchange Online audit events. However, this portal is really only appropriate for fairly casual investigations into recent activity. You are limited to certain preconceived search scenarios, from which viewing the content of mailboxes is conspicuously absent. Perhaps most importantly, Office 365 only keeps audit data for 90 days.

So how does an enterprise fulfill its compliance requirements? Microsoft is certainly not unaware of compliance, or of the fact that it can’t go to market without giving customers some options. Right now there is just one option: the Management Activity API. This RESTful service does provide an enterprise-grade way to get all your audit data out of Office 365, but it requires custom programming, and at that point you’ve only gotten the audit data out of the cloud in XML format. What do you do with it then? Never mind the rest of the compliance story: reporting, alerting, archiving and so on. And if I were a cyber security officer I’d want to be able to correlate that activity in the cloud with everything else going on in my network.
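What the “custom programming” against the Management Activity API looks like, as an added example that is neither the post's nor Quest's code. It assumes an Azure AD app registration that has been granted the Office 365 Management APIs 'ActivityFeed.Read' application permission; the tenant id, client id and secret are placeholders.

```powershell
# Added example (not from the post). Assumes an Azure AD app registration with
# the Office 365 Management APIs 'ActivityFeed.Read' application permission.
$TenantId     = '<tenant-guid>'        # placeholder
$ClientId     = '<app-client-id>'      # placeholder
$ClientSecret = '<app-client-secret>'  # placeholder; keep it out of source control

# 1. Client-credentials token scoped to the Management API resource.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{ grant_type='client_credentials'; client_id=$ClientId;
             client_secret=$ClientSecret; resource='https://manage.office.com' }).access_token
$hdr  = @{ Authorization = "Bearer $token" }
$base = "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions"

# 2. No content is produced until the Audit.Exchange subscription exists.
#    Starting it a second time is answered with HTTP 400, which is fine here.
try { Invoke-RestMethod -Method Post -Headers $hdr -Uri "$base/start?contentType=Audit.Exchange" | Out-Null }
catch { if ($_.Exception.Response.StatusCode -ne 400) { throw } }

# 3. List content blobs for a window (at most 24 h per call, within the last 7 days),
#    then fetch each blob. A long list is paged via the NextPageUri response header.
$end   = [DateTime]::UtcNow; $start = $end.AddHours(-24)
$fmt   = 'yyyy-MM-ddTHH:mm:ss'
$blobs = Invoke-RestMethod -Headers $hdr -Uri ("$base/content?contentType=Audit.Exchange&startTime={0}&endTime={1}" -f $start.ToString($fmt), $end.ToString($fmt))
$events = foreach ($b in $blobs) { Invoke-RestMethod -Headers $hdr -Uri $b.contentUri }

# 4. Split into the two feeds the post calls critical.
#    RecordType 1 = ExchangeAdmin (a cmdlet run by an admin), 2 = ExchangeItem
#    (mailbox item access); LogonType 0 = owner, so anything else is non-owner.
$nonOwner = $events | Where-Object { $_.RecordType -eq 2 -and $_.LogonType -ne 0 }
$admin    = $events | Where-Object { $_.RecordType -eq 1 }

$nonOwner | Select-Object CreationTime,UserId,MailboxOwnerUPN,Operation,ClientIPAddress |
    Sort-Object CreationTime | Format-Table -AutoSize
$admin | Select-Object CreationTime,UserId,Operation,ObjectId |
    Sort-Object CreationTime | Format-Table -AutoSize

# 5. Archive locally: Office 365 keeps these records for 90 days; your retention is up to you.
$events | ConvertTo-Json -Depth 6 | Out-File ".\exchange-audit-$($start.ToString('yyyyMMddHH')).json"
```

Run it on a schedule shorter than the blob expiry window and feed the archive into whatever correlates the rest of your network activity.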

That’s where Quest Change Auditor comes in. The folks at Quest have done the heavy lifting to integrate audit logs from Exchange Online with the rest of the activity they collect, normalize and monitor from all over your network. The latest version of Change Auditor implements the Management Activity API and other APIs from Office 365 to automatically collect Exchange Online mailbox and administrator audit logs. Change Auditor brings to Exchange Online the same Who, What, When, Where and Workstation capability Change Auditor is famous for. And the cool thing is that you now see what a given user like Bob is doing both in the cloud and on your internal network, because Change Auditor already monitors:

  • Active Directory
  • Azure AD
  • Windows
  • SharePoint
  • SQL Server
  • Network Attached Storage - EMC, NetApp, Dell FluidFS
  • Skype for Business/Lync
  • VMware

You can’t be secure and compliant without monitoring your environment, and that fact doesn’t go away when you move to the cloud. Office 365 captures the activity required by enterprises for compliance, but it’s up to you after that. Change Auditor simplifies the audit process by tracking, auditing, reporting and alerting on Microsoft® Exchange Server and Office 365 Exchange Online configuration and permission changes in real time, and solves this issue by combining cloud activity and on-premises activity in the same pane of glass. To ensure Exchange and Office 365 compliance, you can automatically generate intelligent, in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications. And, for fast troubleshooting, you always get the original and current values.

To learn more information on Change Auditor please visit:

Or for a Trial Download of Change Auditor for Exchange and Exchange Online:
