New Crucial Audit Events Added to Office 365

Helping Investigators Understand What Happened

In March, Microsoft eventually released the MailItemsAccessed “crucial audit event” for accounts holding Office 365 E5 licenses (other suitable licenses include Microsoft 365 E5 or Microsoft 365 E5 Compliance). Crucial events are deemed to be of higher value to investigators and others who need to understand exactly what happened when something goes wrong, such as an attacker penetrating a user account.

Microsoft has now released some additional events to allow investigators to discover information about message sending and about mailbox and site searches. Based on what I see in my tenant, it appears that the inflow of message send events into the audit log began around 1 October, while capture of search events started around 17 October. Because updates are rolled out across Office 365 over time, the exact dates will vary from tenant to tenant. Some tenants I know of that have the correct licenses see no trace of the events, including the older MailItemsAccessed event!

Mailbox Sends

The Send event captures details of messages being sent from a mailbox. The event contains the internet message identifier and subject, but you’ll have to check the actual message to find details of the recipients. The message identifier canals

Given the number of Send records which might be captured for a busy mailbox, it’s a good idea to limit the search timeframe as tightly as possible. Here’s how to create a report of Send events.


If the message is sent within the last ten days, the message identifier captured for an event can be used to run a message trace and return the recipients.
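The following script is an added example, not the article's own code, showing one way to build the Send report described above and to resolve recipients through a message trace for events inside the ten-day trace window. It assumes an Exchange Online PowerShell session is already open with an account allowed to search the audit log; the mailbox address is a constructed placeholder.

```powershell
# Added example (not from the article). Report Send audit events for one mailbox
# and, where the event is recent enough for message trace data to exist, look up
# the recipients. Assumes Connect-ExchangeOnline has already been run.
$Mailbox   = "user@contoso.example"      # constructed placeholder UPN
$EndDate   = Get-Date
$StartDate = $EndDate.AddDays(-10)       # keep the window tight: Send is a noisy event

# Fetch Send records for the mailbox. ReturnLargeSet lets the cmdlet page past
# the default result limit when a busy mailbox generates many records.
$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
    -Operations Send -UserIds $Mailbox -ResultSize 5000 -SessionCommand ReturnLargeSet

$Report = foreach ($Rec in $Records) {
    # The useful fields live in the JSON payload held in AuditData
    $Data  = $Rec.AuditData | ConvertFrom-Json
    $MsgId = $Data.Item.InternetMessageId
    $Sent  = [datetime]$Data.CreationTime

    # Message trace only holds ten days of data, so only query it for
    # events that fall inside that window
    $Recipients = "n/a"
    if ($MsgId -and $Sent -ge (Get-Date).AddDays(-10)) {
        $Trace = Get-MessageTrace -MessageId $MsgId -StartDate $StartDate -EndDate $EndDate
        if ($Trace) {
            $Recipients = ($Trace.RecipientAddress | Sort-Object -Unique) -join "; "
        }
    }

    [PSCustomObject]@{
        Timestamp  = $Sent
        Mailbox    = $Data.MailboxOwnerUPN
        User       = $Data.UserId            # who sent it (owner or delegate)
        ClientIP   = $Data.ClientIPAddress
        Client     = $Data.ClientInfoString
        Subject    = $Data.Item.Subject
        MessageId  = $MsgId
        Recipients = $Recipients
    }
}

$Report | Sort-Object Timestamp | Format-Table -AutoSize
$Report | Export-Csv -Path .\SendEvents.csv -NoTypeInformation
```

A UserId that differs from MailboxOwnerUPN, or a ClientIPAddress the user does not normally send from, is the kind of anomaly an investigator would want to spot in the output.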

Search Events

The SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint events capture details of searches run within a mailbox and in SharePoint sites. The idea is that investigators can follow the track of an attacker who manages to penetrate an account to discover whether they looked for, and potentially found, sensitive or confidential information. Events are captured when users search using Outlook, OWA, or SharePoint Online search. Only events for OWA searches were captured in my testing. It might take a more recent version than Outlook build 13328.20154 before events for these searches are available.

This code returns both types of search events and reports what it finds.

Enabling Capture of Search Events

Once an account has the necessary license, Exchange Online captures its Send events automatically. However, if you want to capture search events, you’ll have to update the mailbox auditing configuration for each mailbox as follows:



Retaining Audit Data for Ten Years

The Microsoft documentation for Advanced Auditing discusses a ten-year retention period for audit data (currently the limit for E5 licenses is 365 days; for E3 it’s 90). This addresses a longstanding problem for tenants where audit data disappeared from Office 365 just when it might be useful for investigating a compliance or security problem. Until now, the solution has been either to use an ISV product to offload audit data (ISVs are happy to store the data for much longer) or to DIY with PowerShell and store the audit data in Splunk or some other repository.

Microsoft plans to introduce ten-year retention for audit data in early 2021. You’ll have to pay for the longer retention with a new add-on license. Microsoft hasn’t yet revealed how much extra the add-on will be. It probably won’t be cheap!

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.