New Crucial Audit Events Added to Office 365

Helping Investigators Understand What Happened

In March, Microsoft eventually released the MailItemsAccessed “crucial audit event” for accounts holding Office 365 E5 licenses (other suitable licenses include Microsoft 365 E5 or the Microsoft 365 E5 compliance). Crucial events are deemed to be of higher value to investigators or others who need to understand exactly what happened when something goes wrong, such as an attacker penetrating a user account.

Microsoft has now released some additional events to allow investigators to discover information about message sending and mailbox and site searches. Based on what I see in my tenant, it appears that inflow of the message send events into the audit log began around 1 October while capture of search events started around 17 October. Due to the need to distribute updates across Office 365, the exact dates will vary from tenant to tenant. Some tenants I know who have the correct licenses see no trace of the events, including the older MailItemsAccessed event!

Mailbox Sends

The Send event captures details of messages being sent from a mailbox. The event contains the internet message identifier and subject, but you’ll have to check the actual message to find details of the recipients. The message identifier canals

Given the number of Send records which might be captured for a busy mailbox, it’s a good idea to limit the search timeframe as tightly as possible. Here’s how to create a report of Send events.

$Records = Search-UnifiedAuditLog -StartDate "18-Oct-2020 12:30" -EndDate "20-Oct-2020 11:45" -ResultSize 1000 -Operations Send
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file 
If ($Records.count -gt 0) {
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData
      $ReportLine = [PSCustomObject] @{
        TimeStamp   = Get-Date($AuditData.CreationTime) -format g
        User        = $AuditData.MailboxOwnerUPN
        Operation   = $AuditData.Operation
        Subject     = $AuditData.Item.Subject
        MessageId   = $AuditData.Item.InternetMessageId }
     $Report.Add($ReportLine) }
} # End if

$Report | Sort User, TimeStamp | Format-Table TimeStamp, Subject, User

If the message is sent within the last ten days, the message identifier captured for an event can be used to run a message trace and return the recipients.

$Length = $Auditdata.Item.InternetMessageId.Length
$MsgId = $Auditdata.Item.InternetMessageid.Substring(1,$Length-2)
Get-MessageTrace -MessageId $MsgId | Format-List Senderaddress, Recipientaddress, Received

SenderAddress    : Tony.Redmond@office365itpros.com
RecipientAddress : tracy.jones@acme.com
Received         : 18/10/2020 20:05:08

Search Events

The SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint events capture details of search events within a mailbox and SharePoint sites. The idea is that investigators can follow the track of an attacker who manages to penetrate an account to discover if they looked and potentially found sensitive or confidential information. Events are captured when users search using Outlook, OWA, or SharePoint Online search. Only events for OWA searches were captured in my testing. It might take a more recent version than Outlook build 13328.20154 before events for these searches are available.

This code returns both types of search events and reports what it finds.

$Operations = "SearchQueryInitiatedSharePoint", "SearchQueryInitiatedExchange"
$Records = Search-UnifiedAuditLog -Operations $Operations -StartDate "18-Oct-2020 12:30" -EndDate "20-Oct-2020" -ResultSize 1000 
$Report = [System.Collections.Generic.List[Object]]::new() # Create output file 
If ($Records.count -gt 0) {
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData 
     Switch ($AuditData.Operation) {
      "SearchQueryInitiatedSharePoint" { # SharePoint search
       $ReportLine = [PSCustomObject] @{
         TimeStamp   = Get-Date($AuditData.CreationTime) -format g
         User        = $AuditData.UserId
         Client      = $AuditData.QuerySource
         Search      = $AuditData.QueryText 
         Scenario    = $AuditData.ScenarioName }
       $Report.Add($ReportLine) }
      "SearchQueryInitiatedExchange" { # Exchange search event
        $ReportLine = [PSCustomObject] @{
         TimeStamp   = Get-Date($AuditData.CreationTime) -format g
         User        = $AuditData.UserId
         Client      = $AuditData.QuerySource
         Search      = $AuditData.QueryText
         Scenario    = $AuditData.ScenarioName }
       $Report.Add($ReportLine) }
    } # End Switch
   } # End For
} # End if

$Report | Format-Table TimeStamp, Client, Search, User

TimeStamp        Client     Search                  User
---------        ------     ------                  ----
19/10/2020 09:30 OWA        teams meeting recording Tony.Redmond@office365itpros.com
19/10/2020 08:31 SharePoint paris                   Jane.Sixsmith@office365itpros.com
19/10/2020 08:28 OWA        project moca            Vasil.Michev@office365itpros.com
19/10/2020 08:19 OWA        london jobs             James.Ryan@office365itpros.com

Enabling Capture of Search Events

Once an account has the necessary license, Exchange Online captures its Send events automatically. However, if you want to capture search events, you’ll have to update the mailbox auditing configuration for each mailbox as follows:

Set-Mailbox -Identity Kim.Akers -AuditOwner @{Add="SearchQueryInitiated"}

ad unit=’in_content_lower_block’]

Retaining Audit Data for Ten Years

The Microsoft documentation for Advanced Auditing discusses a ten-year retention period for audit data (currently the limit for E5 licenses is 365 days; for E3 it’s 90). This addresses a longstanding problem for tenants where audit data disappeared from Office 365 just when it might be useful to investigate a compliance or security problem. The solution has been to either use an ISV product to offload audit data (ISVs are happy to store the data for much longer) or DIY with PowerShell and store the audit data to Splunk or some other repository.

Microsoft plans to introduce ten-year retention for audit data in early 2021. You’ll have to pay for the longer retention with a new add-on license. Microsoft hasn’t yet revealed how much extra the add-on will be. It probably won’t be cheap!