In March, Microsoft eventually released the MailItemsAccessed “crucial audit event” for accounts holding Office 365 E5 licenses (other suitable licenses include Microsoft 365 E5 or the Microsoft 365 E5 compliance). Crucial events are deemed to be of higher value to investigators or others who need to understand exactly what happened when something goes wrong, such as an attacker penetrating a user account.
Microsoft has now released some additional events to allow investigators to discover information about message sending and mailbox and site searches. Based on what I see in my tenant, it appears that inflow of the message send events into the audit log began around 1 October while capture of search events started around 17 October. Due to the need to distribute updates across Office 365, the exact dates will vary from tenant to tenant. Some tenants I know who have the correct licenses see no trace of the events, including the older MailItemsAccessed event!
The Send event captures details of messages being sent from a mailbox. The event contains the internet message identifier and subject, but you’ll have to check the actual message to find details of the recipients. The message identifier canals
Given the number of Send records which might be captured for a busy mailbox, it’s a good idea to limit the search timeframe as tightly as possible. Here’s how to create a report of Send events.
# Fetch Send events for a tight window; ResultSize caps the number of records returned
$Records = Search-UnifiedAuditLog -StartDate "18-Oct-2020 12:30" -EndDate "20-Oct-2020 11:45" -ResultSize 1000 -Operations Send
$Report = [System.Collections.Generic.List[Object]]::new() # Create output list
If ($Records.Count -gt 0) {
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData   # Event details are stored as JSON in the AuditData property
      $ReportLine = [PSCustomObject] @{
         TimeStamp = Get-Date $AuditData.CreationTime -Format g
         User      = $AuditData.MailboxOwnerUPN
         Operation = $AuditData.Operation
         Subject   = $AuditData.Item.Subject
         MessageId = $AuditData.Item.InternetMessageId }
      $Report.Add($ReportLine)
   }
} # End if
$Report | Sort-Object User, TimeStamp | Format-Table TimeStamp, Subject, User
If the message is sent within the last ten days, the message identifier captured for an event can be used to run a message trace and return the recipients.
# The stored identifier is wrapped in angle brackets; strip them before running the trace
$Length = $AuditData.Item.InternetMessageId.Length
$MsgId = $AuditData.Item.InternetMessageId.Substring(1, $Length - 2)
Get-MessageTrace -MessageId $MsgId | Format-List SenderAddress, RecipientAddress, Received

SenderAddress    : [email protected]
RecipientAddress : [email protected]
Received         : 18/10/2020 20:05:08
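The two steps above (report Send events, then trace one message id) can be joined into a single pass that resolves recipients for every recent Send event. This is an added example, not code from the article: it assumes an Exchange Online PowerShell session with audit-log and message-trace permissions, pages through the audit log with a session id because one call returns at most 5000 events, and skips the trace for messages older than the ten-day message-trace window. The date range is illustrative.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has been run.
$End   = Get-Date
$Start = $End.AddDays(-2)                                   # illustrative window
$SessionId = "SendTrace-" + (Get-Date -Format "yyyyMMddHHmmss")
$Records = @()
# Page through results: a single call returns at most 5000 events
Do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations Send `
              -ResultSize 5000 -SessionId $SessionId -SessionCommand ReturnLargeSet
    If ($Page) { $Records += $Page }
} While ($Page.Count -eq 5000)

# Message trace only reaches back ten days; older message ids cannot be resolved
$TraceFloor = (Get-Date).AddDays(-10)
$Report = [System.Collections.Generic.List[Object]]::new()
# ReturnLargeSet can hand back duplicate records, so dedupe on the record identity
ForEach ($Rec in ($Records | Sort-Object Identity -Unique)) {
    $AuditData = ConvertFrom-Json $Rec.AuditData
    $MsgId = $AuditData.Item.InternetMessageId.Trim('<', '>')  # drop the angle brackets
    $Recipients = "(outside message trace window)"
    If ([datetime]$AuditData.CreationTime -gt $TraceFloor) {
        $Trace = Get-MessageTrace -MessageId $MsgId -StartDate $TraceFloor -EndDate $End
        $Recipients = ($Trace.RecipientAddress | Sort-Object -Unique) -join "; "
    }
    $Report.Add([PSCustomObject]@{
        TimeStamp  = Get-Date $AuditData.CreationTime -Format g
        User       = $AuditData.MailboxOwnerUPN
        Subject    = $AuditData.Item.Subject
        MessageId  = $MsgId
        Recipients = $Recipients })
}
$Report | Sort-Object User, TimeStamp |
    Format-Table TimeStamp, User, Subject, Recipients -Wrap
```

Keeping the trace window explicit matters for an investigation: a Send event with no recipients in the report means the trace data has aged out, not that the message had none, and the message itself (or the Sent Items folder) is then the only place to find them.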
The SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint events capture details of search events within a mailbox and SharePoint sites. The idea is that investigators can follow the track of an attacker who manages to penetrate an account to discover if they looked and potentially found sensitive or confidential information. Events are captured when users search using Outlook, OWA, or SharePoint Online search. Only events for OWA searches were captured in my testing. It might take a more recent version than Outlook build 13328.20154 before events for these searches are available.
This code returns both types of search events and reports what it finds.
$Operations = "SearchQueryInitiatedSharePoint", "SearchQueryInitiatedExchange"
$Records = Search-UnifiedAuditLog -Operations $Operations -StartDate "18-Oct-2020 12:30" -EndDate "20-Oct-2020" -ResultSize 1000
$Report = [System.Collections.Generic.List[Object]]::new() # Create output list
If ($Records.Count -gt 0) {
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.AuditData
      Switch ($AuditData.Operation) {
         "SearchQueryInitiatedSharePoint" { # SharePoint search
            $ReportLine = [PSCustomObject] @{
               TimeStamp = Get-Date $AuditData.CreationTime -Format g
               User      = $AuditData.UserId
               Client    = $AuditData.QuerySource
               Search    = $AuditData.QueryText
               Scenario  = $AuditData.ScenarioName }
            $Report.Add($ReportLine)
         }
         "SearchQueryInitiatedExchange" { # Exchange search event; same fields as SharePoint
            $ReportLine = [PSCustomObject] @{
               TimeStamp = Get-Date $AuditData.CreationTime -Format g
               User      = $AuditData.UserId
               Client    = $AuditData.QuerySource
               Search    = $AuditData.QueryText
               Scenario  = $AuditData.ScenarioName }
            $Report.Add($ReportLine)
         }
      } # End Switch
   } # End ForEach
} # End if
$Report | Format-Table TimeStamp, Client, Search, User

TimeStamp        Client     Search                  User
---------        ------     ------                  ----
19/10/2020 09:30 OWA        teams meeting recording [email protected]
19/10/2020 08:31 SharePoint paris                   [email protected]
19/10/2020 08:28 OWA        project moca            [email protected]
19/10/2020 08:19 OWA        london jobs             [email protected]
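A raw list of searches is hard to read once more than a handful of users generate events, so an investigator usually wants the same data summarised per user and screened against terms of interest. The following is an added example, not the article's code: it assumes an Exchange Online session, uses a constructed watchlist of sample terms, and goes beyond the article's report by counting searches per user and listing only the queries that match the watchlist. The date range is illustrative.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has been run.
$Watchlist = @("password", "salary", "confidential", "merger")   # constructed sample terms
$Operations = "SearchQueryInitiatedExchange", "SearchQueryInitiatedSharePoint"
$Records = Search-UnifiedAuditLog -Operations $Operations -StartDate (Get-Date).AddDays(-7) `
             -EndDate (Get-Date) -ResultSize 5000

$Events = ForEach ($Rec in $Records) {
    $AuditData = ConvertFrom-Json $Rec.AuditData
    $Query = [string]$AuditData.QueryText
    # -match is case-insensitive; escape the term so it is treated literally
    $Hits = $Watchlist | Where-Object { $Query -match [regex]::Escape($_) }
    [PSCustomObject]@{
        TimeStamp = Get-Date $AuditData.CreationTime -Format g
        User      = $AuditData.UserId
        Workload  = $AuditData.Operation -replace "SearchQueryInitiated", ""   # Exchange or SharePoint
        Client    = $AuditData.QuerySource
        Search    = $Query
        Flagged   = ($Hits -join ", ") }
}

# Per-user volume: a sudden spike for one account deserves a second look
$Events | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n = "Flagged"; e = { ($_.Group | Where-Object Flagged).Count }} |
    Format-Table -AutoSize

# The flagged searches themselves, in time order per user
$Events | Where-Object Flagged | Sort-Object User, TimeStamp |
    Format-Table TimeStamp, User, Workload, Client, Search, Flagged -Wrap
```

Because the article notes that only OWA searches appeared in its testing, the Client column is worth keeping in any such report: an absence of Outlook desktop searches may reflect the client build rather than user behaviour.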
Once an account has the necessary license, Exchange Online captures its Send events automatically. However, if you want to capture search events, you’ll have to update the mailbox auditing configuration for each mailbox as follows:
Set-Mailbox -Identity Kim.Akers -AuditOwner @{Add="SearchQueryInitiated"}
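Applying that setting one mailbox at a time does not scale, and it is easy to miss mailboxes that were created after the change. The following added example (not from the article) assumes an Exchange Online session with recipient-management rights; it finds user mailboxes whose owner audit set lacks SearchQueryInitiated, adds the action without disturbing the existing owner actions, and then re-checks so that any mailbox that still lacks it is listed.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has been run.
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$Missing = @($Mailboxes | Where-Object { $_.AuditOwner -notcontains "SearchQueryInitiated" })
"{0} of {1} user mailboxes do not audit owner searches" -f $Missing.Count, $Mailboxes.Count

ForEach ($Mbx in $Missing) {
    # Add rather than replace, so the owner actions already audited stay in place
    Set-Mailbox -Identity $Mbx.UserPrincipalName -AuditOwner @{Add = "SearchQueryInitiated"}
}

# Verify: anything still listed here did not take the change
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuditOwner -notcontains "SearchQueryInitiated" } |
    Select-Object UserPrincipalName, AuditOwner
```

As the article says, events only flow for accounts holding the necessary license, so the setting on an unlicensed mailbox is harmless but produces nothing; running the check on a schedule catches mailboxes created after the initial rollout.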
The Microsoft documentation for Advanced Auditing discusses a ten-year retention period for audit data (currently the limit for E5 licenses is 365 days; for E3 it’s 90). This addresses a longstanding problem for tenants where audit data disappeared from Office 365 just when it might be useful to investigate a compliance or security problem. The solution has been to either use an ISV product to offload audit data (ISVs are happy to store the data for much longer) or DIY with PowerShell and store the audit data to Splunk or some other repository.
Microsoft plans to introduce ten-year retention for audit data in early 2021. You’ll have to pay for the longer retention with a new add-on license. Microsoft hasn’t yet revealed how much extra the add-on will be. It probably won’t be cheap!
More from Tony Redmond
Copyright ©2019 BWW Media Group