Cloud-based file applications like SharePoint and OneDrive for business mean any document in your company is seconds away from being shared to the world with a unique URL that takes people directly to the file.
How do you remain compliant and exert some level of control and accountability over your organization’s documents?
Office 365 automatically audits everything that happens in your SharePoint Online sites and OneDrive for Business accounts and makes this huge amount of audit data available through the Office 365 Unified Audit Log.
In this webinar, I will zero in on how the UAL can answer these questions:
- Who viewed this file?
- Who has been downloading an abnormal amount of files?
- When was this file downloaded and by whom?
- Which users synchronize this document library to their computer?
- Which people outside this organization has this file been shared with?
- When was Bob given access to this document library?
- Who modified this file?
- Where was this user located when they performed that action?
- Who made Alice a member of this site?
- Who deleted all the files in this document library?
The Office 365 Unified Audit Log is very different from other audit logs you’ve seen.
- First, the UAL is JSON-based
- There are no discrete event IDs
- The fields comprising an event vary wildly from one action to another
The key is understanding the various schemas that come into play depending on which Office 365 product generated the event and the type of activity produced. I will show you how all events begin with the common schema that includes data you’d expect to find in any event such as:
- Creation date/time
- Organization (aka tenant)
- Office Product (SharePoint, Exchange, etc.)
- UserId who performed the action
- ClientIP
Then we’ll move into the SharePoint common schema (fields common to all SharePoint Online and OneDrive for Business events) and finally the two lower-level schemas used to document file operations and sharing operations.
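To make the layered-schema idea concrete, here is an added Python example (my own illustration, not code from the webinar or from Microsoft) that parses constructed UAL records exported as newline-delimited JSON, checks that every record carries the common-schema fields, and then answers three of the questions above by dispatching on the Operation field. The records are invented; the field and operation names (SourceFileName, SharingSet, TargetUserOrGroupName, and "Guest" as the external target type) are assumed to match the SharePoint file and sharing schemas.

```python
import json
from collections import Counter

# Common-schema fields the page says every UAL event carries (plus Operation).
COMMON_FIELDS = ("CreationTime", "OrganizationId", "Workload", "UserId", "ClientIP", "Operation")

def rec(op, user, **extra):
    """Constructed UAL record: invented values on the assumed common/SharePoint field names."""
    base = {"CreationTime": "2024-01-08T09:12:01Z", "OrganizationId": "tenant-guid-placeholder",
            "Workload": "SharePoint", "UserId": user, "ClientIP": "203.0.113.7", "Operation": op}
    return {**base, **extra}

# Constructed sample export: one JSON document per line, as a SIEM feed might store it.
SAMPLE_UAL = "\n".join(json.dumps(r) for r in [
    rec("FileDownloaded", "bob@contoso.example", SourceFileName="plan.docx"),
    rec("FileDownloaded", "bob@contoso.example", SourceFileName="budget.xlsx"),
    rec("FileDownloaded", "bob@contoso.example", SourceFileName="roadmap.pptx"),
    rec("FileDownloaded", "alice@contoso.example", SourceFileName="plan.docx"),
    rec("FileModified", "alice@contoso.example", SourceFileName="plan.docx"),
    rec("SharingSet", "alice@contoso.example", SourceFileName="plan.docx",
        TargetUserOrGroupName="pat@partner.example", TargetUserOrGroupType="Guest"),
    rec("SharingSet", "alice@contoso.example", SourceFileName="plan.docx",
        TargetUserOrGroupName="carol@contoso.example", TargetUserOrGroupType="Member"),
])

def load_records(text):
    """Parse newline-delimited JSON and reject records missing the common schema."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        missing = [f for f in COMMON_FIELDS if f not in r]
        if missing:
            raise ValueError(f"record missing common fields: {missing}")
    return records

def abnormal_downloaders(records, threshold):
    """Users with more FileDownloaded events than threshold ('abnormal amount of files')."""
    counts = Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")
    return {u: n for u, n in counts.items() if n > threshold}

def external_shares(records, file_name):
    """(target, sharer, ClientIP) for every share of file_name to a Guest (external) principal."""
    return [(r["TargetUserOrGroupName"], r["UserId"], r["ClientIP"]) for r in records
            if r["Operation"] == "SharingSet" and r.get("SourceFileName") == file_name
            and r.get("TargetUserOrGroupType") == "Guest"]

def file_history(records, file_name):
    """Every operation touching file_name as (time, operation, user, ClientIP)."""
    return [(r["CreationTime"], r["Operation"], r["UserId"], r["ClientIP"])
            for r in records if r.get("SourceFileName") == file_name]

if __name__ == "__main__":
    recs = load_records(SAMPLE_UAL)
    print(abnormal_downloaders(recs, 2), external_shares(recs, "plan.docx"), file_history(recs, "plan.docx"))
```

The same dispatch-on-Operation pattern extends to the other questions in the list (FileDeleted, AddedToGroup, sync events), which is exactly why the schema layering matters more than an event ID.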
While Office 365 does generate all this audit data, it doesn’t archive it forever, and its reporting and search tools are really designed for casual, one-off use. The Unified Audit Log really belongs in your SIEM, where it’s protected, available long term for compliance, and able to be correlated with all the other security activity of your organization. Our sponsor, AlienVault, will show you how they accomplish all of that and beyond – such as enriching audit events with geolocation based on the ClientIP field mentioned above. You’ll briefly see how AlienVault unifies all your essential security tools in one location and combines them with real-time threat intelligence.
Please join us for this real training for free event.