Purpose and value of Advanced Auditing
In this tutorial, we will get to learn the purpose and value of Advanced Auditing.
Advanced Audit helps organizations conduct forensic and compliance investigations by extending the retention of audit logs, which is often required to complete an investigation; by providing access to crucial events that help determine the scope of a compromise; and by giving faster access to the Office 365 Management Activity API. These capabilities differentiate Advanced Audit from the core audit functionality covered in the previous unit. Advanced Audit requires a Microsoft 365 E5 license, or a Microsoft 365 E3 or Office 365 E3 license with a Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-on license.
Long-term retention of audit logs
Advanced Audit keeps all Exchange, SharePoint, and Azure Active Directory audit records for one year. Keeping audit records for longer periods helps with ongoing forensic or compliance investigations. In addition, Microsoft now offers the capability to keep audit logs for 10 years. Ten-year retention of audit logs supports long-running investigations and helps organizations respond to regulatory, legal, and internal obligations.
Access to crucial events for investigations
Advanced Audit helps organizations conduct forensic and compliance investigations by providing access to crucial events, such as when mail items were accessed, and when and what a user searched for in Exchange Online and SharePoint Online. These events help admins and investigators examine possible breaches and determine the scope of a compromise. Advanced Audit provides the following crucial events:
- MailItemsAccessed. The MailItemsAccessed event is a mailbox auditing action that is triggered when mail data is accessed by mail protocols and mail clients.
- Send. The Send event is also a mailbox auditing action and is triggered when a user does one of the following:
  - Sends an email message
  - Replies to an email message
  - Forwards an email message
- SearchQueryInitiatedExchange. The SearchQueryInitiatedExchange event is triggered when a person uses the Search bar in Outlook on the web (OWA) to search for items in a mailbox. Investigators can use the SearchQueryInitiatedExchange event to determine whether an attacker may have compromised an account.
- SearchQueryInitiatedSharePoint. Similar to searching for mailbox items, the SearchQueryInitiatedSharePoint event is triggered when a person searches for items in your organization's SharePoint home site. Investigators can use the SearchQueryInitiatedSharePoint event to determine whether an attacker tried to find sensitive information in SharePoint.
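To show how the four events above are used in practice, here is an added example (not part of the original tutorial or of any Microsoft tooling) that triages exported unified audit log records. The records are constructed for this example and follow the shape returned by the Search-UnifiedAuditLog cmdlet (CreationDate, UserIds, Operations and an AuditData JSON string); the field names inside AuditData (MailAccessType, IsThrottled, Folders, InternetMessageId, Item.Subject, QueryText) are taken from the documented audit schema as I understand it and should be treated as assumptions to verify against your own export. The example groups activity per user, separates Bind from Sync mailbox access, collects the message IDs and search queries seen, and flags the records an investigator must not take at face value: a throttled MailItemsAccessed record does not list every item that was touched.

```python
"""Triage Advanced Audit events from exported unified audit log records (added example)."""
import json
from collections import defaultdict
from typing import Any

# The four events discussed in the text.
ADVANCED_AUDIT_OPERATIONS = {
    "MailItemsAccessed",
    "Send",
    "SearchQueryInitiatedExchange",
    "SearchQueryInitiatedSharePoint",
}

# Constructed sample records (not real tenant data). AuditData is a JSON string,
# as in Search-UnifiedAuditLog output. Field names are assumptions (see lead-in).
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"CreationDate": "2023-05-01T08:02:11", "UserIds": "alice@contoso.example",
     "Operations": "MailItemsAccessed", "AuditData": json.dumps({
         "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example",
         "ClientInfoString": "Client=OWA;Action=ViaProxy",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": [
             {"InternetMessageId": "<msg-1@contoso.example>"},
             {"InternetMessageId": "<msg-2@contoso.example>"}]}]})},
    {"CreationDate": "2023-05-01T08:05:40", "UserIds": "alice@contoso.example",
     "Operations": "SearchQueryInitiatedExchange", "AuditData": json.dumps({
         "Operation": "SearchQueryInitiatedExchange", "UserId": "alice@contoso.example",
         "QueryText": "quarterly report"})},
    {"CreationDate": "2023-05-01T08:09:03", "UserIds": "alice@contoso.example",
     "Operations": "Send", "AuditData": json.dumps({
         "Operation": "Send", "UserId": "alice@contoso.example",
         "Item": {"Subject": "Re: invoice", "InternetMessageId": "<msg-9@contoso.example>"}})},
    {"CreationDate": "2023-05-01T09:14:27", "UserIds": "bob@contoso.example",
     "Operations": "MailItemsAccessed", "AuditData": json.dumps({
         "Operation": "MailItemsAccessed", "UserId": "bob@contoso.example",
         "ClientInfoString": "Client=REST;Action=SyncFolder",
         "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                 {"Name": "IsThrottled", "Value": "True"}],
         "Folders": [{"Path": "\\Inbox", "FolderItems": []}]})},
    {"CreationDate": "2023-05-01T09:20:00", "UserIds": "bob@contoso.example",
     "Operations": "SearchQueryInitiatedSharePoint", "AuditData": json.dumps({
         "Operation": "SearchQueryInitiatedSharePoint", "UserId": "bob@contoso.example",
         "QueryText": "payroll"})},
    # A core-audit event that is not one of the four; it must be skipped.
    {"CreationDate": "2023-05-01T09:21:00", "UserIds": "bob@contoso.example",
     "Operations": "FileAccessed", "AuditData": json.dumps({
         "Operation": "FileAccessed", "UserId": "bob@contoso.example"})},
]


def _operation_properties(audit: dict[str, Any]) -> dict[str, str]:
    """Flatten the Name/Value list in OperationProperties into a plain dict."""
    return {p.get("Name"): p.get("Value") for p in audit.get("OperationProperties", [])}


def _new_summary() -> dict[str, Any]:
    return {"mail_bind": 0, "mail_sync": 0, "throttled": 0,
            "messages": set(), "sent": [], "searches": []}


def triage(records: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Summarise the four Advanced Audit events per user."""
    summary: dict[str, dict[str, Any]] = defaultdict(_new_summary)
    for rec in records:
        op = rec.get("Operations")
        if op not in ADVANCED_AUDIT_OPERATIONS:
            continue  # ignore everything that is not one of the four events
        audit = json.loads(rec["AuditData"])
        user = audit.get("UserId") or rec.get("UserIds")
        s = summary[user]
        if op == "MailItemsAccessed":
            props = _operation_properties(audit)
            if str(props.get("IsThrottled", "False")).lower() == "true":
                s["throttled"] += 1  # item list below is known to be incomplete
            if props.get("MailAccessType") == "Sync":
                s["mail_sync"] += 1  # whole folder synced, not a single item read
            else:
                s["mail_bind"] += 1
            for folder in audit.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    if item.get("InternetMessageId"):
                        s["messages"].add(item["InternetMessageId"])
        elif op == "Send":
            s["sent"].append(audit.get("Item", {}).get("Subject", ""))
        else:  # SearchQueryInitiatedExchange / SearchQueryInitiatedSharePoint
            s["searches"].append((op, audit.get("QueryText", "")))
    return dict(summary)


def needs_followup(user_summary: dict[str, Any]) -> list[str]:
    """Reasons a user's summary cannot be closed out from the log alone."""
    reasons = []
    if user_summary["throttled"]:
        reasons.append("throttled MailItemsAccessed records: accessed-item list is incomplete")
    if user_summary["mail_sync"]:
        reasons.append("Sync access: entire folders may have been downloaded")
    return reasons


if __name__ == "__main__":
    for user, s in triage(SAMPLE_RECORDS).items():
        print(user, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
        for reason in needs_followup(s):
            print("  follow-up:", reason)
```

The Bind/Sync distinction and the throttling flag are the two things that decide how much of a mailbox you can say was exposed: a Bind record names the individual messages, while a Sync record means the client synchronised a folder and the list of items must be reconstructed from the folder contents rather than from the log.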
High-bandwidth access to Office 365 Management Activity API
Organizations that access audit logs through the Office 365 Management Activity API were previously restricted by throttling limits applied at the publisher level. This means that for a publisher pulling data on behalf of multiple customers, the limit was shared by all of those customers.
With the release of Advanced Audit, Microsoft is moving from a publisher-level limit to a tenant-level limit. The result is that each organization will get its own fully allocated bandwidth quota to access its auditing data.
Reference: Microsoft Documentation