Understanding how to retrieve and interpret audit logs for workloads is a critical element of the MS-101 Microsoft 365 Mobility and Security exam. This proficiency is essential for security administrators as it helps you to monitor and analyze activities within your Microsoft 365 environment, ultimately ensuring a more secure and compliant organization.

Retrieve and Interpret Audit Logs for Workloads

To begin, we’re going to cover how to retrieve audit logs. Microsoft 365 offers the Security & Compliance Center, a one-stop solution for accessing and managing your organization’s data. Here, you can access audit logs under ‘Search & Investigation’ in the left navigation pane.

Prerequisite: To access the audit log, you must have the necessary permissions assigned. These include the Audit Logs and View-Only Audit Logs roles, which are part of the Compliance Management and Organization Management role groups.

Here’s a simple step-by-step guide on how to retrieve audit logs:

  1. Go to https://protection.office.com.
  2. Sign in to Office 365 using your work or school credentials.
  3. In the left pane, click Search & Investigation, and then click Audit log search.
  4. A page named “Audit log search” appears. Configure the following search criteria:
    • “Activities”: Choose the activities that you want to view.
    • “Start date” and “End date”: Specify the date range.
    • “Users”: Specify users whose activity you want to track.
  5. Click Search to run the configured search criteria.

Once the search is run, the results are loaded under ‘Results’.

Navigating audit logs might seem intimidating because they contain a vast amount of data. Interpreting them can be daunting, but once you decipher what each element means, it becomes easier.

Interpretation of Audit Logs

Let’s interpret an example log for a FileModified event:

Column name   Description                                                        Example
Date          The date and time (in UTC) when the event occurred.                4/20/2021 7:00 PM
IP Address    The IP address of the device used when the activity was logged.    172.16.255.255
User          The user (or service) who performed the action.                    john@contoso.com
Activity      The name of the event that corresponds to the user action.         FileModified
Item          The object of the action.                                          marketing.pptx
Detail        More information about the action.                                 Modified by user

From this example, you understand that user john@contoso.com modified a file named ‘marketing.pptx’ at 7:00 PM on April 20, 2021, from the IP address 172.16.255.255.
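The search criteria from the step-by-step guide (Users, Activities, Start date and End date) and the interpretation of the six columns above can both be exercised against an exported log. The following Python is an added example, not code from the original page or from Microsoft: it parses a small, constructed CSV export laid out in the same six columns, applies the same filters the Audit log search page offers, and renders each row as the kind of sentence written after the table. The sample rows, the DATE_FORMAT string and the VERBS mapping are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an audit-log export using the six columns in the
# table above. These rows are made up for illustration, not real tenant data.
SAMPLE_CSV = """Date,IP Address,User,Activity,Item,Detail
4/20/2021 7:00 PM,172.16.255.255,john@contoso.com,FileModified,marketing.pptx,Modified by user
4/20/2021 7:05 PM,172.16.255.255,john@contoso.com,FileDeleted,old-budget.xlsx,Deleted by user
4/21/2021 9:30 AM,10.0.0.12,sara@contoso.com,FileModified,roadmap.docx,Modified by user
"""

# Date layout matching the Date column of the table (UTC, 12-hour clock).
# Assumed for this example; check the layout of your own export.
DATE_FORMAT = "%m/%d/%Y %I:%M %p"

# Plain-English verbs for the activity names shown on this page; any other
# activity falls back to its raw name.
VERBS = {
    "FileModified": "modified a file named",
    "FileDeleted": "deleted a file named",
}


def parse_audit_csv(text):
    """Parse exported audit-log CSV text into a list of event dicts.

    The Date column is interpreted as UTC so that comparisons against a
    search window are unambiguous.
    """
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["Date"], DATE_FORMAT).replace(tzinfo=timezone.utc)
        events.append({
            "when": when,
            "ip": row["IP Address"],
            "user": row["User"],
            "activity": row["Activity"],
            "item": row["Item"],
            "detail": row["Detail"],
        })
    return events


def filter_events(events, users=None, activities=None, start=None, end=None):
    """Apply the criteria the Audit log search page offers: Users,
    Activities, and an inclusive Start date / End date range.
    A criterion left as None is not applied."""
    selected = []
    for e in events:
        if users is not None and e["user"] not in users:
            continue
        if activities is not None and e["activity"] not in activities:
            continue
        if start is not None and e["when"] < start:
            continue
        if end is not None and e["when"] > end:
            continue
        selected.append(e)
    return selected


def describe(event):
    """Render one event as the sentence an investigator would write."""
    when = event["when"]
    clock = f"{when.hour % 12 or 12}:{when:%M %p}"  # 7:00 PM, not 07:00 PM
    verb = VERBS.get(event["activity"], f"performed {event['activity']} on")
    return (f"User {event['user']} {verb} '{event['item']}' at {clock} UTC "
            f"on {when:%B} {when.day}, {when.year}, from IP address {event['ip']}.")


if __name__ == "__main__":
    events = parse_audit_csv(SAMPLE_CSV)
    window_start = datetime(2021, 4, 20, tzinfo=timezone.utc)
    window_end = datetime(2021, 4, 20, 23, 59, tzinfo=timezone.utc)
    for e in filter_events(events, users={"john@contoso.com"},
                           start=window_start, end=window_end):
        print(describe(e))
```

Parsing the Date column into a timezone-aware UTC value up front matters in investigations: a filter such as “everything john did on April 20” is only correct if the row timestamps and the window boundaries are in the same zone, and the portal records in UTC.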

Understanding how to retrieve and interpret audit logs for workloads can greatly help in incident investigations, improve incident response time, and formulate stronger security policies. It becomes an integral part of securing an organization’s environment and is a core aspect of the MS-101 Microsoft 365 Mobility and Security exam. Be sure to review this process thoroughly to ensure you’re as prepared as possible for this aspect of the exam.

Practice Test

True or False: Audit logs can provide evidence of security breaches and data loss and help troubleshoot issues.

  • True
  • False

Answer: True

Explanation: Audit logs indeed help in detecting security breaches, potential data loss, and help troubleshoot issues by recording the activities within a workload or system.

Microsoft 365 enables auditing by default. (True/False)

  • True
  • False

Answer: False

Explanation: By default, Microsoft 365 has auditing disabled. An administrator is needed to enable it to start recording user activities.

Which of the following activities can be traced by Audit logs in Microsoft 365?

  • A. File and Page activities
  • B. Exchange mailbox activities
  • C. User activities
  • D. All of the above

Answer: D. All of the above.

Explanation: Audit logs in Microsoft 365 record file and page activities, Exchange mailbox activities, and user activities.

True or False: Audit logs keep a record of user activities for an indefinite period of time.

  • True
  • False

Answer: False

Explanation: In Microsoft 365, Audit logs keep the records of user activities for a fixed amount of time, usually 90 days.

True or False: Audit logs can be used to detect performance issues in a workload.

  • True
  • False

Answer: True

Explanation: Audit logs may provide information about activities that might be associated with performance issues within a workload.

In Microsoft 365, Audit logs can be accessed from:

  • A. Security & Compliance Center
  • B. Exchange admin center
  • C. Both

Answer: C. Both

Explanation: In Microsoft 365, audit logs can be accessed from both the Security & Compliance Center and the Exchange admin center.

True or False: Audit logs in Microsoft 365 do not record deleted user activities.

  • True
  • False

Answer: False

Explanation: Audit logs in Microsoft 365 do record deleted user activities, which can be used to recover lost data and track user behavior.

True or False: You need to be a global administrator or have equivalent permissions to search the audit log.

  • True
  • False

Answer: True

Explanation: To search the audit log, you need to be a global administrator, or have one of several other roles or permissions.

Which among these is not a requirement to view the audit logs in Microsoft 365?

  • A. Enabling the audit log search
  • B. Having the right role assigned
  • C. SQL knowledge

Answer: C. SQL knowledge

Explanation: To view audit logs in Microsoft 365, you need to have audit log search enabled and the right roles assigned. SQL knowledge is not directly required for viewing audit logs.

The audit data is usually retained in Microsoft 365 for:

  • A. 30 days
  • B. 90 days
  • C. 180 days
  • D. 365 days

Answer: B. 90 days

Explanation: Microsoft 365 retains your audit data for 90 days.

Interview Questions

What is the purpose of audit logs in Microsoft 365?

Audit logs in Microsoft 365 are designed to provide detailed information about specific user actions within the system. They are used for forensic analysis, troubleshooting, compliance control, and a variety of other tasks.

Where can you access the audit log reports in Microsoft 365?

You can access audit log reports in Microsoft 365 from the Security & Compliance Center.

Which feature must be enabled before you can start retrieving audit logs for workloads in Microsoft 365?

The Audit log search feature in the Security & Compliance Center must be enabled before you can start retrieving audit logs.

Is it possible to retrieve deleted items from the audit logs in Microsoft 365?

No, once an item has been deleted from the audit logs in Microsoft 365, it cannot be retrieved.

How long are audit logs for workloads stored in Microsoft 365?

Audit logs for workloads are generally retained in Microsoft 365 for 90 days.

How can one filter audit log reports in Microsoft 365?

You can filter audit log reports in Microsoft 365 by date range, users, activities, and locations.

How can audit logs help in enhancing the security of Microsoft 365?

Audit logs hold detailed information that can be used to track potentially suspicious activities or configuration changes that might impact security. Therefore, frequent auditing can help enhance the overall security of Microsoft 365.

Can all users access the audit logs in Microsoft 365?

No, only users with relevant permissions such as global administrators and compliance administrators can access the audit logs in Microsoft 365.

Why might an action be missing from the audit log in Microsoft 365?

An action might be missing from the audit log if it wasn’t performed within the capture span of 90 days, or if auditing was turned off during that operation.

Is it possible to export audit logs in Microsoft 365?

Yes, the audit logs in Microsoft 365 can be exported in CSV format for analysis in other tools.

Can you set up automated alerts based on specific audit log events in Microsoft 365?

Yes, using the Microsoft 365 Security & Compliance Center, you can create alert policies that generate automated alerts when certain audit log events occur.
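Alert policies themselves are configured in the portal, but the matching logic behind a typical rule (“too many of one activity by a single user in a short window”) is easy to make concrete. The following Python is an added example, not Microsoft’s code or anything from the original page: it runs a sliding-window count over constructed audit events of the same shape as a parsed export. The events, the threshold of 5 and the 10-minute window are assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def utc(hour, minute, day=20):
    """Build a constructed UTC timestamp on an April 2021 date."""
    return datetime(2021, 4, day, hour, minute, tzinfo=timezone.utc)


# Constructed audit events (user, activity, item, time). Not real tenant data:
# john deletes five files in four minutes, then one more two hours later;
# sara deletes two files the next morning.
EVENTS = [
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "q1.xlsx", "when": utc(19, 0)},
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "q2.xlsx", "when": utc(19, 1)},
    {"user": "john@contoso.com", "activity": "FileModified", "item": "notes.txt", "when": utc(19, 2)},
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "q3.xlsx", "when": utc(19, 2)},
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "q4.xlsx", "when": utc(19, 3)},
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "q5.xlsx", "when": utc(19, 4)},
    {"user": "john@contoso.com", "activity": "FileDeleted", "item": "old.docx", "when": utc(21, 0)},
    {"user": "sara@contoso.com", "activity": "FileDeleted", "item": "draft.docx", "when": utc(9, 30, day=21)},
    {"user": "sara@contoso.com", "activity": "FileDeleted", "item": "draft2.docx", "when": utc(9, 31, day=21)},
]


def find_bursts(events, activity, threshold, window_minutes):
    """Return one alert per user whose count of `activity` events reaches
    `threshold` inside any interval of `window_minutes` (a sliding window
    over that user's sorted timestamps). Each alert is
    (user, time of the first event in the burst, count)."""
    window = timedelta(minutes=window_minutes)
    times_by_user = defaultdict(list)
    for e in events:
        if e["activity"] == activity:
            times_by_user[e["user"]].append(e["when"])

    alerts = []
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, times[start], end - start + 1))
                break  # report the first burst for this user, then move on
    return alerts


if __name__ == "__main__":
    for user, first, count in find_bursts(EVENTS, "FileDeleted", 5, 10):
        print(f"ALERT: {user} deleted {count} files within 10 minutes "
              f"starting {first:%Y-%m-%d %H:%M} UTC")
```

With the assumed rule (5 deletions in 10 minutes) only john’s burst fires; his later single deletion and sara’s two deletions stay below the threshold. Tuning threshold and window against normal activity in your own export is how you keep such a rule from paging on routine clean-up.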

What type of activities are audited in Microsoft 365?

There are many activities that are audited in Microsoft 365, including file and folder activities, sharing activities, synchronization activities, site administration activities, Exchange mailbox activities, and user administration activities.

How can you navigate to the Audit log search in Security & Compliance Center?

To navigate to Audit log search, first select “Search & Investigation” from the left-hand navigation pane within the Security & Compliance Center. Then click on the “Audit log search” link.

Are the audit logs enabled by default in Microsoft 365?

No, the audit logs in Microsoft 365 are not enabled by default and must be manually enabled by a user with appropriate permissions.

How can you interpret the results of an audit log search in Microsoft 365?

The results of an audit log search in Microsoft 365 indicate the activities carried out by different users. By reviewing the activities and their details, including user, date & time, IP address, etc., administrators can understand and analyze user behavior and system usage.
