Ensuring that audit logs are enabled for Microsoft Office 365 lets you determine exactly how, why, when and, possibly, who did what (the questions management will ask, among others) when conducting forensic investigations of attacks. Starting February 1, Microsoft will add auditing to track mail reads by default. This has long been a key request from forensic investigators to assist in mail investigations.

Before that, of course, you need to review your current auditing settings. You can do this via PowerShell or go to the Security and Compliance Center, then go to “Search & Investigation,” select “Audit log search” and then review your settings.

Figure: Review your settings for audit logging (image: Microsoft)

Click on “Learn more about search and investigations.” If you find that auditing is not enabled, enable it as soon as possible. Once you have enabled the auditing, it takes a few hours before it’s active.

Figure: Activate audit logging (image: Microsoft)

If you are interested in learning more about auditing, there are several resources, including an online ebook Office 365 for IT pros and various documents on the Microsoft site. Remember, you can set up alerts for activity in this area as well.

You’ll also want to enable mailbox auditing. You’ll need to enable this with PowerShell as noted in the Microsoft documentation. I recommend that once you log in with PowerShell, you enable logging on all mailboxes in your organization.

# Enable mailbox auditing on every user mailbox in the tenant
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
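The review-then-enable procedure from the sections above (check whether the unified audit log is on, turn on per-mailbox auditing, confirm it took) can be done in one PowerShell pass. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account you sign in with holds the Exchange admin rights the post describes, and the 180-day retention value is a constructed choice for illustration.

```powershell
# Added example (not from the original post): check, enable and verify
# Office 365 auditing in one pass.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in
# account has Exchange admin rights; 180 is a constructed retention value.

# 1. Connect to Exchange Online (interactive sign-in).
Connect-ExchangeOnline

# 2. Is the unified audit log ingesting events at all? If not, turn it on.
#    This is the same switch the Security & Compliance Center toggles.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling now (takes a few hours to become active)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit log ingestion is already enabled."
}

# 3. Find user mailboxes whose per-mailbox auditing is still disabled.
$mailboxes  = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" }
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
Write-Host ("{0} of {1} user mailboxes have auditing disabled." -f $notAudited.Count, $mailboxes.Count)

# 4. Enable auditing on those mailboxes and keep 180 days of mailbox audit
#    records (the default is 90; 180 is a constructed value for this example).
$notAudited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180

# 5. Verify: any mailbox still reporting AuditEnabled = $false deserves a second look.
$stillOff = Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq "UserMailbox" } |
    Where-Object { -not $_.AuditEnabled }
if ($stillOff) {
    $stillOff | Select-Object UserPrincipalName, AuditEnabled | Format-Table -AutoSize
} else {
    Write-Host "All user mailboxes now have auditing enabled."
}

# 6. Sanity search: the last 7 days of mailbox item activity in the unified log.
#    Expect an empty result until ingestion has been active for a few hours.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

Run it once after changing the settings and again a few hours later: step 5 confirms the per-mailbox flag, and step 6 only starts returning rows once the unified log has actually begun ingesting, which is the delay the post warns about.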

Logging is too important a tool not to have enabled from the start. Too many times I see admins and consultants asking whether they can determine what happened to an email, and unless auditing was enabled ahead of time, that question cannot be answered.

Admins must have rights assigned before they can review audit logs. You can assign permissions to view the audit logs in the Exchange Admin Center. Additional resources regarding Office 365 audit logs can be found in the Understanding Office 365 logging YouTube video as well as in the SANS whitepaper on logging.

As you can tell, this is just the tip of the iceberg, and there is much more time and effort you need to spend to fully implement auditing and understand it. I urge you to take the time to review your settings and enable them now, before an incident, rather than regret that you didn’t set them up.