Azure logging is one of the system administrator’s best friends. Without Azure logs, how could you keep an eye on changes and monitor security events in Azure Active Directory and Office 365?
But if you ever have to do a deep audit of your Azure AD and Office 365 workloads using the consoles and native tools provided by Microsoft, you’ll find gaps in their auditing capabilities. Even if you’re simply trying to monitor security events regularly and answer common questions, you’re in for a lot of work minding the gaps and dealing with them.
For a long time I’ve been thinking about the gaps in auditing, and we’ve finally rolled them into a new eBook we’re calling Top 10 Security Events to Monitor in Azure AD and Office 365. The eBook is designed to show you the Azure logging you’ll want to examine for an audit, the ways to query Azure logs and Office 365 logs, the obstacles you’ll encounter, and ways to overcome them.
Mind the gaps in auditing tools for Azure logs and Office 365 logs
“We need to audit what’s going on in Azure AD and Office 365,” your boss says.
“Which tool do we use for that?” you ask.
“Try PowerShell. You can also use the Azure portal to search through the audit events. And use the Office 365 Security & Compliance Center portal to search through the Unified Audit Log.”
That should be your first clue about minding the gaps: You’ve got three tools, and none of them is specifically made for finding and reporting on audit events in Azure AD and Office 365.
Next, you realize that you’ll need to search audit activity in both cloud and on-premises workloads. That means more tools, and none of them is designed to roll audit events up into a single view.
Worse yet, cloud events are formatted differently from on-premises events. That makes it difficult to blend them into a single picture. How are you going to bridge that gap?
Finally, it occurs to you that you’re trying to hit a moving target. Some entries take 24 hours or longer to be processed and added to the Unified Audit Log. And at the other end, logs in Azure are retained for varying lengths of time, depending on workload and subscription type. You may have trouble capturing the audit events you need for a specific point in time.
High stakes and wimpy tools
Those are large gaps to mind, considering the areas in need of auditing.
- One of the first places to look when conducting or preparing for an audit is in the changes that have been made to important roles. Why? Because over time, users such as administrators, operators, managers and helpdesk technicians gradually acquire many more rights than they should have. If you’re going to protect against having those rights used in the wrong way, you’ll need to audit and report on changes made to important roles.
- For that matter, are you using Azure Active Directory B2B to create groups for collaboration with customers and vendors? A cool use of technology, right? Too bad it raises the risk of one of your users granting unintended access to an outsider. That becomes another security event to track and audit.
- Or, do your company’s administrative assistants have access to the email accounts of the executives they support? Do you have email accounts shared by multiple employees? Keep in mind that, if an account becomes compromised, non-owner email activity in the wrong hands can result in an attacker getting access to sensitive information.
The problem is that you’re trying to monitor security events in Azure AD and Office 365 in spite of all the shortcomings of native tools, as mentioned above. Besides Azure itself, that means monitoring security in Exchange Online, SharePoint Online and OneDrive for Business. And, even if you wanted to export the events to a spreadsheet for easier review, you’d find yourself burrowing through responses delivered in JSON format.
Yet another gap to mind.
Get the eBook on monitoring security events in Azure AD and Office 365”
If you need to work with audit events in your Azure logs and Office 365 logs, download our new eBook, Top 10 Security Events to Monitor in Azure AD and Office 365. By showing you the most important places to find audit events, it will help you prepare for monitoring your cloud workloads and ensuring compliance.
You’ll begin to see how to plug the gaps in your auditing tools, instead of spending all your time minding them.
