Hello. I'm Ghazwan Khairi, a strategic systems consultant with Quest. And today I'm going to demo Quest on Demand Audit Office 365 events.
So I've logged into my Quest on Demand. And I logged into the auditing module. And I switched over to the Searches tab. And under the Searches tab I selected Office 365. As you can see, we have 16 events for Office 365.
For example, we have email forwarding that has been enabled in the last seven days, which will actually be a cool event or a cool report to see. So we've got two events in here. We've selected Events.
So it looks like the event was a set mailbox, which, by the way, I can just filter on that-- show me all set mailboxes. In this case there's only two, so it only registered two.
And then here we have the mailbox name and then the event itself. The parameter of the event-- deliver to mailbox forward. I basically forwarded emails from this mailbox to mine. And the user actor, as you can see, is me.
If I just want to filter on show me everything that I have done, I can come in here and just start searching for everything that I have done in the environment. And then I can also manipulate the search, as well. And I can save it, and it becomes my own search.
But for now, let's go back and take a look at other Office 365 events. So we looked at the email forwarding. We can just take a look at all the events that have happened in the last seven days. And again, we can modify and start filtering again, or we can visualize and see the information in different tiles. And then we can drill further into these tiles.
Here's my OneDrive and SharePoint. So let's take a look at OneDrive events in the last seven days. We've got file accessed, file modification extended, file accessed extended, file modified.
Let's take a look at file modified to see what file is modified. So there was a file modified and it's total annihilation pptx. The service is OneDrive.
And let's see who did this. Brian Hymer did this. All right. Cool.
And so these are my OneDrive events. Let's go back and take a look at our SharePoint online events. The SharePoint file activity, folder activity. But let's take a look at all of our events for SharePoint.
So these are all the SharePoint events that we have. So there is a few search by queries. And we can sort by any of these columns, as well. All you have to do is click on it. So added someone to a group in here. And again, we can drill down and filter only on these specific events.
There is one search that I actually saved outside of Office 365. I saved it under my searches. And I called it sharing operations on important file types within the last seven days.
And if I show you the parameter itself, it's basically looking at SharePoint share operation. And I'm looking at two specific file types.
So this could be critical files in the environment that are being shared. It doesn't have to be shared. It could be added. It could be any event, right. Because the filtering capabilities here-- you could filter in any of the parameters that you see from the event detail itself.
In this case, I'm only looking at sharing operations on these two file types. And then again, I can run this and take a look at the events itself. So here is the anonymous link created.
We get the file name. This is an XLSX file. That's a SharePoint share operation. And again, all I have to do is come in here and say, show me everything that happened that equals this parameter. And then the user actor, which also happens to be me in here.
So if we go back to the searches-- we kind of highlighted some of the SharePoint events, some of the OneDrive events. We looked at one of the email forwarding events for exchange.
Let's take a look at exchange online mailbox non-owner activity in the last seven days. So non-owner activity. Let's take a look at what happened here. So there was a send as-- I had actually logged into someone else's inbox and I sent an email on their behalf and that was registered in here.
I actually did it on purpose so I can show you this. But usually this is not done on purpose and this is a flag for most organizations. We often want to know who's changing, modifying permissions on someone else's inbox, whereby they can forward, read, or send on behalf of. Because a lot of harm can be done there.
So that concludes this demo. For more information, visit the Quest On Demand audit URL listed on the screen.
05:18