How to investigate Office Protect alerts: Microsoft 365 Audit Logs
When we suggest a remediation for an alert, we will often recommend that you investigate the suspicious activity by reviewing the audit logs for the affected user. There are two key audit logs you can look through to drive your investigation:
- The Azure Active Directory Sign-In Audit Logs provide extensive details on every sign-in performed by an account. These logs include the IP address, the location, the application or service that was signed in to, whether the sign-in succeeded, and so on. A Global Administrator can access them in the Azure AD portal, in the Sign-ins blade.
- The Unified Audit Log contains almost all user activity in your Microsoft 365 tenant. Since the amount of data is extremely large, we recommend that you scope your search to one or two services (SharePoint, OneDrive, Exchange, etc.) and to a narrow time frame. You can find the Unified Audit Log in the Compliance Portal, in the Audit Logs section.
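The two searches described above can also be run from PowerShell, which makes it easier to scope a query to one user, one or two services and a short time window, and to pivot on IP addresses. The script below is an added example, not Office Protect's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed, that you sign in with an account that can read audit logs (a Global Administrator, as described on this page), and that the user principal name and dates are placeholders you replace with the values from the alert.

```powershell
# Added example (not Office Protect's own code): pull the two audit sources above for one user
# over a short window. Assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules
# are installed. The user principal name and the 7-day window below are placeholders.

$User      = 'user@example.com'                            # placeholder: account named in the alert
$StartDate = (Get-Date).AddDays(-7).ToUniversalTime()      # keep the window narrow; audit dates are UTC
$EndDate   = (Get-Date).ToUniversalTime()

# ---- 1. Azure AD sign-in logs, read through Microsoft Graph ----
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since  = $StartDate.ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$User' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# One row per sign-in: when, from where, into which app, and whether it succeeded (ErrorCode 0)
$signIns |
    Select-Object CreatedDateTime, IPAddress, AppDisplayName,
        @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
        @{ n = 'Result';   e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($_.Status.ErrorCode))" } } } |
    Sort-Object CreatedDateTime |
    Format-Table -AutoSize

# Pivot on source IP: an address that appears only once or twice is the first thing to check
$signIns | Group-Object IPAddress | Sort-Object Count | Select-Object Count, Name

# ---- 2. Unified Audit Log, scoped to Exchange mailbox and SharePoint/OneDrive file activity ----
Connect-ExchangeOnline

$recordTypes = @('ExchangeItem', 'SharePointFileOperation')
$records     = @()
foreach ($rt in $recordTypes) {
    # A session id lets Search-UnifiedAuditLog page past the 5000-result ceiling of a single call
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -UserIds $User -RecordType $rt `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $records += $page
    } while ($page -and $page.Count -eq 5000)
}

# AuditData is a JSON string; flatten the fields an investigator reads first
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

$events |
    Select-Object CreationTime, Workload, Operation, ClientIP, ObjectId |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# Pivot: which operations were performed, from which IPs, and how often
$events |
    Group-Object Workload, Operation, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Add or remove entries in `$recordTypes` to match the services you want to scope to; `ReturnLargeSet` returns pages unsorted, which is why the script sorts after collecting them.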
Office Protect enabled your organization’s audit logs for you during its setup. These logs are our main tool for monitoring what is going on in your Microsoft 365 tenant. Note that you need a Global Administrator account to read audit logs in the Microsoft 365 Security Center.
- Microsoft’s documentation for Sign-In in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- Microsoft’s documentation for Audit Logs in Security Center: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide