Interpreting SharePoint Online Audit Records

SharePoint Office 365 Audit Records

Microsoft Says SharePoint Online is Secure

A recent Microsoft post entitled “SharePoint and OneDrive Security and Compliance: Security you can trust, control you can count on” sets out some reasons why Microsoft thinks SharePoint Online and OneDrive for Business are capable of handling today’s security challenges. Given that I store all my work in the cloud, I hope that the assertion is true.

In any case, the post included the promise of a free eBook (in reality, a 22-page marketing white paper). The eBook “Securing your content in the new world of work with SharePoint and OneDrive eBook”) makes a big thing of auditing, saying:

With advanced auditing in Office 365, you can track changes and user activity in SharePoint Online and OneDrive for Business. This allows you to audit changes made to files and site collections, as well as the users who made changes. Every user action is recorded for a full audit trail.”

And recommends that you use the “RESTful APIs” to get an “unprecedented level of visibility into user and admin transactions within Office 365.” Quite.

SharePoint Audits Activity

There’s both good and bad in these statements, or rather, some loose language. For instance, I have no idea what “advanced auditing in Office 365” means because there’s only the Office 365 audit log. Perhaps I missed the advanced class.

It is true that the Office 365 audit log gathers a great deal of information about admin and user activity. Audit records from SharePoint and OneDrive for Business show up in the audit log about 15 minutes after events happen. The time difference is relatively short compared to some other Office 365 workloads and is accounted for by the need to gather events from multiple servers and normalize the events before ingestion into the audit log.

Chatty Applications

Compared to other Office 365 applications, SharePoint and OneDrive are “chatty” and generate many audit events. This might be due to the background in document management and the need to understand exactly what happens to documents during their lifecycle, but it means that a typical edit session for a document generates more audit records than you can imagine, especially when AutoSave is turned on for Office documents.

The upshot is that searching through SharePoint audit records using the Audit log search in the Security and Compliance Center can be tiresome because so much noise exists. For example, Figure 1 shows many “Accessed File” audit records logged at the same time. “Accessed File” is the event you’d look for if you wanted to know who updated a document, so this is an important event for investigations. In this case, ten events proclaim that I accessed the _siteIcon_.jpg file within one second, a truly impressive performance on my part. Scrolling down, a further 17 records for the same file exist.

Office 365 Audit Log SPO records
Figure 1: Many instances of _siteIcon_.jpg appear in the Office 365 audit log (image credit: Tony Redmond)

The Elusive _siteIcon_.jpg

_siteIcon_.jpg is a system file that comes from the “Site Assets” folder of SharePoint sites (the full URL is available in the audit record and looks like this: https://tenant.sharepoint.com/sites/mysite/SiteAssets/_siteIcon__.jpg). It is the graphic file for the avatar of the site. If you don’t upload a picture for the site, SharePoint builds a file based on the display name. Figure 2 shows a typical example.

SPO Site Avatar
Figure 2: Typical _siteIcon_.jpg file (image credit: Tony Redmond)

_siteIcon_.jpg is only one of the system files for which SharePoint insists on logging audit records. Among the other files you should discard from audit results are AllItems.aspx, ByAuthor.aspx, EditForm.aspx, and UpLoad..aspx. There’s a lot of rubbish to remove to find the real data.

Filtering is Needed

Given that searches might return so many audit events, is this where you’d resort to the RESTful APIs to gain the promised unprecedented level of visibility?

Well, no. Writing a program to use the APIs to search the Office 365 audit log will suffer from the same problem as the Audit log search. Unless you specify exactly what you’re looking for, a search will return many events for you to review. Precision and accuracy in search operations is paramount when it comes to looking for information about SharePoint, no matter what tool you use.

And besides, you don’t need to resort to the RESTful APIs to search programmatically. The Search-UnifiedAuditLog does a good job of searching for audit records if you are precise in what you ask it to retrieve.

For instance, this command restricts the search for a specific event in a two-hour window:

Search-UnifiedAuditLog -Operations FileAccessed -StartDate "26-Apr-2018 17:00" -EndDate "26-Apr-2018 19:00" | Format-Table UserIds, Operations, CreationDate

Some work is necessary to interpret the data returned from the audit log to extract details of the document and filter out system rubbish, but that can be done in a few lines of code. I will return to this point and explain how I filter audit records for SharePoint in a future article.

Tools to Help

Given that no one particularly likes to trawl through vast quantities of audit records looking for the proverbial needle in the audit haystack, I suspect that Microsoft had tools like Office 365 Activity Alerts or Advanced System Management when they mentioned “advanced auditing.” These are good options, if you’re willing to pay for premium licenses. Lower cost ISV products like Quadrotech Nova are available to apply intelligent filters to SharePoint (and other workload) audit data. Everything works off the same data set, so choose your tool and get to know how to exploit Office 365 audit data.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.