The Office 365 Audit Log holds lots of interesting information about how people share information. In this article, we explore how to use the audit log records to discover the document sharing habits of users, including the documents shared with guest users and people outside the tenant.
You can capture Exchange mailbox events in the Office 365 audit log, but only if you remember to enable auditing for target mailboxes. Exchange Online doesn’t enable new mailboxes for auditing by default, so administrators must remember to enable the mailboxes manually – and check for new mailboxes periodically. If you don’t, nothing is recorded and your audit log will be empty.
Office 365 audit logging generates a lot of data – sometimes too much. The trick is to know what events are recorded and what applications capture. Some pretty strange audit events turn up in the log, but everyone should relax because they are just traces of the system doing its own thing.
No one likes looking at a stream of audit events flowing by, especially when an Office 365 tenant generates so many events. Alert policies allow tenants to define patterns of activity that indicate suspicious or harmful behavior. There’s goodness here, as long as you have Office 365 E5 subscriptions.
Background processing usually remains hidden from end users. No need exists for a user to understand what maintenance goes on under the covers of the service. Office 365 delivers service with no fuss to its users, but recently I have noticed some instances when background processes have made themselves felt. Although these are not serious issues, they are a worrying sign of a lack of attention to detail.