How to enable and configure Office 365 logging and auditing


Make sure Microsoft Office 365's logging and auditing settings are configured correctly so they can provide forensic data when you need it.


I'm Susan Bradley for CSOnline. Today I'm going to talk about something I think gets overlooked. Honestly, I think it should be the default configuration in every Office 365 deployment, and that is Office 365 auditing and logging. I think it should be on by default, and in the future it will be. But right now you need to make sure it is turned on and check your settings. What reminded me of this was an upcoming announcement in the Office 365 admin center, which noted that mailbox auditing will add mail read operations by default next week. This is something that has actually been requested in forensic investigations. It's called the mail items accessed (MailItemsAccessed) operation. It offers comprehensive forensic coverage of mailbox access and sync operations and will really help any kind of forensic analysis of what went on in an investigation.
Microsoft is turning this feature on in early February 2019. Initially these logs will not be in the unified audit log and will only be available from the mailbox audit log. Most importantly, if you are on Office 365, you need to look at this. Check whether you have done the other steps to turn this logging on. If you already have logging in place, you may need to re-evaluate some of the settings you have made.

Of course, if you have never turned on auditing at all, then when you do, what you need to do is go look, specifically in the Search & investigation area of the Microsoft 365 or Office 365 console. Click the Audit log search area. If you notice that it says "Turn on auditing" up here: if it's already enabled, perfect, you're all set. But if it says "Turn on auditing", then I want you to go ahead and turn on auditing. This is an example from the sample Office 365 tenant I have. And you can see, even in the time it's been on, it shows the number of times I've logged in and which IP addresses I've logged in from. You can set up new alerts, and actually set up alerts on actions and accesses, and again, review this section if you've not already set these things up.

The second step I suggest you do is check to see if you've turned on mailbox auditing. To do that you'll need PowerShell, and if you haven't connected to Exchange Online PowerShell (I'm sure you've done that by now, but just in case), there are instructions on how to do that. Once you've connected, you want to enable mailbox auditing. Here you can see in PowerShell a sample of the mailbox I've turned it on for. I've got logging enabled for 90 days, and you can see the commands there. If you use the audit command you can actually see if auditing is turned on in your environment. Now I recommend you enable mailbox auditing for all mailboxes in your organization. You want to set it up ahead of time, because if you come to a situation where you have a question about access or who deleted something, and you look at your environment and think, gee, I didn't set up mailbox auditing, it's too late; you need to set it up ahead of time. So that's why I suggest you do this now, while you don't need it, because you never know when you might need mailbox auditing to investigate what's going on. For more information I've got some additional resources linked in the article, including a YouTube video from Randy Franklin Smith, who's a guru on Windows security auditing.
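As an added example (these are not the commands shown in the video), here is an Exchange Online PowerShell walkthrough of the two checks described above: confirm the tenant-level audit switches, then find and fix mailboxes that are not audited or keep less than 90 days of audit history. It assumes the ExchangeOnlineManagement module is installed, you hold an Exchange admin role, and the contoso.example account names are placeholders.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; account names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Tenant-level switches: mailbox auditing must not be disabled org-wide,
#    and unified audit log ingestion must be on for the portal's audit search.
$org = Get-OrganizationConfig
$adm = Get-AdminAuditLogConfig
"Mailbox auditing disabled org-wide : $($org.AuditDisabled)"
"Unified audit log ingestion enabled: $($adm.UnifiedAuditLogIngestionEnabled)"
if ($org.AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }
if (-not $adm.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Find user mailboxes where auditing is off or retention is shorter than
#    the 90 days used in the article. AuditLogAgeLimit is stringified and
#    parsed so the check works whether it comes back as a TimeSpan or a string.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$needsFix = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or
    ([TimeSpan]"$($_.AuditLogAgeLimit)").TotalDays -lt 90
}
"Mailboxes needing a fix: $($needsFix.Count)"
$needsFix | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit |
    Format-Table -AutoSize

# 3. Enable auditing on those mailboxes with a 90-day retention.
foreach ($mbx in $needsFix) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
}

# 4. Verify one mailbox, then pull its last 7 days of mailbox audit entries to
#    confirm that owner, delegate and admin actions are actually being recorded.
Get-Mailbox -Identity user@contoso.example |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin
Search-MailboxAuditLog -Identity user@contoso.example -ShowDetails `
    -LogonTypes Admin,Delegate,Owner `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation,
                  ClientIPAddress, ItemSubject |
    Format-Table -AutoSize
```

Step 4 is the "is it really on?" check you want to have run before an incident; an empty result on a busy mailbox means the setting was not in effect when the activity happened.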
I've also linked to a white paper from the SANS InfoSec Reading Room about extracting timely sign-in data from Office 365 logs. Bottom line: I want you to take the time now to enable auditing, because you'll need it sooner rather than later. Until next time, this is Susan Bradley for CSOnline.