Microsoft recently released the preview of the Office365 solution for the Operations Management Suite (OMS). The ability to audit much of this information has been in Office365 for some time, but the presence in OMS brings a capability to bring automation to the operational security process, as well as analytics around Office365 usage.
The Office365 environment's audit capabilities are initially provided through a powerfull dashboard that lets an admin dig into various areas of the ecosystem.
An excellent example of where this can be used is file auditing. The Office365 solution brings over every file accessed by every user in Office365. This can detect some powerful scenarios, such as:
- Has a user who was recently terminated accessed files through an account that was re-enabled
- Is a malicious IP being used to download files from the Office365 environment
- Has an account been used to download a large number of files that might be used maliciously
- Have files been deleted by a user during a particular time
- Have user accounts been created or disabled
- Have group or user changes been performed that shouldn't
These types of scenarios can enable an IT organization to protect the data in its Office365 environment and even more powerfully to react to that scenario. For instance, upon detecting that an recently locked account is accessing files an email could be sent to an operations address, an incident opened in a service management system, or an automation executed to actually re-lock the account and disable the IP from which the user is trying to access the files.
To start, configure the Office365 preview feature, which you can find here. Then, configure a rule that looks for a target account that you want to watch:
"Operation=FileAccessed UserId = "email@example.com"
Select the "Alert" button, after which the query will open the alert tab, which allows you to create a rule, firing upon a certain interval (for instance perhaps you want to know only if the alert has fired 50 times), then has an action. The action can be sending an email, firing a webhook (such as to ServiceNow), or executing a runbook.
The alert will show up on the alert tab after creation, which will let you remove or create new alerts.
If you have an Office365 subscription it is easy enough to try and costs nothing, since OMS starts with 500 Mb of free data storage for any subscription. This being only one example, further examples can take the data and do substantial automated activities, allowing for protection of the company resources and better visibility into Office365 data.