Office 365 Audit Log Retention -- Why It Matters

March 25, 2018 | Elizabeth Lam | Audit Log Archiving, Office 365

The Office 365 audit log is where you will find event details for SharePoint Online, OneDrive for Business, Skype, Exchange Online, Azure Active Directory (AD), Microsoft Teams, Sway, and Power BI. 

The audit log information is critical for some businesses because of legal or regulatory compliance requirements to preserve event log data. We think it should also be retained for its security, HR, and eDiscovery benefits.

The problem? You can only search the last 90 days of audit log history in Office 365. Microsoft still has the data, but takes it offline after the 90-day maximum retention.

O365 Audit Log Retention Options

You can use the Office 365 Management API and ingest the data into your own database or Security Information and Event Management (SIEM) application. But here are the problems with the do-it-yourself approach:

  1. No Write-Once-Read-Many (WORM) storage protection for defensible tamper-proof preservation of the data.
  2. Managing the infrastructure can be painful, especially if your Office 365 tenant has a large number of users generating hundreds of thousands or millions of events each day.
  3. No automated retention management.
  4. No easy export of the data in the original format.

For these reasons, HubStor has a native connector that captures Office 365 event data into a compliance archiving and search solution fully managed in Microsoft Azure.

Examples: Why You Need Your Audit Logs More than 90 Days

Audit logs are great tools for compliance, security, and HR. Admins can search Office 365 events by many different filters including day and time, user, device IP addresses, browser, user roles, and a lot more.

However, a 90-day limitation is a real problem. Organizations can face investigations or litigation many months after a three-month limit. Here are some examples.

  • Bad actors -- A competitor launches a surprise product one month before you announce yours. Both the product and positioning are very similar, and now the competitor is eating your go-to-market for lunch. Your developers and marketers communicated primarily through Exchange Online.
    • Archived audit log to the rescue! You filter your audit log archives for date ranges, device IP addresses, and Exchange Online logins. You find that an IT admin frequently logged in to the lead’s mailbox over a six-month period. He pleads troubleshooting, but you launch an employee investigation. Corporate espionage is alive and well.
  • Compliance -- Your company’s governance policies require that users only access regulated documents using the company’s secure VPN. However, compliance officers suspect that employees are making end-runs around the VPN because of slower speeds.
    • Archived audit log to the rescue! You search event log archives going back one and a half years, when the organization instituted the VPN. Several employees are downloading sensitive documents from SharePoint Online or OneDrive for Business onto their laptops. Although there is no evidence that they are trying to steal the information, they are out of compliance. Officers warn the employees to stop (and suggest to IT that they increase VPN bandwidth).
  • HR scenario #1 -- A month after she was fired, a 58-year-old employee files an age discrimination complaint with the U.S. Equal Employment Opportunity Commission. After two more months, she hires a lawyer and sues the company for age-related discrimination. The company accesses her performance reviews. She was competent but not a top performer. However, HR knows that her manager is in his early 30s and has a history of hiring a young team.
    • Archived audit log to the rescue! Admins search Exchange Online audit log archives by her and her manager’s user names, date ranges, and mailbox content. They easily apply a legal hold on the search results and prepare for the suit.
  • HR scenario #2 -- An employee has a harassing email that they claim was sent to them by a top executive in the company.
    • Archived audit log to the rescue! Admins search the audit log and find the executive in question did not send the email and was in fact logged out at the time the supposed harassment email was sent from his mailbox.

In each of these common scenarios, the organizations needed their audit logs much later than the 90-day limit.  Thanks to HubStor and Azure, they had them.
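
The first scenario above, as an added example (not HubStor's code and not part of the original post): a search over archived mailbox audit records for admin or delegate access to one mailbox, run over six months and again over only the last 90 days. The records are constructed samples using field names from the Office 365 Management Activity API schema for Exchange mailbox events; the mailbox, users and investigation date are hypothetical.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# LogonType in Exchange mailbox audit records: 0 = owner, 1 = admin, 2 = delegate.
NON_OWNER = {1: "Admin", 2: "Delegate"}

# Constructed sample archive (not real tenant data): one JSON record per line,
# using field names from the Exchange mailbox audit schema.
ARCHIVE = """\
{"CreationTime":"2017-09-14T02:11:09","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":1,"ClientIPAddress":"203.0.113.7"}
{"CreationTime":"2017-10-02T23:40:51","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":1,"ClientIPAddress":"203.0.113.7"}
{"CreationTime":"2017-10-30T09:05:00","Workload":"Exchange","Operation":"MailboxLogin","UserId":"lead@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":0,"ClientIPAddress":"198.51.100.20"}
{"CreationTime":"2017-11-21T01:17:33","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":1,"ClientIPAddress":"203.0.113.7"}
{"CreationTime":"2018-01-09T03:02:10","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":1,"ClientIPAddress":"203.0.113.9"}
{"CreationTime":"2018-01-15T10:30:00","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"other@example.com","LogonType":1,"ClientIPAddress":"203.0.113.7"}
{"CreationTime":"2018-02-12T00:48:27","Workload":"Exchange","Operation":"FolderBind","UserId":"itadmin@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":1,"ClientIPAddress":"203.0.113.7"}
{"CreationTime":"2018-02-13T14:20:05","Workload":"Exchange","Operation":"SendAs","UserId":"assistant@example.com","MailboxOwnerUPN":"lead@example.com","LogonType":2,"ClientIPAddress":"198.51.100.31"}
"""

def load(text):
    """Parse JSON-lines text and attach a datetime under the added key 'when'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["when"] = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")
            records.append(rec)
    return records

def non_owner_access(records, mailbox, start, end):
    """Exchange events on `mailbox` performed by an admin or delegate in [start, end)."""
    return [r for r in records
            if r.get("Workload") == "Exchange"
            and r.get("MailboxOwnerUPN", "").lower() == mailbox.lower()
            and r.get("LogonType") in NON_OWNER
            and start <= r["when"] < end]

def summarize(hits):
    """Count hits per (acting user, logon type, client IP)."""
    return Counter((r["UserId"], NON_OWNER[r["LogonType"]], r["ClientIPAddress"]) for r in hits)

if __name__ == "__main__":
    records = load(ARCHIVE)
    today = datetime(2018, 3, 1)  # hypothetical investigation date
    for label, start in (("six-month archive", datetime(2017, 9, 1)),
                         ("90-day window", today - timedelta(days=90))):
        hits = non_owner_access(records, "lead@example.com", start, today)
        print(label, len(hits), dict(summarize(hits)))
```

On the sample data the six-month search surfaces a repeated pattern from one admin account and IP address, while the 90-day window shows only the most recent part of it.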

HubStor and Azure: Office 365 Audit Log Connector and Searchable Archive

HubStor on Azure lets you archive your Office 365 audit logs for as long as you need to.

HubStor automatically harvests event history data from Office 365, indexes it, and preserves it in our Azure cloud archive. We include features like targeted capture of events, advanced searches, preservation in original format, WORM compliance, rules engine for retention policies, and easy export – all the features you need to put audit logs to work for you.

Whenever you need to search your audit logs for compliance, litigation, security, or HR, you can. You control retention, and will never lose access to your mission-critical logs.

Connect with us today to see a demo of HubStor's Office 365 audit log features. 
