As IT professionals we get asked to fix things daily (which is fine because that’s our job), but every once in a while, we find ourselves fixing the same issue over and over again. Something like a file getting deleted typically isn’t a huge issue since it can be restored. If the same file has to be restored multiple times, there may be a deeper problem. For Office 365 users, this is where audit logs come in handy.
Office 365 audit logs capture activities in Exchange, SharePoint, Yammer, PowerBI, Sway, and Azure Active Directory. Once it’s turned on, it records almost every major action you can think of including Office 365 logins, viewing documents, downloading documents, sharing documents, setting changes, and password resets (a full list can be found here).
In addition to recording actions, you can set alerts for certain activities. Some of the most common we set up for customers are alerts for login attempts from other countries and too many failed login attempts. Other common ones include alerts for downloading multiple files in a short period of time or mass-deleting files from SharePoint.
So why is this information useful? It's useful both from a security aspect (getting alerts for suspicious activity) and just keeping up with what's going on in your environment. Audit logs can be key in figuring out the root cause of an ongoing issue. In the case of the deleted file, we found who had been deleting the file and then went and spoke to the employee – it was a training issue and was easy to fix. We haven’t had any issues since.
Office 365 audit logs are not enabled by default, so to start using them, you'll need to turn them on and set up a few configurations (please note, your Office 365 Admin will need to do this):
Logs are only kept for 90 days, so if you don't set up alerts, it's a good idea to periodically review them for suspicious activity.
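As an added example (not part of the original post), the PowerShell below walks through the two things the post relies on: turning unified audit logging on, and then searching the audit log for who has been deleting a particular file, which is how the repeated-deletion root cause above would be tracked down. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an admin role permitted to run these cmdlets, and that `$FileName` is a placeholder for the file in question. The 90-day window matches the retention period the post mentions.

```powershell
# Added example, not code from the original post.
# Assumes the ExchangeOnlineManagement module and an admin account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in

# Step 1: enable audit log ingestion if it is not already on
# (it is off by default, as the post notes).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Step 2: search the retention window for deletions of one file.
$FileName = 'Budget.xlsx'        # placeholder: the file that keeps disappearing
$End      = Get-Date
$Start    = $End.AddDays(-90)    # audit records are only kept for 90 days

# Page through the result set: ReturnLargeSet with a fixed SessionId keeps
# returning the next batch until nothing is left.
$records   = @()
$sessionId = [guid]::NewGuid().ToString()
do {
    $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePointFileOperation `
        -Operations FileDeleted, FileRecycled `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $batch
} while ($batch.Count -gt 0)

# AuditData is a JSON string on each record; expand it and keep only hits
# on the file we care about.
$hits = $records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object   { $_.SourceFileName -eq $FileName }

# Step 3: summarize who deleted it, how many times, and when it last happened.
$hits | Group-Object UserId | Sort-Object Count -Descending |
    Select-Object @{ n = 'User';        e = { $_.Name } },
                  Count,
                  @{ n = 'LastDeleted'; e = { ($_.Group | Sort-Object CreationTime | Select-Object -Last 1).CreationTime } },
                  @{ n = 'ClientIPs';   e = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } }
```

Running this on a schedule (or at least before the 90-day window rolls over) turns the one-off investigation into a routine check: a single user account at the top of the list with many deletions points at a training problem like the one described above, while deletions from unfamiliar client IPs or outside working hours are the kind of pattern the alerts in the post are meant to catch.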