Auditing Can Improve Your Secure Score

Written by Dan Callahan

I'm the VP of Global Services at CGNET. I manage our Cybersecurity and Cloud Services businesses. I also provide consulting and handle a lot of project management. I wear a lot of hats. Professionally, I'm a builder of businesses. Outside of work, I'm a hobby farmer, chef, skier, dog walker, jokester, woodworker, structuralist, husband and father.

August 22, 2018

In my last post I reviewed the ways we’ve been working to walk up our Secure Score. Reviewing the Azure audit log for risky sign-ins (successful sign-ins after repeated failed attempts) showed… nothing. But nothing is good! It means there were no risky sign-ins, which is a good thing.

And conducting the review bumped our Secure Score up by 45 points!

But there’s no resting on one’s laurels in cyber security. So, this week our Secure Score retreated, given that I hadn’t re-examined the risky sign-in audit log. This time around, I’ve chosen a few other auditing tasks that are important to accomplish.

  • Changes in role group status
  • Review of audit logs

Changes to Role Groups

One of the tried-and-true methods for compromising a network has been to gain access through stolen/compromised credentials and then elevate the role of the compromised account to have administrative privileges. From there, the attacker can often access any system, network and file store.

It’s critical to keep an eye on this potential elevation of privileges.

First, Secure Score explains what this activity is all about.

Overview of monitoring role group status changes

Next, we click “Learn More” and get a more detailed explanation, with a button (not in the picture) to launch the activity.

Details on reviewing changes to role group status

Now, what I would like to see is a report or an alert that tells me which users have had their roles changed or privileges escalated. I chose to check each user and inspect their account to see what role they had. Here’s an example of this, using the account of a former CGNET staffer.

Example check of role group status

Checking on user roles is useful, but it feels a bit like looking for the proverbial needle in the haystack. As it turns out, I could have run an audit log report (like the one below) to see all these changes. That would be a much better approach and the one I’ll use next time.
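The audit log report mentioned above can also be exported to CSV and filtered for role changes offline, which avoids the account-by-account check. This is an added example, not code from the original post or from Microsoft. The export columns, the AuditData field layout and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import json

# Role membership operations: Azure AD directory roles, then Exchange role groups.
ROLE_CHANGE_OPS = {"add member to role.", "remove member from role.",
                   "add-rolegroupmember", "remove-rolegroupmember"}

def role_changes(export_csv):
    """Return one finding per role membership change in an audit log export."""
    findings = []
    for row in csv.DictReader(export_csv):
        if row["Operations"].strip().lower() not in ROLE_CHANGE_OPS:
            continue
        try:
            data = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            data = {}  # keep the hit even if the detail column is damaged
        data = data if isinstance(data, dict) else {}
        # Assumed layout: role name in ModifiedProperties, target in ObjectId.
        role = next((p.get("NewValue") or p.get("OldValue") or "unknown"
                     for p in data.get("ModifiedProperties", [])
                     if p.get("Name") == "Role.DisplayName"), "unknown")
        findings.append({"when": row["CreationDate"], "actor": row["UserIds"],
                         "operation": row["Operations"],
                         "target": data.get("ObjectId", "unknown"), "role": role})
    return findings

def sample_export():
    """Constructed sample export: accounts, times and values are made up."""
    rows = [
        ("2018-08-20T09:14:02", "admin@example.com", "Add member to role.",
         {"ObjectId": "j.doe@example.com", "ModifiedProperties": [
             {"Name": "Role.DisplayName", "NewValue": "Company Administrator",
              "OldValue": ""}]}),
        ("2018-08-20T10:01:45", "alice@example.com", "CompanyLinkCreated",
         {"ObjectId": "https://example.sharepoint.com/plan.docx"}),
        ("2018-08-21T16:30:00", "admin@example.com", "Remove member from role.",
         "truncated"),
    ]
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    out.writerows((w, u, op, d if isinstance(d, str) else json.dumps(d))
                  for w, u, op, d in rows)
    return io.StringIO(buf.getvalue())

if __name__ == "__main__":
    print(*role_changes(sample_export()), sep="\n")
```

A row whose detail column cannot be parsed is still reported, with the target and role shown as "unknown", so a damaged export does not hide a role change.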

Check the Audit Logs

Next, I moved on to another recommendation: “use audit data.” OK, sounds great if a bit vague. But wait, there’s an explanation!

An explanation of using audit data

It certainly makes sense to look at the audit data your system is collecting. Let’s proceed.

Details on using audit data

Aha! Now we’re in Azure nerd-land, and there are lots (and I mean lots) of different audit logs we can generate and examine. They cover lots of Office 365 services, including ones you might not have expected: Power BI and Sway, to name two.

I decided to run an audit log search for instances of malware being downloaded.

Audit log search for detected malware

Fortunately, the report showed no entries. All clean here.

Next, I looked at users who created links that are shareable within the company. This activity doesn’t raise security alarm bells. If they were links shareable outside the company, or anonymously, that would be more troubling. But I wanted to generate an audit log search that I knew would yield some results, and here they are.

Example audit log search: creating a company-shareable link

This screenshot shows that a number of users have been creating company-shareable links; it even lists an instance where the system modified a folder. Why all this activity? We’re using Teams regularly now, and we often upload files and then announce them via a shared link.

What’s Next

It would be a “best practice” for me to schedule regular review of role groups, risky sign-ins and other security-related audits. I will have to get on that.

I’d also like to turn on mailbox auditing, as the user mailbox is where a lot of mischief can happen. Activating mailbox auditing requires executing PowerShell commands, and I want to check with our technical folks before I click the button and cause unintended havoc on our production system.

If you get inspired to look at your Office 365 Secure Score, let me know what you found. I won’t tell anyone, promise! As a customer pointed out to me recently, the percentile rankings of Secure Scores indicate that lots of people are not yet paying attention to it. So, you can be the first on your block, as they say.
