The mystery of the EnrichedOffice365AuditLogs solved

7.3.2024

The blogs are only available in English.

At some point in 2023, a new entry called EnrichedOffice365AuditLogs appeared out of nowhere under the Diagnostic settings in Entra ID, with little to no documentation. The name alone was interesting: when you're doing cloud incident response in Entra environments, this sounds like something you want to be looking at.

Searching through X/Twitter, lots of people were anxious to find out what this log was and what it could contain.

Well, today is the day: in this blog we reveal what's inside this magic log and whether it's worth your time!

Why the excitement?

One reason to be excited is the potential integration of the Office 365/Microsoft 365 audit logs directly in Entra as part of Diagnostic settings. That would make it much easier to configure the logs, and also to query them directly with Log Analytics or store them in a storage account. Another reason is the word 'enriched': everyone who has spent time doing investigations based on the Unified Audit Log always wants more, whether it's more information on service principals performing actions or on who accessed emails. So when Microsoft calls something enriched, most people get excited.

Global Secure Access

The EnrichedOffice365AuditLogs are part of a new Microsoft service called Global Secure Access (GSA), which is currently in preview (documentation here). In short, GSA is a new Microsoft service that goes all in on the zero-trust principle. It has two main features: Microsoft Entra Internet Access and Microsoft Entra Private Access. The idea is that a client is installed on an endpoint (a Windows laptop, but also a Mac or Android device) and all traffic to Microsoft services, such as SharePoint or Teams access, is routed via that client. This allows for much tighter control over, and visibility into, what goes on; for example, replaying a stolen token from a device outside the GSA tunnel should no longer be possible. This is an extreme oversimplification, but GSA sounds a bit like very powerful Conditional Access policies combined with network traffic tunneling and inspection.


With GSA you either install the client on an endpoint or configure a trusted remote network from which devices are allowed to access Microsoft services. For Private Access you have to use the client.

How to enable the log

Instead of repeating the whole Microsoft documentation: follow the steps in the Getting Started section to set up GSA. After the initial configuration, two additional steps are required:

  1. Go to the Entra Admin Center -- Global Secure Access (Preview) -- Logging and enable logging for SharePoint (that's the only option for now)
  2. Go to the Entra Admin Center -- Identity -- Monitoring & Health -- Diagnostic settings and enable EnrichedOffice365AuditLogs to be stored or forwarded

Once you've configured the logs correctly, it can take a long time for logs to end up in your preferred destination: the portal states it can take up to 72 hours, and for our tenant it took around 24-36 hours before logs started appearing.

What's in the logs?

The 'enriched' part of the audit logs means that, as per the official documentation, the following is added:

  • Improved latency
  • Additional information added to original logs
  • Accurate IP address information

At this moment only SharePoint logs are available as enriched, meaning that no enrichment is applied to Exchange or Teams logging. It's a bit confusing, because the official documentation does reference enriched logs for SharePoint, Exchange and Teams, but you cannot enable those logs in the logging section of GSA (yet). This is what an entry in the SharePoint logs looks like:

Let's test the statements from the official documentation:

Improved latency

It is a bit too early to tell; this requires more testing, and in a bigger tenant. Still, with some KQL magic we can calculate the latency, i.e. the delay between when the event was generated and when it became available in the workspace:

As we can see, the latency is at most 5 minutes in this dataset, but the dataset is small so it doesn't say that much. Looking at the Microsoft documentation (and at people who actually track latency times for log ingestion), 5 minutes is significantly shorter than the documented 60-90 minutes:

Microsoft doesn’t guarantee a specific time after an event occurs for the corresponding audit record to be returned in the results of an audit log search. For core services (such as Exchange, SharePoint, OneDrive, and Teams), audit record availability is typically 60 to 90 minutes after an event occurs. For other services, audit record availability may be longer. However, some issues that are unavoidable (such as a server outage) may occur outside of the audit service that delays the availability of audit records. For this reason, Microsoft doesn’t commit to a specific time.

KQL used (note that the Log Analytics table is named EnrichedMicrosoft365AuditLogs, while the diagnostic settings category is called EnrichedOffice365AuditLogs):

EnrichedMicrosoft365AuditLogs
| extend IngestionTime = ingestion_time()
| extend IngestionLatency = IngestionTime - TimeGenerated
| project TimeGenerated, IngestionTime, IngestionLatency, Operation

Additional information added to original logs

What is even more interesting is which additional fields are available in the EnrichedOffice365AuditLogs compared to the UAL:

  • SourceIp (will be covered in next section)
  • DeviceOS & DeviceOSVersion
  • AdditionalProperties has some extra subfields

Outside of the SourceIp field, these changes aren't that big.

Accurate IP address information

This is a very important point. Everyone who has worked with the UAL knows that the source IP address in the log often points back to Microsoft internal IP addresses, which isn't very useful at all. But what do we see in this log... a new field called SourceIp. The good news is that in our testing this is the IP address of the actual device performing the activity, which is great news.

If we look at the same data in Splunk, we can see that this new SourceIp field is part of the NetworkAccess properties generated by the GSA service.

Also, before people say "but this 4.234.11.243 address is also from Microsoft": you are correct, but that is because I'm testing from a VM in Microsoft's cloud ;)
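To make the difference concrete, here is an added Python example (not code from the original post, and not Microsoft tooling) that reads a few constructed records in the shape of the enriched table, prefers the GSA-supplied SourceIp over the UAL-style ClientIp, and falls back cleanly for a workload that is not enriched yet. It covers both the extra fields listed above (DeviceOS/DeviceOSVersion, SourceIp) and the SourceIp discussion in this section. The field names and the sample addresses are assumptions, not taken from a real export.

```python
"""Added example (not code from the original post or from Microsoft): read a
handful of constructed EnrichedOffice365AuditLogs records, prefer the
GSA-supplied SourceIp over the service-side ClientIp, and fall back cleanly
for workloads that are not enriched yet (Exchange/Teams at time of writing).
Field names (Id, Operation, Workload, UserId, ClientIp, SourceIp, DeviceOS,
DeviceOSVersion) are assumptions; verify them against your own export.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample export (JSON lines). 192.0.2.10 stands in for the
# Microsoft service address that the UAL-style ClientIp usually shows; the
# 198.51.100.x / 203.0.113.x addresses stand in for real device IPs.
SAMPLE_JSONL = """\
{"Id":"a1","Operation":"FileAccessed","Workload":"SharePoint","UserId":"alice@contoso.example","ClientIp":"192.0.2.10","SourceIp":"198.51.100.23","DeviceOS":"Windows","DeviceOSVersion":"10.0.22631"}
{"Id":"a2","Operation":"FileDownloaded","Workload":"SharePoint","UserId":"alice@contoso.example","ClientIp":"192.0.2.10","SourceIp":"203.0.113.77","DeviceOS":"Android","DeviceOSVersion":"14"}
{"Id":"a3","Operation":"MailItemsAccessed","Workload":"Exchange","UserId":"alice@contoso.example","ClientIp":"192.0.2.10"}
"""


@dataclass
class AuditRecord:
    id: str
    operation: str
    workload: str
    user: str
    client_ip: Optional[str]
    source_ip: Optional[str]
    device_os: Optional[str]
    device_os_version: Optional[str]


def parse_records(jsonl: str) -> list[AuditRecord]:
    """Parse one JSON object per line; missing optional fields become None."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        records.append(AuditRecord(
            id=d["Id"], operation=d["Operation"], workload=d["Workload"],
            user=d["UserId"], client_ip=d.get("ClientIp"),
            source_ip=d.get("SourceIp"), device_os=d.get("DeviceOS"),
            device_os_version=d.get("DeviceOSVersion")))
    return records


def actor_ip(rec: AuditRecord) -> tuple[str, str]:
    """Return (ip, provenance). SourceIp is the device IP supplied by GSA and
    is preferred; ClientIp is the UAL-style value and may be a service IP."""
    if rec.source_ip:
        ipaddress.ip_address(rec.source_ip)  # raises ValueError on garbage
        return rec.source_ip, "SourceIp"
    if rec.client_ip:
        return rec.client_ip, "ClientIp (unenriched, may be a service IP)"
    return "", "none"


def summarize_by_user(records: list[AuditRecord]) -> dict[str, dict]:
    """Per user: real source IPs, device OS strings, ids of records where the
    service-side ClientIp would have hidden the real origin, and ids of
    records with no enrichment at all."""
    out: dict[str, dict] = {}
    for r in records:
        s = out.setdefault(r.user, {"source_ips": set(), "device_os": set(),
                                    "masked_ids": [], "unenriched_ids": []})
        if r.source_ip:
            s["source_ips"].add(r.source_ip)
            if r.client_ip and r.client_ip != r.source_ip:
                s["masked_ids"].append(r.id)
        else:
            s["unenriched_ids"].append(r.id)
        if r.device_os:
            s["device_os"].add(f"{r.device_os} {r.device_os_version or ''}".strip())
    return out


def outside_known_networks(records: list[AuditRecord], known: list[str]) -> list[str]:
    """Simple detection: ids of enriched records whose real SourceIp is not in
    any of the given prefixes (e.g. office or VPN egress ranges). Unenriched
    records are skipped because their ClientIp says nothing about the device."""
    nets = [ipaddress.ip_network(n) for n in known]
    return [r.id for r in records
            if r.source_ip and not any(ipaddress.ip_address(r.source_ip) in n for n in nets)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSONL)
    for r in recs:
        print(r.id, r.workload, r.operation, *actor_ip(r))
    print(summarize_by_user(recs))
    print("outside known networks:", outside_known_networks(recs, ["198.51.100.0/24"]))
```

Run it directly to print the per-record provenance. The summary shows for which records the UAL-style ClientIp would have masked the real origin and which records carry no enrichment at all, and outside_known_networks is the kind of check that only becomes meaningful once SourceIp is the device address rather than a Microsoft service address.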

TLDR

  • The EnrichedOffice365AuditLogs are part of a new Microsoft service called Global Secure Access (GSA).
  • With GSA enabled, access to Microsoft 365 services such as SharePoint/OneDrive is recorded in the EnrichedOffice365AuditLogs.
  • At this moment only SharePoint/OneDrive logging is generated.
  • Teams and Exchange logging are going to be added.
  • The main difference between the information captured in the Unified Audit Log and the EnrichedOffice365AuditLogs is that the 'real' source IP of an action is recorded, and not just the Microsoft IP address of the service.

If you enjoyed this content, you might be interested in our training which we offer OnDemand and at selected live events.