If you are a security analyst, engineer, admin, or otherwise responsible for protecting the personal and private data of employees and customers – the following 3 statistics should frighten you.
Let’s face it, peace of mind is something that is far from obtainable if you are in a security position where you are responsible for protecting personal, private, or otherwise sensitive data. The likelihood of this happening under your supervision is increasing at an alarming rate but you can work against these odds.
Monitoring user activity is a critical way to understand how users are interacting with data in your environment, and essential in stopping your users from making mistakes that introduce a security risk. Keeping an eye on high-risk activities like Anonymous Link creation, sensitive data interaction and external user activity will help keep you ahead of security threats. Here is what Microsoft provides natively to monitor SharePoint and OneDrive activity.
Microsoft provides high-level views into SharePoint Activity, which can be useful for monitoring overall trends. I say high-level because you will notice these views do not contain any file-level activity.
Navigate to the O365 admin center, expand the Reports blade, and click Usage to access the out-of-the-box SharePoint Activity views. You can take a high-level look into your SharePoint Activity by filtering the admin center report above to SharePoint. SharePoint Activity is broken down into two categories: User Activity or Site Usage.
The SharePoint Activity section has three views: Files, Pages and Users.
These views are good for looking at high-level trends, but they lack file-level detail. For example, in the view below I can see some of how users are interacting with files, but there is no information about what those files are, where they exist, or who specifically they are being shared with.
Files View:
Pages View:
Users View:
SharePoint Site Usage has four views: Sites, Files, Storage and Pages.
The site usage views provide high-level details into Sites, Files, Storage, and Pages usage. Each of these views is very high level, with the same details shown below in the Details breakdown.
Sites view:
Files view:
Storage view:
Pages view:
OneDrive Activity is broken down similarly to SharePoint, in that you can look at activity or OneDrive usage. I feel repetitive, but these views are pretty much exactly the same as the views available for SharePoint sites: they are high level and lack file-level detail.
The OneDrive activity reports are broken up by Files and Users views.
Files view:
Users view:
The views described above are great for looking at high-level trends across your SharePoint environment, but if you really want useful security data you need to look deeper into the activity. Be warned, however: file-level activity isn't the easiest thing to parse from SharePoint logs into meaningful data, especially for classic sites. Microsoft's site-level reporting is very limited, especially for non-modern sites and OneDrive.
For example –
A modern site’s usage experience will provide some of the similarly detailed admin level reports shown above for specific sites. These reports include:
1. Unique viewers report
2. Site visits – pretty self-explanatory.
Looking into classic SharePoint site activity auditing involves a lot of manual labor:
First you need to go to the site and run a report. There are a number of events you can choose from, but those events are dumped into a CSV which requires further manual analysis or third-party manipulation before it is of any meaningful use.
Some of the usage reports can provide meaningful information for understanding which sites you may want to look into deprovisioning. The retention settings are limited to a maximum of one year for activity audit logs and require a retention policy to be created with specific parameters around users and activity types; otherwise you can only look back up to 180 days. It is also nice to be able to see who in your environment is interacting with external users; however, the lack of file-level detail leaves you with a rather vague idea of what users are doing.
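The manual CSV analysis described above can be scripted. The following is an added example, not code from this post or from Microsoft: it flags anonymous link creation, external (guest) user activity, and sharing with guests in an exported audit CSV. The column layout (CreationDate, UserIds, Operations, AuditData) is an assumption about the export format, and every sample row is constructed.

```python
import csv
import io
import json

# Assumed export layout: CreationDate, UserIds, Operations, AuditData (JSON).
BASE = "https://contoso.example/sites/hr/Shared Documents/"

def build_sample():
    """Return a constructed (not real) audit export as CSV text."""
    rows = [
        ("2022-03-01T09:15:00", "alice@contoso.example", "FileAccessed",
         json.dumps({"ObjectId": BASE + "handbook.docx"})),
        ("2022-03-01T09:20:00", "bob@contoso.example", "AnonymousLinkCreated",
         json.dumps({"ObjectId": BASE + "payroll.xlsx"})),
        ("2022-03-01T09:41:00", "carol_partner.example#EXT#@contoso.example",
         "FileDownloaded", json.dumps({"ObjectId": BASE + "payroll.xlsx"})),
        ("2022-03-01T10:02:00", "dave@contoso.example", "SharingInvitationCreated",
         json.dumps({"ObjectId": BASE + "reviews.docx",
                     "TargetUserOrGroupType": "Guest"})),
        ("2022-03-01T10:30:00", "erin@contoso.example", "FileModified",
         '{"ObjectId": "https://contoso'),  # deliberately truncated JSON
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    writer.writerows(rows)
    return out.getvalue()

def flag_high_risk(csv_text):
    """Return one finding per row that matches a high-risk pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        try:
            data = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            data = {}  # keep the row visible instead of dropping it
            reasons.append("unparseable AuditData")
        if row["Operations"] == "AnonymousLinkCreated":
            reasons.append("anonymous link created")
        if "#ext#" in row["UserIds"].lower():  # guest UPNs carry #EXT#
            reasons.append("external user activity")
        if data.get("TargetUserOrGroupType") == "Guest":
            reasons.append("shared with external guest")
        if reasons:
            findings.append({"time": row["CreationDate"], "user": row["UserIds"],
                             "operation": row["Operations"], "reasons": reasons,
                             "file": data.get("ObjectId", "unknown")})
    return findings
```

Calling `flag_high_risk(build_sample())` returns four findings; the routine `FileAccessed` row by an internal user is not flagged.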
For example, while there are a number of reports that give some visibility into activity, they still do not provide answers to many simple questions like:
To complement these offerings, a tool like the Stealthbits Activity Monitor in conjunction with StealthAUDIT for SharePoint can pull together that file detail into much more meaningful and customizable reports. For example, with Stealthbits we can provide reports on Access Link creation activity to show you when and where a link is created, what it is giving access to, who it's giving access to, whether it's sensitive, and whether it's being shared externally. You just won't get that level of detail out of the box from Microsoft's native functionality.
Chris studied Information Systems at Hofstra University before joining Stealthbits – now part of Netwrix where he took on the role as the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.
© 2022 Stealthbits Technologies, Inc.