If you are a security analyst, engineer, admin, or otherwise responsible for protecting the personal and private data of employees and customers – the following 3 statistics should frighten you.
- The frequency of insider threats incidents has increased by 47% in the past two years – the Ponemon Institute
- Disgruntled employees rank in the top 5 contributors for insider data breaches according to Verizon.
- Somewhere between 20 and 30 million people lost their jobs over the course of the past few months due to the Coronavirus according to statistics provided by the Bureau of Labor Statistics and the District of Labor. That is a lot of disgruntled employees.. in the United States alone.
Let’s face it, peace of mind is something that is far from obtainable if you are in a security position where you are responsible for protecting personal, private, or otherwise sensitive data. The likelihood of this happening under your supervision is increasing at an alarming rate but you can work against these odds.
Monitoring user activity is a critical way to understand how users are interacting with data in your environment, and essential in stopping your users from making mistakes that introduce a security risk. Keeping an eye on high-risk activities like Anonymous Link creation, sensitive data interaction and external user activity will help keep you ahead of security threats. Here is what Microsoft provides natively to monitor SharePoint and OneDrive activity.
Native SharePoint Online Activity Reporting
Microsoft provides high-level views into SharePoint Activity which can be useful in monitoring things at a high-level. I say high-level because you will notice these views do not contain any file-level activity.
Navigate to the O365 admin center and expand the Reports blade and click Usage to access the out of the box SharePoint Activity views. You can take a high-level look into your SharePoint Activity by filtering the admin center report above to SharePoint. SharePoint Activity is broken down into two categories: User Activity or Site Usage.
SharePoint Online Activity
SharePoint Activity section has three views: Files, Pages and Users.
These views are good for looking at high-level trends but they lack the file level detail. For example, in the view below I can see some of how users are interacting with files but there is not information related to what those files are, where they exist, or who specifically they are being shared with.
- The activity can be filtered to show Views/Edits, Locally Synced Files, Shared Internally, Shared Externally.
- The pages view provides another high-level look into activity related to user traffic across your SharePoint Sites with a breakdown of the users and several different types of actions they may be doing.
- The users view highlights Views/Edits, file Syncs, Internal/External sharing and page visits.
SharePoint Site Usage has four views: Sites, Files, Storage and Pages.
The site usage views provide high-level details into Sites, Files, Storage, and Page usage. Each view for each of the following is very high level with the same details shown below in the Details breakdown.
- This view gives you a high-level summary of the total sites you have versus how many are active with a detailed view that breaks down some site activity details.
- Similar to the sites view in that it breaks down active files versus total files. Again lacking in terms of file-level information around file interaction.
- A simple high-level report on the total storage used at a given date.
- This like all other reports can be filtered up to 180 days in the past and tracks how often pages are viewed and provides some additional page information in a details table below.
OneDrive Activity is also broken down similar to SharePoint in that you can look at activity or OneDrive usage. I feel repetitive but these views are pretty much exactly the same as the views available for SharePoint sites in that they are high level and lacking in terms of file-level detail.
The OneDrive activity reports are broken up by Files and Users views.
- Provides a view into how your users are sharing files, again does not show what your users are sharing or who specifically with.
- The users view gives some high-level details into views/edits, syncs, or internal/external sharing.
- The details section shows Last Activity Date, Number of files the user viewed or edited, number of files synced and number of files shared externally
Native SharePoint Online Activity views modern vs classic site-level experience:
The views described above are great for looking at high-level trends across your SharePoint environment but if you really want useful security data you need to look deeper into the activity. However, be warned file-level activity isn’t the easiest thing to parse from SharePoint logs into meaningful data especially for classic sites. Microsoft’s site-level reporting is very limited especially for non-modern sites and OneDrive.
For example –
A modern site’s usage experience will provide some of the similarly detailed admin level reports shown above for specific sites. These reports include:
1. Unique viewers report
2. Site visits – pretty self explanatory.
- Site traffic
- This report basically shows you what time most users are active.
Looking into classic SharePoint site activity auditing involves a lot of manual labor:
First you need to go to the site and run a report, there are a number of events you can choose from but those events are dumped into a csv which requires further manual analysis or otherwise third-party manipulation for any meaningful use.
Some of the usage reports can provide meaningful information in understanding which sites you may want to look into deprovisioning. The retention settings are limited to a maximum of one year for activity audit logs and require a retention policy be created with specific parameters around users and activity types, otherwise you can only look back up to 180 days. It is also nice to be able to see who in your environment is interacting with external users however the lack of file level detail leaves users with a rather vague idea of what users are doing.
For example, while there are a number of reports that give some visibility into activity, they still do not provide answers to many simple questions like:
- What are all the files a given user accessed the past month?
- What are all the users who have accessed a given file?
- Who is interacting with my sensitive data?
- What suspicious activity is taking place on my site?
- What are my external users accessing? Is it sensitive?
To compliment these offerings a tool like the stealthbits Activity Monitor in conjunction with stealthAUDIT for SharePoint can pull together that file detail into much more meaningful and customizable reports. For example, with stealthbits we can provide reports on Access Link creation activity to show you when/where a link is created, what it is giving access to, who its giving access to, if it’s sensitive and if its being shared externally. You just won’t get that level of detail out of the box from Microsoft’s Native functionality.
Chris studied Information Systems at Hofstra University before joining Stealthbits where he took on the role of the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.