We currently have a use case to examine the permissions/access associated with a user's Office365 or SharePoint account. There are a ton of different O365 audit logs that are related to access and sharing groups. I would like to be able to figure out some correlations but have been having some difficulty due to the confusing nature of the logs. Wondering if anyone has faced this problem and is working through it or has solved it.
Here's the smart way to get your use cases - get someone to DO the activities you want to detect, and have them tell you EXACTLY WHEN they did them, and ON WHOM.
Then you can find the appropriate records easily. Once you see those records, then you can check closely related records (by time or other field similarities) and see if you want them as well.
You're going to want the RecordType, Operation, Target, UserID, UserKey, UserSharedWith, UserType, Workload to start with. Once you've identified the records that document the actions that you are looking for, then you can see if there are other fields available that are relevant to those exact actions.
If you know when and what the action was that you are hunting, then just filtering by date/time, Workload, and RecordType should be enough to locate the appropriate records.
Failing that, if you have to go from theory to details, then the key to figuring out your use cases is going to be drilldown, probably. Start with the RecordType, probably concentrating on 4 but later check 8, 6, 14, and then maybe 1 and 18.
1 Indicates a record from the Exchange admin audit log.
2 Indicates a record from the Exchange mailbox audit log for an operation performed on a single mailbox item.
3 Also indicates a record from the Exchange mailbox audit log. This record type indicates the operation was performed on multiple items in the source mailbox (such as moving multiple items to the Deleted Items folder or permanently deleting multiple items).
4 Indicates a site admin operation in SharePoint, such as an administrator or user assigning permissions to a site.
6 Indicates a file or folder-related operation in SharePoint, such as a user viewing or modifying a file.
8 Indicates an admin operation performed in Azure Active Directory.
9 Indicates OrgId logon events in Azure Active Directory. This record type is being deprecated.
10 Indicates security cmdlet events that were performed by Microsoft personnel in the data center.
11 Indicates Data loss protection (DLP) events in SharePoint.
12 Indicates Sway events.
14 Indicates sharing events in SharePoint.
15 Indicates Secure Token Service (STS) logon events in Azure Active Directory.
18 Indicates Security & Compliance Center events.
20 Indicates Power BI events.
22 Indicates Yammer events.
25, 26, or 27 Indicates Microsoft Teams events.
UserType - The type of user that performed the operation. The following values indicate the user type.
0 A regular user.
2 An administrator in your Office 365 organization.
3 A Microsoft datacenter administrator or datacenter system account.
4 A system account.
5 An application.
6 A service principal.
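The method in the reply above, carried out in code, as an added example that is not part of the original thread. It assumes the audit records are the AuditData JSON objects you get back from Search-UnifiedAuditLog or the Management Activity API, one per line, with the field names the reply lists (CreationTime, RecordType, Operation, UserId, UserKey, UserSharedWith, UserType, Workload, ObjectId). The sample records are constructed for a tester who shared a file at a known time; the short labels for the RecordType and UserType codes are mine, taken from the descriptions above.

```python
"""Locate and drill down into Office 365 unified audit log records.

Added example, not from the original thread. Input is assumed to be the
AuditData JSON of each record, one object per line, as exported from
Search-UnifiedAuditLog or the Management Activity API. CreationTime in
AuditData is UTC with no zone suffix. The sample records are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Short labels for the RecordType / UserType codes in the thread (labels are mine).
RECORD_TYPE_LABELS = {
    1: "Exchange admin", 2: "Exchange mailbox item", 3: "Exchange mailbox items",
    4: "SharePoint site admin", 6: "SharePoint file/folder", 8: "Azure AD admin",
    14: "SharePoint sharing", 15: "Azure AD STS logon", 18: "Security & Compliance",
}
USER_TYPE_LABELS = {0: "regular user", 2: "admin", 3: "datacenter admin",
                    4: "system account", 5: "application", 6: "service principal"}

# Constructed sample: the tester shared Budget.xlsx with bob@fabrikam.com at
# 14:02:10 UTC and told us so. Other lines are noise of the kind you see around it.
SAMPLE_JSONL = """\
{"CreationTime":"2024-03-05T13:30:00","RecordType":8,"Operation":"UserLoggedIn","UserId":"alice@contoso.com","UserKey":"10030000A1B2C3D4","UserType":0,"Workload":"AzureActiveDirectory","ObjectId":"Unknown"}
{"CreationTime":"2024-03-05T14:01:58","RecordType":6,"Operation":"FileAccessed","UserId":"alice@contoso.com","UserKey":"i:0h.f|membership|alice@contoso.com","UserType":0,"Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx"}
{"CreationTime":"2024-03-05T14:02:11","RecordType":14,"Operation":"SharingSet","UserId":"alice@contoso.com","UserKey":"i:0h.f|membership|alice@contoso.com","UserType":0,"Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","UserSharedWith":"bob@fabrikam.com"}
{"CreationTime":"2024-03-05T14:02:12","RecordType":14,"Operation":"SharingInvitationCreated","UserId":"alice@contoso.com","UserKey":"i:0h.f|membership|alice@contoso.com","UserType":0,"Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","UserSharedWith":"bob@fabrikam.com"}
{"CreationTime":"2024-03-05T14:02:13","RecordType":4,"Operation":"AddedToGroup","UserId":"alice@contoso.com","UserKey":"i:0h.f|membership|alice@contoso.com","UserType":0,"Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/Finance"}
{"CreationTime":"2024-03-05T14:03:00","RecordType":6,"Operation":"FileAccessed","UserId":"carol@contoso.com","UserKey":"i:0h.f|membership|carol@contoso.com","UserType":0,"Workload":"SharePoint","ObjectId":"https://contoso.sharepoint.com/sites/HR/Shared Documents/Onboarding.docx"}
{"CreationTime":"2024-03-05T14:10:40","RecordType":15,"Operation":"UserLoggedIn","UserId":"bob@fabrikam.com","UserKey":"10030000D4C3B2A1","UserType":0,"Workload":"AzureActiveDirectory","ObjectId":"Unknown"}
"""


def utc(stamp: str) -> datetime:
    """Parse an AuditData CreationTime (no suffix) as UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def load_records(jsonl: str) -> list:
    """Parse one AuditData object per line and sort by time."""
    records = []
    for line in jsonl.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["_time"] = utc(rec["CreationTime"])
            records.append(rec)
    return sorted(records, key=lambda r: r["_time"])


def locate(records, when, window_minutes=5, workload=None, record_type=None):
    """Step 1 of the thread's method: known time, plus Workload and RecordType."""
    half = timedelta(minutes=window_minutes)
    return [r for r in records
            if abs(r["_time"] - when) <= half
            and (workload is None or r["Workload"] == workload)
            and (record_type is None or r["RecordType"] == record_type)]


def related(records, seed, window_seconds=60, fields=("UserId", "UserKey", "ObjectId")):
    """Step 2: drill down to records close in time that share a field value with the seed."""
    span = timedelta(seconds=window_seconds)
    return [r for r in records
            if r is not seed and abs(r["_time"] - seed["_time"]) <= span
            and any(f in r and f in seed and r[f] == seed[f] for f in fields)]


def external_sharing(records, internal_domain):
    """The original question, narrowed: sharing records whose recipient is outside the tenant."""
    suffix = "@" + internal_domain.lower()
    return [r for r in records
            if r["RecordType"] == 14 and r.get("UserSharedWith")
            and not r["UserSharedWith"].lower().endswith(suffix)]


def describe(rec) -> str:
    """One-line summary with the numeric codes decoded."""
    rt = RECORD_TYPE_LABELS.get(rec["RecordType"], f"RecordType {rec['RecordType']}")
    ut = USER_TYPE_LABELS.get(rec.get("UserType"), "unknown user type")
    shared = f" -> {rec['UserSharedWith']}" if rec.get("UserSharedWith") else ""
    return f"{rec['CreationTime']} [{rt}] {rec['Operation']} by {rec['UserId']} ({ut}){shared} on {rec['ObjectId']}"


if __name__ == "__main__":
    recs = load_records(SAMPLE_JSONL)
    hits = locate(recs, utc("2024-03-05T14:02:10"), workload="SharePoint", record_type=14)
    for h in hits:
        print("HIT   ", describe(h))
    for r in related(recs, hits[0]):
        print("NEARBY", describe(r))
    for r in external_sharing(recs, "contoso.com"):
        print("EXTERN", describe(r))
```

The first pass (locate) finds the two RecordType 14 rows the tester's action produced; the second pass (related) pulls in the FileAccessed, SharingInvitationCreated and AddedToGroup rows that sit within a minute and share a user or object with the seed, while ignoring an unrelated user's file access in the same window. Widen the time window or the field list if the drilldown comes back empty, and tighten it once you know which Operations belong to the use case.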