Discover & Audit Reports

Top Operations by Service

This report shows you the most popular activities performed on each service (Azure AD, Exchange, SharePoint Online, and OneDrive). You can filter by service or operation to find specific information, or you can review top operations across your entire environment.

There are advanced filtering options, including the option to search by date, user, activity and location. The chart overview is fully customisable, depending on the operation or service you need to see. Beneath the charts, you can see detailed information about the number of operations occurring, split by type. If you click on the magnifying glass, you can see specific events for that operation.

Failed Events

The Failed Events view provides a list of users who failed to authenticate against a Microsoft cloud service or were denied access to a cmdlet or feature in Office 365. This could indicate that the account is experiencing a brute force attack, or it might just be caused by a user who has forgotten their credentials.

You can investigate the event using the advanced filtering options, including the option to search by date, user, activity and location. The chart overview is fully customisable, and includes a map view (simply click on the cog or globe icon below the chart). The data table below provides important details about the event, such as the time, IP address, location, and failure reason.

Administrator Activities

This timeline shows a list of administration activities performed in Exchange Online and Azure AD. At the top of the timeline, you will find advanced filtering options, including the option to search by date, user, operation, and location. The chart overview is fully customisable, and includes a map view (simply click on the cog or globe icon below the chart to change the view).

The timeline features administrator activities in chronological order, showing the time and date for each event. You can scroll down the timeline to review activity. Any filters applied at the top of the timeline will be reflected in the view here.

Mailbox Activity Events

This report provides a list of mailbox activities performed in Exchange Online. Important: you will need to enable Mailbox Auditing on your mailboxes to see these events.

The top view shows ‘Events per day’, ‘Top Users’ and ‘Top Operations’ by default, but this is fully customisable. Below, there is a timeline view featuring mailbox activity events, which can be expanded to show more detail.

Like all the Discover & Audit reports, you can apply advanced filters to this report, and drill down into the information to find the event or activity you need. Any filters applied at the top of the timeline will be reflected in the timeline view below.

Exchange DLP Events (Beta)

This report lists the data loss prevention (DLP) events in Exchange Online, when configured via Unified DLP Policy. It is crucial to monitor any events where data could be at risk, or could be non-compliant with your DLP policies.

Use the timeline to review any events in your environment, and apply advanced filters to drill down into the information and find the event or activity you need. Any filters applied at the top of the timeline will be reflected in the timeline view below.

Sharing and Access requests

This report details all requests to share or access items from OneDrive or SharePoint. The top view shows an overview of activity, and it is fully customisable (just click on the cog icon in the bottom left of the chart).

As you can see below, the timeline shows a chronological view of activity, and events can be expanded to show a more detailed view. Like all the other Discover & Audit reports, you can apply advanced filters to drill down into the information and find the event or activity you need. Any filters applied at the top of the timeline will be reflected in the timeline view below.

File and folder operations

This report lists all the files and folders that have been modified in OneDrive or SharePoint Online. The top view shows an overview of activity, and is fully customisable (just click on the cog icon in the bottom left of the chart).

As you can see, the timeline shows a chronological view of activity, and events can be expanded to show a more detailed view. Like all the other Discover & Audit reports, you can apply advanced filters to drill down into the information and find the event or activity you need. Any filters applied at the top of the timeline will be reflected in the timeline view below.

SharePoint/OneDrive Sync Operations

This report shows all files and folders that have been synchronised in OneDrive or SharePoint Online. The top view shows an overview of activity, and it is fully customisable (just click on the cog icon in the bottom left of the chart).

As you can see, the timeline shows a chronological view of activity, and events can be expanded to show a more detailed view. Like all the other Discover & Audit reports, you can apply advanced filters to drill down into the information and find the event or activity you need. Any filters applied at the top of the timeline will be reflected in the timeline view below.

Sign ins after Multiple Failures

This table lists all accounts that failed to sign in multiple times and then successfully authenticated. This could indicate that the account was subjected to a brute force attack. As you can see, if there have been no events of this kind, the table will be empty. If you have an incident where a user has signed in to Office 365 after multiple failures, the details of this event will be listed here, enabling you to investigate the incident if it seems suspicious.
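The pattern this table surfaces can be expressed as simple detection logic over sign-in records. The following is an added example, not the product's own code: the event fields, the outcome labels, the threshold of three failures and the ten-minute window are all assumptions, since the page does not define "multiple".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real audit data):
# (timestamp, user, source IP, outcome). Outcome labels are assumed.
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "carol@example.com", "192.0.2.10", "Failed"),
    ("2024-03-01T08:00:30", "carol@example.com", "192.0.2.10", "Failed"),
    ("2024-03-01T08:01:00", "carol@example.com", "192.0.2.10", "Failed"),
    ("2024-03-01T09:00:05", "alice@example.com", "203.0.113.7", "Failed"),
    ("2024-03-01T09:00:20", "alice@example.com", "203.0.113.7", "Failed"),
    ("2024-03-01T09:00:45", "alice@example.com", "198.51.100.23", "Failed"),
    ("2024-03-01T09:01:10", "alice@example.com", "198.51.100.23", "Failed"),
    ("2024-03-01T09:01:40", "alice@example.com", "198.51.100.23", "Succeeded"),
    ("2024-03-01T09:05:00", "bob@example.com", "192.0.2.44", "Failed"),
    ("2024-03-01T09:05:20", "bob@example.com", "192.0.2.44", "Succeeded"),
    ("2024-03-01T09:30:00", "carol@example.com", "192.0.2.10", "Succeeded"),
]


def signins_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Return successful sign-ins preceded by >= min_failures failures
    for the same user within `window` (both values are assumed defaults)."""
    recent = defaultdict(deque)  # user -> recent failures as (time, ip)
    hits = []
    for ts, user, ip, outcome in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        fails = recent[user]
        # Forget failures that are older than the look-back window.
        while fails and when - fails[0][0] > window:
            fails.popleft()
        if outcome == "Failed":
            fails.append((when, ip))
        elif outcome == "Succeeded":
            if len(fails) >= min_failures:
                hits.append({
                    "user": user,
                    "success_time": ts,
                    "success_ip": ip,
                    "failures": len(fails),
                    "failure_ips": sorted({f_ip for _, f_ip in fails}),
                })
            fails.clear()  # a success resets the failure streak
    return hits
```

With the sample data only alice is reported: bob's single mistyped password falls below the threshold, and carol's failures are too old by the time she signs in.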

Irregular Sign in Activity

This report lists accounts for which Windows Azure AD has detected sign-in events that vary from the user’s usual sign in patterns. As you can see, if there have been no events of this kind, the table will be empty. If there has been irregular sign in activity, the details of the event will be listed here.

Sign ins from Infected Devices

This table lists all accounts that have signed in from potentially infected devices. As you can see, if there have been no events of this kind, the table will be empty. If there have been sign ins from infected devices, the details of the event will be listed here.

Sign ins from Unknown Sources

This table lists all accounts that have signed in from an unknown source. As you can see, if there have been no events of this kind, the table will be empty. If there have been sign ins from unknown sources, the details of the event will be listed here.
