Audit logging of Office 365 mail reads makes forensics investigations of attacks much easier. Here's how to make sure it's enabled.

Ensuring that audit logs are enabled for Microsoft Office 365 can help you investigate and determine exactly how, why, when and possibly who did what (including, but not limited to, questions from management) when conducting forensic investigations of attacks. Starting February 1, Microsoft will add auditing to track mail reads by default. This has long been a key request from forensic investigators to assist in mail investigations.

Before that, of course, you need to review your current auditing settings. You can do this via PowerShell or go to the Security and Compliance Center, then go to “Search & Investigation,” select “Audit log search” and then review your settings.

[Figure: Review your settings for audit logging. Credit: Microsoft]

Click on “Learn more about search and investigations.” If you find that auditing is not enabled, enable it as soon as possible. Once you have enabled auditing, it takes a few hours before it’s active.

[Figure: Activate audit logging. Credit: Microsoft]

If you are interested in learning more about auditing, there are several resources, including an online ebook, Office 365 for IT Pros, and various documents on the Microsoft site. Remember, you can set up alerts for activity in this area as well.

You’ll also want to enable mailbox auditing. You’ll need to enable this with PowerShell as noted in the Microsoft documentation. I recommend that once you log in with PowerShell, you enable logging on all mailboxes in your organization:

    Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

Logging is too important a tool not to have enabled from the get-go.
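
To review the current settings from PowerShell before and after running the command above, the following is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read and change audit settings; step 3 only previews changes until `-WhatIf` is removed.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module and an account
# with an Exchange role that can read and change audit settings.
Connect-ExchangeOnline

# 1. Tenant level: is the unified audit log (the "Audit log search" data) on?
$orgAudit = Get-AdminAuditLogConfig
if (-not $orgAudit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled for this tenant.'
    # Uncomment to enable; it takes a few hours before it is active.
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# AuditDisabled = True means mailbox auditing is switched off organization-wide.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level.'
}

# 2. Mailbox level: list user mailboxes that do not have auditing enabled.
$mailboxes  = @(Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'")
$notAudited = @($mailboxes | Where-Object { -not $_.AuditEnabled })

'{0} of {1} user mailboxes have AuditEnabled = False' -f $notAudited.Count, $mailboxes.Count
$notAudited |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit |
    Format-Table -AutoSize

# 3. Enable auditing only where it is off. -WhatIf previews each change;
#    remove it to apply.
foreach ($mbx in $notAudited) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -WhatIf
}

# 4. After applying, re-run step 2 and confirm the list is empty.
```
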
Too many times I see admins and consultants asking if they can determine what happened to an email, and unless auditing is enabled ahead of time, you can’t answer that question.

Admins must have rights assigned to review audit logs. You can assign permissions to view the audit logs in the Exchange Admin Center. Additional resources regarding Office 365 audit logs can be found in both the Understanding Office 365 logging YouTube video and the SANS whitepaper on logging.

As you can tell, this is just the tip of the iceberg, and there is much more time and effort you need to spend to fully implement auditing and understand it. I urge you to take the time to review your settings and enable them now, before an incident, rather than regret that you didn’t have them set up.