Going Beyond the SharePoint Audit Log to Secure Your SharePoint Environment

Any change or data access event that occurs in a critical system like Microsoft SharePoint Server can jeopardize data security, lead to system unavailability and result in compliance failures. The SharePoint audit log helps you keep track of changes and information access events, so you can improve security and business continuity. But native tools don’t provide detailed and ready-to-use SharePoint audit reports, the ability to dig deeper into suspicious actions, or reliable log storage, which hinders incident investigation, slows issue remediation and makes passing audits difficult.

Constraints of native SharePoint audit log reports

Creating and applying information management policies on SharePoint — for example, configuring permissions to specific site content types and assigning users proper permissions to documents with sensitive data — help you minimize the risk of a breach. But you also need to stay on top of what’s going on across your SharePoint site on a daily basis. With the built-in audit log in SharePoint Site Collection Administration, you can configure SharePoint audit settings to collect a SharePoint audit trail, and then export the collected data into an Excel report.

But you’ll have to manually sift through the data in order to find signs of abnormal activity, so an attack might slip under your radar. And even when you spot a threat, it’s difficult to dig out the details you need to combat it effectively. Additional drawbacks of the native approach include:

  • SharePoint audit log reports don’t offer any subscription capability, so you have to manually export the reports every time you need to view audit log data.
  • When you detect suspicious activity — for instance, if a library item was accessed by a user who shouldn’t have access to it — it’ll take you hours to investigate how the user inherited permissions to do it.
  • To generate audit log reports, you need the SharePoint audit trail, which takes up valuable space. Therefore, you might need to configure audit log trimming, which erases old logs to free up space for new logs. As a result, audit data from a certain date range in the past could be erased forever.
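
The trimming and manual-export drawbacks above can be checked directly on an on-premises farm. The following PowerShell is an added example, not part of the original page or of any Netwrix product: it reports each site collection's audit flags and trimming retention, flags collections where auditing is off or retention is short, and archives recent entries to CSV. The threshold, archive path and export window are assumptions.

```powershell
# Added example. Run in the SharePoint Management Shell on a farm server
# with farm administrator rights (SharePoint Server, on-premises).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$MinRetentionDays = 365                 # assumed policy threshold
$ArchiveDir       = 'D:\AuditArchive'   # assumed archive location
$ExportDays       = 7                   # assumed export window; match your job schedule

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$since = [DateTime]::UtcNow.AddDays(-$ExportDays)

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        $flags = $site.Audit.AuditFlags
        # One row per site collection: what is audited and how long it is kept.
        [pscustomobject]@{
            Url            = $site.Url
            AuditFlags     = $flags
            TrimAuditLog   = $site.TrimAuditLog
            RetentionDays  = $site.AuditLogTrimmingRetention
            AuditingOff    = ($flags -eq [Microsoft.SharePoint.SPAuditMaskType]::None)
            ShortRetention = ($site.TrimAuditLog -and
                              $site.AuditLogTrimmingRetention -lt $MinRetentionDays)
        }

        # Archive recent entries so they survive trimming.
        $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
        $query.SetRangeStart($since)
        $file = Join-Path $ArchiveDir ('{0}_{1:yyyyMMdd}.csv' -f $site.ID, (Get-Date))
        $site.Audit.GetEntries($query) |
            Select-Object Occurred, UserId, Event, ItemType, DocLocation, EventData |
            Export-Csv -Path $file -NoTypeInformation
    }
    finally {
        $site.Dispose()   # release the SPSite object
    }
}

# Site collections with an audit gap: no events recorded, or history trimmed early.
$report | Where-Object { $_.AuditingOff -or $_.ShortRetention } |
    Format-Table Url, AuditFlags, TrimAuditLog, RetentionDays -AutoSize
```

Scheduling this with an export window that matches the run interval keeps the archive continuous; `UserId` in the CSV is the site-collection user ID and still has to be resolved to an account name during an investigation.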

Exceeding the capabilities of native SharePoint audit reports with Netwrix Auditor

Netwrix Auditor for SharePoint tracks user activity by collecting data not only from SharePoint change logs and access audit logging, but also from other independent sources. Then it analyzes the collected data and provides you with actionable intelligence so you can quickly detect and block emerging threats to proactively secure your critical assets. The solution brings complete visibility into your SharePoint environment by delivering all the important details about read events and changes across your farm configuration and site collections, such as changes to sites, lists, list items, site settings, permissions and more.

All SharePoint Changes by Site Collection report from Netwrix Auditor: Action, Object Type, What, Who and When

The benefits go far beyond what native audit log reports have to offer:

  • Slash the time you spend on issue detection and remediation with predefined reports that provide easy-to-read, actionable information, not raw log data.
  • Be the first to know about illicit actions by subscribing to the reports that you need and having them delivered on the schedule you set.
  • Investigate suspicious changes and read access events in minutes using the Interactive Search feature.
  • Be notified immediately about critical activity with predefined and custom alerts on threat patterns.
  • Keep your consolidated SharePoint logs for years and easily access them whenever you need to with the cost-effective two-tiered storage (SQL database + file-based).
  • Keep an eye on what’s going on across your SharePoint Online with Netwrix Auditor for Office 365.

Interactive Search feature from Netwrix Auditor: Who, Object type, Action, What, Where and When