Any change or data access event that occurs in a critical system like Microsoft SharePoint Server can jeopardize data security, lead to system unavailability and result in compliance failures. The SharePoint audit log helps you stay on top of auditing of changes and information access events, so you can improve security and business continuity. But native tools don’t provide detailed and ready-to-use SharePoint audit reports, the ability to dig deeper into suspicious actions, or reliable log storage, which hinders incident investigation, slows issue remediation and makes passing audits difficult.
SharePoint Online and SharePoint Server audit logs track the following actions in your SharePoint environment:
• Opened and downloaded documents, viewed items in lists, viewed item properties
• Edited items
• Checked out and checked in items
• Items that have been moved and copied to another location in the site collection
• Deleted and restored items
• Changes to content types and columns
• Search queries
• Changes to user accounts and permissions
• Workflow events
• Custom events
Note that you have to be a SharePoint Site Collection Administrator to change audit settings. By default, configuration is done at the site level.
To setup auditing, open Site Collection Administration and navigate to Site collection audit settings:
• In SharePoint Server, the Configure Audit Settings section consists of three subsections:
◦ Audit log trimming (erasing old data to free up space for new data) — You can set the log retention period (for SharePoint Server 2019, the maximum period is 90 days) and specify a document library path to save log before system trimming.
◦ Documents and items — Choose particular events to audit for your documents and items.
◦ Lists, Libraries and Sites — Choose particular events to audit for your lists, libraries and sites.
• SharePoint Online auditing is powered by Office 365 Unified Audit Logging, which means that:
◦ Audit log retention is set to 90 days.
◦ There’s no option to choose which events you want to audit.
For both SharePoint Server and Sharepoint Online:
1. In Site actions, click Site settings.
2. If you are not at the root of your site collection, under Site Collection Administration, click Go to top level site settings.
3. In the Site Collection Administration section, click Audit log reports.
4. On the View Auditing Reports page, select a pre-built report or click “the Run a custom report” link to manually specify filters. In Office 365, reports scoped at the sub-site level are no longer supported, so SharePoint Online audit log reports always will be generated at the site level.
5. Type a path manually or Browse to the library where you want to save the report, and then click OK.
6. On the Operation Completed Successfully page, choose click here to view this report.
Note that you must have Excel installed to view and process audit log reports.
Office 365 allow you to review all events using the Unified Audit Log through the Office 365 Security & Compliance Center’s audit log search:
1. Sign in to Office 365.
2. In Security & Compliance Center, choose Search, and then click Audit log search.
3. Choosing the events you are interested in from the Activities list, and then click Search. The results will be displayed in the Results pane. A maximum of 5,000 events will be displayed, with 150 records per page. If more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.
Native SharePoint auditing is limited to exporting a subset of the audit data to an Excel spreadsheet, so you have to manually sift through the data in order to find signs of abnormal activity. As a result, an attack might easily slip under your radar. Even when you manage to spot a threat, it’s difficult to dig out the details you need to combat it effectively.
Additional drawbacks of the native approach include:
• SharePoint audit log reports don’t offer any subscription capability, so you have to manually export the reports every time you need to view audit log data.
• When you detect suspicious activity — for instance, a library item was accessed by a user who shouldn’t be able to view it — it’ll take you hours to investigate how the user inherited permissions to do it.
• The SharePoint audit trail takes up a great deal of space, so you need to configure audit log trimming, which erases old data to free up space for new data. As a result, important audit data could be erased forever. SharePoint Online has a fixed retention policy of 90 days, so you will have to back up event logs manually.
Netwrix Auditor for SharePoint tracks user activity by collecting data not only from SharePoint change logs and access audit logging, but also from other independent sources. Then it analyzes the collected data and provides you with actionable intelligence so you can quickly detect and block emerging threats to proactively secure your critical assets. The solution brings complete visibility into your SharePoint environment by delivering all the important detail about read events and changes across your farm configuration, site collections, such as changes to sites, lists, list items, site settings, permissions and more.
The benefits go far beyond what native audit log reports and alerts have to offer: