Microsoft has released information on the Advanced Audit techniques used in its Microsoft 365 platform. The tools are impressive. First, they allow firms to retain all Exchange, SharePoint and Azure Active Directory audit records for one year, with the ability to increase that retention to 10 years with a license add-on. This 10-year retention will allow firms to perform investigations and respond to regulatory, legal, and internal obligations. All other audit logs are retained for 90 days by default.
MailItemsAccessed log event replaces MessageBind
When an intrusion occurs, the first question asked is: What did the attacker have access to? Microsoft has exposed the “MailItemsAccessed” event, which can help you determine whether an attacker gained access to sensitive information and the extent of the breach. If an attacker merely gained access to email messages, the MailItemsAccessed event will be triggered even if there is no overt evidence that the attacker read the email.
MailItemsAccessed replaces the old MessageBind event logging and exposes delegate or owner actions on a mailbox. It also exposes access by a sync operation, not just by a mail client. If the intrusion is through a third-party sync application, you will be able to review that access as well. MailItemsAccessed events are also less noisy in your logs than MessageBind events were.
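To answer "what did the attacker have access to?" from exported audit data, the following added example (not code from the article or from Microsoft) groups MailItemsAccessed records per mailbox into individually accessed messages, synced folders, and non-owner actors. It assumes one AuditData JSON object per line and that the field names used (`OperationProperties`, `MailAccessType`, `IsThrottled`, `LogonType`, `Folders`, `Item`) match your export; the sample records and addresses are constructed.

```python
import json
from collections import defaultdict

# Exchange mailbox audit LogonType codes (assumed to match your export).
LOGON_TYPES = {0: "owner", 1: "admin", 2: "delegate"}

# Constructed sample records (not real tenant data), one AuditData JSON per line.
SAMPLE = [json.dumps(r) for r in (
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "cfo@example.test",
     "UserId": "cfo@example.test", "LogonType": 0,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<a1@example.test>"},
         {"InternetMessageId": "<a2@example.test>"}]}]},
    {"Operation": "MailItemsAccessed", "MailboxOwnerUPN": "cfo@example.test",
     "UserId": "assistant@example.test", "LogonType": 2,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Item": {"ParentFolder": {"Path": "\\Sent Items"}}},
    {"Operation": "Send", "MailboxOwnerUPN": "cfo@example.test",
     "UserId": "cfo@example.test", "LogonType": 0},
)]

def summarize(lines):
    """Per mailbox: messages bound individually, folders synced, non-owner actors."""
    out = defaultdict(lambda: {"bind_messages": set(), "synced_folders": set(),
                               "non_owner": set(), "throttled": False})
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other mailbox operations are out of scope here
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        box = out[rec.get("MailboxOwnerUPN", "unknown")]
        logon = LOGON_TYPES.get(rec.get("LogonType"), "unknown")
        if logon != "owner":
            box["non_owner"].add((rec.get("UserId"), logon))
        if str(props.get("IsThrottled", "False")).lower() == "true":
            box["throttled"] = True  # logging was throttled: treat coverage as incomplete
        if props.get("MailAccessType") == "Sync":
            # A sync record names the folder; every item in it may have been copied.
            path = rec.get("Item", {}).get("ParentFolder", {}).get("Path")
            box["synced_folders"].add(path)
        else:
            for folder in rec.get("Folders", []):
                for item in folder.get("FolderItems", []):
                    box["bind_messages"].add(item.get("InternetMessageId"))
    return dict(out)

if __name__ == "__main__":
    for mailbox, info in summarize(SAMPLE).items():
        print(mailbox, info)
```

A mailbox with any synced folder or a throttled flag should be scoped more broadly than the individually listed message IDs suggest.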