Office 365 Admin Audit: Tracking Critical Changes

The Challenge
Inappropriate administrative actions—intentional or accidental—are a leading cause of security incidents. Knowing who did what and when is crucial. However, the Office 365 Unified Audit Log mixes thousands of irrelevant events (file reads, user logins) with critical events (password changes, permission alterations), making manual incident detection slow and complex.
The goal was to:
- Audit the latest actions performed by administrators
- Filter only high-impact events (permissions, groups, security)
- Obtain a clear timeline for forensic investigation or compliance
- Identify anomalous behavior patterns
The Prompt Sent to Myrmex
Using the integration with the Office 365 tenant, we sent:
Audit the last 10 administrative actions in the Office 365 Unified Audit Log.
Focus on high-impact changes such as modifications to transport rules,
mailbox permissions, or security policy updates.
Present a chronological list including the user identity,
the specific change made, and the timestamp.
Note: Myrmex acts as a digital investigator, filtering "noise" from logs to present only relevant evidence.
What Myrmex Did
Myrmex queried the Office 365 Unified Audit Log, applying specific filters for administrative event categories (such as UserManagement, GroupManagement, and RoleAdministration), ignoring end-user events.
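As an added example (not Myrmex's code or the page's own), a small Python filter that applies the same idea to raw Unified Audit Log records: it drops end-user noise, keeps configuration-changing operations, orders them chronologically, and flags password resets an administrator performed on someone else's account. The operation names in the lookup table and the sample records are constructed for illustration; the records mirror the AuditData fields CreationTime, Operation, UserId and ObjectId.

```python
import json
from datetime import datetime

# Operation -> category for events that change tenant configuration or account
# control. Assumption for this example: the list is illustrative, not exhaustive.
HIGH_IMPACT = {
    "Reset user password.": "User Management",
    "Change user password.": "User Management",
    "Add member to group.": "Group Management",
    "Add group.": "Group Management",
    "Add-MailboxPermission": "Mailbox Permission",
    "Set-TransportRule": "Transport Rule",
}

def parse_records(jsonl):
    """Parse one AuditData JSON object per line into dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def build_timeline(records, limit=10):
    """Return the most recent high-impact events in chronological order,
    flagging resets where the actor is not the account being reset."""
    hits = [r for r in records if r.get("Operation") in HIGH_IMPACT]  # drop noise
    kept = sorted(hits, key=lambda r: datetime.fromisoformat(r["CreationTime"]))[-limit:]
    rows = []
    for r in kept:
        actor, target = r["UserId"], r.get("ObjectId", "")
        rows.append({
            "time": r["CreationTime"], "actor": actor,
            "operation": r["Operation"],
            "target": target,
            "category": HIGH_IMPACT[r["Operation"]],
            # An admin resetting another user's password is worth validating.
            "flag": r["Operation"] == "Reset user password." and actor != target,
        })
    return rows

# Constructed sample records (not real tenant data); timestamps are UTC.
SAMPLE = """
{"CreationTime":"2024-05-02T18:37:43","Operation":"Change user password.","UserId":"larissa@example.com","ObjectId":"larissa@example.com"}
{"CreationTime":"2024-05-02T18:33:57","Operation":"Reset user password.","UserId":"vinicius@example.com","ObjectId":"larissa@example.com"}
{"CreationTime":"2024-05-02T18:34:10","Operation":"UserLoggedIn","UserId":"larissa@example.com","ObjectId":""}
{"CreationTime":"2024-05-02T05:07:32","Operation":"Add group.","UserId":"svc-myrmex@example.com","ObjectId":"Legal Ainext"}
{"CreationTime":"2024-05-02T09:12:01","Operation":"FileAccessed","UserId":"joao@example.com","ObjectId":"https://contoso.sharepoint.com/x.docx"}
{"CreationTime":"2024-05-02T05:18:31","Operation":"Add member to group.","UserId":"ServicePrincipal_teams","ObjectId":"joao@example.com"}
"""

if __name__ == "__main__":
    for row in build_timeline(parse_records(SAMPLE)):
        print(("!! " if row["flag"] else "   ") + f'{row["time"]}  {row["actor"]:<26}{row["operation"]:<24}{row["category"]}')
```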
Timeline of High-Impact Actions
| Timestamp (UTC) | Identity / Actor | Action Performed | Category |
|---|---|---|---|
| 04:06:18 | System/Admin | Group Lifecycle Policies Get | Policy |
| 18:37:43 | Larissa Faustino | Change password (self-service) | User Management |
| 18:33:57 | Vinicius Silva (Admin) | Reset password (Target: Larissa) | ⚠️ User Management |
| 05:18:31 | MS Teams Services | Add member (Joao → Myrmex) | Group Management |
| 05:13:17 | MS Approval Mgmt | Add member (Joao → Everyone) | Group Management |
| 05:07:32 | Myrmex Service | Create Group (Legal Ainext) | Group Management |
| 05:07:32 | Myrmex Service | Add Owner (SP → Legal Ainext) | Group Management |
Analysis and Observations
1. High-Privilege Operations
The log highlighted a critical action at 18:33:57: administrator vinicius.silva manually reset larissa.faustino's password.
Implication: While appearing to be a legitimate support action, in a breach context, this could indicate an attacker taking control of a user account. The clear record allows for quick validation ("Vinicius, did you assist Larissa at that time?").
2. Automated Group Governance
Several automated events (by Myrmex Service and MS Teams Services) show group creation and population.
Implication: Validates that onboarding automations are working correctly, adding users to the right groups without human intervention.
3. Absence of Structural Changes
The analysis confirmed that no transport rules (Exchange) or global security policies were changed during the period, ensuring environment integrity.
Benefits of the Approach
🕵️ Total Traceability
Every action is recorded and associated with a real identity, eliminating "I didn't do that."
⚡ Relevance Filter
Myrmex ignored thousands of "email read" or "file access" events to deliver only the 10 actions that truly impact tenant configuration.
Result
With the Myrmex audit:
- ✅ Transparency: Clear history of who changed what.
- ✅ Security: Detection of manual password resets (potential risk).
- ✅ Control: Confirmation that global security configurations remained intact.
Prompt Variations
The same pattern can be used for specific investigations:
To investigate a suspicious user:
Audit all administrative actions performed by user 'admin@company.com'
in the last 7 days. Focus on data deletion or permission changes.
For email audit:
List all changes to 'Mailbox Permissions' (FullAccess or SendAs)
made in the last 48 hours on any executive mailbox.
