Ensuring that audit logs are enabled for Microsoft Office 365 can help you investigate and determine exactly how, why, when and possibly who did what (including, but not limited to, questions from management) when conducting forensic investigations of attacks. Starting February 1, Microsoft will add auditing to track mail reads by default. This has long been a key request from forensic investigators to assist in mail investigations.
Before that, of course, you need to review your current auditing settings. You can do this via PowerShell or go to the Security and Compliance Center, then go to “Search & Investigation,” select “Audit log search” and then review your settings.
