We have an Office 365 Exchange Online Plan 1. We have a user that is logging in to their Office 365 Exchange account (via Outlook 2016 client and via Android Mail).
However, there are no entries at all in the Audit Log (through the Office 365 Admin web page portal).
Why is this? There should be entries showing this user's activity.
Now, here's the rub: We recently had one of our global administrators' Office 365 accounts compromised, and an attacker got in and wreaked havoc in our email systems (long, unpleasant story).
I am now conducting the cleanup. I have gone through all the steps advised to take after a breach (resetting certain passwords, removing inbox rules, etc.).
Now I am searching our logs for more suspicious activity. I do see several failed login attempts from a wide range of IP addresses in foreign countries, but all activity stops about a month ago, so there are no audit entries at all for this user as of then.
However, this stopping of audit log entries happened BEFORE the compromise occurred. The last audit log entries I have for that user account are several failed login attempts from foreign IP addresses.
What settings could have been changed that would mask a user from showing activity in the audit log?
Also, cough, ahem, does anyone have recommendations for security companies that would conduct security breach cleanup for Office 365 accounts? I am actively seeking such a company's business...