We access the Azure Active Directory Audit Log data (Azure Active Directory powers access and authentication for all Office 365 systems).
A typical record contains:
- User Details (name and email)
- Time of Access
- IP Address
- Software details (e.g. Chrome on Windows 10)
We also capture additional data, such as user profile data, so that we can compare login events against users’ job titles and typical work patterns. This profile data includes:
- Users’ names
- Job title & team details
- Email forwarding rules
When Horizon collects data, it does so under two controlled and restricted access methods, neither of which can view the content of emails or documents. In limited instances, the Microsoft APIs may present us with the ‘Subject Line’ (but not the content) of an email for events that we do not subscribe to or process. We immediately blacklist these events, do not process or store them, and ensure the data does not end up in any of our logging.