• User accesses: Know who is accessing your Office 365 subscription, when, and from where. By establishing a baseline of normal user access behavior, you can then identify anomalous or suspicious user activities, for example, a user trying to sign in from a country where your organization doesn’t have any presence. In addition, spikes in repeated login attempts can alert you to a potential bruteforce login attack. 
  

• Admin activities: Once attackers gain access to your environment, they often try to elevate their privileges to gain more control and access to your sensitive data—as do malicious insiders. Monitoring changes to admin roles and access rights can alert you to potential external and internal threats.
  

• File access & sharing: Monitoring changes to file share permissions and policies in OneDrive for Business can alert you to the early signs of a potential data breach. In addition, monitoring file activities of user, including file upload, delete, edit and restore, can help you to detect and investigate anomalous activities.
  

• Changes to Office 365 policies: This includes changes to Exchange malware and content filtering policies that may enable spammers to send phishing emails and malicious attachments, and changes that weaken your organization’s password policies.
  

Click here to know about all the activities that can be audited with O365 Manager Plus.