Microsoft 365 Forensic Investigation

A Guide to Microsoft 365 Forensic Investigation

On Day 31 of Cybersecurity awareness month, learn how Microsoft helps in forensic investigation and where to find the forensic artifacts today. Stay tuned for more blogs in the Cybersecurity blog series.

As Cyberattacks are arising day-by-day, every organization needs to be secure enough to fight against them. Besides all the security measures, attackers can still enter an organization through any loopholes or the weakest link in the security chain. Before we realize that the attacks have happened, the attacker may access all the sensitive information, change security configurations, and can do whatever they need to do in our Office 365 environment. Here is where forensic investigation comes in.  

It’s the not knowing that’s the worst… After a breach, there are more questions than answers.

– Dwayne Melancon

As the quote goes, investigators have more questions and want more details to move further. Forensic investigators analyze the attack and identify details like how the attacker entered the organization, what data they stole, compromised Office 365 accounts, and much more. Then, they help the organization to get back to normal and recommend Office 365 security best practices to stay secure. Let’s dive deep into what details they look for when investigating the breach and where they could find the required data in Office 365. 

How Microsoft helps in Forensic Investigation?

Microsoft provides all the details about each activity that happens in the organization. Admins can monitor these details to find out unusual user activities, sensitive info accesses, unwanted changes in configurations, privileged access assignments, etc. Also, admins can use the alerting feature to stay updated about risky happenings. Similarly, forensic investigators will surf various Microsoft portals and collect the appropriate details to identify where the attack starts, what are the affected areas, and more. Here are some of the Microsoft 365 features that lend a hand to forensic investigations. 

Office 365 Audit Log

Office 365 audit log provides all the activities done by users, admins, etc., in the organization. Forensic investigators can use the audit trail to identify any suspicious activities that happened during the attack period. The attackers will primarily focus on gaining access to a privileged account like global admin. So, besides all the audit activities, investigators will focus on some of the admin activities to identify the attacker’s move. 

Some of the activities verified by the investigators are,  

  • New admin role assignments – To verify any new highly privileged admin roles are assigned to users, applications, service principals, etc.  
  • Accessed mailbox items (MailItemsAccessed) – To find out if any sensitive emails have been accessed by the attackers.  
  • Purging messages from mailboxes (HardDelete) – To verify that any confidential messages were deleted permanently from the mailbox.  
  • Inbox rule creation (New-InboxRule) – To check if any forwarding or redirecting rules created for the admin mailboxes.  
  • SharePoint and OneDrive File Activities – Activities like file accesses, file delete, file move, file sync, file downloads, etc., will be monitored to identify if any sensitive files have been accessed and used by the attackers.  
  • Role group member changes (Update-RoleGroupMember) – To check if any new members were added to highly privileged role groups like Organization Management.  
  • eDiscovery role additions – To identify if any user has been newly assigned or removed from an eDiscovery role like ‘eDiscovery Manager’ or ‘eDiscovery Administrator’.  
  • eDiscovery compliance search or Content search creation – As eDiscovery search or content search helps to search for instant messages, emails, and documents, attackers may use these searches. So, investigators can find any of these searches were started by the attackers.  
  • eDiscovery compliance search or Content search exports – To verify any eDiscovery searches or content search results have been exported by the attackers.  
  • Consent to application – To check whether any sensitive permissions have been newly granted to an application to access the resources on behalf of a user.   
  • Application modification – To identify whether any new credentials have been added to an existing application or a service principal.  
  • Directory role changes – To verify the recent changes made in the directory role and role group memberships. 

The above-mentioned activities are a few important activities that the investigators monitor in your organization post-breach. There are so many activities in the list which help to investigate and identify the attacker’s activities deeply. 

Microsoft Azure Active Directory Logs

Azure Active Directory is one of the trump cards for forensic investigators to identify activities with more details in the organization. It provides directory activities, sign-in logs, domain changes, application changes, etc. Also, you can integrate Azure AD audit data into the log analytics workspace to query the details precisely. Let’s see them in detail. 

Azure AD Sign-ins Log

This sign-ins log helps to identify the interactive user sign-ins, non-interactive user sign-ins, service principal sign-ins, and managed identity sign-ins in the organization. So, investigators can identify all the Azure AD sign-ins and risky user sign-ins with more details to find the compromised account’s sign-ins, etc. The following are a few examples of sign-in details which are beneficial for the investigators. 

  • Sign-in Location & IP – User’s sign-in location details like country, state, etc., and IP addresses of the device used to sign in.   
  • Failed Sign-ins – The user’s failed sign-ins help to identify the reason for the sign-in failure.  
  • Conditional Access Status – It provides the status of the conditional access of the users’ sign-in. It helps to identify whether the CA check is not applied, successful, or failed.  
  • Authentication Details – It provides the authentication method used to sign in and the policies applied while signing in to the tenant. So, it helps to identify whether any stronger authentication policy is applied or not. 

Risky Users & Risk Detections Logs

Risky users log provides the details of the risky users and their risk status. Risk detection shows all the risks detected in the organization and their risk status. 

Microsoft Purview eDiscovery Tools

eDiscovery solutions in Microsoft Purview include content search and eDiscovery case investigation. Both help to search the content from various resource locations to identify the data instantly. Let’s see how both work and the difference between them. 

Microsoft 365 Content Search

Using the content search in Microsoft Purview, investigators can view instant messages, email attachments, documents, etc. They can search for content from the following locations.  

  • Exchange mailboxes  
  • SharePoint sites  
  • OneDrive for Business  
  • Microsoft Teams  
  • Microsoft 365 Groups  
  • Yammer Teams  

Investigators can view statistics of search results and export them if required. 

Microsoft Compliance eDiscovery

eDiscovery is commonly used for case investigations in which the data can be kept on hold and can do compliance searches for various resource locations. Similarly, forensic investigators can use eDiscovery to properly handle a case in the organization. 

  • You can create a case investigation and properly handle them using the RBAC approach. Thus, only authorized users can access the case and perform the necessary actions.  
  • Placing the data on hold helps to identify the attackers’ further activities like message modification. You can retrieve the original content as well as the modified version.  
  • Compliance search (User data search) helps to search content in various resource locations based on specific keywords, specific users’ content, or all locations in the organization.  
  • You can manage the custodians involved in the case. Custodians are the users who are suspected to be added to the case to monitor their further activities until the case is closed.   
  • You can communicate with custodians using legal hold notification to instruct them to preserve their content for the case investigation.  
  • You can collect reports, remediate processing errors, use the OCR feature, conversation threading, and more to investigate the case in detail. 

What is the difference between content search and eDiscovery?  

Content search and compliance search in eDiscovery share the same workflow but the only difference is that eDiscovery requires you to create a case and you can place the content on hold. 

Microsoft 365 Defender

Microsoft 365 Defender portal provides various features to identify threats and secure your organization. Among them, Advanced Hunting and Activity Log under Cloud Apps will be useful for a forensic audit. Let’s see how it helps forensic investigators.   

Advanced Hunting

Advanced Hunting helps to hunt threat incidents with more details in the organization. It reviews data sets from Microsoft Defender for Endpoint, Defender for cloud apps, Defender for Office 365, and Defender for Identity. Advanced hunting lets you to 

  • Query the database using Kusto Query Language (KQL).  
  • Hunt using guided mode or advanced mode based on your KQL query knowledge.  
  • Create custom detection rules that help you to query the activities using the MITRE technique.  
  • Save your queries for further usage in the investigation.  
  • Load sample queries and apply filters to ease your threat-hunting job  

The above-mentioned points are a few of the hunting features. Investigators can utilize the portal completely to hunt threats effectively. 

Activity Log

Activity log in Microsoft 365 Defender is used to store Office 365 audit log when configured explicitly. Also, the multiple alert templates help to detect and respond to various security activities in the tenant. 

Note: Microsoft Defender for Cloud Apps has been moved to Microsoft 365 Defender portal. If it is not available in your tenant, you can access the activity log in the Microsoft Defender for cloud Apps portal. 

Difficulties in Microsoft 365 Environment

  • By default, the audit log will not be turned on in the organization and won’t retain data beyond 90 days.  
  • Few auditable actions in mailboxes are not enabled by default. We need to manually enable it for every user.  
  • You can preview only 1000 mailbox items on the preview page while searching content using content search and eDiscovery.  
  • You can export only 2TB of data from a single search and for a single day. The maximum size of PST file allowed is 10GB.  
  • You can retain only 30 days of data in Azure AD logs. With a free license, you can retain only up to 7 days. For retaining data beyond that you should go for Azure storage or Log analytics workspace. 
  • Using Activity log in Defender for Cloud Apps, you can retain data up to 180 days. But, when investigating data older than 30 days, some advanced filters are not available due to Microsoft’s data retention policy. 
  • The Advanced Hunting will query the data only for the last 30 days. Also, it requires KQL language to query the database. 

Are you ready to boost up your budget?

  • Though you can extend the audit log retention period with premium licensing, you can preserve only 365 days of data. For more extensions, you should go for E5 licensing. Else, you should look for third-party tools.  
  • For retaining Azure AD logs beyond the retention period, you should go for an Azure storage account, Log analytics workspace which requires Azure Subscription.  
  • For advanced features in eDiscovery like custodian management, OCR, conversation threading, and more, you should go for eDiscovery Premium licensing.  
  • Also, the audit log results in GUI and PowerShell are not appealing and you wouldn’t get well-structured audit data. So, most admins always rely on third-party tools to audit their data efficiently. 

I hope this blog helps you to understand the requirements when doing forensic investigations and how to overcome the challenges. Feel free to drop your thoughts in the comment section. 

Leave a Reply

Your email address will not be published. Required fields are marked *

A Guide to Microsoft 365 Forensic Investigation

time to read: 8 min
Follow us!