Today Microsoft Incident Response is proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra.
These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
With more than 3,000 different activities logged across the Microsoft 365 suite, knowing which ones are useful for your investigation can be daunting.
With these guides, our goal is to make triaging and analyzing data in Microsoft 365 simpler.
Many of these operations are data-based storytelling vehicles, helping Microsoft Incident Response to piece together an attack chain from beginning to end.
To enable Microsoft Incident Response to find ground truth quickly and effectively in an investigation, data mining based on known factors is essential.
First up is our general Microsoft 365 guide, centered around key activities in Exchange Online and SharePoint, the Microsoft 365 products most commonly targeted in cybersecurity attacks.
SearchExportDownloaded: A report of the results from a content search in Microsoft 365 was downloaded.
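As an added example (not part of the Microsoft guide), the following Exchange Online PowerShell script hunts for the SearchExportDownloaded operation in the Microsoft 365 unified audit log and flattens the AuditData JSON so the actor, source IP and exported search are visible at a glance. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an audit-log reader role, and a 30-day look-back window; the session name is a constructed value.

```powershell
# Added example, not from the Microsoft 365 one-page guide.
# Assumes: ExchangeOnlineManagement module installed; account has an audit-log
# reader role; a 30-day look-back window (adjust $start/$end as needed).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$start     = (Get-Date).AddDays(-30)
$end       = Get-Date
$sessionId = "SearchExportDownloaded-hunt-$(Get-Date -Format yyyyMMddHHmmss)"  # constructed
$results   = @()

# Search-UnifiedAuditLog returns at most 5000 rows per call; keep calling with
# the same SessionId and ReturnLargeSet until the server hands back nothing.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations SearchExportDownloaded `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($null -ne $page -and $page.Count -gt 0) { $results += $page }
} while ($null -ne $page -and $page.Count -gt 0)

# AuditData is a JSON string; parse it so the interesting fields become columns.
$results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Workload  = $d.Workload
        Search    = $d.ObjectId     # name of the content search whose export was downloaded
        RecordId  = $_.Identity
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A download of a content-search export is rarely routine, so every row here deserves a follow-up: confirm the user and IP against the eDiscovery case owners and your known egress addresses, and pivot on the same UserId in the sign-in logs for the surrounding hour.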
Our Microsoft Entra guide covers actions which allow organizations to manage and protect their identities, data, and devices in the cloud.
As an industry-leading identity platform, Microsoft Entra ID offers advanced security features, such as multifactor authentication, Conditional Access policies, identity protection, privileged access management, and identity governance.
To view the activities performed by users and administrators in Microsoft Entra ID, you can use the Microsoft Entra ID audit log, which stores events related to role management, device registration, and directory synchronization to name a few.
Azure AD PowerShell: Install the Azure AD PowerShell module and connect to Microsoft Entra ID, then use Get-AzureADAuditDirectoryLogs and/or Get-AzureADSignInLogs to retrieve the data you need.
Microsoft Graph API: Register an application in Microsoft Entra ID and grant it the permissions to read audit log data.
Suspicious activity reported: This log event indicates that a user or an administrator has reported a sign-in attempt as suspicious.
This log event can help identify potential security incidents, including phishing, credential compromise, or malicious insiders.
Update application: Certificates and secrets management. This log event indicates that an administrator has updated the certificates or secrets associated with an application registered in Microsoft Entra ID, such as creation, deletion, expiration, or renewal.
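The script below is an added example, not code from the Microsoft guide, showing the Azure AD PowerShell path described above in practice: it pulls the Microsoft Entra audit log with Get-AzureADAuditDirectoryLogs and keeps only the two events just discussed, "Suspicious activity reported" and "Update application: Certificates and secrets management". It assumes the AzureAD module is installed, the account can read audit logs, and a 30-day look-back; the display-name patterns are matched loosely with wildcards because the exact punctuation of the activity name may differ in your tenant, which is an assumption to verify.

```powershell
# Added example, not from the Microsoft Entra one-page guide.
# Assumes: AzureAD module installed; account has an audit-log reader role;
# 30-day look-back window. Activity-name patterns are assumptions to verify.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Server-side filter on the timestamp keeps the pull small; the name match is
# done client-side with -like so punctuation differences do not hide events.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-AzureADAuditDirectoryLogs -Filter "activityDateTime ge $since" -All $true

$patterns = @(
    'Update application*Certificates and secrets management',
    'Suspicious activity reported'
)

$events |
    Where-Object {
        $name = $_.ActivityDisplayName
        ($patterns | Where-Object { $name -like $_ }).Count -gt 0
    } |
    ForEach-Object {
        # InitiatedBy carries either a user or an app (service principal); show whichever is set.
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) {
            $_.InitiatedBy.User.UserPrincipalName
        } else {
            $_.InitiatedBy.App.DisplayName
        }
        [pscustomobject]@{
            Time     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Result   = $_.Result
            Actor    = $actor
            IP       = $_.InitiatedBy.User.IpAddress
            Target   = ($_.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join '; '
            Changed  = ($_.TargetResources.ModifiedProperties | ForEach-Object { $_.DisplayName }) -join ', '
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

For the certificate-and-secret events, the Target column names the application whose credential changed and Changed lists the modified properties, which is what you need to decide whether the actor was an expected owner of that app. The Azure AD PowerShell module has since been deprecated in favor of Microsoft Graph PowerShell, where Get-MgAuditLogDirectoryAudit reads the same audit log; the Microsoft Graph API path mentioned above exposes it as the auditLogs/directoryAudits resource.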
This toggle grants permissions to assign roles in all Azure subscriptions and management groups associated with the Microsoft Entra directory.
It is only available to users who are assigned the Global Administrator role in Microsoft Entra ID. Threat Actors can use it to gain complete control of Azure resources, often for the purposes of crypto mining or lateral movement from cloud to on-premises.
We hope that these one-page guides will be a valuable resource for you when you need to quickly identify and analyze suspicious or malicious activity in Microsoft 365 and Microsoft Entra ID. Print them out, save them as your desktop background, or put them on a mouse pad. Whatever you do, let us know what you find useful and remember that the audit logs in Microsoft 365 and Microsoft Entra ID are not the only source of evidence in a cloud-based case, and you should always correlate and validate your findings with other data sources where possible.
To learn more about Microsoft Security solutions, visit our website.
This Cyber News was published on www.microsoft.com. Publication date: Thu, 18 Jan 2024 17:13:04 +0000