{"id":23756,"date":"2024-01-20T05:01:05","date_gmt":"2024-01-20T13:01:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/01\/20\/news-17486\/"},"modified":"2024-01-20T05:01:05","modified_gmt":"2024-01-20T13:01:05","slug":"news-17486","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/20\/news-17486\/","title":{"rendered":"New Microsoft Incident Response guides help security teams analyze suspicious activity"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Wed, 17 Jan 2024 18:00:00 +0000<\/strong><\/p>\n<p>Today Microsoft Incident Response are proud to introduce two <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=2257423\" target=\"_blank\" rel=\"noreferrer noopener\">one-page guides<\/a> to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.<\/p>\n<p>With more than 3,000 different activities (also known as operations) logged into the Microsoft 365 suite, knowing which are useful for your investigation can be daunting. With these guides, our goal is to make triaging and analyzing data in Microsoft 365 simpler. Many of these operations are data-based storytelling vehicles, helping Microsoft Incident Response to piece together an attack chain from beginning to end. We have worked on hundreds of cloud-centric cases with our customers, and while tactics, techniques, and procedures (TTPs) change with the times, analysis methodology and data triage techniques remain consistently successful. To enable <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a> to find ground truth quickly and effectively in an investigation, data mining based on known factors is essential. 
The known factors could be investigation-specific, such as an IP address, a known compromised username, or a suspicious user agent string. It is also just as important to filter based on how actors move through a cloud environment and gather data. This is where these guides come into their own, and our hope is that sharing these guides can help you in the same way they help us every day.<\/p>\n<h2 class=\"wp-block-heading\" id=\"analyze-the-unified-audit-log-in-microsoft-365\">Analyze the Unified Audit Log in Microsoft 365<\/h2>\n<p>First up is our general Microsoft 365 guide, centered around key activities in Exchange Online and SharePoint\u2014Microsoft 365 products commonly targeted in cybersecurity attacks. Keep in mind that the motives of a Threat Actor, the tools available to them, and the level of access they have achieved will determine the actions they take. No two incidents are ever the same.<\/p>\n<p>Actions carried out in a tenant are recorded in the Unified Audit Log, which can be accessed from the <a href=\"https:\/\/security.microsoft.com\" target=\"_blank\" rel=\"noreferrer noopener\">Security Portal<\/a> or through PowerShell. You can filter the audit log by date, user, activity, IP address, or file name. You can also export the audit log to a CSV file for further analysis.<\/p>\n<p>Most of the operations in these sheets are self-explanatory in nature, but a few deserve further context:<\/p>\n<p><strong>SearchQueryPerformed<\/strong>\u2014A user or an administrator has performed a search query in SharePoint Online or OneDrive for Business. This operation returns information about the search query, such as the IP address, but does not return the query text.<\/p>\n<p><strong>SearchQueryInitiatedSharePoint and SearchQueryInitiatedExchange<\/strong>\u2014These operations are only logged if you have enabled them using the Set-Mailbox PowerShell cmdlet. 
This operation is much like SearchQueryPerformed, except it contains the search query that was used.<\/p>\n<p><strong>SearchExportDownloaded<\/strong>\u2014A report of the results from a content search in Microsoft 365 was downloaded. This operation returns information about the content search, such as the name, status, start time, and end time.<\/p>\n<p><strong>Update<\/strong>\u2014A message item was updated, including its metadata. One example of this is when an email attachment is opened, which updates the metadata of the message item and generates this event. An update operation is therefore not always indicative of an email message being purposefully modified by a Threat Actor.<\/p>\n<p><strong>FileSyncDownloadedFull<\/strong>\u2014A user establishes a sync relationship and successfully downloads files for the first time to their computer from a SharePoint or OneDrive for Business document library.<\/p>\n<h2 class=\"wp-block-heading\" id=\"detailed-identity-and-access-data-with-microsoft-entra\">Detailed identity and access data with Microsoft Entra<\/h2>\n<p>Our Microsoft Entra guide covers actions which allow organizations to manage and protect their identities, data, and devices in the cloud. As an industry-leading identity platform, <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-id\">Microsoft Entra ID<\/a> offers advanced security features, such as multifactor authentication, Conditional Access policies, identity protection, privileged access management, and identity governance.<\/p>\n<p>To view the activities performed by users and administrators in Microsoft Entra ID, you can use the Microsoft Entra ID audit log, which stores events related to role management, device registration, and directory synchronization, among others. To view detailed sign-in information, you can use the Sign-In Logs. 
The events located in these two data sources can help you detect and investigate security incidents, such as unauthorized access or configuration changes to the identity plane.<\/p>\n<p>You can use the following methods to access Microsoft Entra ID audit log data:<\/p>\n<p><strong>Microsoft Entra Admin Portal<\/strong>\u2014Go to the <a href=\"https:\/\/entra.microsoft.com\/\">portal<\/a> and sign in as an administrator. Navigate to Audit and\/or Sign-ins under Monitoring. Filter, sort, and export the data as needed.<\/p>\n<p><strong>Azure AD PowerShell<\/strong>\u2014Install the Azure AD PowerShell module and connect to Microsoft Entra ID. Use Get-AzureADAuditDirectoryLogs and\/or Get-AzureADSignInLogs to get the data you need. Pipe the results to Export-CSV to output the information for analysis.<\/p>\n<p><strong>Microsoft Graph API<\/strong>\u2014Register an application in Microsoft Entra ID and give it the permissions to read audit log data (AuditLog.Read.All and Directory.Read.All). Use the \/auditLogs\/directoryAudits and \/auditLogs\/signIns API endpoints to query the data, along with query parameters such as $filter to refine the results.<\/p>\n<p>Most of the operations in these sheets are self-explanatory in nature, but as with our Microsoft 365 operations, a few deserve further context:<\/p>\n<p><strong>Suspicious activity reported<\/strong>\u2014This log event indicates that a user or an administrator has reported a sign-in attempt as suspicious. The log event contains information about the reported sign-in\u2014such as the user, the IP address, the device, the browser, the location, and the risk level. It also shows the status of the report\u2014whether it was confirmed, dismissed, or ignored by the user or the administrator. 
This log event can help identify potential security incidents, including phishing, credential compromise, or malicious insiders.<\/p>\n<p><strong>Update application: Certificates and secrets management<\/strong>\u2014This log event indicates that an administrator has updated the certificates or secrets associated with an application registered in Microsoft Entra ID\u2014such as creation, deletion, expiration, or renewal. Applications are frequently misused by Threat Actors to gain access to data, making this a critical administrative event if found during an investigation.<\/p>\n<p><strong>Any operation ending in \u2018(bulk)\u2019<\/strong>\u2014These are interesting as they demonstrate a bulk activity being performed\u2014such as \u2018Download users\u2019 or \u2018Delete users.\u2019 Keep in mind, however, that these are only logged if the bulk activity is performed using the graphical user interface. If PowerShell is used, you will not see these entries in your log.<\/p>\n<p><strong>Elevate Access<\/strong>\u2014Assigns the currently logged-in identity the User Access Administrator role in Azure Role-Based Access Control at root scope (\/). This grants permissions to assign roles in all Azure subscriptions and management groups associated with the Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID. 
It can be used by Threat Actors to gain complete control of Azure resources, often for the purposes of crypto mining or lateral movement from cloud to on-premises.<\/p>\n<h2 class=\"wp-block-heading\" id=\"improve-security-analysis-with-the-microsoft-incident-response-guides\">Improve security analysis with the Microsoft Incident Response guides <\/h2>\n<p>We hope that these <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=2257423\" target=\"_blank\" rel=\"noreferrer noopener\">one-page guides<\/a> will be a valuable resource for you when you need to quickly identify and analyze suspicious or malicious activity in Microsoft 365 and Microsoft Entra ID. Print them out, save them as your desktop background, or put them on a mouse pad. Whatever you do, let us know what you find useful and remember that the audit logs in Microsoft 365 and Microsoft Entra ID are not the only source of evidence in a cloud-based case, and you should always correlate and validate your findings with other data sources where possible. 
<\/p>\n<p>To access further information on what data lies in these logs and how you can access them, reference the following blog posts from the Microsoft Incident Response team:<\/p>\n<ul>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/forensic-artifacts-in-office-365-and-where-to-find-them\/ba-p\/3634865\" target=\"_blank\" rel=\"noreferrer noopener\">Forensic artifacts in Office 365 and where to find them\u2014Microsoft Community Hub<\/a>.<\/li>\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-security-experts-blog\/good-ual-hunting\/ba-p\/3718421\" target=\"_blank\" rel=\"noreferrer noopener\">Good UAL Hunting\u2014Microsoft Community Hub<\/a>.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a>.<\/p>\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website.<\/a>&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. 
Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and Twitter (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/01\/17\/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity\/\">New Microsoft Incident Response guides help security teams analyze suspicious activity<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Wed, 17 Jan 2024 18:00:00 +0000<\/strong><\/p>\n<p>Access the first two cloud investigation guides from Microsoft Incident Response to improve triage and analysis of data in Microsoft 365 and Microsoft Entra ID.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/01\/17\/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity\/\">New Microsoft Incident Response guides help security teams analyze suspicious activity<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security 
Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[21481],"class_list":["post-23756","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-microsoft-365"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23756"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23756\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23756"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}