When conducting investigations, having access to Unified Audit Logs (UALs) from Microsoft 365 (M365) environments is crucial. These logs help investigators trace activities within an organization, covering everything from user login attempts to changes made in Azure Active Directory (AD) and Exchange Online.
There are two primary ways for investigators to search and filter through UALs:
Via the Microsoft 365 web interface for basic investigation.
Using ready-made script frameworks to automate data acquisition and conduct more in-depth, offline analysis.
While the M365 interface is helpful for small-scale operations, using PowerShell scripts or specialized tools can save a lot of time in larger investigations. This article will walk you through the process of acquiring Office 365 logs, setting up acquisition accounts, and leveraging open-source tools to make investigations more efficient.
---------------------------------------------------------------------------------------------------------
Setting Up a User Account for Log Acquisition
To extract logs for analysis, you need to set up a special user account in M365 with specific permissions that provide access to both Azure AD and Exchange-related information. This process requires setting up roles in both the Microsoft 365 Admin Center and the Exchange Admin Center.
Step 1: Create an Acquisition Account in M365 Admin Center
Go to the M365 Admin Center.
Create a new user account.
Assign the Global Reader role to the account. This role grants access to Unified Audit Logs (UALs).
Step 2: Set Up Exchange Permissions
Next, you’ll need to set up permissions in the Exchange Admin Center:
Go to the Exchange Admin Center and create a new group.
Assign the Audit Log permission to the group. This role allows access to audit logs for Exchange activities.
Add the user you created in the M365 Admin Center to this group.
Now that the account has the necessary permissions, you are ready to acquire logs from Microsoft 365 for your investigation.
Note: If it becomes possible in the future, I will write a detailed blog post on how to set up the account and collect the logs manually.
---------------------------------------------------------------------------------------------------------
Automation: Using Ready-Made Acquisition Scripts
Several pre-built scripts make the process of acquiring Unified Audit Logs (UALs) and other cloud-based logs easier, especially when conducting large-scale investigations. Below are two of the most widely used frameworks:
1. DFIR-O365RC (Developed by ANSSI)
DFIR-O365RC is a powerful PowerShell-based tool developed by ANSSI, the French governmental Cyber Security Agency. This tool is designed to extract UAL data and integrate with Azure APIs to provide a more comprehensive view of the data.
Key Features:
Access to both UAL and multiple Azure APIs, allowing for more enriched data acquisition.
The tool is somewhat complex, but the GitHub page provides guidance on setup and usage.
Usage: Once you set up the Global Reader account and Audit Log permissions, you can use DFIR-O365RC to automate the extraction of logs. The tool provides a holistic view of available data, including enriched details from Azure AD and Exchange.
Reference:
2. Office-365-Extractor (Developed by PwC Incident Response Team)
Another useful tool is Office-365-Extractor, developed by PwC’s incident response team. This tool includes functional filters that let investigators fine-tune their extraction depending on the type of investigation they are running.
Key Features:
Functional filters for tailoring data extraction to specific investigation needs.
Complements PwC’s Business Email Compromise (BEC) investigation guide, which offers detailed instructions on analyzing email compromises in Office 365 environments.
Usage: Investigators can quickly set up the tool and begin filtering logs by specific criteria like user activity, mailbox access, or login attempts.
Both DFIR-O365RC and Office-365-Extractor provide a more streamlined approach for handling larger volumes of data, making it easier to manage in-depth investigations without running into the limitations of the Microsoft UI.
---------------------------------------------------------------------------------------------------------
Tool I prefer
Microsoft Extractor Suite: Another Cloud-Based Log Acquisition Tool
In addition to the tools mentioned above, there is another robust tool known as the Microsoft Extractor Suite. It is considered one of the best options for cloud-based log analysis and acquisition. Though we won’t dive into full details in this article, it’s worth noting that this tool is highly recommended for investigators dealing with larger or more complex environments.
---------------------------------------------------------------------------------------------------------
Why Automated Tools Are Crucial for Large-Scale Investigations
While the M365 UI is convenient for smaller investigations, its limitations become apparent during large-scale data acquisitions. Automated scripts not only save time but also allow for more thorough and efficient data collection. These tools can help investigators get around the API export limitations, ensuring that no critical data is missed.
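The export limitation these tools work around is the 5,000-record cap per Search-UnifiedAuditLog call (and 50,000 per paging session). The script below is an added example, not code from this post or from any of the tools it names: it shows the paging loop that an acquisition script has to implement so a large window is not silently truncated. The account UPN, the time window, the output path and the chunk size are assumed values.

```powershell
# Added example: page through Unified Audit Log records for a time window,
# so the 5,000-record ResultSize cap does not truncate the export.
# Assumes the ExchangeOnlineManagement module is installed and that the
# acquisition account set up above (Global Reader + Audit Logs role group)
# is used. UPN, window, chunk size and output path are constructed values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "acquisition@example.onmicrosoft.com"

$start      = (Get-Date).AddDays(-7)
$end        = Get-Date
$chunkHours = 12    # keep each window well under the 50,000-record session ceiling
$outFile    = "C:\Acquisition\ual-$($start.ToString('yyyyMMdd')).jsonl"

$total = 0
$windowStart = $start
while ($windowStart -lt $end) {
    $windowEnd = $windowStart.AddHours($chunkHours)
    if ($windowEnd -gt $end) { $windowEnd = $end }

    # One SessionId per window; ReturnLargeSet pages through that window
    # until a call returns fewer than ResultSize records.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            # AuditData holds the event itself as JSON; write one event per line
            # so offline tooling can stream the file.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $outFile
            $total += $page.Count
            Write-Host ("{0:u} - {1:u}: {2} records" -f $windowStart, $windowEnd, $page.Count)
        }
    } while ($page -and $page.Count -eq 5000)

    $windowStart = $windowEnd
}

Write-Host "Exported $total records to $outFile"
Disconnect-ExchangeOnline -Confirm:$false
```

ReturnLargeSet returns records unsorted and can repeat some across pages, so deduplicate on the Identity field before analysis.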
Additionally, data science methodologies can be applied to the collected logs to uncover patterns, trends, or anomalies that might otherwise go unnoticed in manual analysis. As cloud-based environments continue to grow in complexity, leveraging these automation frameworks becomes increasingly essential for effective incident response.
---------------------------------------------------------------------------------------------------------
Final Thoughts and Next Steps
In conclusion, the combination of Microsoft 365 Admin Center, Exchange Admin Center, and automated tools like DFIR-O365RC and Office-365-Extractor provides investigators with a powerful framework for extracting and analyzing Office 365 logs. Setting up the right user accounts with appropriate roles is the first step, followed by leveraging these scripts to automate the process, ensuring no data is overlooked.
Stay tuned for a detailed guide on the Microsoft Extractor Suite, which we’ll cover in an upcoming blog post. Until then, happy investigating!
Akash Patel