# Conducting a Cybersecurity Investigation in Azure O365 Environment

ToddMaxey/Technical-Documentation GitHub Wiki

Conducting a cybersecurity investigation in an Azure/O365 environment requires a careful and systematic approach. The Microsoft Graph API and PowerShell are the two main tools for examining the relevant logs and activity and for establishing the scope of a compromise. This page consolidates the Graph API queries and PowerShell commands into a single guideline for running such an investigation.

#### **Prerequisite**

**Objective**: Required setup.

Install the necessary PowerShell modules (if they are not already installed), then authenticate to the Azure and Office 365 services with appropriate credentials:

```PowerShell
# Install the modules used throughout this guide (once per workstation)
Install-Module -Name MSOnline
Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement

# Prompt for the investigator's credentials and connect to each service
$credential = Get-Credential
Connect-MsolService -Credential $credential
Connect-AzureAD -Credential $credential
Connect-ExchangeOnline -Credential $credential
```

Make sure the modules (MSOnline, AzureAD, and ExchangeOnlineManagement) are installed and imported before running the commands in the sections below.

#### **1.1 User Account Verification and Profile Examination**

**Objective**: To validate the user's identity and review any unauthorized modifications to the user profile.

Graph API Queries:

  • Gather information about the user in question:

```
GET https://graph.microsoft.com/v1.0/users/{user_id}
```

PowerShell Commands:

  • Get details about the user account:

```PowerShell
Get-AzureADUser -ObjectId '{user_id}'
```

#### **1.2 Sign-in and Login Analysis**

**Objective**: To scrutinize the sign-in logs for signs of suspicious or unauthorized access, including unusual patterns or sign-ins from unfamiliar locations.

Graph API Queries:

  • Query sign-in logs:

```
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=userPrincipalName eq '{user_email}' and (createdDateTime ge {start_time} and createdDateTime le {end_time})
```

PowerShell Commands:

  • Retrieve detailed sign-in logs:

```PowerShell
Get-AzureADAuditSignInLogs -Filter "UserId eq '{user_id}' and CreatedDateTime ge {start_time} and CreatedDateTime le {end_time}"
```

#### **1.3 Unusual Activity Patterns**

**Objective**: To identify anomalous patterns such as multiple failed login attempts or access from previously unused devices.

Graph API Queries:

  • Detect unusual activity patterns:

```
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=(activityDateTime ge {start_time} and activityDateTime le {end_time}) and targetResources/any(tr:tr/displayName eq '{user_email}') and result eq 'failure'
```
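The sign-in review in 1.2 and the anomaly hunt in 1.3 can be combined into one triage pass. The script below is an added example, not part of the original page: it pulls the user's sign-ins for an investigation window and for a baseline window before it, flags sign-ins from IP addresses or countries never seen in the baseline, and lists IPs with clusters of failed attempts. It assumes `Connect-AzureAD` has already run, that the AzureADPreview module (which provides `Get-AzureADAuditSignInLogs`) is loaded, and that `{user_email}`, the window lengths and the failure threshold are placeholders to adjust.

```powershell
# Added example (not from the original page). Assumes Connect-AzureAD has run and
# Get-AzureADAuditSignInLogs (AzureADPreview) is available; values below are placeholders.
$Upn           = '{user_email}'
$WindowStart   = (Get-Date).AddDays(-7)    # investigation window: last 7 days
$BaselineStart = (Get-Date).AddDays(-37)   # baseline: the 30 days before the window
$FailThreshold = 5                         # failures from one IP that count as a cluster

function Get-SignIns([datetime]$From, [datetime]$To) {
    # Graph expects ISO 8601 UTC timestamps in $filter; 'o' gives that format
    $f = "userPrincipalName eq '$Upn' and createdDateTime ge $($From.ToUniversalTime().ToString('o')) and createdDateTime le $($To.ToUniversalTime().ToString('o'))"
    Get-AzureADAuditSignInLogs -All $true -Filter $f
}

$Baseline = Get-SignIns $BaselineStart $WindowStart
$Recent   = Get-SignIns $WindowStart (Get-Date)

# What "normal" looked like for this user before the window
$KnownIps       = $Baseline | ForEach-Object IpAddress | Sort-Object -Unique
$KnownCountries = $Baseline | ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique

# 1. Sign-ins in the window from an IP or country absent from the baseline
$Recent |
    Where-Object { $_.IpAddress -notin $KnownIps -or $_.Location.CountryOrRegion -notin $KnownCountries } |
    Select-Object CreatedDateTime, IpAddress,
        @{n='Country';   e={ $_.Location.CountryOrRegion }},
        AppDisplayName, ClientAppUsed,
        @{n='ErrorCode'; e={ $_.Status.ErrorCode }} |      # 0 = successful sign-in
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 2. IPs with repeated failures (password spraying / guessing shows up here)
$Recent |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object IpAddress |
    Where-Object Count -ge $FailThreshold |
    Select-Object Count, Name,
        @{n='Reasons'; e={ ($_.Group.Status.FailureReason | Sort-Object -Unique) -join '; ' }} |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A successful sign-in from an IP that also appears in the failure clusters is the pattern to prioritise, because it indicates the guessing eventually worked.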

#### **2. Detailed Investigation**

**Power Tip**: Use the `Search-UnifiedAuditLog` cmdlet to pull the O365 audit and mailbox logs with one command.

  • `Search-UnifiedAuditLog -StartDate "06/20/1975" -EndDate "02/10/2008" -FreeText "{user_email}" -ResultSize 5000 | Export-Csv C:\temp\UniAuditLog.csv -NoTypeInformation`
  • The `-FreeText` parameter restricts the results to records in which the given text appears.
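`-ResultSize 5000` is the maximum a single `Search-UnifiedAuditLog` call returns, so a busy mailbox or a long window silently truncates the one-liner above. The script below is an added example, not part of the original page: it pages through the full result set with a session, then expands the `AuditData` JSON that each record carries (the client IP, operation and target object live there, not in the top-level columns). It assumes `Connect-ExchangeOnline` has already run; `{user_email}`, the window and the output path are placeholders.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline has run;
# the user, window and output path are placeholders.
$UserEmail = '{user_email}'
$Start     = (Get-Date).AddDays(-30)
$End       = Get-Date
$OutFile   = 'C:\temp\UniAuditLog.csv'

# A unique SessionId scopes the paging; ReturnLargeSet hands back the next 5000 records
# on each call until the set is exhausted and an empty result comes back.
$SessionId = 'Investigation-' + [guid]::NewGuid().ToString()
$All = New-Object System.Collections.Generic.List[object]

do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $UserEmail `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Page) { $All.AddRange(@($Page)) }
} while ($Page.Count -gt 0)

# AuditData is a JSON string; pull out the fields an analyst actually pivots on
$Expanded = $All | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        RecordType   = $_.RecordType
        Workload     = $d.Workload
        Operation    = $d.Operation
        UserId       = $d.UserId
        ClientIP     = $d.ClientIP
        ObjectId     = $d.ObjectId
        ResultStatus = $d.ResultStatus
    }
}
$Expanded | Sort-Object CreationDate | Export-Csv -Path $OutFile -NoTypeInformation

# Quick triage views: which operations occurred, and from which client IPs
$Expanded | Group-Object Operation | Sort-Object Count -Descending | Select-Object Count, Name
$Expanded | Where-Object ClientIP | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name
```

The same paging loop applies to the `Search-UnifiedAuditLog` commands in sections 2.2 and 2.3; add `-Operations` or `-FreeText` to it as those sections do.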

#### **2.1 Email Analysis**

**Objective**: To scrutinize email messages and accesses to unearth any suspicious activities, including unauthorized email forwarding rules.

Graph API Queries:

  • Check email access logs:

```
GET https://graph.microsoft.com/v1.0/users/{user_id}/messages?$filter=receivedDateTime ge {start_time} and receivedDateTime le {end_time}
```

PowerShell Commands:

  • Retrieve detailed mailbox audit logs:

```PowerShell
Search-MailboxAuditLog -Mailboxes '{user_email}' -StartDate '{start_date}' -EndDate '{end_date}' -Operations 'SendOnBehalf', 'SendAs', 'HardDelete', 'SoftDelete', 'Update', 'MoveToDeletedItems'
```
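The objective of this section names forwarding rules, but neither command above enumerates them. The script below is an added example, not part of the original page: it checks the three places mail can be silently diverted out of a mailbox in Exchange Online, which is to say mailbox-level forwarding, inbox rules (including hidden ones) that forward, redirect or delete, and organization-wide transport rules that copy or redirect messages. It assumes `Connect-ExchangeOnline` has already run; `{user_email}` is a placeholder.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline has run;
# '{user_email}' is a placeholder for the mailbox under investigation.
$Mailbox = '{user_email}'

# 1. Mailbox-level forwarding (set with Set-Mailbox or in the admin portal).
#    DeliverToMailboxAndForward = $true means the owner still sees mail and may not notice.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 2. Inbox rules that move mail out of the mailbox or hide it. -IncludeHidden also returns
#    rules that Outlook on the web does not display.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, Description |
    Format-List

# 3. Transport (mail flow) rules that copy or redirect mail at the organization level;
#    these apply to every mailbox and are easy to overlook when only one user is in scope.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, Priority, WhenChanged, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients |
    Format-List
```

Any external address returned by the first two checks should be reconciled against the `New-InboxRule`, `Set-InboxRule` and `Set-Mailbox` records in the unified audit log to establish who created it and from which client IP.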

#### **2.2 File and Data Access Analysis**

**Objective**: To investigate the files accessed or modified, thereby identifying any unauthorized data access or alterations.

Graph API Queries:

  • Examine file access and modification logs:

```
GET https://graph.microsoft.com/v1.0/users/{user_id}/drive/root/delta
```

PowerShell Commands:

  • Extract SharePoint and OneDrive audit logs:

```PowerShell
Search-UnifiedAuditLog -StartDate '{start_date}' -EndDate '{end_date}' -Operations 'FileAccessed', 'FileModified', 'FileDeleted' -UserIds '{user_email}'
```

#### **2.3 Application and Service Usage Analysis**

**Objective**: To gauge the usage and access logs of various applications and services for any irregularities.

Graph API Queries:

  • Inspect application usage and access logs:

```
GET https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=(activityDateTime ge {start_time} and activityDateTime le {end_time}) and targetResources/any(tr:tr/displayName eq '{user_email}')
```

PowerShell Commands:

  • Retrieve service and application audit logs:

```PowerShell
Search-UnifiedAuditLog -StartDate '{start_date}' -EndDate '{end_date}' -Operations 'Add-MailboxPermission', 'Add-RoleGroupMember', 'Set-Mailbox', 'Set-User' -UserIds '{user_email}'
```

#### **2.4 Permissions and Role Analysis**

**Objective**: To review the roles and permissions bestowed upon the user and pinpoint any unauthorized privilege escalations.

Graph API Queries:

  • Analyze user roles and permissions:

```
GET https://graph.microsoft.com/v1.0/users/{user_id}/memberOf
```
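A privilege escalation leaves two traces: a current role membership and the role-management event that created it, and the section above only covers the first. The script below is an added example, not part of the original page: it lists the activated directory roles the user holds and then the role-management audit events in the investigation window, so an unexpected membership can be matched to the actor who granted it. It assumes `Connect-AzureAD` has already run and that the AzureADPreview module (which provides `Get-AzureADAuditDirectoryLogs`) is loaded; `{user_email}` and the window length are placeholders.

```powershell
# Added example (not from the original page). Assumes Connect-AzureAD has run and
# Get-AzureADAuditDirectoryLogs (AzureADPreview) is available; values are placeholders.
$User        = Get-AzureADUser -ObjectId '{user_email}'
$WindowStart = (Get-Date).AddDays(-30).ToUniversalTime().ToString('o')

# 1. Current memberships: walk every activated directory role and keep those containing the user
$Roles = Get-AzureADDirectoryRole | ForEach-Object {
    $role = $_
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $User.ObjectId } |
        ForEach-Object {
            [pscustomobject]@{ Role = $role.DisplayName; RoleTemplateId = $role.RoleTemplateId }
        }
}
$Roles | Format-Table -AutoSize

# 2. Role-management events in the window: who changed which role membership, and the outcome.
#    TargetResources carries the affected principal (UPN) and the role (display name).
Get-AzureADAuditDirectoryLogs -All $true `
    -Filter "category eq 'RoleManagement' and activityDateTime ge $WindowStart" |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{n='Actor';   e={ $_.InitiatedBy.User.UserPrincipalName }},
        @{n='Targets'; e={
            ($_.TargetResources | ForEach-Object {
                if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
            }) -join ', '
        }} |
    Sort-Object ActivityDateTime | Format-Table -AutoSize
```

An event whose actor is the investigated account itself, granting a role to another principal, widens the scope of the investigation to that principal.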

#### **3. Conclusion and Additional Measures**

  • After the analysis, consolidate all the information into a comprehensive report covering every potentially compromised, accessed, and altered entity in the Azure and O365 environment. Use this report to make an informed decision about the necessary actions, such as resetting passwords or temporarily disabling the account.

**Recommendations**:

  1. Implement multi-factor authentication (MFA) and strengthen security measures to prevent future compromises.
  2. Regularly review the Azure and Office 365 security policies to confirm they remain robust and up to date.
  3. Monitor Microsoft's documentation for changes and updates to the Graph API and PowerShell cmdlets.
  4. Replace `{user_id}`, `{user_email}`, `{start_time}`, `{end_time}`, `{start_date}`, and `{end_date}` with the actual user details and the investigation time frame.