Forensic Investigations in o365 - a short thread on why it’s getting harder and not easier for investigators. 1) Historically the first thing we used to do was enable an EMS E5 trial license in the customer tenant, as that allowed us to have 6 months of MCAS logs. This is gone!
Now, when you enable an MCAS trial, you must manually enable audit logging against O365, so there is no retroactive logs that magically appear 😩… it gets worse tho.. let’s talk about Azure AD “free.” This is what “E1 or E3” gets you
You get 7 days of AAD sign-in and audit logs
Historically when you enabled an AAD P1 or P2 or EMSE5 trial, you could go back 30 days. Now? When you enable the trials, no retroactive logs magically appear. 😭
So at this point the only forensic logs available in O365 beyond 7 days is the Security and Compliance Center Log…
Normally that log is limited to 90 days unless you have an E5 or Compliance Add-on, which extends the logs to 1 yr (or the new 10 yr add-on sku). But there are some limitations of using the web interface (like only 5,000 records at a time, etc). But I’ll end this on a happy note.
I just learned that if you use PowerShell, you can search up to 365 days even without an E5 license! So that’s good news! 🤫Search-UnifiedAuditLog –StartDate <StartDate> -EndDate <EndDate>
o365reports.com/2021/07/07/mic…
@ev_maus made a great point in the comments below: with GDPR you may not want logs collecting EU citizen IP’s beyond the length of time they consented. So I’m this case forensics must take a back seat to compliance. 🤷🏻‍♂️
some context for this rant… I often get called by random businesses to investigate account takeovers in their O365 tenant. These businesses sometimes have the bare minimum licenses and thus it’s hard to give these people answers when the logs are truncated 🥺

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Joe Stocker

Joe Stocker Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ITguySoCal

25 Dec 19
New phishing campaign successfully bypasses Microsoft ATP (Office ATP, Defender ATP, and Azure ATP). It also bypasses SmartScreen. Works by sending an .HTM attachment or .ZIP containing .HTM.
IOCs
instantrep.xyz
secured.com.awi-o.online
json.geoiplookup.io
The reason this attack is so effective at reaching inbox:
1. Originates from a compromised mailbox, so it passes SPF, DMARC and DKIM.
2. The .HTM is not malicious, so sandbox detonation is not a problem.
3. There is no remote URL attempted unless the user clicks their username.
I've received the same payload from two different compromised accounts at different companies. The body of the email is the same:
"Remittance advice required."
Firstname Lastname (of compromised user)
CFO
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

:(