sirvur.blogg.se

Aad logs
Today, I'm going to start my incident response series, where I will focus on Azure Active Directory and Office 365. What are the steps that we have to take when doing an IR engagement in a cloud environment? Incident response is a broad topic and it's hard to cover every specific detail, so I've decided to split it into a series of blog posts. Today's focus will be on collecting logs in a cloud environment to perform further analysis. This blog post is targeted at the incident response audience, or security professionals with an interest in doing IR, with the main focus on Azure AD.

Every step that an adversary takes will leave some form of trace behind in the logging. The goal of this blog post is to learn more about how logging works in Azure AD and how we can collect it to use it for forensics.

Logs are usually one of the first places to look at, but now the question would be: what kind of logs can or should we collect?

- All the sign-in events of user principals
- All the activities in Azure AD, such as modification of objects
- All the activities in Office 365, with the likes of Exchange, SharePoint and Teams

There are other logs as well, such as Azure Activity, but for now the focus will be Azure AD & Office 365.

As we all know, the majority of organizations don't have Azure Sentinel or Log Analytics in place to monitor and alert on threats, or maybe even on changes that occur in their tenant. The good thing is that we are able to export the logs that have been generated, which allows us to get all the relevant data to analyse.

An organization has called you because there was a breach in their tenant. They have created an account for you with Global Reader rights, so you can access their environment, and, as discussed earlier, the logs are the first place to look when doing an IR engagement.

The first logs that we are going to export will be the Azure Active Directory Audit logs and the Sign-in logs. In order to do this, we have to do the following: open the Azure Active Directory blade in the Azure portal and click on 'Audit logs'. As you will notice, there is a 'Download' button that we can use to download the logs from the past 30 days. Do the same for the Sign-in logs by clicking on 'Sign-ins'.

An important thing to note is that the download is limited to 250,000 records; it returns the most recent records, so apply a filter (on a user, an application or a narrower date range) before downloading if the tenant generates more events than that in the window you care about. Also, the 30 days of retention assumes an Azure AD Premium P1 or P2 licence; a tenant on the free tier only keeps 7 days of sign-in and audit logs in the portal.

When we open the CSV files, it will look something similar to this:

Azure Active Directory – Interactive Sign-in Logs.

We have now downloaded both Azure AD Audit logs and Sign-in logs. As you may have noticed, it is very hard to analyze the data in a CSV file. What we also have to remember is that we only get the logs from the past 30 days, but what if an incident occurred earlier than that? The reason that I did include this is because it is true that the Office 365 unified audit log also ingests events from Azure AD.
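To show what "analyzing the CSV" can look like in practice, here is an added example (my own code, not part of the original post) that parses a sign-in export, warns when the file hit the portal's 250,000-record cap (meaning older events are simply missing), and runs three quick triage checks: IPs that failed against several accounts (password spraying), successful sign-ins over legacy authentication protocols, and accounts where a success follows an earlier failure from the same IP. The column names are an assumption based on the portal's Interactive sign-ins export and are trimmed to the ones the triage needs; the sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of the portal's "Interactive sign-ins" CSV
# export. The column names are an assumption based on that export and are
# trimmed to the ones this triage needs; a real export carries many more.
SAMPLE_SIGNINS_CSV = """\
Date (UTC),User,Username,Application,Status,Sign-in error code,Failure reason,Client app,IP address,Location
2021-03-02T08:01:12Z,Alice,alice@contoso.com,Office 365 Exchange Online,Success,0,Other,Browser,203.0.113.10,"Amsterdam, NH, NL"
2021-03-02T08:03:40Z,Alice,alice@contoso.com,Office 365 Exchange Online,Failure,50126,Invalid username or password,Authenticated SMTP,198.51.100.7,"Lagos, LA, NG"
2021-03-02T08:03:41Z,Bob,bob@contoso.com,Office 365 Exchange Online,Failure,50126,Invalid username or password,Authenticated SMTP,198.51.100.7,"Lagos, LA, NG"
2021-03-02T08:03:42Z,Carol,carol@contoso.com,Office 365 Exchange Online,Failure,50126,Invalid username or password,Authenticated SMTP,198.51.100.7,"Lagos, LA, NG"
2021-03-02T08:05:09Z,Carol,carol@contoso.com,Office 365 Exchange Online,Success,0,Other,Authenticated SMTP,198.51.100.7,"Lagos, LA, NG"
2021-03-02T09:10:00Z,Bob,bob@contoso.com,Azure Portal,Success,0,Other,Browser,203.0.113.10,"Amsterdam, NH, NL"
"""

# The portal's CSV download returns at most this many (most recent) records.
PORTAL_EXPORT_CAP = 250_000

# Client apps that use legacy authentication. They cannot enforce MFA, which
# is why they are the usual vehicle for password spraying.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "IMAP4", "POP3",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
}


def parse_signins(text):
    """Parse an exported sign-in CSV into dicts, sorted oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Date (UTC)"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Location is "City, State, CC"; the last component is the country.
        row["country"] = row["Location"].rsplit(",", 1)[-1].strip()
    rows.sort(key=lambda r: r["ts"])
    return rows


def export_is_truncated(rows):
    """True when the file hit the portal's cap, so older events are missing."""
    return len(rows) >= PORTAL_EXPORT_CAP


def triage(rows, spray_min_users=3):
    """Return the indicators worth a closer look from a sign-in export."""
    failed_users_by_ip = defaultdict(set)
    failed_ips_by_user = defaultdict(set)
    legacy_success = []
    failure_then_success = []
    for row in rows:  # time-ordered, so "earlier failure" is well defined
        user, ip = row["Username"].lower(), row["IP address"]
        if row["Status"] == "Failure":
            failed_users_by_ip[ip].add(user)
            failed_ips_by_user[user].add(ip)
            continue
        if row["Status"] != "Success":  # e.g. "Interrupted"
            continue
        if row["Client app"] in LEGACY_CLIENT_APPS:
            legacy_success.append((row["ts"].isoformat(), user, ip, row["Client app"]))
        # A success from an IP that already failed against the same account is
        # the strongest sign that the guessing paid off.
        if ip in failed_ips_by_user[user]:
            failure_then_success.append((row["ts"].isoformat(), user, ip, row["country"]))
    spray_ips = sorted(ip for ip, users in failed_users_by_ip.items() if len(users) >= spray_min_users)
    return {
        "spray_ips": spray_ips,
        "legacy_auth_success": legacy_success,
        "failure_then_success": failure_then_success,
    }


if __name__ == "__main__":
    signins = parse_signins(SAMPLE_SIGNINS_CSV)
    if export_is_truncated(signins):
        print(f"warning: {len(signins)} rows; export hit the portal cap, older events are missing")
    for name, hits in triage(signins).items():
        print(name, hits)
```

On the sample, 198.51.100.7 shows up as a spraying source (three accounts failed from it within seconds over Authenticated SMTP), and Carol's later success from the same IP over the same legacy protocol is the lead to chase first. To run this on a real export, read the downloaded file with `open(path, encoding="utf-8-sig")` (the portal export starts with a BOM) and pass its contents to `parse_signins`.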