
Preparing Your Microsoft Office 365 Environment for Forensic Analysis

Written By: Robyn Wilson


Microsoft Office 365 (O365)

Microsoft’s Office 365 adoption continues to grow among larger enterprises, with small and medium-sized businesses adopting at lower rates.

With this market share comes increasing needs for administrators and analysts to further understand the activities taking place in their cloud environments.

Office 365 offers several different business license types. Currently, these types offer different capabilities in the security and auditing area, in addition to main differentiators such as mailbox size and Office application availability.

As features are always being updated, referencing Microsoft’s offering for Small Business and Enterprise is always a good idea, but key security features available in at least one of the offerings or add-ons are:

  • Exchange Online Protection – helps protect email against spam, malware and other threats
  • Security and privacy controls
  • Security groups/permissions
  • Policy creation and enforcement (e.g. passwords)
  • Advanced Threat Protection – helps protect against ransomware, advanced malware
  • Remote wipe of company data from devices
  • Restrict copying/saving company information to unauthorized apps
  • Information Rights Management – do-not-forward and similar policies
  • Windows Defender Exploit Guard – Windows 10 malware protection

Enabling Auditing

It is important to know that auditing may not be enabled currently in the Office 365 environment you manage.

While this setting may change in future O365 updates, if you are unsure of your Office 365 auditing status, you can check it in the Security & Compliance admin center > Search & investigations > Audit log search.

Below you can see that there is a notification that auditing needs to be enabled – and this was the default config for an Enterprise trial.

Enabling Auditing

Step 1: To enable auditing, follow the directions seen in the yellow banner.

If you don’t see the banner, auditing at this level has already been turned on and you should be able to search.

Alternatively, you can connect via PowerShell and run the following command to accomplish the same task: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Step 2: Additionally, given that Exchange and email activities are often the first line in understanding the scope of an incident and performing forensic analysis, you’ll also want to ensure that mailbox audit logging is enabled by following these PowerShell steps outlined by Microsoft.

This will allow you to see Exchange results in the above audit log. Currently, mailbox audit logging is not enabled by default in all instances, but Microsoft is changing this.
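The two steps above can be carried out and verified from one PowerShell session. The script below is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role permitted to change audit configuration, and uses a 90-day mailbox audit retention as an illustrative value.

```powershell
# Added example (not from the original post): enable and verify Office 365 auditing.
# Assumes the ExchangeOnlineManagement module is installed and the account has
# sufficient Exchange Online permissions (assumption, not stated by the post).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Step 1: unified audit log ingestion (the same setting the Admin Center banner enables)
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion enabled."
} else {
    Write-Host "Unified audit log ingestion was already enabled."
}

# Organization-level check: if AuditDisabled is $true, per-mailbox settings are ignored
Get-OrganizationConfig | Select-Object AuditDisabled

# Step 2: per-mailbox audit logging for every user mailbox
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    if (-not $mbx.AuditEnabled) {
        # 90 days is an illustrative retention value; adjust to your policy
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 90
        Write-Host "Enabled mailbox auditing for $($mbx.UserPrincipalName)"
    }
}

# Verify: list any user mailboxes that still have auditing turned off
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit
```

Run the verification query a second time after the changes; an empty result means every user mailbox now writes audit records into the unified log searched from the Admin Center.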

Logging Uses

What does auditing enable for you? As you can see in the above screenshot, you’ll be able to run searches from the Admin Center on logs for the past 90 days (or longer, as Microsoft appears to be making steps toward extending this to a year for some subscription types).

The actions you can search on are grouped into these activity categories:

  • File, folder, and page
  • Sharing and access requests
  • Synchronization
  • Site permission and administration
  • Exchange mailbox
  • Sway
  • User and Azure AD group administration
  • Application administration
  • Role and directory administration
  • eDiscovery
  • Power BI
  • Microsoft Kaizala
  • Microsoft Workplace Analytics
  • Microsoft Teams
  • Dynamics 365
  • Microsoft Flow
  • Microsoft Stream

Log Collection, Review and Analysis

Listed below are some examples of the logging that we have found helpful in our Digital Forensics and Incident Response practice.

Note that these logs were pulled via the Hawk tool, but many others exist to help you collect and gather the information necessary to help reconstruct activities.

Example 1 – Office 365 Malware Report

This report shows suspected malware sent into and out of the Office 365 environment.

Note that some columns are hidden for readability (total bytes, message ID, network id, etc.) and other details have been generalized for simplicity.

O365 Malware Report

Example 2 – Azure AD Authentication

Logs for a particular user, as obtained from the Hawk tool, showing a pattern of potentially unusual login attempts. As above, columns have been hidden for readability and information has been simplified.

O365 Malware Report
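The Azure AD authentication pattern above was pulled with Hawk, but the same records can be retrieved directly from the unified audit log described in the Logging Uses section. The script below is an added example, not code from the original post or from the Hawk project; it assumes an active Connect-ExchangeOnline session, and the user principal name and output path are placeholders.

```powershell
# Added example (not from the original post): pull Azure AD sign-in records for one
# user from the unified audit log and summarize them for review.
# Assumes Connect-ExchangeOnline has already been run in this session.
$start = (Get-Date).AddDays(-30)   # 30 days is an illustrative window
$end   = Get-Date
$user  = "user@example.com"        # placeholder UPN, not from the post

# Search-UnifiedAuditLog returns at most 5000 records per call
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectoryStsLogon -UserIds $user -ResultSize 5000

# AuditData is a JSON string; expand it into objects with the event fields
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Failed sign-ins grouped by source IP, most frequent first
Write-Host "Failed sign-ins by client IP:"
$events | Where-Object { $_.Operation -eq 'UserLoginFailed' } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Successful sign-ins from IPs that also produced failures (worth a closer look)
$failedIps = ($events | Where-Object { $_.Operation -eq 'UserLoginFailed' }).ClientIP | Select-Object -Unique
Write-Host "Successful sign-ins from IPs with prior failures:"
$events | Where-Object { $_.Operation -eq 'UserLoggedIn' -and $failedIps -contains $_.ClientIP } |
    Select-Object CreationTime, ClientIP, ResultStatus | Sort-Object CreationTime | Format-Table -AutoSize

# Full timeline exported for the case file (placeholder path)
$events | Select-Object CreationTime, UserId, Operation, ClientIP, ResultStatus |
    Sort-Object CreationTime |
    Export-Csv -Path .\aad-signins.csv -NoTypeInformation
```

The same pattern, with -RecordType ExchangeItem or ExchangeAdmin, retrieves the Exchange mailbox category from the activity list above; the AuditData fields differ per record type, so inspect one expanded event before choosing which properties to select.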

For a deeper understanding of activities occurring in your Office 365 environment, contact VerSprite.
