![Azure | Cloud Spells](data:image/svg+xml,%3Csvg xmlns="http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg" width="256" height="256" viewBox="0 0 256 256"%3E%3Cg fill="none"%3E%3Crect width="256" height="256" fill="%23242938" rx="60"%2F%3E%3Cpath fill="url(%23skillIconsAzureDark0)" d="M94.674 34.002h59.182L92.42 216.032a9.436 9.436 0 0 1-8.94 6.419H37.422a9.42 9.42 0 0 1-9.318-8.026a9.42 9.42 0 0 1 .39-4.407L85.733 40.421A9.437 9.437 0 0 1 94.674 34v.002Z"%2F%3E%3Cpath fill="%230078D4" d="M180.674 156.095H86.826a4.34 4.34 0 0 0-4.045 2.75a4.344 4.344 0 0 0 1.079 4.771l60.305 56.287a9.484 9.484 0 0 0 6.468 2.548h53.141l-23.1-66.356Z"%2F%3E%3Cpath fill="url(%23skillIconsAzureDark1)" d="M94.674 34.002a9.36 9.36 0 0 0-8.962 6.544L28.566 209.863a9.412 9.412 0 0 0 8.882 12.588h47.247a10.106 10.106 0 0 0 7.75-6.592l11.397-33.586l40.708 37.968a9.631 9.631 0 0 0 6.059 2.21h52.943l-23.22-66.355l-67.689.016l41.428-122.11H94.675Z"%2F%3E%3Cpath fill="url(%23skillIconsAzureDark2)" d="M170.264 40.412a9.417 9.417 0 0 0-8.928-6.41H95.379a9.421 9.421 0 0 1 8.928 6.41l57.241 169.604a9.433 9.433 0 0 1-1.273 8.509a9.43 9.43 0 0 1-7.655 3.928h65.959a9.43 9.43 0 0 0 7.654-3.929a9.424 9.424 0 0 0 1.272-8.508L170.264 40.412Z"%2F%3E%3Cdefs%3E%3ClinearGradient id="skillIconsAzureDark0" x1="116.244" x2="54.783" y1="47.967" y2="229.54" gradientUnits="userSpaceOnUse"%3E%3Cstop stop-color="%23114A8B"%2F%3E%3Cstop offset="1" stop-color="%230669BC"%2F%3E%3C%2FlinearGradient%3E%3ClinearGradient id="skillIconsAzureDark1" x1="135.444" x2="121.227" y1="132.585" y2="137.392" gradientUnits="userSpaceOnUse"%3E%3Cstop stop-opacity=".3"%2F%3E%3Cstop offset=".071" stop-opacity=".2"%2F%3E%3Cstop offset=".321" stop-opacity=".1"%2F%3E%3Cstop offset=".623" stop-opacity=".05"%2F%3E%3Cstop offset="1" stop-opacity="0"%2F%3E%3C%2FlinearGradient%3E%3ClinearGradient id="skillIconsAzureDark2" x1="127.625" x2="195.091" y1="42.671" y2="222.414" gradientUnits="userSpaceOnUse"%3E%3Cstop stop-color="%233CCBF4"%2F%3E%3Cstop offset="1" stop-color="%232892DF"%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3C%2Fg%3E%3C%2Fsvg%3E)
- Summary
- Security Policies and Rules
- Alert Policies
- Unified Audit Log
- Graph API
- Graph API Logging
- Graph API Permissions
- Interesting articles regarding Graph API permissions:
- Interesting Hunting and Forensic Tools
- AADInternals by Nestory
- AzureHunter
Summary
Cloud cyber forensics and incident response have become increasingly important in today's cloud-first digital landscape. They have become critical components of any organization's cybersecurity strategy. With the rise of cloud computing, it is essential to have a solid understanding of how to conduct digital forensics in the cloud.
This section will cover tradecraft knowledge, tools, and techniques for Cloud DFIR.
Security Policies and Rules
To access or edit alert policies and rules head to: https://security.microsoft.com/securitypoliciesandrules
There are four types of security policies and rules:
- Threat Policies
- Alert Policies: simple alerts that show up in Microsoft 365 Security
- Advanced Alerts: essentially Office 365 Cloud App Security (UEBA, OAuth monitoring, shadow IT apps, etc.)
- Activity Alerts: these is the old version of Security & Compliance alerts, which is now being re-designed in the Alert Policies section. Not all of the activity categories are in Alert Policies though, which is why the Activity Alerts section contains a more prolific list of potential events to alert on.
NOTE: For a list of audited activities head here
Alert Policies
You can use the alert policy and alert dashboard tools in the Microsoft 365 security and compliance centers to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy
- Information on https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
- The majority of the alerts that can be created via this policy relate to user actions on Files and Emails. It contains actions that apply to Sharepoint and OneDrive.
- You can also create alert policies by using the New-ProtectionAlert cmdlet in Security & Compliance Center PowerShell.
- It takes up to 24 hours after creating or updating an alert policy before alerts can be triggered by the policy. This is because the policy has to be synced to the alert detection engine.
- Microsoft 365 generates an alert that’s displayed on the View alerts page in the Security & Compliance Center
- To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the security and compliance center.
Unified Audit Log
The unifiedauditlog has a schema that varies depending on the type of service generating the log (Teams, SharePoint, Azure, ExchangeOnline, etc.). Data returned, regardless of the service of origin, contains an Audit Data section which has a combination of attributes. These attributes are described here: https://docs.microsoft.com/en-us/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log?view=o365-worldwide.
NOTE: For the category of events that relate to logons, it’s important to look at the audit data section for the LogonType attribute which details the type of principal logging in. This way we can create rules that filter for things like Type 1 which indicates an administrator. Another relevant attribute to detect admin or application activity is UserType.
Graph API
Graph API Logging
There are a few things to consider when doing DFIR on Azure and O365 using Graph API:
- Not all actions in the Graph API are logged to UAL or Azure AD
- Read Operations are usually not logged
- Write Operations are usually logged, but there are lots of gaps and poor documentation as to what is effectively reflected on the logs
Graph API Permissions
Documentation on scope and permissions for Azure AAD Graph API can be found in the official KB: https://docs.microsoft.com/en-us/graph/permissions-reference/
Interesting articles regarding Graph API permissions:
- https://matthewdavis111.com/msgraph/azure-ad-permission-details/
- Great website containing a Graph API explorer!: https://graphpermissions.merill.net/permission/index.html
Interesting Hunting and Forensic Tools
AADInternals by Nestory
AADInternals is PowerShell module for administering Azure AD and Office 365. For details, please visit http://o365blog.com/aadinternals
Repo: https://github.com/Gerenios/AADInternals
AzureHunter
Of course, I will take notes about my own tool in here ;) A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365