Azure | Cloud Spells

Cloud cyber forensics and incident response have become increasingly important in today's cloud-first digital landscape. They have become critical components of any organization's cybersecurity strategy. With the rise of cloud computing, it is essential to have a solid understanding of how to conduct digital forensics in the cloud.

This section will cover tradecraft knowledge, tools, and techniques for Cloud DFIR.

Security Policies and Rules

To access or edit alert policies and rules, head to:

There are four types of security policies and rules:

  • Threat Policies
  • Alert Policies: simple alerts that show up in Microsoft 365 Security
  • Advanced Alerts: essentially Office 365 Cloud App Security (UEBA, OAuth monitoring, shadow IT apps, etc.)
  • Activity Alerts: this is the old version of Security & Compliance alerts, which is now being redesigned in the Alert Policies section. Not all of the activity categories are in Alert Policies yet, which is why the Activity Alerts section still offers a more extensive list of potential events to alert on.
NOTE: For a list of audited activities head here

Alert Policies

You can use the alert policy and alert dashboard tools in the Microsoft 365 security and compliance centers to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy.

  • Information on
  • The majority of the alerts that can be created via this policy relate to user actions on Files and Emails. It contains actions that apply to SharePoint and OneDrive.
  • You can also create alert policies by using the New-ProtectionAlert cmdlet in Security & Compliance Center PowerShell.
  • It takes up to 24 hours after creating or updating an alert policy before alerts can be triggered by the policy. This is because the policy has to be synced to the alert detection engine.
  • Microsoft 365 generates an alert that's displayed on the View alerts page in the Security & Compliance Center.
  • To create alert policies, you have to be assigned the Manage Alerts role or the Organization Configuration role in the security and compliance center.

Unified Audit Log

The unified audit log has a schema that varies depending on the type of service generating the log (Teams, SharePoint, Azure, Exchange Online, etc.). Regardless of the service of origin, each returned record contains an AuditData section holding a combination of attributes. These attributes are described here:

NOTE: For the category of events that relate to logons, it's important to look at the AuditData section for the LogonType attribute, which details the type of principal logging in. This way we can create rules that filter for values such as LogonType 1, which indicates an administrator. Another attribute relevant to detecting admin or application activity is UserType.
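An added triage example in Python (not code from this wiki or from any tool it names) that applies the LogonType/UserType filtering above to constructed records shaped like the rows Search-UnifiedAuditLog returns, where AuditData is a JSON string; LogonType 1 = administrator comes from the note, while the other value labels are assumed from the Office 365 Management Activity API common schema:

```python
import json

# Constructed sample in the shape Search-UnifiedAuditLog returns: the service-
# specific fields live inside the AuditData column as a JSON string.
SAMPLE_RECORDS = [
    {"RecordType": "ExchangeItem", "AuditData": json.dumps(
        {"Operation": "MailItemsAccessed", "UserId": "alice@contoso.example",
         "UserType": 0, "LogonType": 0})},
    {"RecordType": "ExchangeItem", "AuditData": json.dumps(
        {"Operation": "MailItemsAccessed", "UserId": "helpdesk@contoso.example",
         "MailboxOwnerUPN": "alice@contoso.example", "UserType": 2, "LogonType": 1})},
    {"RecordType": "AzureActiveDirectory", "AuditData": json.dumps(
        {"Operation": "Add service principal.", "UserId": "ServicePrincipal_0000",
         "UserType": 6})},
    {"RecordType": "SharePoint", "AuditData": "{truncated export"},  # broken row
]

# LogonType 1 = administrator per the note above; the remaining labels are an
# assumption taken from the Office 365 Management Activity API common schema.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}
USER_TYPES = {0: "Regular", 2: "Admin", 3: "DcAdmin", 5: "Application",
              6: "ServicePrincipal"}


def parse_audit_data(record):
    """Decode the AuditData JSON string; return None for rows that will not parse."""
    try:
        return json.loads(record["AuditData"])
    except (KeyError, TypeError, ValueError):
        return None


def classify(record):
    """Tag a record as admin or non-human activity from LogonType and UserType."""
    data = parse_audit_data(record)
    if data is None:
        return {"status": "unparsable", "record_type": record.get("RecordType")}
    logon = data.get("LogonType")  # only present on mailbox (Exchange) events
    user_type = data.get("UserType")
    flags = []
    if logon == 1:
        flags.append("admin-logon")
    elif logon == 2:
        flags.append("delegate-logon")
    if user_type in (2, 3):
        flags.append("admin-principal")
    if user_type in (5, 6):
        flags.append("non-human-principal")
    return {"status": "ok", "record_type": record["RecordType"],
            "operation": data.get("Operation"), "user": data.get("UserId"),
            "logon_type": LOGON_TYPES.get(logon, logon),
            "user_type": USER_TYPES.get(user_type, user_type), "flags": flags}


def hunt(records):
    """Return the rows worth a second look: flagged activity or unparsable AuditData."""
    return [h for h in map(classify, records) if h["status"] != "ok" or h["flags"]]
```

Unparsable rows are surfaced rather than dropped, since a hunt that silently skips malformed exports hides exactly the events a reviewer most needs to re-pull.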

Graph API

Graph API Logging

There are a few things to consider when doing DFIR on Azure and O365 using Graph API:

  • Not all actions in the Graph API are logged to UAL or Azure AD
  • Read Operations are usually not logged
  • Write Operations are usually logged, but there are many gaps and poor documentation as to what is actually reflected in the logs

Graph API Permissions

Documentation on scope and permissions for Azure AAD Graph API can be found in the official KB:

Interesting articles regarding Graph API permissions:

Interesting Hunting and Forensic Tools

AADInternals by Nestori

AADInternals is a PowerShell module for administering Azure AD and Office 365. For details, please visit



Of course, I will take notes about my own tool in here ;) A Cloud Forensics PowerShell module to run threat hunting playbooks on data from Azure and O365.