Enterprise security has never been a box-checking exercise, but the list of necessary protection technologies and configurations never seems to get any shorter. And yet true peace of mind remains elusive.
Consider the typical endpoint protection scenario: Your network is protected, and you have EDR monitoring your workstations. You are alerted to virus threats anytime someone tries to install malicious software. You are alerted when Windows is out of date and needs a security patch, when a browser patch must be installed, when third-party software needs updating. Your Microsoft Intune policies monitor and alert you when any endpoints are at risk. SIEM integration enables you to monitor all your endpoints. Automation immediately blocks communication when it detects a threat to workstations.
But are you truly protected?
Not long ago, the network described above would be considered secure and protected. But now many would argue it’s not. What has happened to make our endpoints less secure?
Attackers know we’ve invested quite a bit into securing our legacy desktops. They know we’ve added endpoint detection and remediation software to ensure our desktops and laptops are protected. So they are instead going after the soft spots we don’t spend as much time and resources protecting.
In today’s enterprise, that often means the cloud — a complex environment that’s challenging not only to secure but to obtain the kinds of forensic evidence necessary to deal with issues quickly.
Anatomy of the new access path
Recently, Volexity reported that attackers are targeting business computing resources beyond desktops and laptops. They use communication applications such as Signal and WhatsApp to initiate contact with their target. Phishing links are then sent not just to obtain the targeted user’s credentials but to trick them into completing a workflow that approves OAuth credentials. As Volexity researchers pointed out in their investigation, the URLs used in the campaigns pointed to Microsoft OAuth 2.0 authentication workflows associated with various legitimate first-party Microsoft applications.
Once they’ve received access via an OAuth token, the attackers can gain full access to whatever is in the user’s cloud resources. These days that can range from Microsoft 365 resources, to AWS Control, to Google Workspace. Attackers anywhere in the world can gain access to files stored in cloud repositories.
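The access path above is hard to spot with app allowlisting because the OAuth workflow belongs to a legitimate first-party application. The following added example (not from the article or from Volexity) shows a first-pass triage over exported sign-in records: it learns each user’s baseline apps and countries, then flags later OAuth sign-ins where both are new for that user. The records are constructed and use an assumed, simplified subset of the Microsoft Graph signIn fields; the app names and country codes are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (assumed simplified signIn schema; not real data).
SIGNINS = [
    # Alice's normal pattern: Teams and Outlook from the US.
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "country": "US",
     "createdDateTime": "2025-03-01T09:00:00Z"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "country": "US",
     "createdDateTime": "2025-03-02T09:10:00Z"},
    # Alice completes an OAuth workflow for a first-party app she never used,
    # from a country she never signed in from: the pattern worth reviewing.
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Power BI",
     "authenticationProtocol": "oAuth2", "country": "FR",
     "createdDateTime": "2025-03-10T22:41:00Z"},
    # Bob uses the same app from his usual country; this is not flagged.
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Power BI",
     "authenticationProtocol": "oAuth2", "country": "DE",
     "createdDateTime": "2025-03-01T08:00:00Z"},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Power BI",
     "authenticationProtocol": "oAuth2", "country": "DE",
     "createdDateTime": "2025-03-11T08:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalous_oauth_signins(records, baseline_end: str):
    """Return OAuth sign-ins after `baseline_end` whose app AND country are both
    new for that user, relative to what the user did during the baseline.
    Users with no baseline activity get every later sign-in flagged, by design."""
    cutoff = parse_ts(baseline_end)
    seen_countries, seen_apps = defaultdict(set), defaultdict(set)
    findings = []
    for r in sorted(records, key=lambda r: parse_ts(r["createdDateTime"])):
        user = r["userPrincipalName"]
        if parse_ts(r["createdDateTime"]) <= cutoff:  # learn the baseline
            seen_countries[user].add(r["country"])
            seen_apps[user].add(r["appDisplayName"])
            continue
        if r["authenticationProtocol"] != "oAuth2":
            continue
        reasons = []
        if r["country"] not in seen_countries[user]:
            reasons.append("new country")
        if r["appDisplayName"] not in seen_apps[user]:
            reasons.append("first use of app")
        if len(reasons) == 2:  # both novel at once: review the OAuth approval
            findings.append({"user": user, "app": r["appDisplayName"],
                             "country": r["country"],
                             "time": r["createdDateTime"], "reasons": reasons})
    return findings
```

In practice the baseline window should be weeks of sign-in history rather than the few constructed records shown here, and a flagged row is a starting point for review, not proof of compromise.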
Why are we making this easier for attackers? In part, we have not assigned the resources and budget needed to add monitoring and protection for cloud resources. We’ve also complicated our networks with embedded IoT devices that make entry points difficult to track and audit.
Moreover, cloud resources make it particularly challenging to perform forensic examinations. Logging is often not native, not enabled, or not available for your cloud subscription tier.
For example, to enable forensic-level logging for Microsoft 365, you need to meet certain requirements. Otherwise, you won’t be provided the resources necessary to analyze and investigate intrusions. This means having:
- A Microsoft 365 E5 license (E5, E5 Compliance, or E5 Insider Risk Management)
- Workstations that run Windows 11 Enterprise with Microsoft 365 applications
- Devices joined via Microsoft Entra with certain Defender antivirus versions and application versions on board
Only organizations that meet those criteria will be able to run Microsoft Purview Insider Risk Management to get the forensic evidence they need from the cloud.
How to capture forensic evidence from Microsoft Purview
To begin logging, ensure you have the proper subscription that includes the Insider Risk Management feature. You’ll also need to configure data storage access in order to store the necessary logging, and you’ll need to review your firewall settings to ensure you don’t have egress filtering enabled that will block transmission of information to specific Microsoft domains such as compliancedrive.microsoft.com and *.events.data.microsoft.com. (Note: Ensure you review this website to keep up to date on the latest URLs used by Microsoft monitoring. As Microsoft solutions evolve, you may need to revisit these rules and adjust accordingly.)
Next you need one of the following roles to configure the necessary settings: Microsoft Entra ID Compliance Administrator, Global Administrator, Purview Organization Management, Purview Compliance Administrator, or Insider Risk Management Admin.
To enable Forensic Evidence Capturing, sign into the Microsoft Purview portal with one of the above Administrator accounts, and then perform the following actions:
- Go to the blade for “Insider risk management”
- Select “Forensic evidence” in the left navigation, then “Forensic evidence settings”
- Turn on “Forensic evidence capturing” to enable support for forensic evidence policies.

Susan Bradley / CSO
You’ll need to onboard the systems you want to monitor. You can use scripts or Intune to connect them to your logging.
Next configure the forensic evidence settings you want for your organization. You’ll need to define the capturing window, logging every few seconds or every minute as you see fit for your environment. Determine whether you need to set any upload bandwidth limits; you may need to monitor the capture traffic to see whether it affects your network environment. Consider whether you need a specific bandwidth limit per user per day (for example, 100MB or 1GB). Determine whether you want to limit CPU usage to a certain percentage.
Next decide whether you need any settings for when devices are offline. In that case, set the offline capturing cache limit that governs how much evidence is held in local storage while a device is offline.
Next you need to create your forensic evidence policies. In the Purview portal, go to “Forensic evidence policies” and select “Create forensic evidence policy.” Specify which activities to capture, such as printing, file exfiltration, specific apps or websites, or all activities for selected users. “All activities” is not a typical setting and is used only for a set period during an investigation. You can also use Microsoft 365 Defender’s Advanced Hunting and Activity Log features for additional forensic analysis.
Caveats and limitations
Even with these settings, there can be times that you are at the mercy of the vendor. Forensic examinations of cloud assets can be complicated. Tracking through your log files to review what OAuth authentication was abused often takes expert review of those logs. In addition, you don’t get memory dumps or full control like you do on endpoints. You often must open a support ticket with your vendor to request log files, thereby delaying your investigation and response.
There are also budget limitations to be aware of. For example, you may need to purchase additional storage to store the forensic evidence you wish to capture.
With cloud-related attack vectors on the rise, it’s vital that you review your cloud options and risks. You may have all the necessary resources for your on-premises investigations, but it is very likely that you need to assign more resources for your cloud interactions.
The time to know your options is now, before an intrusion occurs.