Threat hunting in Microsoft 365

I'm currently pulling as much audit data as I can out of the Microsoft 365 Management API into an external logging platform (so as to correlate data with other threat intel). So far, I've found some really basic things like logon errors that helped me find a misconfigured client, but so far the data is little more than interesting/informative; I'm looking for good indicators of account compromise and malicious activity, especially in SharePoint and Exchange.
 
Any tips? Resources on good indicators of compromise?
 
I'm planning on additionally shipping the data to Azure Sentinel to evaluate whether it provides any added value.
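As an added example (not from the original post or its author), here is detection logic a hunter could run over Management Activity API logon records once they land in an external SIEM: it scores two common account-compromise shapes, a single source IP failing against many accounts, and repeated failures for one account followed by a success from the same IP. The field names follow the API's common audit schema; the records themselves are constructed sample data.

```python
"""Two account-compromise indicators over Microsoft 365 Management Activity API
logon records (AzureActiveDirectoryStsLogon, RecordType 15). Added example; the
sample records below are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime


def rec(t, op, user, ip):
    # Minimal record in the API's common schema shape.
    return {"CreationTime": t, "Operation": op, "UserId": user,
            "ClientIP": ip, "Workload": "AzureActiveDirectory", "RecordType": 15}


# Constructed sample: one IP spraying three accounts and getting into bob,
# one user (dave) simply mistyping a password once, one clean logon (alice).
SAMPLE_RECORDS = [
    rec("2020-06-01T08:00:01", "UserLoginFailed", "alice@contoso.example", "203.0.113.10"),
    rec("2020-06-01T08:00:05", "UserLoginFailed", "bob@contoso.example", "203.0.113.10"),
    rec("2020-06-01T08:00:09", "UserLoginFailed", "carol@contoso.example", "203.0.113.10"),
    rec("2020-06-01T08:00:40", "UserLoginFailed", "bob@contoso.example", "203.0.113.10"),
    rec("2020-06-01T08:01:02", "UserLoggedIn", "bob@contoso.example", "203.0.113.10"),
    rec("2020-06-01T08:30:00", "UserLoginFailed", "dave@contoso.example", "198.51.100.5"),
    rec("2020-06-01T08:30:10", "UserLoggedIn", "dave@contoso.example", "198.51.100.5"),
    rec("2020-06-01T09:00:00", "UserLoggedIn", "alice@contoso.example", "192.0.2.22"),
]


def find_spraying_ips(records, min_users=3):
    """Password-spray shape: one ClientIP with failed logons against many distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            users_by_ip[r["ClientIP"]].add(r["UserId"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def find_failed_then_success(records, min_failures=2):
    """Compromise shape: >= min_failures failures for a user, then a success from that same IP."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"])):
        by_user[r["UserId"]].append(r)
    hits = {}
    for user, events in by_user.items():
        failures_by_ip = defaultdict(int)
        for e in events:
            if e["Operation"] == "UserLoginFailed":
                failures_by_ip[e["ClientIP"]] += 1
            elif e["Operation"] == "UserLoggedIn" and failures_by_ip[e["ClientIP"]] >= min_failures:
                hits[user] = e["ClientIP"]  # the IP that finally got in
    return hits


if __name__ == "__main__":
    print("spraying IPs:", find_spraying_ips(SAMPLE_RECORDS))
    print("failed-then-success:", find_failed_then_success(SAMPLE_RECORDS))
```

Tune `min_users` and `min_failures` against your own baseline; a single failure before a success (dave above) is ordinary user behaviour and is deliberately not flagged.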

Well, it's been 6 months since I posted this, so I thought to update it with what has been happening recently.
  • A lot of Microsoft reps touted Azure Sentinel as being a silver bullet, so I deployed Azure Sentinel and set up whatever alert policies seemed useful. So far little more than a lot of noise and false positives.
  • The Azure AD Identity Protection has been the only thing so far that has produced actionable intel. Some alerts lit up and we were able to reset a few compromised user passwords.
  • In terms of the celebrated ML capabilities of Azure Sentinel, I have yet to see any substantial benefit.
  • Our best approach has been to pull the data in from the management API and whatever we can get our hands on with the Graph API into our own SIEM. For what we can get however, the data, queries, keywords are not consistent.
  • These APIs are not as available as you would think they should be for being supported by a major tech company.

The main issue now: a lot of lookup and remediation actions for Microsoft 365 are mysteriously absent from any API (and many APIs seem to be in a weird deprecation limbo), but are mostly offered in PowerShell, which is a major hurdle for our infrastructure paradigm which focuses on event-driven containerized applications. In this I recognize my bias: coming from a Linux background I find PowerShell abhorrent, but I digress...