Threat hunting in Microsoft 365

I'm currently pulling as much audit data as I can out of the Microsoft 365 Management API into an external logging platform (so as to correlate data with other threat intel). So far, I've found some really basic things like logon errors that helped me find a misconfigured client, but so far the data is little more than interesting/informative; I'm looking for good indicators of account compromise and malicious activity, especially in SharePoint and Exchange.
 
Any tips? Resources on good indicators of compromise?
 
I'm planning on additionally shipping the data to Azure Sentinel to evaluate whether it provides any added value.
0 Replies
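As an added example (not part of the original post, and not Microsoft's own tooling), here is the kind of check a hunter might run over records pulled from the Management Activity API: flag inbox rules that forward, redirect or delete mail, and flag users downloading unusually many SharePoint files. The record shape and operation names follow the unified audit log; the sample records, the e-mail addresses and the download threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample of Microsoft 365 unified audit log records, in the shape the
# Management Activity API returns them (Workload, Operation, UserId, ClientIP,
# Parameters for Exchange cmdlets, ObjectId for SharePoint files). All values are made up.
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "mailbox@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
] + [
    {"Workload": "SharePoint", "Operation": "FileDownloaded", "UserId": "carol@example.com",
     "ClientIP": "192.0.2.9", "ObjectId": f"https://contoso.sharepoint.com/sites/hr/doc{i}.docx"}
    for i in range(60)
]

# Inbox rule parameters that move mail out of the mailbox owner's view; these are the
# real Exchange New-InboxRule / Set-InboxRule parameter names as logged in the audit record.
EXFIL_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def suspicious_inbox_rules(records):
    """Return (user, client IP, flagged params) for rule changes that forward, redirect or delete mail."""
    hits = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"] for p in r.get("Parameters", [])}
        flagged = params & EXFIL_RULE_PARAMS
        if flagged:
            hits.append((r["UserId"], r.get("ClientIP"), sorted(flagged)))
    return hits

def mass_downloads(records, threshold=50):
    """Users whose FileDownloaded count in this batch exceeds the (assumed) baseline threshold."""
    counts = Counter(r["UserId"] for r in records
                     if r.get("Workload") == "SharePoint" and r.get("Operation") == "FileDownloaded")
    return {user: n for user, n in counts.items() if n > threshold}

if __name__ == "__main__":
    print(json.dumps({"inbox_rules": suspicious_inbox_rules(SAMPLE_RECORDS),
                      "mass_downloads": mass_downloads(SAMPLE_RECORDS)}, indent=2))
```

The download threshold should be tuned against each tenant's normal per-user volume; the inbox rule check is a reasonable first alert on its own, since a rule that both forwards and deletes is rarely legitimate.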