This article is contributed. See the original author and article here.

We are happy to announce the availability of a new data source in Microsoft 365 Defender Advanced Hunting.


We have just enabled streaming of Azure Active Directory audit logs into Advanced Hunting, already available for all customers in public preview.


These logs provide traceability for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.


 


At the moment, the data ingestion has a dependency on MCAS, so customers that have MCAS with the Office 365 connector connected will be able to see this data. Our intent is to expand availability to more Microsoft 365 Defender customers going forward.


 


The new log data is available in the CloudAppEvents table:

CloudAppEvents
| where Application == "Office 365"

and contains activity logs useful for investigating and finding related activities.


We are publishing a handful of relevant queries to our GitHub repository, as they can assist with investigations of the recent nation-state attack.


 


Here's an example query that helps you see when credentials were added to an Azure AD application after 'Admin Consent' permissions were granted:

CloudAppEvents
| where Application == "Office 365"
| where ActionType == "Consent to application."
// keep only consents that were granted with admin consent
| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"
// the consented service principal is the fourth entry of Target
| extend spnID = tostring(RawEventData.Target[3].ID)
// pull the granted scopes out of the permissions change record
| parse RawEventData.ModifiedProperties[4].NewValue with * "=> [[" dummy "Scope: " After "]]" *
| extend PermissionsGranted = split(After, "]", 0)
| project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted
| join (
    CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "
    | extend spnID = tostring(RawEventData.Target[3].ID)
    | project AddSecretTime = Timestamp, AccountDisplayName, spnID
) on spnID
// credentials added after the consent, by an account other than the one that consented
| where ConsentTime < AddSecretTime and AccountDisplayName <> AccountDisplayName1
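To make the correlation logic of that query explicit outside Advanced Hunting, here is an added Python rendering of the same detection (example code, not Microsoft's). It reads the same fields the query does (Target[3].ID for the service principal, ModifiedProperties[0] for the admin-consent flag, ModifiedProperties[4] for the granted scopes), mirrors the parse/split extraction of the Scope value, and then pairs each admin consent with credential additions on the same service principal that happen later and come from a different account. The event records, account names, service principal IDs and the exact text inside the permissions NewValue are constructed for the example.

```python
"""Correlate admin-consent grants with later credential additions on the same
service principal by a different account (added example mirroring the page's
KQL; all sample data is constructed)."""
from datetime import datetime

# ActionType values from the page's query; the second one keeps its en dash and
# trailing space exactly as the query spells it.
CREDENTIAL_ACTIONS = {
    "Add service principal credentials.",
    "Update application \u2013 Certificates and secrets management ",
}


def parse_ts(value):
    # Constructed timestamps are ISO-8601 with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_scope(new_value):
    """Mirror the query's parse: text after '=> [[' and 'Scope: ', up to ']]',
    then keep what precedes the first ']' (the split(After, "]", 0) step)."""
    start = new_value.find("=> [[")
    if start == -1:
        return None
    scope_pos = new_value.find("Scope: ", start)
    if scope_pos == -1:
        return None
    after = new_value[scope_pos + len("Scope: "):]
    end = after.find("]]")
    if end == -1:
        return None
    return after[:end].split("]")[0]


def spn_id(event):
    # The query reads the service principal ID from Target[3].
    targets = event["RawEventData"].get("Target", [])
    return str(targets[3]["ID"]) if len(targets) > 3 else None


def is_admin_consent(event):
    if event["ActionType"] != "Consent to application.":
        return False
    props = event["RawEventData"].get("ModifiedProperties", [])
    if not props:
        return False
    flag = props[0]
    return (flag.get("Name") == "ConsentContext.IsAdminConsent"
            and flag.get("NewValue") == "True")


def find_suspicious_credential_adds(events):
    """Return one finding per (admin consent, later credential add) pair on the
    same service principal where the two actors differ."""
    office = [e for e in events if e.get("Application") == "Office 365"]
    consents = []
    for e in office:
        if is_admin_consent(e):
            props = e["RawEventData"]["ModifiedProperties"]
            scope = extract_scope(props[4]["NewValue"]) if len(props) > 4 else None
            consents.append({"ConsentTime": parse_ts(e["Timestamp"]),
                             "Consenter": e["AccountDisplayName"],
                             "spnID": spn_id(e), "PermissionsGranted": scope})
    findings = []
    for e in office:
        if e["ActionType"] not in CREDENTIAL_ACTIONS:
            continue
        sid, add_time = spn_id(e), parse_ts(e["Timestamp"])
        for c in consents:
            if (c["spnID"] == sid and c["ConsentTime"] < add_time
                    and c["Consenter"] != e["AccountDisplayName"]):
                findings.append({**c, "AddSecretTime": add_time,
                                 "CredentialAddedBy": e["AccountDisplayName"]})
    return findings


def make_event(ts, action, account, spn, props=None, application="Office 365"):
    # Constructed CloudAppEvents-like row; Target[0..2] are filler entries.
    return {"Timestamp": ts, "Application": application, "ActionType": action,
            "AccountDisplayName": account,
            "RawEventData": {"Target": [{"ID": "t0"}, {"ID": "t1"}, {"ID": "t2"}, {"ID": spn}],
                             "ModifiedProperties": props or []}}


def consent_props(scope):
    # Index 0 carries the admin-consent flag and index 4 the permissions record,
    # matching the indices the query reads; indices 1-3 are filler.
    filler = {"Name": "filler", "NewValue": ""}
    return [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
            filler, filler, filler,
            {"Name": "ConsentAction.Permissions",
             "NewValue": f"[] => [[Id: 1a2b, ClientId: c0ffee, ConsentType: AllPrincipals, Scope: {scope}]]"}]


# Constructed sample: one flagged pair, one add before consent, one add by the consenter.
SAMPLE_EVENTS = [
    make_event("2020-12-20T10:00:00Z", "Consent to application.", "admin@contoso.example",
               "spn-0001", consent_props("Mail.Read Directory.Read.All")),
    make_event("2020-12-20T09:00:00Z", "Add service principal credentials.",
               "operator@contoso.example", "spn-0001"),  # before the consent: ignored
    make_event("2020-12-20T11:30:00Z", "Add service principal credentials.",
               "operator@contoso.example", "spn-0001"),  # after consent, other actor: flagged
    make_event("2020-12-21T08:00:00Z", "Consent to application.", "admin@contoso.example",
               "spn-0002", consent_props("User.Read")),
    make_event("2020-12-21T08:05:00Z", "Update application \u2013 Certificates and secrets management ",
               "admin@contoso.example", "spn-0002"),  # same actor as the consent: ignored
]

if __name__ == "__main__":
    for f in find_suspicious_credential_adds(SAMPLE_EVENTS):
        print(f"{f['spnID']}: consented by {f['Consenter']} at {f['ConsentTime']}, "
              f"credential added by {f['CredentialAddedBy']} at {f['AddSecretTime']} "
              f"(scopes: {f['PermissionsGranted']})")
```

Running the script on the constructed events prints a single finding for spn-0001; the add that precedes the consent and the add performed by the consenting admin are filtered out, exactly as the query's final where clause does.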

 


Keep watching for our updates; we will soon publish more information and guidance on how to leverage Microsoft 365 Defender for investigations of this evolving advanced threat!

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.