{"id":3095,"date":"2025-05-08T09:00:00","date_gmt":"2025-05-08T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3095"},"modified":"2025-05-08T09:00:00","modified_gmt":"2025-05-08T09:00:00","slug":"how-to-capture-forensic-evidence-for-microsoft-365","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3095","title":{"rendered":"How to capture forensic evidence for Microsoft 365"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprise security has never been a box-checking exercise, but the list of necessary protection technologies and configurations never seems to get any shorter. And yet true peace of mind remains elusive.<\/p>\n<p>Consider the typical endpoint protection scenario: Your network is protected, and you have <a href=\"https:\/\/www.csoonline.com\/article\/568045\/what-is-edr-endpoint-detection-and-response.html\">EDR<\/a> monitoring your workstations. You are alerted to virus threats anytime someone tries to install malicious software. You are alerted when Windows is out of date and needs a security patch, when a browser patch must be installed, when third-party software needs updating. Your Microsoft Intune policies monitor and alert you when any endpoints are at risk. <a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">SIEM<\/a> integration enables you to monitor all your endpoints. Automation immediately blocks communication when it detects a threat to workstations.<\/p>\n<p>But are you truly protected?<\/p>\n<p>Not long ago, the network described above would be considered secure and protected. But now many would argue it\u2019s not. 
What has happened to make our endpoints less secure?<\/p>\n<p>Attackers know we\u2019ve invested quite a bit into securing our legacy desktops. They know we\u2019ve added endpoint detection and remediation software to ensure our desktops and laptops are protected. So they are instead going after soft spots on which we don\u2019t spend as much time and resources to protect.<\/p>\n<p>In today\u2019s enterprise, that often means the cloud \u2014 a complex environment that\u2019s challenging not only to secure but to obtain the kinds of forensic evidence necessary to deal with issues quickly.<\/p>\n<h2 class=\"wp-block-heading\">Anatomy of the new access path<\/h2>\n<p>Recently Volexity reported that attackers are <a href=\"https:\/\/www.volexity.com\/blog\/2025\/04\/22\/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows\/\">targeting business computing resources beyond desktops and laptops<\/a>. They use communication applications such as Signal and WhatsApp to initiate communication with their target. Phishing links are then sent not just to obtain the targeted user\u2019s credentials but to trick them into completing a workflow to approve <a href=\"https:\/\/www.csoonline.com\/article\/562635\/what-is-oauth-how-the-open-authorization-framework-works.html\">OAuth<\/a> credentials. As Volexity researchers pointed out in their investigation, the URLs used in the campaigns pointed to other Microsoft OAuth 2.0 authentication workflows associated with various legitimate first-party Microsoft applications.<\/p>\n<p>Once they\u2019ve received access via an OAuth token, the attackers can gain full access to whatever is in the user\u2019s cloud resources. These days that can range from Microsoft 365 resources, to AWS Control, to Google Workspace. Attackers anywhere in the world can gain access to files stored in cloud repositories.<\/p>\n<p>Why are we making this easier for attackers to access? 
In part, we have not assigned resources and budget to add the necessary monitoring and protection for cloud resources. We\u2019ve also complicated our networks with IoT devices embedded in our networks that have made it difficult to track and audit entry points.<\/p>\n<p>Moreover, cloud resources make it particularly challenging to perform forensic examinations. Logging is often not native, not enabled, or not available for your cloud subscription tier.<\/p>\n<p>For example, to enable forensic-level logging for Microsoft 365, you need to meet certain requirements. Otherwise, you won\u2019t be provided the resources necessary to analyze and investigate intrusions. This means having:<\/p>\n<p>A Microsoft 365 E5 license (E5, E5 Compliance, or E5 Insider Risk Management)<\/p>\n<p>Workstations that run Windows 11 Enterprise with Microsoft 365 applications<\/p>\n<p>Devices joined via Microsoft Entra with certain Defender antivirus versions and application versions on board<\/p>\n<p>Only organizations that meet those criteria will be able to run Microsoft Purview Insider Risk Management to get the forensic evidence they need from the cloud.<\/p>\n<h2 class=\"wp-block-heading\">How to capture forensic evidence from Microsoft Purview<\/h2>\n<p>To begin logging, ensure you have the proper subscription that includes the Insider Risk Management feature. You\u2019ll also need to configure data storage access in order to store the necessary logging, and you\u2019ll need to review your firewall settings to ensure you don\u2019t have egress filtering enabled that will block transmission of information to specific Microsoft domains such as compliancedrive.microsoft.com and *.events.data.microsoft.com. 
(Note: Ensure you review <a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/insider-risk-management-forensic-evidence-configure#step-1-confirm-your-subscription-and-configure-data-storage-access\">this website<\/a> to keep up to date on the latest URLs used by Microsoft monitoring. As Microsoft solutions evolve, you may need to revisit these rules and adjust accordingly.)<\/p>\n<p>Next you need one of the following roles to configure the necessary settings: Microsoft Entra ID Compliance Administrator, Global Administrator, Purview Organization Management, Purview Compliance Administrator, or Insider Risk Management Admin.<\/p>\n<p>To enable <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-365\/enterprise\/forensic-evidence-set-up\">Forensic Evidence Capturing<\/a>, sign into the Microsoft Purview portal with one of the above Administrator accounts, and then perform the following actions:<\/p>\n<p>Go to the blade for \u201cInsider risk management\u201d<\/p>\n<p>Select \u201cForensic evidence\u201d in the left navigation, then \u201cForensic evidence settings\u201d<\/p>\n<p>Turn on \u201cForensic evidence capturing\u201d to enable support for forensic evidence policies.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Susan Bradley \/ CSO<\/p>\n<\/div>\n<p>You\u2019ll need to onboard the systems you want to monitor. You can use scripts or Intune to connect them to your logging.<\/p>\n<p>Next configure the forensic evidence settings you want for your organization. You\u2019ll need to define the capturing window, logging every number of seconds or every minute as you see fit for your environment. Determine whether you need to set any upload bandwidth limits. You may need to monitor and determine the impact on your bandwidth and determine whether it impacts your network environment. Consider whether you need to set limits such as a specific bandwidth limit per user per day (for example, 100MB or 1GB). 
Determine whether you want to limit CPU usage to a certain percentage.<\/p>\n<p>Next you will need to decide whether you need to have any settings for when devices are offline. In that case, there are offline capturing cache limits you may need to set. Set the offline capturing cache limit for local storage when devices are offline.<\/p>\n<p>Next you need to create your forensic evidence policies. In the Purview portal, go to \u201cForensic evidence policies\u201d and select \u201cCreate forensic evidence policy.\u201d Specify which activities to capture, such as printing, file exfiltration, specific apps or websites, or all activities for selected users. \u201cAll activities\u201d is not a typical setting and is used only for a set period during an investigation. You can also use Microsoft 365 Defender\u2019s Advanced Hunting and Activity Log features for additional forensic analysis.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Susan Bradley \/ CSO<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">Caveats and limitations<\/h2>\n<p>Even with these settings, there can be times that you are at the mercy of the vendor. Forensic examinations of cloud assets can be complicated. Tracking through your log files to review what OAuth authentication was abused often takes expert review of these log files. In addition, you don\u2019t get memory dumps or full control like you do on endpoints. You often must open a support ticket with your vendor to request log files, thereby delaying your investigation and response.<\/p>\n<p>There are also budget limitations to be aware of. For example, you may need to purchase additional storage to store the forensic evidence you wish to capture.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Susan Bradley \/ CSO<\/p>\n<\/div>\n<p>With cloud-related attack vectors on the rise, it\u2019s vital that you review your cloud options and risks. 
You may have all the necessary resources for your on-premises investigations, but it is very likely that you need to assign more resources for your cloud interactions.<\/p>\n<p>The time to know your options is now, before an intrusion occurs.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprise security has never been a box-checking exercise, but the list of necessary protection technologies and configurations never seems to get any shorter. And yet true peace of mind remains elusive. Consider the typical endpoint protection scenario: Your network is protected, and you have EDR monitoring your workstations. You are alerted to virus threats anytime [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3095","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3095"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3095"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3095\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3087"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcatego
ries&post=3095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}