Office 365 Security Auditing & Alerts – forensic research and analysis
With the growing adoption of Office 365 around the world, more focus is being made by Cyber Attackers on the Microsoft cloud platform. This came to the forefront over the summer with the “KnockKnock” attack which was designed to predominantly target Office 365 system accounts that aren’t usually tied to human users and often have elevated privileges. Most of these accounts suffer from lax password policies and often go unmonitored.
The KnockKnock attack has been active since May 2017 and is currently still running. It uses very sneaky tactics to hide itself from detection. The botnet driven, password hacking happens in short bursts with just 3-5 attempts of guessing the password for one system account before trying a different account within the organization. Finding the audit trail to identify these type of attacks is extremely difficult and requires assistance from specialized tools that have powerful security auditing capabilities. That’s where the CoreView solution comes in.
This blog series will showcase some of the many ways in which the CoreView solution provides a powerful toolset for administrators to perform security monitoring, auditing and forensic analysis, plus configure automated alerts for known security risks.
This blog series will cover the following main topics. The first blog information will be included below, followed by the additional entries in the weeks to come.
- Performing Security Auditing and Forensic Analysis on Log File Events
- Most Common Reports & Alerts Configured for Known Security Issues
- Monitoring and Reporting for Suspicious Sign-in Activity
Finding the Smoking Gun by using Forensic Analysis
Every organization has security events that occur within their IT environment. Finding them quickly and shutting down the problem is a constant challenge for IT administrators and security teams. With millions of activity events from a variety of O365 log file sources, it’s difficult to find relevant data and make sense of it.
CoreView provides that intelligent, crystal ball view using all different log data to help admins locate the corresponding security events and connect the dots to see if valuable information was included, and who was involved. There are simple search methods and information filtering provided to perform forensic analysis on the specific segments of activities/events and zero-in on the smoking gun. Being able to locate where the breach, or security issue, originated and what documents or messages were involved can make the world of difference.
The CoreView web-based interface correlates disparate log file data from different Office 365 workloads into a single repository in order to:
- Reduce the complexity of searching, analyzing and maintaining critical Office 365 log data from different workloads
- Speed security investigations and compliance audits with complete real-time visibility and background, historic log data
- Research and troubleshoot widespread issues should a security breach or compliance event occur
(Example of Different Log File Information/Workloads Available for Security Auditing)
Enable Historic Research with Long-Term Log File Storage
Without the background information in the older log files there is no way to perform historic research during compliance audits. The standard storage for Office 365 log file data provided by Microsoft is only 90-days. If an audit needs to go back longer to find the breadcrumb trail of the security event, then it becomes an extremely difficult process for IT administrators and security teams to request old copies of their log data from Microsoft.
CoreView stores all log file information for at least one-year and can store data longer if the customer requires more historic information to perform security audits. This empowers IT administrators to perform the background research to know for sure when the actual security issues first began and where they originated. This helps close the loop on the security audit and finalize the report with the necessary information to document the root-cause of a security breach or data loss event.
(Example of Azure AD Sign-in Details for Auditing and Forensic Analysis)
To help ease the burden on administrators we have included many useful security compliance reports as templates within our toolset. Administrators just need to modify those reports with their specific security guidelines to monitor and the reports will be published daily.
If you are interested in finding out more about our CoreView solution and how it can help with security compliance audits and cut your administration time in half, please visit our overview page online, or sign-up for a free trial.