# Microsoft 365 & Azure Forensic Artifacts Reference **Total Artifacts:** 28 | **Generated:** 2026-03-07 --- ## Identity & Directory ### Unified Audit Log (UAL) **Location:** `Microsoft Purview > Audit > Search (or Search-UnifiedAuditLog cmdlet)` Centralized audit log aggregating events across Exchange Online, SharePoint, OneDrive, Teams, Azure AD, Power Platform, and other M365 services. Records user and admin activity with timestamps, IP addresses, user agents, and operation details. **Forensic Value:** The UAL is the single most important artifact for M365 investigations. It captures mailbox access, file downloads, sharing changes, admin role assignments, and OAuth app consents in one searchable location. Correlating ClientIP and UserAgent across operations reveals session hijacking -- when the same session token appears from two different geolocations, a token theft is confirmed. Retention is 90 days (E3) or 365 days (E5). **Tools:** Microsoft Purview Compliance Portal, PowerShell (Search-UnifiedAuditLog), Hawk, Sparrow **Collection Commands:** - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 | Export-Csv -Path ual_export.csv -NoTypeInformation` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType ExchangeAdmin -ResultSize 5000 | Export-Csv ual_exchange_admin.csv -NoTypeInformation` - **Hawk:** `Start-HawkTenantInvestigation -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)` ### Azure AD (Entra ID) Audit Logs **Location:** `Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)` Directory change logs recording modifications to users, groups, roles, applications, policies, and service principals including the initiating actor, target resource, and changed properties. **Forensic Value:** Audit logs expose persistence mechanisms in the identity plane. Key events include new service principal credential additions (indicating OAuth app backdoors), role assignment changes (privilege escalation to Global Admin), conditional access policy modifications (weakening security controls), and new federated domain additions (Golden SAML preparation). Comparing initiatedBy actors against known admin accounts identifies unauthorized changes. **Tools:** Azure Portal, Microsoft Graph API, PowerShell (AzureAD module), Azure CLI **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge 2024-01-01T00:00:00Z&$top=999` - **PowerShell:** `Get-AzureADAuditDirectoryLogs -Filter "activityDateTime ge 2024-01-01" -Top 1000 | Export-Csv audit_logs.csv -NoTypeInformation` - **az CLI:** `az rest --method GET --url "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?\$filter=activityDateTime ge 2024-01-01" --output json > directory_audits.json` ### Microsoft Defender for Cloud Apps (MDA) **Location:** `Microsoft Defender Portal > Cloud Apps > Activity Log (or API)` Cloud Access Security Broker (CASB) logging OAuth app activity, shadow IT discovery via cloud app usage, impossible travel alerts, mass download detections, suspicious inbox manipulation, and governance actions across connected cloud services. **Forensic Value:** MDA provides visibility into cloud application usage and data movement that other M365 logs miss. The Activity Log records granular actions across connected apps (Box, Salesforce, AWS) in addition to M365 services. Anomaly detection policies surface impossible travel, activity from anonymous IPs, and mass file downloads. OAuth app governance alerts identify malicious app consent grants. Session policies can reveal real-time data exfiltration attempts. **Tools:** Microsoft Defender Portal, PowerShell, Microsoft Graph API, SIEM (Sentinel) **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftCloudAppSecurity' and createdDateTime ge 2024-01-01T00:00:00Z` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType McasAlerts -ResultSize 5000 | Export-Csv mda_alerts.csv -NoTypeInformation` - **KQL:** `McasShadowItReporting | where TimeGenerated > ago(30d) | summarize TotalBytes=sum(BytesUploaded + BytesDownloaded) by AppName | sort by TotalBytes desc | take 50` ### Microsoft Sentinel Analytics & Incidents **Location:** `Azure Portal > Microsoft Sentinel > Incidents, Analytics rules, Hunting queries` SIEM platform aggregating logs from all Microsoft and third-party sources with built-in analytics rules generating security incidents, entity mapping to users/hosts/IPs, investigation graphs, and automated response playbooks. **Forensic Value:** Sentinel incidents aggregate related alerts from multiple detection sources into unified investigations with entity mapping. The investigation graph visually maps relationships between users, IPs, hosts, and alerts. Built-in analytics rules detect common attack patterns across log sources. Bookmarked hunting query results preserve evidence found during proactive threat hunting. Watchlists and threat intelligence indicators provide IOC matching across all ingested data sources. **Tools:** Azure Portal (Sentinel), KQL (Kusto Query Language), Microsoft Graph Security API, Azure CLI **Collection Commands:** - **KQL:** `SecurityIncident | where TimeGenerated > ago(30d) | where Status != "Closed" | project TimeGenerated, Title, Severity, Status, Owner, ProviderName | sort by TimeGenerated desc` - **KQL:** `SecurityAlert | where TimeGenerated > ago(7d) | summarize AlertCount=count() by AlertName, ProviderName | sort by AlertCount desc | take 25` - **az CLI:** `az sentinel incident list --workspace-name --resource-group --query "[?properties.status!='Closed']" --output json > open_incidents.json` ### Service Principal & App Registration Activity **Location:** `Azure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)` Audit trail for service principal and application registration changes including new app registrations, secret/certificate additions, API permission grants, redirect URI changes, and owner modifications. **Forensic Value:** Service principal manipulation is a critical cloud persistence technique. Attackers add secrets or certificates to existing app registrations, creating backdoor credentials that survive password resets and MFA enforcement. New API permission grants (especially Microsoft Graph with Mail.Read, Files.ReadWrite.All) enable automated data access. Redirect URI changes can intercept OAuth flows. Monitoring for new credential additions on existing apps is essential because these changes do not require user interaction after initial compromise. **Tools:** Azure Portal, Microsoft Graph API, PowerShell (AzureAD module), Azure CLI, ROADtools **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/applications?$select=displayName,appId,passwordCredentials,keyCredentials,createdDateTime&$top=999` - **PowerShell:** `Get-AzureADApplication -All $true | ForEach-Object { [PSCustomObject]@{Name=$_.DisplayName; AppId=$_.AppId; Creds=$_.PasswordCredentials.Count; Keys=$_.KeyCredentials.Count} } | Where-Object { $_.Creds -gt 0 -or $_.Keys -gt 0 } | Export-Csv app_credentials.csv -NoTypeInformation` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations "Add service principal credentials","Update application" -ResultSize 5000 | Export-Csv sp_credential_changes.csv -NoTypeInformation` - **ROADtools:** `roadrecon gather --access-token && roadrecon gui` ## Authentication & Access ### Azure AD (Entra ID) Sign-in Logs **Location:** `Azure Portal > Entra ID > Monitoring > Sign-in logs (or Microsoft Graph API /auditLogs/signIns)` Detailed authentication logs recording every interactive and non-interactive sign-in including result status, MFA details, conditional access policy evaluation, device compliance state, IP address, location, and risk level. **Forensic Value:** Sign-in logs are the primary source for detecting compromised identities. Filtering by ResultType reveals specific failure reasons (e.g., 50126 invalid password, 50074 MFA required, 53003 blocked by CA policy). Impossible-travel detection compares sequential sign-in locations. Non-interactive sign-in logs expose token replay attacks where stolen refresh tokens are used from attacker infrastructure without triggering MFA. **Tools:** Azure Portal, Microsoft Graph API, PowerShell (AzureAD module), Azure CLI **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$top=999` - **PowerShell:** `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge 2024-01-01" -Top 1000 | Export-Csv signin_logs.csv -NoTypeInformation` - **az CLI:** `az rest --method GET --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=createdDateTime ge 2024-01-01" --output json > signins.json` ### Conditional Access Policy Logs **Location:** `Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab` Per-sign-in evaluation results of all Conditional Access policies showing which policies were applied, which were not matched, and whether the grant/session controls succeeded or failed. **Forensic Value:** Conditional Access logs reveal exactly which security policies were evaluated during an attacker sign-in and why access was granted. If an attacker bypassed MFA, these logs show whether it was because no CA policy required MFA for that application, the policy excluded the user, or the device was considered compliant. This directly informs remediation by identifying policy gaps exploited during the incident. **Tools:** Azure Portal, Microsoft Graph API, PowerShell (AzureAD module) **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$select=userDisplayName,appDisplayName,conditionalAccessStatus,appliedConditionalAccessPolicies&$top=999` - **PowerShell:** `Get-AzureADAuditSignInLogs -Filter "createdDateTime ge 2024-01-01 and conditionalAccessStatus eq 'failure'" -Top 500 | Export-Csv ca_failures.csv -NoTypeInformation` - **KQL:** `SigninLogs | where TimeGenerated > ago(30d) | mv-expand ConditionalAccessPolicies | where ConditionalAccessPolicies.result == "failure" | project TimeGenerated, UserPrincipalName, AppDisplayName, ConditionalAccessPolicies.displayName, ConditionalAccessPolicies.result` ### Entra ID (Azure AD) Risk Events **Location:** `Azure Portal > Entra ID > Security > Risk detections (or Microsoft Graph API /identityProtection/riskDetections)` Machine-learning-generated risk detections including anonymous IP usage, impossible travel, malware-linked IPs, password spray detection, leaked credential matches, token anomalies, and suspicious inbox manipulation rules. **Forensic Value:** Risk events provide Microsoft threat intelligence context that is not available in raw sign-in logs. A "leaked credentials" detection confirms the user password was found in a breach database. "Anomalous token" detections flag token theft and replay scenarios. Correlating risk event timestamps with sign-in log entries creates a high-confidence timeline of exactly when the identity was compromised and from which infrastructure. **Tools:** Azure Portal, Microsoft Graph API (/identityProtection/riskDetections), PowerShell **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections?$filter=detectedDateTime ge 2024-01-01T00:00:00Z&$top=999` - **Graph API:** `GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$filter=riskLevel eq 'high'&$top=999` - **KQL:** `AADUserRiskEvents | where TimeGenerated > ago(30d) | where RiskLevel == "high" | project TimeGenerated, UserPrincipalName, RiskDetail, RiskEventType, IpAddress, Location` ### Microsoft Defender for Identity (MDI) **Location:** `Microsoft 365 Defender Portal > Identities > Health & Alerts (or Microsoft Graph Security API)` Identity threat detection system monitoring on-premises Active Directory traffic via domain controller sensors. Detects credential-based attacks including Kerberoasting, DCSync, Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and reconnaissance activities. **Forensic Value:** MDI detects identity-based attacks that cloud-only logs cannot see because it monitors Active Directory network traffic directly on domain controllers. DCSync detection identifies unauthorized replication of password hashes. Kerberoasting alerts reveal service ticket harvesting for offline cracking. Lateral movement path analysis maps how an attacker could reach high-value targets. Reconnaissance detection identifies LDAP queries, SAM-R enumeration, and DNS reconnaissance that precede lateral movement. **Tools:** Microsoft 365 Defender Portal, Microsoft Graph Security API, PowerShell, SIEM (Sentinel) **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDefenderForIdentity' and createdDateTime ge 2024-01-01T00:00:00Z&$top=100` - **KQL:** `IdentityDirectoryEvents | where Timestamp > ago(30d) | where ActionType in ("Account enumeration reconnaissance","Security principal reconnaissance") | project Timestamp, ActionType, AccountName, TargetAccountDisplayName, DeviceName` - **KQL:** `IdentityLogonEvents | where Timestamp > ago(7d) | where LogonType == "Failed" | summarize FailCount=count() by AccountName, DeviceName | where FailCount > 10 | sort by FailCount desc` ## Email Security ### Mailbox Audit Logs **Location:** `Exchange Admin Center or Search-MailboxAuditLog cmdlet` Per-mailbox audit records capturing owner, delegate, and admin actions on mailbox items including MessageBind (read), SendAs, SendOnBehalf, MoveToDeletedItems, SoftDelete, HardDelete, and UpdateInboxRules. **Forensic Value:** Mailbox audit logs are essential for BEC and email-based data theft investigations. MessageBind events with ClientInfoString containing "Client=OWA" from unusual IPs indicate webmail access from a compromised session. HardDelete operations suggest evidence destruction. UpdateInboxRules events reveal forwarding rules created to silently exfiltrate email. Delegate access logs expose when another account accessed the mailbox. **Tools:** PowerShell (ExchangeOnlineManagement), Microsoft Purview, Hawk **Collection Commands:** - **PowerShell:** `Search-MailboxAuditLog -Identity user@domain.com -LogonTypes Owner,Delegate,Admin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails | Export-Csv mailbox_audit.csv -NoTypeInformation` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType ExchangeItemAggregated -UserIds user@domain.com -ResultSize 5000 | Export-Csv ual_mailbox.csv -NoTypeInformation` - **Hawk:** `Get-HawkUserMailboxAuditing -UserPrincipalName user@domain.com` ### Message Trace Logs **Location:** `Exchange Admin Center > Mail flow > Message trace (or Get-MessageTrace cmdlet)` Email transport logs recording sender, recipient, subject, message ID, delivery status, and connector details for all messages processed by Exchange Online in the last 90 days. **Forensic Value:** Message trace reconstructs the full email delivery chain for phishing investigations -- confirming which users received a malicious message, whether it was delivered to the inbox or quarantined, and if any users forwarded it. Outbound message traces detect data exfiltration via email, especially when filtered by large attachment sizes or external recipients not in the organization directory. **Tools:** Exchange Admin Center, PowerShell (Get-MessageTrace), PowerShell (Get-MessageTraceDetail) **Collection Commands:** - **PowerShell:** `Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -PageSize 5000 | Export-Csv message_trace.csv -NoTypeInformation` - **PowerShell:** `Get-MessageTrace -SenderAddress attacker@external.com -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) | Get-MessageTraceDetail | Export-Csv trace_detail.csv -NoTypeInformation` - **PowerShell:** `Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Where-Object { $_.RecipientAddress -notlike "*@yourdomain.com" } | Export-Csv outbound_messages.csv -NoTypeInformation` ### Inbox Rules Audit (Mailbox Forwarding) **Location:** `Unified Audit Log (Operations: New-InboxRule, Set-InboxRule, UpdateInboxRules)` Audit events specifically tracking creation and modification of Exchange Online inbox rules, including server-side forwarding (Set-Mailbox -ForwardingSmtpAddress) and client-side rules that move, delete, or redirect messages. **Forensic Value:** Inbox rule manipulation is the hallmark of BEC attacks. Adversaries create rules to forward copies of all incoming email to an external address, or to auto-delete replies so the victim does not notice ongoing impersonation. Searching for New-InboxRule operations with ForwardTo, RedirectTo, or DeleteMessage actions across all mailboxes in the tenant identifies every compromised mailbox with active exfiltration rules. **Tools:** PowerShell (Get-InboxRule), PowerShell (ExchangeOnlineManagement), Hawk, Microsoft Purview **Collection Commands:** - **PowerShell:** `Get-InboxRule -Mailbox user@domain.com | Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.DeleteMessage -eq $true } | Format-List Name,Description,ForwardTo,RedirectTo,DeleteMessage` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules -ResultSize 5000 | Export-Csv inbox_rules_audit.csv -NoTypeInformation` - **PowerShell:** `Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName | Where-Object { $_.ForwardTo -or $_.RedirectTo } } | Export-Csv all_forwarding_rules.csv -NoTypeInformation` - **Hawk:** `Get-HawkUserInboxRule -UserPrincipalName user@domain.com` ## Cloud Infrastructure ### Azure Activity Logs **Location:** `Azure Portal > Monitor > Activity Log (or az monitor activity-log list)` Subscription-level logs recording control-plane operations against Azure resources including resource creation/deletion, role assignments, policy changes, and deployment operations with caller identity and IP address. **Forensic Value:** Activity logs expose infrastructure-level attacks in Azure environments. Key indicators include unexpected VM creation (cryptomining or pivot hosts), storage account access key regeneration (preparation for data exfiltration), NSG rule modifications (opening inbound RDP/SSH), and resource lock deletions (preparing for resource destruction). The caller IP and identity fields tie actions to specific compromised accounts. **Tools:** Azure Portal, Azure CLI (az monitor activity-log), PowerShell (Az module), Microsoft Graph API **Collection Commands:** - **az CLI:** `az monitor activity-log list --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z --output json > azure_activity.json` - **PowerShell:** `Get-AzActivityLog -StartTime (Get-Date).AddDays(-90) -EndTime (Get-Date) | Export-Csv azure_activity_log.csv -NoTypeInformation` - **az CLI:** `az monitor activity-log list --resource-group --start-time 2024-01-01T00:00:00Z --query "[?authorization.action=='Microsoft.Compute/virtualMachines/write']" --output json > vm_changes.json` ### Azure Resource Diagnostic Logs **Location:** `Azure Portal > Resource > Diagnostic settings > Log Analytics workspace` Data-plane logs for individual Azure resources (Key Vault access, Storage Blob read/write, SQL audit, App Service HTTP logs) when diagnostic settings are configured to route to Log Analytics, Storage, or Event Hub. **Forensic Value:** Resource logs provide data-plane visibility that Activity Logs lack. Key Vault access logs reveal which secrets, keys, and certificates were read or modified during a breach. Storage account logs show exact blob names accessed and by which identity. These logs are critical for understanding what data the attacker actually accessed versus what they merely had permissions to access. **Tools:** Azure Portal, Log Analytics (KQL), Azure CLI, PowerShell (Az module) **Collection Commands:** - **KQL:** `AzureDiagnostics | where TimeGenerated > ago(30d) | where ResourceType == "VAULTS" | where OperationName == "SecretGet" | project TimeGenerated, CallerIPAddress, identity_claim_upn_s, OperationName, id_s` - **az CLI:** `az monitor diagnostic-settings list --resource --output json > diagnostic_settings.json` - **PowerShell:** `Get-AzDiagnosticSetting -ResourceId | ConvertTo-Json -Depth 10 > diagnostic_config.json` ### Azure Key Vault Diagnostic Logs **Location:** `Azure Portal > Key Vault > Diagnostic settings > AuditEvent logs in Log Analytics workspace` Key Vault diagnostic logs capturing every operation on secrets, keys, and certificates including Get, Set, Delete, Backup, Restore, and access policy changes with caller identity, IP address, and result status. **Forensic Value:** Key Vault logs prove which secrets and keys were actually read during a breach, not just which were accessible by permissions. SecretGet operations with timestamps identify exactly when an attacker retrieved database connection strings, API keys, or certificates. Comparing actual access against RBAC permissions distinguishes between potential and confirmed data exposure. Access policy modifications reveal if the attacker granted themselves additional Key Vault permissions. **Tools:** Azure Portal, Log Analytics (KQL), Azure CLI, PowerShell (Az.KeyVault) **Collection Commands:** - **KQL:** `AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" | where TimeGenerated > ago(30d) | where OperationName == "SecretGet" or OperationName == "SecretSet" | project TimeGenerated, CallerIPAddress, identity_claim_upn_s, OperationName, id_s, ResultType` - **az CLI:** `az monitor diagnostic-settings list --resource $(az keyvault show --name --query id -o tsv) --output json > kv_diagnostic_settings.json` - **PowerShell:** `Get-AzKeyVaultSecret -VaultName | ForEach-Object { Get-AzKeyVaultSecret -VaultName -Name $_.Name -IncludeVersions | Select-Object Name, Version, Created, Updated } | Export-Csv kv_secrets_inventory.csv -NoTypeInformation` ### Azure Kubernetes Service (AKS) Activity Logs **Location:** `Azure Portal > Monitor > Activity Log filtered to Microsoft.ContainerService/managedClusters` Azure control-plane activity logs for AKS clusters covering cluster creation, upgrade, scale changes, diagnostic-setting updates, role assignments, credential rotations, and managed cluster delete operations with caller identity and source IP. **Forensic Value:** AKS activity logs show who changed the cluster control plane and when. They are essential for identifying malicious credential rotations, unauthorized cluster admin grants, node pool changes used to stage attacker workloads, and deletion or logging-tampering actions. Correlating caller identity with Entra ID sign-ins reveals whether cluster changes came from compromised administrators, workload identities, or automation accounts. **Tools:** Azure Portal, Azure CLI, PowerShell (Az module), SIEM (Sentinel / Log Analytics) **Collection Commands:** - **az CLI:** `az monitor activity-log list --resource-group --offset 30d --query "[?contains(operationName.value, `Microsoft.ContainerService/managedClusters`)]" > aks_activity.json` - **PowerShell:** `Get-AzLog -ResourceGroupName -StartTime (Get-Date).AddDays(-30) | Where-Object { $_.ResourceProviderName.Value -like "Microsoft.ContainerService*" } | Export-Csv aks_activity.csv -NoTypeInformation` - **KQL:** `AzureActivity | where TimeGenerated > ago(30d) | where ResourceProvider has "Microsoft.ContainerService" | project TimeGenerated, OperationNameValue, Caller, CallerIpAddress, ResourceGroup, ActivityStatusValue` ### AKS Kubernetes Audit Logs **Location:** `Azure Monitor diagnostic settings for AKS (categories: kube-audit, kube-audit-admin)` Kubernetes API server audit records for AKS capturing authenticated requests against cluster resources, including pods, secrets, configmaps, role bindings, service accounts, exec sessions, and admission decisions. **Forensic Value:** Kubernetes audit logs are the primary source for reconstructing attacker actions inside the cluster control plane. They reveal pod exec abuse, secret reads, privileged workload creation, cluster role binding changes, token misuse, and direct API access to sensitive resources. When retained in Log Analytics or Sentinel they provide the only reliable record of many in-cluster administrative actions. **Tools:** Azure Monitor, Log Analytics, KQL, kubectl **Collection Commands:** - **KQL:** `AKSAudit | where TimeGenerated > ago(30d) | project TimeGenerated, Verb, UserAgent, UserUsername, SourceIps, RequestURI, ObjectRefResource, ResponseStatusCode` - **KQL:** `AKSAuditAdmin | where TimeGenerated > ago(30d) | where Verb in ("create", "patch", "delete", "update") | project TimeGenerated, UserUsername, Verb, RequestURI, ResponseStatusCode` - **kubectl:** `kubectl get events --all-namespaces --sort-by=.metadata.creationTimestamp` ### Azure Container Registry (ACR) Audit Logs **Location:** `Azure Monitor diagnostic settings for Microsoft.ContainerRegistry/registries` Audit and access logs for Azure Container Registry operations including image push and pull events, repository listing, token use, webhook changes, authentication failures, and registry configuration updates. **Forensic Value:** ACR logs reveal supply-chain and workload-staging abuse around AKS and other containerized platforms. Unauthorized image pulls can show attacker reconnaissance of private repositories. Malicious image pushes or tag changes can explain how compromised workloads were introduced. Registry authentication failures and token use help identify abused service principals or workload identities tied to cluster operations. **Tools:** Azure Monitor, Azure CLI, KQL, SIEM (Sentinel / Log Analytics) **Collection Commands:** - **az CLI:** `az monitor diagnostic-settings list --resource ` - **KQL:** `AzureDiagnostics | where TimeGenerated > ago(30d) | where ResourceProvider == "MICROSOFT.CONTAINERREGISTRY" | project TimeGenerated, OperationName, CallerIPAddress, identity, Repository, Tag` - **KQL:** `AzureActivity | where TimeGenerated > ago(30d) | where ResourceProvider has "Microsoft.ContainerRegistry" | project TimeGenerated, OperationNameValue, Caller, CallerIpAddress, ActivityStatusValue` ## Data Access & Storage ### SharePoint & OneDrive Audit Events **Location:** `Microsoft Purview > Audit (filter by SharePoint/OneDrive workload)` File-level audit events for SharePoint Online and OneDrive for Business including FileAccessed, FileDownloaded, FileUploaded, FileDeleted, SharingSet, SharingInvitationCreated, and AnonymousLinkCreated. **Forensic Value:** These events are critical for data exfiltration investigations. Bulk FileDownloaded events from a single session, especially using sync client or API access, indicate mass data theft. SharingSet and AnonymousLinkCreated events reveal whether an attacker shared sensitive documents externally. Correlating ObjectId (file path) with the user and IP address reconstructs exactly which documents were exfiltrated and through which method. **Tools:** Microsoft Purview, PowerShell (Search-UnifiedAuditLog -RecordType SharePointFileOperation), Hawk **Collection Commands:** - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointFileOperation -Operations FileDownloaded,FileUploaded -ResultSize 5000 | Export-Csv sp_file_ops.csv -NoTypeInformation` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointSharingOperation -ResultSize 5000 | Export-Csv sp_sharing_ops.csv -NoTypeInformation` - **Graph API:** `GET https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/delta?$select=name,lastModifiedBy,lastModifiedDateTime` ### eDiscovery Content Search Results **Location:** `Microsoft Purview > eDiscovery > Content search` Preserved and exported search results from Microsoft Purview eDiscovery spanning Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations, enabling keyword-based or date-range-based evidence collection. **Forensic Value:** eDiscovery is the authoritative method for legal-hold evidence preservation and targeted content collection in M365 environments. It enables searching across all content sources with a single query, placing results on legal hold to prevent spoliation, and exporting PST/ZIP bundles for offline analysis. For insider threat cases, eDiscovery searches can reveal the full scope of sensitive data a user accessed or shared. **Tools:** Microsoft Purview Compliance Portal, eDiscovery Manager role, Microsoft Graph API (Compliance) **Collection Commands:** - **PowerShell:** `New-ComplianceSearch -Name "IR-Investigation" -ExchangeLocation user@domain.com -ContentMatchQuery "subject:confidential AND sent>=2024-01-01" | Start-ComplianceSearch` - **PowerShell:** `Get-ComplianceSearch -Identity "IR-Investigation" | Format-List Status,Items,Size; New-ComplianceSearchAction -SearchName "IR-Investigation" -Export -Format FxStream` - **Graph API:** `POST https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{caseId}/searches/{searchId}/estimateStatistics` ### Azure Storage Analytics & Diagnostic Logs **Location:** `Azure Portal > Storage Account > Diagnostic settings (or $logs container for classic analytics)` Storage account access logs recording every read, write, delete, and list operation on blobs, files, tables, and queues with authenticated identity, source IP, request URL, and response status. **Forensic Value:** Storage analytics logs prove exactly which blobs and files were accessed or exfiltrated during a breach. Each log entry includes the authenticated caller identity, client IP address, and the specific object URL accessed. Bulk GetBlob operations indicate mass data download. ListBlob operations reveal reconnaissance of storage contents. Comparing access patterns against normal baseline identifies anomalous data access. These logs are critical for quantifying data exposure in breach notification. **Tools:** Azure Portal, Log Analytics (KQL), Azure CLI (az storage logging), Azure Storage Explorer **Collection Commands:** - **KQL:** `StorageBlobLogs | where TimeGenerated > ago(30d) | where OperationName == "GetBlob" | summarize DownloadCount=count(), TotalBytes=sum(ResponseBodySize) by CallerIpAddress, AccountName | sort by TotalBytes desc` - **az CLI:** `az storage logging show --account-name --services b --output json > storage_logging_config.json` - **az CLI:** `az storage blob list --account-name --container-name \$logs --output json > storage_analytics_logs.json` ### Microsoft Purview DLP & Insider Risk Logs **Location:** `Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases` Data Loss Prevention policy match logs recording when sensitive data types (SSN, credit cards, health records, custom patterns) are detected in emails, files, Teams messages, or endpoint activities. Insider Risk Management correlates multiple signals into risk scores and cases. **Forensic Value:** DLP logs identify the specific sensitive data types involved in a breach, directly informing regulatory notification requirements. Policy match events prove that documents containing PII, PHI, or financial data were shared externally or downloaded, establishing the scope of data exposure. Insider Risk Management cases aggregate indicators like mass file downloads, email forwarding to personal accounts, and resignation-correlated data hoarding into scored risk assessments. **Tools:** Microsoft Purview Compliance Portal, PowerShell, Microsoft Graph API, SIEM (Sentinel) **Collection Commands:** - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType DLP -ResultSize 5000 | Export-Csv dlp_events.csv -NoTypeInformation` - **KQL:** `InformationProtectionLogs_CL | where TimeGenerated > ago(30d) | where Activity_s contains "DLPRuleMatch" | project TimeGenerated, UserId_s, Activity_s, PolicyName_s, SensitiveInfoType_s` - **Graph API:** `GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDataLossPrevention' and createdDateTime ge 2024-01-01T00:00:00Z` ## Execution Evidence ### Microsoft Defender for Endpoint (MDE) **Location:** `Microsoft 365 Defender Portal > Advanced Hunting (or Microsoft Graph Security API)` Endpoint detection and response platform providing Advanced Hunting tables including DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, and DeviceImageLoadEvents with 30 days of queryable telemetry. **Forensic Value:** MDE Advanced Hunting provides the richest endpoint telemetry available in Microsoft environments. DeviceProcessEvents captures every process execution with full command lines, parent processes, and hashes. DeviceNetworkEvents records process-level network connections to correlate C2 communication with specific malware. DeviceFileEvents tracks file creation, modification, and deletion with SHA256 hashes. KQL queries across these tables enable rapid threat hunting and incident scoping across the entire fleet. **Tools:** Microsoft 365 Defender Portal, KQL (Kusto Query Language), Microsoft Graph Security API, PowerShell **Collection Commands:** - **KQL:** `DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("powershell.exe","cmd.exe","wscript.exe","cscript.exe") | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName | take 1000` - **KQL:** `DeviceNetworkEvents | where Timestamp > ago(7d) | where RemotePort in (4444, 8080, 8888, 1337) | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl | take 1000` - **Graph API:** `GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$top=100` ### Power Platform & Power Automate Audit Logs **Location:** `Microsoft Purview > Audit (filter by PowerApps/Flow workload) or Power Platform Admin Center > Analytics` Audit events for Power Apps, Power Automate (Flow), Power BI, and Power Virtual Agents capturing flow creation/execution, app sharing, connector usage, data export operations, and admin configuration changes. **Forensic Value:** Power Automate flows are increasingly abused for automated data exfiltration because they can connect to external services and run on schedules without user interaction. Malicious flows can forward emails, copy files to external storage, or exfiltrate data through HTTP connectors. Power BI data export events may indicate bulk download of business intelligence reports. Monitoring connector usage reveals unauthorized integrations with external services that could serve as data exfiltration channels. **Tools:** Microsoft Purview, Power Platform Admin Center, PowerShell, Microsoft Graph API **Collection Commands:** - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType PowerAppsApp,MicrosoftFlow -ResultSize 5000 | Export-Csv power_platform_audit.csv -NoTypeInformation` - **PowerShell:** `Get-AdminFlow -EnvironmentName | Where-Object { $_.Properties.State -eq "Started" } | Select-Object DisplayName, CreatedTime, LastModifiedTime, CreatedBy | Export-Csv active_flows.csv -NoTypeInformation` - **Graph API:** `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Add app role assignment to service principal' and activityDateTime ge 2024-01-01T00:00:00Z` ### AKS Container Insights and Pod Telemetry **Location:** `Azure Monitor Container Insights / Log Analytics tables (ContainerLogV2, KubePodInventory, KubeEvents)` Runtime telemetry for AKS pods and nodes including container stdout/stderr logs, pod inventory changes, namespace placement, image names, restart activity, and Kubernetes event streams. **Forensic Value:** Container telemetry links control-plane actions to runtime behavior. It exposes suspicious images pulled into the cluster, ephemeral attacker pods, repeated crash loops caused by tampering, exec-based troubleshooting shells, and workloads that contacted unexpected destinations. Combined with Kubernetes audit logs, Container Insights reconstructs both who launched a workload and what it did after launch. **Tools:** Azure Monitor, Log Analytics, KQL, kubectl **Collection Commands:** - **KQL:** `ContainerLogV2 | where TimeGenerated > ago(7d) | project TimeGenerated, PodNamespace, PodName, ContainerName, LogMessage` - **KQL:** `KubePodInventory | where TimeGenerated > ago(7d) | project TimeGenerated, Namespace, PodName, ContainerName, ContainerID, Image, PodStatus` - **KQL:** `KubeEvents | where TimeGenerated > ago(7d) | project TimeGenerated, Namespace, Name, Reason, Message` ## Network Traffic ### Azure NSG Flow Logs (Network Watcher) **Location:** `Azure Portal > Network Watcher > NSG Flow Logs (stored in Storage Account as JSON)` Network Security Group flow logs recording allowed and denied network flows through Azure NSGs. Version 2 logs include byte counts, packet counts, and flow state (begin/continue/end) in addition to the 5-tuple connection data. **Forensic Value:** NSG flow logs provide network-level visibility for Azure virtual networks equivalent to on-premises NetFlow. They record every allowed and denied connection attempt through NSGs with source/destination IPs, ports, and protocol. Large outbound byte counts to external IPs indicate data exfiltration from Azure VMs. Denied flows reveal reconnaissance and lateral movement attempts blocked by NSG rules. Traffic Analytics integration provides enriched insights including geographic and threat intelligence context. **Tools:** Azure Portal, Log Analytics (KQL), Traffic Analytics, Azure Network Watcher **Collection Commands:** - **KQL:** `AzureNetworkAnalytics_CL | where TimeGenerated > ago(7d) | where FlowStatus_s == "A" and FlowDirection_s == "O" | summarize TotalBytes=sum(OutboundBytes_d) by DestIP_s | sort by TotalBytes desc | take 50` - **az CLI:** `az network watcher flow-log list --location --output json > nsg_flow_log_config.json` - **PowerShell:** `Get-AzNetworkWatcherFlowLogStatus -NetworkWatcherName -ResourceGroupName -TargetResourceId | ConvertTo-Json > nsg_flow_status.json` ## User Activity ### Microsoft Teams Audit Logs **Location:** `Microsoft Purview > Audit (filter by MicrosoftTeams workload) or Search-UnifiedAuditLog -RecordType MicrosoftTeams` Teams-specific audit events capturing channel creation/deletion, membership changes, meeting recordings, file sharing in Teams, guest user additions, app installations, and messaging policy changes. **Forensic Value:** Teams audit logs reveal collaboration-based attack vectors including unauthorized guest additions, malicious app installations, and data sharing through Teams channels. Guest user additions grant external parties access to internal resources. Teams app installations may introduce malicious bots or connectors. File sharing events in Teams channels supplement SharePoint/OneDrive audit data. Meeting recording access logs show who viewed recorded meetings containing sensitive information. **Tools:** Microsoft Purview, PowerShell (Search-UnifiedAuditLog), Microsoft Graph API, SIEM (Sentinel) **Collection Commands:** - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType MicrosoftTeams -ResultSize 5000 | Export-Csv teams_audit.csv -NoTypeInformation` - **PowerShell:** `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations MemberAdded,MemberRemoved,AppInstalled,ChannelAdded -RecordType MicrosoftTeams -ResultSize 5000 | Export-Csv teams_membership.csv -NoTypeInformation` - **Graph API:** `GET https://graph.microsoft.com/v1.0/teams/{team-id}/channels?$select=displayName,membershipType,createdDateTime` ## System Configuration ### Microsoft Intune Compliance & Device Logs **Location:** `Microsoft Intune Admin Center > Devices > Monitor (or Microsoft Graph API /deviceManagement)` Intune device management logs capturing device compliance state, configuration profile deployment results, app installation status, device enrollment events, remote action execution (wipe, lock, retire), and discovered application inventory. **Forensic Value:** Intune logs reveal the security posture of endpoints during a breach. Non-compliant device status indicates missing patches, disabled encryption, or outdated antivirus that enabled the compromise. Device enrollment events from unexpected locations suggest attacker device registration. Remote wipe and lock action logs document containment actions taken during incident response. Application inventory identifies which apps were installed on compromised devices without requiring direct endpoint access. **Tools:** Microsoft Intune Admin Center, Microsoft Graph API, PowerShell (Microsoft.Graph.Intune), SIEM (Sentinel) **Collection Commands:** - **Graph API:** `GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant'&$select=deviceName,userPrincipalName,complianceState,lastSyncDateTime,osVersion` - **Graph API:** `GET https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$top=999&$select=displayName,version,deviceCount` - **PowerShell:** `Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -Property DeviceName,UserPrincipalName,ComplianceState,LastSyncDateTime | Export-Csv noncompliant_devices.csv -NoTypeInformation` --- *Generated by DFIR Assist*