Case Study: Microsoft 365 Detailed User Activity
Any time there is a compromise (or suspected compromise), one of the most important stages in the response is gathering information. Specifically, what the account did while logged into the system must be obtained and analyzed to determine whether damage occurred and, if so, what it was. The type of system that was compromised does not matter; what matters is that the activities performed within it under that user's account are identified quickly.
Microsoft 365 Operations
Microsoft 365 (formerly known as Office 365) is one such system. When a user account is compromised and an adversary logs into M365, whether the account belongs to an administrator or a regular user, it is vital that the response team determines what transpired. Typically, this is done by reviewing the logged events (they were being sent outside of M365 for safe storage, weren't they? The audit log is only retained within M365 for a limited period unless it is exported or a longer retention policy is in place) and building a timeline of operations.
With Microsoft 365, a typical user generates numerous operations through everyday use. These events include logins, failed logins, searches, e-mails, file previews, and even chat activity within Microsoft Teams. The point here is that there is a large amount of data to sort through and analyze. Fluency uses several techniques to analyze user data, but this post is about a specific technique we call the M365 Detailed User Investigation.
Straight Timeline vs Grouped Mini-Timelines
While it may seem natural to build a single timeline of operations, in the order they were performed, to look back at what a user did and when, an analyst can find it very difficult to grasp that amount of data presented all at once. Fluency therefore takes a different approach for this technique: we group the operations and then sort them within each group, so that an analyst can review similar operations in bulk without having to jump between different kinds of data.
Aggregating the Operations
First, Fluency takes a window of the user's activity and aggregates all the unique operations performed by that user within it. This gives a summary of what types of activities were performed, without regard (at first) to their details or order.
Gathering Important Fields
Next, Fluency iterates through the list of operations and runs another query specifically for each one. For each operation, a list of fields is used to display only the information that has previously been deemed important (or vital) to an investigation. While a deep dive can easily pull the remaining fields if needed, this provides what analysts need for 99% of the initial investigation. The data may include filenames, file sizes, chat threads, e-mail rules, and other information specific to the operation, as well as more general information such as client, IP address, platform, etc.
With this information gathered, an analyst can look through each group of operations and compare similar fields to determine whether anything is out of place. Within each group, the data is sorted in time order, a mini-timeline so to speak. In this manner, an analyst only has to change the way he or she thinks about the data between operations, not for every event in the order it happened.
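The two steps above (aggregate the unique operations in a window, then run one field-restricted, time-ordered query per operation) as an added Python example. This is illustration code written for this page, not Fluency's implementation. The record layout loosely follows the Office 365 Management Activity API common schema (CreationTime, Operation, UserId, ClientIP, Workload, ResultStatus, ObjectId), but every record below is constructed, and the per-operation "important field" lists are assumptions, since the post does not publish Fluency's list.

```python
"""Group a user's M365 audit records into per-operation mini-timelines.

Added example, not Fluency's code. Record layout loosely follows the Office 365
Management Activity API common schema; all values are constructed, and the
field lists are assumptions for the purpose of illustration.
"""
from collections import Counter
from datetime import datetime, timezone

USER = "alice@contoso.example"   # constructed identity

# Constructed sample records (not real audit data). The real schema nests login
# details under ExtendedProperties; that is flattened to a UserAgent key here.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-05T07:58:40", "Operation": "UserLoginFailed", "UserId": USER,
     "ClientIP": "198.51.100.22", "Workload": "AzureActiveDirectory", "ResultStatus": "Failed",
     "UserAgent": "python-requests/2.31"},
    {"CreationTime": "2024-03-05T07:59:03", "Operation": "UserLoggedIn", "UserId": USER,
     "ClientIP": "198.51.100.22", "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded",
     "UserAgent": "python-requests/2.31"},
    {"CreationTime": "2024-03-05T08:01:12", "Operation": "UserLoggedIn", "UserId": USER,
     "ClientIP": "203.0.113.5", "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"CreationTime": "2024-03-05T08:05:10", "Operation": "FileAccessed", "UserId": USER,
     "ClientIP": "198.51.100.22", "Workload": "SharePoint", "ResultStatus": "Succeeded",
     "SourceFileName": "Q1-forecast.xlsx",
     "ObjectId": "https://contoso.example/sites/Finance/Q1-forecast.xlsx"},
    {"CreationTime": "2024-03-05T08:10:00", "Operation": "New-InboxRule", "UserId": USER,
     "ClientIP": "198.51.100.22", "Workload": "Exchange", "ResultStatus": "True",
     "Parameters": [{"Name": "ForwardTo", "Value": "mailbox@external.example"}]},
    {"CreationTime": "2024-03-05T09:15:00", "Operation": "MessageSent", "UserId": USER,
     "ClientIP": "203.0.113.5", "Workload": "MicrosoftTeams", "ResultStatus": "Succeeded",
     "ChatThreadId": "19:finance-chat@thread.v2"},
    # Noise the user/window filter must drop: another user, and a prior-day event.
    {"CreationTime": "2024-03-05T08:20:00", "Operation": "UserLoggedIn", "UserId": "bob@contoso.example",
     "ClientIP": "203.0.113.9", "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-03-04T16:00:00", "Operation": "FileAccessed", "UserId": USER,
     "ClientIP": "203.0.113.5", "Workload": "SharePoint", "ResultStatus": "Succeeded",
     "SourceFileName": "notes.docx", "ObjectId": "https://contoso.example/sites/Finance/notes.docx"},
]

# Fields shown for every operation, plus assumed per-operation "important" fields.
COMMON_FIELDS = ["CreationTime", "ClientIP", "Workload", "ResultStatus"]
OPERATION_FIELDS = {
    "UserLoggedIn": ["UserAgent"], "UserLoginFailed": ["UserAgent"],
    "FileAccessed": ["SourceFileName", "ObjectId"], "FileDownloaded": ["SourceFileName", "ObjectId"],
    "New-InboxRule": ["Parameters"], "MessageSent": ["ChatThreadId"],
}


def parse_time(value):
    """Audit timestamps are UTC without an offset; make them timezone-aware."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def select_window(records, user_id, start, end):
    """Raw input for step 1: this user's records inside [start, end), ISO-8601 bounds."""
    lo, hi = parse_time(start), parse_time(end)
    return [r for r in records
            if r["UserId"].lower() == user_id.lower() and lo <= parse_time(r["CreationTime"]) < hi]


def aggregate_operations(records):
    """Step 1: the unique operations and how often each occurred; order and details ignored."""
    return Counter(r["Operation"] for r in records)


def gather_fields(records, operation):
    """Step 2: one query per operation, projecting only the important fields, in time order."""
    fields = COMMON_FIELDS + OPERATION_FIELDS.get(operation, [])
    rows = [{f: r.get(f) for f in fields} for r in records if r["Operation"] == operation]
    return sorted(rows, key=lambda row: parse_time(row["CreationTime"]))


def build_mini_timelines(records, user_id, start, end):
    """Group-then-sort: {operation: [rows]}, most frequent operations first, then by name."""
    scoped = select_window(records, user_id, start, end)
    counts = aggregate_operations(scoped)
    return {op: gather_fields(scoped, op) for op in sorted(counts, key=lambda op: (-counts[op], op))}


def distinct_values(rows, field):
    """For the 'compare similar fields' step: every value a field took within one group."""
    return sorted({str(row[field]) for row in rows if row.get(field) is not None})


if __name__ == "__main__":
    groups = build_mini_timelines(SAMPLE_RECORDS, USER, "2024-03-05T07:00:00", "2024-03-05T12:00:00")
    for op, rows in groups.items():
        print(f"== {op} ({len(rows)} events) ==")
        for row in rows:
            print("  ", row)
        ips = distinct_values(rows, "ClientIP")
        if len(ips) > 1:   # two client IPs behind one user's logins is worth a second look
            print("   note: more than one client IP in this group:", ips)
```

Run against the constructed data, the login group shows the same account arriving from two client IPs with two different user agents within a few minutes, and the single New-InboxRule event exposes a ForwardTo parameter without the analyst having to read every other event in between; that is the comparison-within-a-group the text describes. In practice the records would come from an export of the unified audit log (for example via the Search-UnifiedAuditLog cmdlet or the Management Activity API), whose nested ExtendedProperties and Parameters arrays would need to be flattened before this kind of field projection.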