Full Report
Patterson Cake // When it comes to M365 audit and investigation, the “Unified Audit Log” (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend […] The post Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Exchange Online Management PowerShell Module (EXO) & SOF-ELK Integration
## Overview
This summary focuses on an investigative methodology for handling the Microsoft 365 Unified Audit Log (UAL). The primary tools discussed for data acquisition and initial analysis are the **Exchange Online Management PowerShell module (EXO)** and the **Security Operations and Forensics Elasticsearch, Logstash, Kibana (SOF-ELK)** stack, used together to overcome challenges in acquiring, parsing, and querying UAL data.
## Technical Details
- Type: Tool / Framework (Investigative Procedure)
- Platform: Microsoft 365 (Exchange Online/Unified Audit Log), Windows Server (for hosting components/PowerShell)
- Capabilities: Connect to M365 services, retrieve UAL data via `Search-UnifiedAuditLog`, inline filtering during acquisition, flexible output formats suitable for external log analysis systems.
- First Seen: The article references EXO version 3.2.0, requiring PowerShell 7.
## MITRE ATT&CK Mapping
The material is defensive: it covers acquiring and analyzing logs, not offensive operations. The ATT&CK mappings below are therefore indirect, touching mainly on Defense Evasion and Discovery as they appear in an M365 investigation.
- **TA0008 - Lateral Movement** (indirect; the goal of an investigation is often to trace lateral movement):
  - T1083 - File and Directory Discovery (used for discovery during analysis)
- **TA0009 - Collection:**
  - T1530 - Data from Local System (collecting service logs)
- **T1560 - Archive Collected Data:**
  - T1560.001 - Archive via Utility (exporting data to CSV for external processing)
- **TA0010/TA0012 - Exfiltration/Command and Control** (relevant if an adversary uses legitimate tools for stealthy operations, though this context is defensive):
  - T1071.001 - Application Layer Protocol: Web Protocols (M365 API/PowerShell traffic)
## Functionality
### Core Capabilities
- **Data Acquisition:** Using `Connect-ExchangeOnline` (requiring modern authentication and MFA) to establish a secure connection to M365 services.
- **UAL Querying:** Utilizing the `Search-UnifiedAuditLog` cmdlet with parameters like `StartDate`, `EndDate`, and `UserIds` for targeted data retrieval.
- **Inline Filtering:** Capabilities within EXO to limit the size and scope of data returned from the UAL directly upon acquisition.
- **Output Handling:** Generating output (which includes a JSON `AuditData` blob) that is structured for subsequent parsing in an external analysis platform like SOF-ELK.
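The four capabilities above chain into one acquisition script. The following is an added example, not code from the BHIS post: it connects with modern authentication, pages through `Search-UnifiedAuditLog` for one account and date window, and writes the result to CSV with the `AuditData` blob intact so SOF-ELK can parse it. The two UPNs, the seven-day window and the output path are placeholder assumptions; the account running it needs a role permitted to run `Search-UnifiedAuditLog`.

```powershell
#Requires -Version 7.0
# Added example (not from the BHIS post). Requires the ExchangeOnlineManagement module
# (the article references 3.2.0 on PowerShell 7). UPNs, dates and output path are placeholders.

Import-Module ExchangeOnlineManagement

# Interactive modern auth; MFA is enforced by the tenant's policy, not by this script.
Connect-ExchangeOnline -UserPrincipalName 'investigator@example.onmicrosoft.com' -ShowBanner:$false

$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$target  = 'reviewed.user@example.onmicrosoft.com'   # placeholder: account under review
$outFile = Join-Path $HOME ("ual-{0}-{1}.csv" -f $target.Split('@')[0], (Get-Date -Format yyyyMMdd))

# Search-UnifiedAuditLog returns at most 5000 records per call. A fixed SessionId with
# -SessionCommand ReturnLargeSet lets us page through a larger set (up to 50,000 per session).
$sessionId = [guid]::NewGuid().ToString()
$all       = [System.Collections.Generic.List[object]]::new()

do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $target `
        -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000

    # The cmdlet may return a single object rather than an array; add item by item.
    foreach ($record in @($page)) { $all.Add($record) }
    Write-Host ("Fetched {0} records so far" -f $all.Count)
} while ($page -and @($page).Count -ge 5000)   # a short page means the set is exhausted

# Keep AuditData as the raw JSON string: SOF-ELK does the parsing downstream, and flattening
# it here would lose fields. Export the record metadata alongside it.
$all |
    Select-Object CreationDate, UserIds, Operations, RecordType, ResultIndex, ResultCount, Identity, AuditData |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding utf8

Disconnect-ExchangeOnline -Confirm:$false
Write-Host ("Wrote {0} records to {1}" -f $all.Count, $outFile)
```

Narrowing the query at acquisition time (the `UserIds` and date parameters here, or `-Operations` and `-RecordType` where the case allows) is what keeps the export within the per-session ceiling; pulling a whole tenant's UAL and filtering afterwards in SOF-ELK is the slow path.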
### Advanced Features
- **SOF-ELK Integration:** The methodology feeds exported UAL data (CSV format) into the SOF-ELK stack for advanced parsing, visualization, columnar display, sorting, and faceted searching of audit events.
- **Field Visualization:** Within the SOF-ELK interface, users can inspect fields within the `AuditData` JSON blob (e.g., `workload`, `operation`, `ips`, `useragent`), add them as searchable columns, and dynamically filter on specific values within those fields.
- **Iterative Analysis:** Supports an investigative loop involving adding fields, filtering results, and repeatedly refining the query parameters.
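The columns, facets and filters SOF-ELK offers all come from fields inside the `AuditData` JSON, which is opaque in the raw CSV. This added example (not the post's code and not SOF-ELK's parser) does the same extraction in plain PowerShell over three constructed sample records, so you can check an export and see the `Workload`, `Operation`, `ClientIP` and `UserAgent` fields before ingesting it. The record contents and the known-good IP list are constructed sample data, not from the article.

```powershell
# Added example (not from the post or SOF-ELK). The CSV below is constructed sample data
# in the shape Export-Csv produces: AuditData is a JSON string with its quotes doubled.
$csvText = @'
"CreationDate","UserIds","Operations","RecordType","AuditData"
"2024-01-15 08:01:12","alice@example.onmicrosoft.com","UserLoggedIn","AzureActiveDirectoryStsLogon","{""CreationTime"":""2024-01-15T08:01:12"",""Operation"":""UserLoggedIn"",""Workload"":""AzureActiveDirectory"",""UserId"":""alice@example.onmicrosoft.com"",""ClientIP"":""203.0.113.10"",""ResultStatus"":""Success"",""ExtendedProperties"":[{""Name"":""UserAgent"",""Value"":""Mozilla/5.0 (Windows NT 10.0) Chrome/120""}]}"
"2024-01-15 08:05:40","alice@example.onmicrosoft.com","MailItemsAccessed","ExchangeItemAggregated","{""CreationTime"":""2024-01-15T08:05:40"",""Operation"":""MailItemsAccessed"",""Workload"":""Exchange"",""UserId"":""alice@example.onmicrosoft.com"",""ClientIP"":""203.0.113.10"",""ResultStatus"":""Succeeded""}"
"2024-01-15 23:47:03","alice@example.onmicrosoft.com","New-InboxRule","ExchangeAdmin","{""CreationTime"":""2024-01-15T23:47:03"",""Operation"":""New-InboxRule"",""Workload"":""Exchange"",""UserId"":""alice@example.onmicrosoft.com"",""ClientIP"":""198.51.100.77"",""ResultStatus"":""True"",""ExtendedProperties"":[{""Name"":""UserAgent"",""Value"":""Mozilla/5.0 (X11; Linux x86_64) Firefox/121""}]}"
'@

function ConvertFrom-UalExport {
    # Flatten each row's AuditData JSON into the handful of fields an analyst pivots on.
    param([Parameter(Mandatory)][string]$Csv)

    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $ad = $row.AuditData | ConvertFrom-Json

        # UserAgent, when present, lives in ExtendedProperties as a Name/Value pair.
        $ua = ($ad.ExtendedProperties | Where-Object Name -eq 'UserAgent' | Select-Object -First 1).Value

        [pscustomobject]@{
            Time      = [datetime]$ad.CreationTime
            User      = $ad.UserId
            Workload  = $ad.Workload
            Operation = $ad.Operation
            ClientIP  = $ad.ClientIP
            Result    = $ad.ResultStatus
            UserAgent = $ua
        }
    }
}

$flat = ConvertFrom-UalExport -Csv $csvText

# Columnar view, as SOF-ELK shows it once the fields are added as columns.
$flat | Sort-Object Time | Format-Table -AutoSize

# Faceted view: how often each Workload / ClientIP pair appears.
$flat | Group-Object Workload, ClientIP | Select-Object Count, Name | Sort-Object Count -Descending

# One filter step of the iterative loop: events from IPs outside the known-good list
# for this account (constructed list; in practice it comes from the case context).
$knownIps = @('203.0.113.10')
$flat | Where-Object { $_.ClientIP -and $_.ClientIP -notin $knownIps } | Format-Table -AutoSize
```

On the sample data the last filter surfaces only the `New-InboxRule` event from 198.51.100.77, which is the kind of result that then drives the next refinement of the `Search-UnifiedAuditLog` parameters (widen the date range, add `-IPAddresses`, or pivot to other accounts seen from that address).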
## Indicators of Compromise
*Note: Since this is a description of an independent analysis toolset and methodology, no traditional offensive IOCs (hashes, specific C2s) are present. The relevant "indicators" are the specific administrative commands and components required for the process.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: M365 authentication endpoints used for connection (e.g., Microsoft 365/Azure AD authentication services).
- Behavioral Indicators: Use of `pwsh.exe` (PowerShell 7) to execute administrative modules like `Install-Module` and `Connect-ExchangeOnline`.
## Associated Threat Actors
None identified. This methodology is designed for Microsoft 365 defenders and auditors.
## Detection Methods
Detection focuses on monitoring the administrative actions taken by the analyst/defender:
- **Behavioral Detection:** Monitoring for the installation of administrative PowerShell modules (`ExchangeOnlineManagement`, `microsoft.graph`) on analyst workstations or network acquisition servers.
- **Administrative Logging:** Monitoring M365 audit logs for connection events using service principals or user accounts executing high volumes of `Search-UnifiedAuditLog` commands.
## Mitigation Strategies
The strategies focus on controlling access to the UAL data:
- **Least Privilege Access:** Ensuring only authorized investigators hold the role required to run `Search-UnifiedAuditLog` (check Microsoft's permissions documentation for the cmdlet before granting it).
- **MFA Enforcement:** Requiring Multi-Factor Authentication for all administrative access used during the investigation.
- **SOF-ELK Security:** Securing the SOF-ELK instance, as it will contain sensitive, raw audit data.
## Related Tools/Techniques
- **Unified Audit Log (UAL):** The primary data source.
- **SOF-ELK:** The chosen platform for log ingestion, parsing, and searching.
- **Office 365 API:** An alternative method for UAL acquisition mentioned in the article.
- **Compliance Portal (Purview):** The graphical interface alternative for UAL searching.