This article is contributed. See the original author and article here.

Welcome to our first post in the “Microsoft Cloud App Security: The Hunt blog series!  
Using Microsoft 365 Defender, our integrated solution, we will address common alerts customers receive in Microsoft Cloud App Security (called “MCAS” by users and enthusiasts) to determine the full scope and impact of a threat. We will show case how Microsoft 365 Defender assists security engineers by providing critical details such as how the threat entered the environment, what it has affected and how it is currently impacting the enterprise.


 


We will do this by taking the details we are given from an alert from Cloud App Security, using Kusto Query Language or KQL to query logs from various products across the Microsoft security stack that are available in Microsoft 365 defender Advanced hunting today.
Additionally, we will use the mapping of the MITRE ATT&CK Framework tactics and techniques available in 
Cloud App Security to assist our investigation on where or how an adversary may move next.


 


Throughout this blog series, we will address the alerts and scenarios we have seen most frequently from customers and apply simple but effective queries that can be used in everyday investigations. 


To begin this exciting journey, our first use case will walk you through a possible investigation path you could follow once receiving a multi-stage incidents from Cloud App Security. 


 


Use case 


Contoso implemented Microsoft 365 and is monitoring users at risk using Microsoft’s security solutions. 
While reviewing the new incidents, our security analyst notices a new multi-staged incident for a user named Megan Bowens. 


Multi-stage incidentMulti-stage incident


 


 


By opening the incident, our analyst can immediately identify the incident alerts and the mapped MITRE tactics. Based on those, it looks like the user account might have been compromised. Let’s confirm this using M365 Defender!  


94387B51-CB01-4EC3-B750-208FBFA8CF74.png


 


Investigation


Step 1: review the alerts to understand the incident context 


By looking at the timeline, it seems that the user connected from a location she did not use in the last six months (Activity from infrequent country:( Romania.


444E74F8-1386-48A4-B22A-0A30FD07BBB8.png


 


Microsoft Cloud App Security then triggered an out-of-the-box alert regarding activities from distant locations (Impossible travel activity). Using the information from this alert, admins can review activities from anywhere in the world: Belgium, Romania but also Belarus! 


 


0A863139-45F3-4A83-940F-64CE5F4A6115.png


 


Finally, it appears that during this session, the user created an inbox rule forwarding emails to hackerz007@gmail.com, which is considered as suspicious by Microsoft Cloud App Security. 


 


B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png


 


Now that we understand the context, let’s investigate to understand the scope of the breach. 


 


 


Step 2: understand user’s specific context 


Before spending time in logs, we must understand the user’s context. The easiest way is to open her user page and review the provided information: 


B01A4548-8BE9-4212-9347-D30B4BDDF39E.png


 


 


 


On the user page, we are immediately provided information confirming that something happened with this user account: Megan’s account is considered a high risk by Azure Active Directory and her Investigation priority score suddenly increased in the last few days, plus her score is higher than 90% of the organization. We can also see from this page that she’s located in the United States. 


C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png


 


To understand her habits, let’s open the Locations details: 


 


345F053E-000C-48DF-874F-43EDBAA00D3F.png


This shows us the different locations used by the user in the last 30 days and the percentage of activities performed from those locations. 
It immediately appears that she is usually working from the US and Belgium, so activities performed from those countries are normal:


3C571F81-C246-4226-8C5E-6DD27CAE7CB6.png


 If we go further, we can also see that some activities have been performed from other locations: Romania and Belarus: 


7E3B54C1-2AAB-4820-8AC9-1CB6A8442374.pngE52CC868-FF08-4E76-B9C5-57D7887FC459.png


 


 


Now that we understand what is anomalous behavior for Megan (bases on the information above and her tracked “Locations” in her user profile), let’s hunt! 


 


Step 3: review the suspicious activities to understand the scope of the breach 


Our investigation will go through in different phases (list non-exhaustive). 


 


































Action 



Why ? 



Summarize all the performed actions from the suspicious IP/location for that account 



Understand the risk based on performed activities (ex: reading an email = low risk, downloading/sharing files = medium risk, creating inbox rule/admin activities = high risk).  
If low risk activities, from mobile device for example, no further investigation might be required as this could be the user using a VPN client on her phone. 



Provide details on all accessed emails and their path in the mailbox 



Understand if access was targeted to sensitive information (finance, secrets, …). 
If the information seems sensitive and the device type seems suspicious, further investigation required. 


Also review the user agent to identify suspicious access. 



If emails were sent, review the recipients and message details. 



Identify potential phishing attempts or identify other compromised accounts. 
We will also use the user agent to identify potential tools using Graph API or SMTP. 



Review the accessed files 



Understand if access was targeted to sensitive information (finance, secrets, …). 



Review the created inbox rules 



Inbox rules can be used to exfiltrate data or hide conversations between the attacker and other recipients. 



Review other users using this IP address 



Identify potential compromised users or identify new potential corporate IP address used by a new office. 



 



  1. Obtain the user’s account object Id. 
    The Azure AD Account object ID is the unique identifier of a user account. Therefore, we will use this identifier for hunting scenarios as it is exposed in the different tables. You can get the user’s account object ID from the user entity page (screenshot below), or by querying the IdentityInfo table:

    contact.png

     Querying the table: 

    IdentityInfo | where AccountUpn =~ 'meganb@seccxp.ninja' 

    query.png




  2. Review our user’s signings to identify other potential suspicious locations or IP addresses.
    Using this query, you can get an overview of the users signing activity and identify potential anomalies. Note that if the user is using an AAD joined device and passing through a conditional access policy, the details of the managed device are exposed:

    let timeToSearch = startofday(datetime('2020-11-14')); 
    AADSignInEventsBeta  
    | where AccountObjectId == 'eababd92-9dc7-40e3-9359-6c106522db19' and Timestamp >= timeToSearch  
    | distinct Application, ResourceDisplayName, Country, City, IPAddress, DeviceName, DeviceTrustType, OSPlatform, IsManaged, IsCompliant, AuthenticationRequirement, RiskState, UserAgent, ClientAppUsed

    pc.png




  3. Summarize all the performed actions from the suspicious IP/location for that account. 
    Using this Advanced hunting query scoped to the alerts date, we can easily identify the performed actions: 

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where AccountObjectId == accountId and CountryCode in (locations) and Timestamp >= timeToSearch  
    | summarize by ActionType, CountryCode, AccountObjectId  
    | sort by ActionType asc 

     
    We can see that the malicious actor accessed and deleted emails, opened files, created and deleted inbox rules. 
    That’s a great start! We know now what we are looking for. 

    6E2142E0-5376-44F5-ACA5-2742AACFFEF5.png



  4. Review the accessed emails. 
    To understand what the actor was looking for, we can use the following query. It’s using events available with advanced auditing and the EmailEvents table to enrich emails details (subject, sender, recipients, …) when possible.

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType == 'MailItemsAccessed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | mv-expand todynamic(RawEventData.Folders)  
        | extend Path = todynamic(RawEventData_Folders.Path), SessionId = tostring(RawEventData.SessionId) 
        | mv-expand todynamic(RawEventData_Folders.FolderItems) 
        | project SessionId, Timestamp, AccountObjectId, DeviceType, CountryCode, City, IPAddress, UserAgent, Path, Message = tostring(RawEventData_Folders_FolderItems.InternetMessageId) 
        | join kind=leftouter ( 
            EmailEvents  
            | where RecipientObjectId == accountId  
            | project Subject, RecipientEmailAddress , SenderMailFromAddress , DeliveryLocation , ThreatTypes, AttachmentCount , UrlCount , InternetMessageId  
            ) on $left.Message == $right.InternetMessageId  
    | sort by Timestamp desc


    Note the clients used: a browser and REST, indicating potential script accessing the emails:
    766F6521-7063-4624-9C62-8748484FA4CB.png


     emails.png


     



  5. Review the accessed folders and files:

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType == 'FilePreviewed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | project Timestamp, CountryCode , IPAddress , ISP, UserAgent , Application, ActivityObjects, AccountObjectId 
        | mv-expand ActivityObjects 
        | where ActivityObjects['Type'] in ('File', 'Folder')  
        | evaluate bag_unpack(ActivityObjects) 

    7F23CA13-92CF-4EF7-BE77-C848DEE982B3.png


     


     




  6. Review the deleted emails. This might indicate that the actor tried to remove traces of discussions with other users or deletion of alerting emails: 

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType in~ ('MoveToDeletedItems', 'SoftDelete') and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | mv-expand ActivityObjects 
        | where ActivityObjects['Type'] in ('Email', 'Folder') 
        | evaluate bag_unpack(ActivityObjects) 
        | distinct Timestamp, AccountObjectId, ActionType, CountryCode, IPAddress, Type, Name, Id 
    | sort by Timestamp desc 



  7. Review the created/enabled/modified inbox rules. You can see here that the rule if looking for specific keywords, like “Credit Card” or “Password”: 

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType contains_cs 'InboxRule' and CountryCode in (locations) 
        | extend RuleParameters = RawEventData.Parameters 
    | project Timestamp, CountryCode , IPAddress , ISP, ActionType , ObjectName , RuleParameters  
    | sort by Timestamp desc 

    299DB357-91E0-419E-9029-63AE9B538722.png

     





  8. Now is time for our latest query that will identify scope of the breach. We hunted to get more information on Megan, our impacted user we got alerted from the incident. But there might be additional compromised users, we’ll use the IP addresses from the initial breach and search for other users having activities from those IP addresses:

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    let ips = (CloudAppEvents 
            | where CountryCode in (locations )  
            | distinct IPAddress , AccountObjectId  
    ); 
    ips  
    | join (CloudAppEvents | project ActivityIP = IPAddress, UserId = AccountObjectId ) on $left.IPAddress == $right.ActivityIP  
    | distinct UserId  
    | join IdentityInfo on $left.UserId == $right.AccountObjectId 
    | distinct AccountDisplayName , AccountUpn , Department , Country , City, AccountObjectId  
    
      


    B318F20C-D2E2-4555-8278-3C26F1B68A8E.png

     




Step 4: time to remediate! 


Now that we have confirmed that Megan’s account had been compromised and we confirmed she was the only impacted user, it’s time to take action. 


The required actions will of course depend on your specific procedures, but a good start is confirming the user as compromised by clicking on “Take actions” or by going back to the user page and apply actions like suspending the user or requesting the user to sign-in again. 


 


take actions.png


confirm compromised.png


 


If you are syncing your accounts from Active Directory, you must perform the remediation steps on-premises. 
Also, note that integrating non-Microsoft apps to Microsoft Cloud App Security allows you to apply remediation to those apps too. 


 


124A9DE9-97CD-44A9-B758-F06C7E179562.png


 


 


A huge Thanks to @Tali Ash for the review!


 


 


 


For more information about the features discussed in this article, read: 



Learn more 


For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: 

























Join the conversation on Tech Community 


Stay up to date—subscribe to our blog.  



Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. 



Learn more—download Top 20 use cases for CASB. 



Connect your cloud apps to detect suspicious user activity and exposed sensitive data. 



Search documentation on Microsoft Cloud App Security 



Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment. 



Understand your licensing options​.  



Continue with more advanced use cases across information protection, compliance, and more. 



Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training 


Go deeper these interactive guides: 




 


 


To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security. 


Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity. 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.