DFIR-O365RC: PowerShell module for Office 365 and Azure AD log collection
DFIR-O365RC
The DFIR-O365RC PowerShell module is a set of functions that allow a DFIR analyst to collect the logs relevant to Office 365 Business Email Compromise investigations.
The logs are written in JSON format and retrieved from two main data sources:
- Office 365 Unified Audit Logs.
- Azure AD sign-ins logs and audit logs.
The two data sources can be queried from different endpoints:
| Data source / Endpoint | History | Performance | Scope | Pre-requisites (OS or Azure) |
|---|---|---|---|---|
| Unified Audit Logs / Exchange Online PowerShell | 90 days | Poor | All Office 365 logs (Azure AD included) | None |
| Unified Audit Logs / Office 365 Management API | 7 days | Good | All Office 365 logs (Azure AD included) | Azure App registration |
| Azure AD Logs / Azure AD PowerShell Preview | 30 days | Good | Azure AD sign-ins and audit events only | Windows OS only |
| Azure AD Logs / MS Graph API | 30 days | Good | Azure AD sign-ins and audit events only | None |
DFIR-O365RC is a forensic tool; it is not meant to monitor your Office 365 infrastructure in real time. Use the Office 365 Management API if you want to analyze data in real time with a SIEM.
DFIR-O365RC fetches data from:
- Azure AD logs via the MS Graph API: performance is good, history is 30 days, and it works on PowerShell Core.
- Unified Audit Logs via Exchange Online PowerShell: performance is poor, but history is 90 days and it works on PowerShell Core.
As a result, DFIR-O365RC also works on Linux or macOS, as long as PowerShell Core and a browser (needed for device login) are available.
Functions included in the module
The module has 6 functions:
| Function name | Data Source/History | Performance | Completeness | Details |
|---|---|---|---|---|
| Get-O365Full | Unified audit logs/90 days | Poor | All unified audit logs | A subset of logs per record type can be retrieved. Use only on a small tenant or for a short period of time. |
| Get-O365Light | Unified audit logs/90 days | Good | A subset of unified audit logs only | Only a subset of operations considered of interest is retrieved. |
| Get-DefenderforO365 | Unified audit logs/90 days | Good | A subset of unified audit logs only | Retrieves Defender for Office 365 related logs. Requires at least an E5 license or a license plan such as Microsoft Defender for Office 365 Plan or Cloud App Security. |
| Get-AADLogs | Azure AD Logs/30 days | Good | All Azure AD logs | Gets tenant general information, all Azure sign-ins and audit logs. Azure AD sign-in logs contain more information than the Azure AD logs retrieved via Unified audit logs. |
| Get-AADApps | Azure AD Logs/30 days | Good | A subset of Azure AD logs only | Gets Azure audit logs related to Azure applications and service principals only. The logs are enriched with application or service principal object information. |
| Search-O365 | Unified audit logs/90 days | Depends on the query | A subset of unified audit logs only | Searches for activity related to a particular user or IP address, or runs a freetext query. |
When querying Unified Audit Logs you are limited to 3 concurrent Exchange Online PowerShell sessions. DFIR-O365RC will try to use all available sessions, so please close any existing session before launching the log collection.
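As an added pre-flight helper (not part of the DFIR-O365RC module), the function below closes any Exchange Online remote session still open in the current PowerShell process and reports how many of the 3 slots should be free. It assumes that Exchange Online sessions appear in Get-PSSession with ConfigurationName 'Microsoft.Exchange' and that Disconnect-ExchangeOnline is available when the ExchangeOnlineManagement module is loaded.

```powershell
# Added example, not DFIR-O365RC code.
# Assumption: Exchange Online remote sessions are listed by Get-PSSession
# with ConfigurationName 'Microsoft.Exchange'.
function Clear-ExoSessions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Tenant-side limit of concurrent Exchange Online PowerShell sessions
        [int]$MaxConcurrent = 3
    )

    $filter = { $_.ConfigurationName -eq 'Microsoft.Exchange' }
    $exo = @(Get-PSSession | Where-Object $filter)

    foreach ($s in $exo) {
        $target = "$($s.ComputerName) (state: $($s.State))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove-PSSession')) {
            Remove-PSSession -Session $s
        }
    }

    # If the ExchangeOnlineManagement module is loaded, also let it tear down
    # its own connection state; skipped silently when the cmdlet is absent.
    if (Get-Command Disconnect-ExchangeOnline -ErrorAction SilentlyContinue) {
        Disconnect-ExchangeOnline -Confirm:$false
    }

    $remaining = @(Get-PSSession | Where-Object $filter).Count
    [pscustomobject]@{
        Closed    = $exo.Count
        Remaining = $remaining
        FreeSlots = [Math]::Max(0, $MaxConcurrent - $remaining)
    }
}

# Usage before starting a collection run:
Clear-ExoSessions
```

Only sessions belonging to this PowerShell process are visible here; sessions left open in another console or on another host still count against the tenant-side limit, so FreeSlots is an upper bound.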
Install & Use
Copyright (C) 2021 ANSSI-FR