The document discusses utilizing Microsoft APIs to access audit logs for security investigations in Office 365 and Azure AD. It provides an overview of available audit options and APIs, including the Office 365 Management Activity API and Azure AD Audit Log API. It then demonstrates an example security investigation utilizing these APIs to hunt for suspicious activity like compromised accounts and malware spreading. The investigation uncovered how a user was hacked, files were leaked, and an adversary tried to gain persistent access through creating rules and temporary users.
Utilizing Microsoft Graph API and Office 365 Management Activity API during security investigation
1. Utilizing Microsoft Graph API and Office 365 Management Activity API during security investigations
Kirill Bogdanov,
Security TSP, Microsoft
2. phdays.com #PHDays
Agenda:
• Audit options available in Office 365 and Azure AD
• Office 365 Management Activity API
• Azure AD Audit API
• DIY PowerShell script to download logs
• Investigating attack
3. Key takeaways:
• Understand audit options in Office 365 and Azure
• Get a basic understanding of the APIs for retrieving audit events
• Observe an example investigation utilizing the APIs
6. What activities are available?
• Administrative actions
• Sign-on information
• User actions
• DLP alerts
• eDiscovery requests
• Depending on subscription
7. Retention
• Events are stored for 90 days
• Office 365 E5 users' actions will be retained for 365 days (private preview)
• The Office 365 Management Activity API exposes only 7 days of history
11. "Get into local infrastructure"
Download using native SIEM connectors and the Office 365 Management Activity API
Microsoft Cloud App Security SYSLOG SIEM connector
Or create a connector yourself!
13. Office 365 Management Activity API
REST web service
Uses Azure AD and OAuth2 for authentication and authorization
SO…
1. Register an app in Azure AD
2. Get a JWT token for the app and the activity API and craft the Authorization header
(use https://login.windows.net/{TenantID}/oauth2/token/{TenantID} for Authority)
3. Use REST methods to get or post info from/to the API
(use https://manage.office.com/api/v1.0/{TenantID}/activity/feed for requests)
15. Office 365 Management Activity API
Step 1: Enable the content type (optionally add a webhook)
POST {root}/subscriptions/start?contentType=Audit.SharePoint
Step 2: Retrieve the list of available content
GET {root}/subscriptions/content?contentType=Audit.SharePoint
Step 3: Retrieve the events in JSON form from the content URI
GET {root}/audit/301299007231$301299007231
16. Office 365 Management Activity API
Data is aggregated from different sources and is not aligned in time
Some sources can take up to 24h to provide data
Request throttling: 60K req/min via PublisherIdentifier
By default returns content for the last 24 hours. You can specify any interval shorter than 24h within the last 7 days
Results are paginated, with NextPageUri returned in the response
A webhook will receive the content address as soon as content is available
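The three-step flow on slides 13 to 16 (token, subscription, paginated content listing, blob download) as one script. This is an added example, not code from the deck or from Microsoft; it assumes an Azure AD app registration that has been granted the ActivityFeed.Read application permission with admin consent, uses the OAuth2 v1 token endpoint with resource https://manage.office.com, and treats the tenant ID, client ID, client secret and output path as placeholders.

```powershell
# Added example (not from the original deck): download Office 365 Management Activity API
# events for one time window, following NextPageUri pagination, and save them to disk.
# Assumptions: app registration with ActivityFeed.Read application permission; the
# TenantId/ClientId/ClientSecret values below are placeholders, not real identifiers.
param(
    [string]$TenantId     = "<tenant-id>",
    [string]$ClientId     = "<app-client-id>",
    [string]$ClientSecret = "<app-client-secret>",
    [string]$ContentType  = "Audit.Exchange",   # Audit.AzureActiveDirectory, Audit.SharePoint, Audit.General, DLP.All
    [int]$HoursBack       = 24,                 # the API accepts windows of up to 24h within the last 7 days
    [string]$OutFile      = ".\o365-activity.json"
)

$authority = "https://login.windows.net/$TenantId/oauth2/token"
$root      = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"

# 1. Client-credentials token for the resource https://manage.office.com
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    resource      = "https://manage.office.com"
}
$token      = (Invoke-RestMethod -Method Post -Uri $authority -Body $tokenBody).access_token
$authHeader = @{ Authorization = "Bearer $token" }

# 2. Make sure the content type is enabled. Starting an already enabled subscription
#    returns an error, so check the subscription list first.
$subs = Invoke-RestMethod -Method Get -Uri "$root/subscriptions/list" -Headers $authHeader
if (-not ($subs | Where-Object { $_.contentType -eq $ContentType -and $_.status -eq "enabled" })) {
    Invoke-RestMethod -Method Post -Uri "$root/subscriptions/start?contentType=$ContentType" -Headers $authHeader | Out-Null
}

# 3. List the content blobs for the window. NextPageUri is a response header, so use
#    Invoke-WebRequest (Invoke-RestMethod discards headers in Windows PowerShell 5.1).
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-$HoursBack)
$fmt   = "yyyy-MM-ddTHH:mm:ss"
$uri   = "$root/subscriptions/content?contentType=$ContentType&startTime=$($start.ToString($fmt))&endTime=$($end.ToString($fmt))"

$blobs = @()
while ($uri) {
    $resp = Invoke-WebRequest -Method Get -Uri $uri -Headers $authHeader -UseBasicParsing
    $page = $resp.Content | ConvertFrom-Json
    if ($page) { $blobs += @($page) }
    $uri = @($resp.Headers["NextPageUri"])[0]   # $null on the last page, which ends the loop
}

# 4. Each blob is a JSON array of events; pull them all and persist them locally,
#    which is the "download regularly and keep them" option the deck mentions.
$events = foreach ($b in $blobs) {
    Invoke-RestMethod -Method Get -Uri $b.contentUri -Headers $authHeader
}

$events | ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile
"Saved $(@($events).Count) $ContentType events from $(@($blobs).Count) content blob(s) to $OutFile"
```

Run it once per content type you care about (Audit.Exchange, Audit.AzureActiveDirectory, Audit.SharePoint) and keep the output files: the API only serves 7 days of history, so a scheduled run is what turns it into an investigation archive. Stay well below the 60K requests per minute throttling limit when backfilling several days of blobs.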
18. Azure AD Audit Log API
Subset of the Microsoft Graph REST API
Supports OData query parameters for response customization
Sign-on data requires Azure AD P1 or higher
The information contained depends on the available subscriptions
Uses Azure AD and OAuth2 for authentication and authorization
SO…
19. Azure AD Audit Log API
1. Register an app in Azure AD
2. Get a JWT token for the app and the Graph API and craft the Authorization header
(use https://login.microsoftonline.com/{TenantID} for Authority)
3. Use REST methods to get or post info from/to the API
(use https://graph.microsoft.com/{version}/{resource}?query-parameters for requests)
39. Investigating the incident
During routine work, an administrator discovers a journaling rule forwarding all his mail to an external mailbox.
It did not exist a week ago, and we hope to get the details from the audit logs (or we regularly download the events and have them locally).
41. First step
# $result holds the events downloaded from the Management Activity API
$result | where {$_.operation -like "*Journal*"}
Who is NewUser? We do not have him in the organization…
What else has he done?
63. What can Graph API tell us?
# $return2 holds the response of the Graph sign-in log query
$return2.value | where {$_.ipaddress -eq "191.232.238.156"} |
    Sort-Object -Property CreatedDateTime |
    select CreatedDateTime, AppDisplayName, ResourceDisplayName, UserDisplayName
65. What can Graph API tell us?
# $authHeader carries the Bearer token obtained for https://graph.microsoft.com
$BaseURI = "https://graph.microsoft.com/beta"
$SubURI = "auditLogs/directoryaudits"
$URI = "$BaseURI/$SubURI"
$Return = Invoke-RestMethod -Uri $URI -Headers $authHeader -Method Get -Verbose
$Return
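The Graph side of the investigation (slides 18, 19, 63 and 65) as one script: a token for https://graph.microsoft.com, an OData-filtered sign-in query pivoting on one source IP, and a directory-audit query narrowed to the operations that matter for persistence, with @odata.nextLink pagination. This is an added example, not code from the deck or from Microsoft. It assumes an app registration with the AuditLog.Read.All and Directory.Read.All application permissions, uses the v2.0 token endpoint and the v1.0 Graph endpoint rather than the beta endpoint on the slide, and treats the tenant ID, client ID, client secret and the IP address as placeholders. As the deck notes, the sign-in log needs Azure AD P1 or higher.

```powershell
# Added example (not from the original deck): query Azure AD sign-in and directory audit
# logs through Microsoft Graph with OData parameters, following @odata.nextLink.
# Assumptions: app registration with AuditLog.Read.All and Directory.Read.All application
# permissions; every ID, the secret and the suspect IP below are placeholders.
param(
    [string]$TenantId     = "<tenant-id>",
    [string]$ClientId     = "<app-client-id>",
    [string]$ClientSecret = "<app-client-secret>",
    [string]$SuspectIp    = "203.0.113.10",   # TEST-NET-3 documentation range, a placeholder
    [int]$DaysBack        = 7
)

# 1. Client-credentials token using the v2.0 endpoint and the .default scope
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
}
$tokenUri   = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token      = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody).access_token
$authHeader = @{ Authorization = "Bearer $token" }

# Returns every row of a Graph collection by following @odata.nextLink to the last page.
function Get-GraphCollection {
    param([string]$Uri, [hashtable]$Headers)
    while ($Uri) {
        $page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$graph = "https://graph.microsoft.com/v1.0"
$since = (Get-Date).ToUniversalTime().AddDays(-$DaysBack).ToString("yyyy-MM-ddTHH:mm:ssZ")

# 2. Every sign-in from the suspect IP in the window: which accounts, which apps, success or not.
#    The backtick keeps PowerShell from expanding $filter as a variable.
$signInUri = "$graph/auditLogs/signIns?`$filter=ipAddress eq '$SuspectIp' and createdDateTime ge $since"
$signIns   = Get-GraphCollection -Uri $signInUri -Headers $authHeader
"== Sign-ins from $SuspectIp since $since =="
$signIns | Sort-Object createdDateTime |
    Select-Object createdDateTime, userPrincipalName, appDisplayName, resourceDisplayName,
                  @{n='errorCode'; e={ $_.status.errorCode }} |   # 0 means the sign-in succeeded
    Format-Table -AutoSize

# 3. Directory changes in the same window that create or remove footholds:
#    user creation/deletion and role membership changes, with actor and target.
$auditUri = "$graph/auditLogs/directoryAudits?`$filter=activityDateTime ge $since"
$audits   = Get-GraphCollection -Uri $auditUri -Headers $authHeader
"== User and role changes since $since =="
$audits | Where-Object { $_.activityDisplayName -match 'Add user|Delete user|Add member to role|Remove member from role' } |
    Sort-Object activityDateTime |
    Select-Object activityDateTime, activityDisplayName,
                  @{n='actor';  e={ $_.initiatedBy.user.userPrincipalName }},
                  @{n='target'; e={ ($_.targetResources | ForEach-Object { $_.userPrincipalName }) -join ',' }} |
    Format-Table -AutoSize
```

The sign-in query answers the slide 63 question (what was done from that IP, and under which identities), and the directory-audit query answers the slide 65 one (who created, promoted and deleted the temporary account); the two joined on actor and time give the sequence behind the findings.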
66. Findings:
Patient zero is probably Irvin, whose account was compromised because of a weak password
His OneDrive and SharePoint files leaked
The adversary tried to spread malware through OneDrive sync
"Skype web experience" logins point to EWS connection attempts; we can suppose the use of MailSniper or similar tools
The DemoAdm password probably leaked from Irvin
The adversary created a temporary user, gave him the GA role and tried to gain persistence by setting mail forwarding for the administrator account using journaling rules
The temporary user was then deleted
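The triage pattern behind the findings (slides 39, 41 and 66), run over locally downloaded Management Activity API events: flag operations that change mail routing or admin membership, pivot on every source IP that produced one, spot accounts created and deleted inside the window, and count bulk OneDrive sync by user and IP. This is an added example, not code from the deck. The events embedded below are constructed sample records shaped like Unified Audit Log entries (CreationTime, Workload, Operation, UserId, ClientIP, ObjectId, Parameters); the user names, hosts and IPs are placeholders, and the exact operation names on real data may differ by workload.

```powershell
# Added example (not from the original deck): hunt through downloaded Management Activity
# events for the persistence and leak pattern described in the findings.
# $sampleJson is constructed sample data; on real data use: Get-Content .\o365-activity.json -Raw
$sampleJson = @'
[
 {"CreationTime":"2019-05-20T07:12:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"irvin@contoso.example","ClientIP":"198.51.100.7","ResultStatus":"Succeeded"},
 {"CreationTime":"2019-05-20T07:20:00","Workload":"OneDrive","Operation":"FileSyncDownloadedFull","UserId":"irvin@contoso.example","ClientIP":"198.51.100.7","ObjectId":"https://contoso-my.sharepoint.example/personal/irvin/Documents/budget.xlsx"},
 {"CreationTime":"2019-05-20T07:21:00","Workload":"OneDrive","Operation":"FileSyncDownloadedFull","UserId":"irvin@contoso.example","ClientIP":"198.51.100.7","ObjectId":"https://contoso-my.sharepoint.example/personal/irvin/Documents/contracts.docx"},
 {"CreationTime":"2019-05-20T07:30:00","Workload":"OneDrive","Operation":"FileSyncUploadedFull","UserId":"irvin@contoso.example","ClientIP":"198.51.100.7","ObjectId":"https://contoso-my.sharepoint.example/personal/irvin/Documents/invoice.exe"},
 {"CreationTime":"2019-05-21T09:02:00","Workload":"AzureActiveDirectory","Operation":"Add user.","UserId":"demoadm@contoso.example","ClientIP":"198.51.100.7","ObjectId":"newuser@contoso.example"},
 {"CreationTime":"2019-05-21T09:03:00","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"demoadm@contoso.example","ClientIP":"198.51.100.7","ObjectId":"newuser@contoso.example"},
 {"CreationTime":"2019-05-21T09:10:00","Workload":"Exchange","Operation":"New-JournalRule","UserId":"newuser@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Recipient","Value":"demoadm@contoso.example"},{"Name":"JournalEmailAddress","Value":"drop@attacker.example"}]},
 {"CreationTime":"2019-05-21T09:40:00","Workload":"AzureActiveDirectory","Operation":"Delete user.","UserId":"demoadm@contoso.example","ClientIP":"198.51.100.7","ObjectId":"newuser@contoso.example"},
 {"CreationTime":"2019-05-21T10:00:00","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"alice@contoso.example","ClientIP":"192.0.2.44","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"AuditEnabled","Value":"True"}]}
]
'@
$events = $sampleJson | ConvertFrom-Json

function Get-ParamValue($event, $name) {
    # Exchange admin audit records carry the cmdlet arguments as Name/Value pairs
    ($event.Parameters | Where-Object { $_.Name -eq $name }).Value
}

# Operations that change where mail goes or who is an admin: the signals from the
# investigation plus the inbox-rule and transport-rule variants of the same technique.
$persistenceOps = 'New-JournalRule','Set-JournalRule','New-InboxRule','Set-InboxRule',
                  'New-TransportRule','Add member to role.','Add user.','Delete user.'

$hits = $events | Where-Object {
    ($persistenceOps -contains $_.Operation) -or
    ($_.Operation -eq 'Set-Mailbox' -and
        ((Get-ParamValue $_ 'ForwardingSmtpAddress') -or (Get-ParamValue $_ 'ForwardingAddress')))
}

# 1. Every persistence signal, with the affected object or the journal destination.
"== Persistence signals =="
$hits | Sort-Object CreationTime |
    Select-Object CreationTime, Operation, UserId, ClientIP,
        @{n='Target'; e={ if ($_.ObjectId) { $_.ObjectId } else { Get-ParamValue $_ 'JournalEmailAddress' } }} |
    Format-Table -AutoSize

# 2. Pivot on each source IP behind a persistence signal: what else came from it?
#    This is what links the journal rule back to Irvin's earlier OneDrive activity.
$suspectIps = $hits.ClientIP | Sort-Object -Unique
foreach ($ip in $suspectIps) {
    "== All activity from $ip =="
    $events | Where-Object { $_.ClientIP -eq $ip } | Sort-Object CreationTime |
        Select-Object CreationTime, Workload, Operation, UserId | Format-Table -AutoSize
}

# 3. Short-lived accounts: created and deleted within the same window.
$created   = $hits | Where-Object Operation -eq 'Add user.'    | ForEach-Object ObjectId
$deleted   = $hits | Where-Object Operation -eq 'Delete user.' | ForEach-Object ObjectId
$tempUsers = $created | Where-Object { $deleted -contains $_ }
"== Temporary users (created and deleted): $($tempUsers -join ', ') =="

# 4. Bulk OneDrive/SharePoint sync or download by one user/IP pair, a leak indicator.
"== Sync/download volume per user and IP =="
$events | Where-Object { $_.Operation -like 'FileSync*' -or $_.Operation -eq 'FileDownloaded' } |
    Group-Object UserId, ClientIP | Where-Object Count -ge 2 |
    Select-Object Name, Count | Format-Table -AutoSize
```

On the sample data the script surfaces the same chain as the findings: the journal rule and the role change come from the IP that earlier synced Irvin's files, the account that created the rule existed for under an hour, and the file volume from that IP stands out. The Set-Mailbox entry from another IP is deliberately included and is not flagged because it touches auditing, not forwarding.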
67. Takeaways:
1. We have gained a basic understanding of the audit mechanisms in Office 365 and Azure AD
2. We have gained basic skills for working with the O365 Management Activity API and the Graph API
3. We have demonstrated a possible investigation using PowerShell and the APIs