Microsoft 365: A Tale of Online Security – Chapter 3

March 29, 2023
Syndicated

Chapter 3: The Forensic Expert

Jake and Lily contacted Max, the forensic expert, and told him about the phishing email and their discovery of the hackers in Mr. Johnson’s Office 365 Tenant.

Max was intrigued and eager to help. He knew that time was of the essence and that they had to act quickly to prevent further damage. When Max arrived, Jake and Lily explained everything they had found. Max nodded and asked to see the audit logs. He spent some time analyzing the logs, looking for any clues about the hackers’ identity and their methods.

After a while, Max looked up and said, “I think I’ve found something. The pattern of activity suggests that the hackers are using a VPN to mask their location. I can trace their traffic and see where it’s coming from.”

# Example Microsoft Sentinel Query – Get sign-ins and location details
SigninLogs
| where UserPrincipalName == "johnson@codequest.com"
| where ResultType == 0
| extend Location = parse_json(LocationDetails)
| project City = Location.city,
    State = Location.state,
    Country = Location.countryOrRegion,
    Latitude = Location.geoCoordinates.latitude,
    Longitude = Location.geoCoordinates.longitude

Jake and Lily watched as Max used his forensic tools to trace the hackers’ traffic back to its source. They saw Max’s screen light up with a world map, with lines tracing the path of the hackers’ traffic from one country to another.

# Example Data
"TimeGenerated","IPAddress","Location"
"2023-03-01T00:00:00Z","104.121.69.255","Ukraine"
"2023-03-01T00:02:00Z","104.109.51.255","Brazil"
"2023-03-01T00:04:00Z","103.101.2.24","Australia"
"2023-03-01T00:06:00Z","101.110.63.10","Japan"
"2023-03-01T00:08:00Z","31.19.32.54","Germany"
"2023-03-01T00:10:00Z","184.154.83.119","Chicago"

Finally, Max stopped in a country in Eastern Europe. “I think I’ve found them,” he said. “The traffic seems to be originating from a server in this country. It’s a known hub for cyber-criminals and hackers.”

# Example Sentinel Query – Count IP usage
let data = datatable(TimeGenerated:datetime, IPAddress:string, Location:string)
[
datetime("2023-03-01T00:00:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:02:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:04:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:06:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:08:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:10:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:12:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:14:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:16:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:18:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:20:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:22:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:24:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:25:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:26:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:28:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:30:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:32:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:34:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:36:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:38:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:40:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:42:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:44:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:46:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:48:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:49:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:52:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:54:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:56:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:58:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:00:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:02:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T01:06:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T01:10:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T01:12:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:13:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:15:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:16:00Z"),"104.121.69.255","Ukraine"
];
data
| summarize count() by IPAddress, Location
| order by count_ desc

Jake and Lily looked at each other nervously. Looking at the timeline of network traffic, they knew they were dealing with a sophisticated group of hackers.

# Example Microsoft Sentinel Query – Create time line
let data = datatable(TimeGenerated:datetime, IPAddress:string, Location:string)
[
datetime("2023-03-01T00:00:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:02:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:04:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:06:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:08:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:10:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:12:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:14:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:16:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:18:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:20:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:22:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:24:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:25:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:26:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:28:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:30:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:32:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:34:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:36:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:38:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:40:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:42:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:44:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:46:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:48:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:49:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:52:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:54:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:56:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:58:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:00:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:02:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T01:06:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T01:10:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T01:12:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:13:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:15:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:16:00Z"),"104.121.69.255","Ukraine"
];
data
| summarize FirstLocation = min(Location),
    LastLocation = max(Location),
    FirstTime = min(TimeGenerated),
    LastTime = max(TimeGenerated),
    count() by IPAddress
| extend duration = LastTime - FirstTime
| project TimeGenerated = FirstTime,
    IPAddress, FirstLocation,
    LastLocation, duration, count_
| render timechart
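The two Sentinel queries above (count IP usage, and first/last time per address) can be reproduced outside a Log Analytics workspace. The Python below is an added example, not code from the original post: it parses a constructed subset of the post's sample export, builds the same per-IP summary, and adds the check an analyst actually wants from that timeline, namely consecutive sign-ins from different locations minutes apart, which is the "VPN or anonymizer" pattern Max describes. The function names and the 5-minute window are assumptions of this example.

```python
import csv
from datetime import datetime

# Constructed sample in the post's CSV export shape (a subset of its rows).
SAMPLE_CSV = """\
"TimeGenerated","IPAddress","Location"
"2023-03-01T00:00:00Z","104.121.69.255","Ukraine"
"2023-03-01T00:02:00Z","104.109.51.255","Brazil"
"2023-03-01T00:04:00Z","103.101.2.24","Australia"
"2023-03-01T00:06:00Z","101.110.63.10","Japan"
"2023-03-01T00:08:00Z","31.19.32.54","Germany"
"2023-03-01T00:10:00Z","184.154.83.119","Chicago"
"2023-03-01T00:12:00Z","184.154.83.119","Chicago"
"2023-03-01T00:22:00Z","104.121.69.255","Ukraine"
"2023-03-01T00:24:00Z","104.121.69.255","Ukraine"
"""

def parse_signins(text):
    """Parse the CSV export into dicts with a real datetime, sorted by time."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["TimeGenerated"] = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(rows, key=lambda r: r["TimeGenerated"])

def summarize_by_ip(rows):
    """Python equivalent of the post's summarize count()/min/max by IPAddress."""
    out = {}
    for r in rows:
        t = r["TimeGenerated"]
        s = out.setdefault(r["IPAddress"],
                           {"location": r["Location"], "count": 0, "first": t, "last": t})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], t), max(s["last"], t)
    for s in out.values():  # same as 'extend duration = LastTime - FirstTime'
        s["duration_s"] = int((s["last"] - s["first"]).total_seconds())
    return out

def rapid_location_changes(rows, window_s=300):
    """Consecutive sign-ins from different locations no more than window_s apart.

    A person cannot be in Brazil two minutes after Ukraine; this hopping
    pattern points at a VPN or anonymizing network behind the account.
    """
    hits = []
    for prev, cur in zip(rows, rows[1:]):
        gap = int((cur["TimeGenerated"] - prev["TimeGenerated"]).total_seconds())
        if prev["Location"] != cur["Location"] and gap <= window_s:
            hits.append((prev["Location"], cur["Location"], gap))
    return hits
```

Run against the full export, `rapid_location_changes` over the post's data flags nearly every consecutive pair, which is exactly why the round-robin rotation through six countries stands out from a human user's sign-ins.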

“What do we do now?” Lily asked.

Max thought for a moment. “We need to report this to the authorities. They can work with the local law enforcement in that country to track the hackers and bring them to justice.”

Jake and Lily nodded. They knew that this was the right thing to do. They had learned a valuable lesson about the importance of online security and the dangers of cyber-crime.

Together, they contacted the authorities and reported the hacking incident. They provided all the information they had gathered, including the IP address and the forensic analysis.

After a few days, they received news that the hackers had been identified and arrested by the local police. Mr. Johnson was relieved and grateful for their help.

Jake and Lily felt proud of themselves for stopping the hackers and helping to protect Mr. Johnson’s sensitive information. They knew they had learned an important lesson and would never be careless with their passwords again.

Chapter 4: Coming Soon

Liam Cleary

Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.