New Microsoft Incident Response guides help security teams analyze suspicious activity
Microsoft Blog – Microsoft Incident Response
Microsoft Incident Response has introduced two one-page guides to help security teams investigate suspicious activities in Microsoft 365 and Microsoft Entra.
These guides contain artifacts that Microsoft Incident Response uses daily to provide evidence of threat actor activity in a tenant.
The first guide focuses on analyzing the Unified Audit Log in Microsoft 365, which records actions carried out in a tenant.
Some notable operations include SearchQueryPerformed, SearchQueryInitiatedSharePoint, SearchQueryInitiatedExchange, SearchExportDownloaded, Update, and FileSyncDownloadedFull.
The second guide covers actions in Microsoft Entra, which manages and protects identities, data, and devices in the cloud.
It includes information on accessing the Microsoft Entra ID audit log and sign-in logs, which store events related to role management, device registration, and directory synchronization.
Key operations in this guide include Suspicious activity reported, Update application: Certificates and secrets management, any operation ending in ‘(bulk)’, and Elevate Access.
These guides are meant to simplify triaging and analyzing data in Microsoft 365 and Microsoft Entra by focusing on data-based storytelling vehicles that help piece together an attack chain.
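The two guides describe which audit operations are worth pulling out of a tenant's logs first; the script below is an added example (not from Microsoft or the guides themselves) that shows how a triage pass over exported records might apply those lists. It assumes a simplified record shape: Unified Audit Log entries carry `Operation`, `CreationTime` and `UserId` as they do in an audit export, while Entra audit entries are assumed to carry `activityDisplayName`, `activityDateTime` and `initiatedBy`. The sample events, the user names, and the bulk operation name are constructed; the operation strings come from the text above, and the exact punctuation of "Update application: Certificates and secrets management" should be checked against a real export before use.

```python
"""Triage constructed Microsoft 365 / Microsoft Entra audit events against the
operations the Microsoft Incident Response one-pagers call out.

Added example, not Microsoft's own tooling. Record field names and all sample
data are assumptions/constructed values, not a real tenant export."""
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Unified Audit Log operations the first guide highlights (field: Operation).
NOTABLE_UAL_OPERATIONS = {
    "SearchQueryPerformed",
    "SearchQueryInitiatedSharePoint",
    "SearchQueryInitiatedExchange",
    "SearchExportDownloaded",
    "Update",
    "FileSyncDownloadedFull",
}

# Entra audit log activities the second guide highlights.
# Assumed field: activityDisplayName. The separator in the "Update application"
# string may differ in a real export; adjust this set from real data.
NOTABLE_ENTRA_ACTIVITIES = {
    "Suspicious activity reported",
    "Update application: Certificates and secrets management",
    "Elevate Access",
}
BULK_SUFFIX = "(bulk)"  # the guide flags any operation ending in "(bulk)"


def _parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is dropped so all times compare as naive UTC."""
    return datetime.fromisoformat(value.rstrip("Z"))


def classify(event: Dict) -> Optional[str]:
    """Return a reason string when the event matches one of the guide rules, else None."""
    source = event.get("source")
    if source == "UAL":
        op = event.get("Operation", "")
        if op in NOTABLE_UAL_OPERATIONS:
            return f"UAL notable operation: {op}"
    elif source == "EntraAudit":
        act = event.get("activityDisplayName", "")
        if act in NOTABLE_ENTRA_ACTIVITIES:
            return f"Entra notable activity: {act}"
        if act.endswith(BULK_SUFFIX):
            return f"Entra bulk activity: {act}"
    return None


def _actor(event: Dict) -> str:
    """Pull the acting identity from either record shape (assumed field layout)."""
    if event.get("source") == "UAL":
        return event.get("UserId", "<unknown>")
    return event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _time(event: Dict) -> datetime:
    field = "CreationTime" if event.get("source") == "UAL" else "activityDateTime"
    return _parse_time(event[field])


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Keep only events matching a guide rule, ordered by time so they read as an attack chain."""
    flagged = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            flagged.append({"time": _time(ev), "actor": _actor(ev), "reason": reason})
    flagged.sort(key=lambda e: e["time"])
    return flagged


def timeline(flagged: List[Dict]) -> List[str]:
    """Render the flagged events as one line each for an analyst's notes."""
    return [f"{e['time'].isoformat()}  {e['actor']:<28} {e['reason']}" for e in flagged]


# Constructed sample events, deliberately out of order, mixing both log sources.
SAMPLE_EVENTS = [
    {"source": "UAL", "CreationTime": "2024-01-17T09:02:41",
     "Operation": "SearchQueryInitiatedExchange", "UserId": "admin@contoso.example"},
    {"source": "UAL", "CreationTime": "2024-01-17T09:03:15",
     "Operation": "FileAccessed", "UserId": "alice@contoso.example"},   # routine, not flagged
    {"source": "EntraAudit", "activityDateTime": "2024-01-17T08:55:10Z",
     "activityDisplayName": "Elevate Access",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"source": "UAL", "CreationTime": "2024-01-17T09:10:02",
     "Operation": "SearchExportDownloaded", "UserId": "admin@contoso.example"},
    {"source": "EntraAudit", "activityDateTime": "2024-01-17T09:20:33Z",
     "activityDisplayName": "Delete user (bulk)",                        # constructed name
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}}},
    {"source": "UAL", "CreationTime": "2024-01-17T09:25:00",
     "Operation": "FileSyncDownloadedFull", "UserId": "admin@contoso.example"},
    {"source": "EntraAudit", "activityDateTime": "2024-01-17T07:30:00Z",
     "activityDisplayName": "Add user",                                  # routine, not flagged
     "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}}},
]

if __name__ == "__main__":
    for line in timeline(triage(SAMPLE_EVENTS)):
        print(line)
```

Run as-is, the script prints five of the seven constructed events, beginning with the Entra "Elevate Access" entry and ending with the full OneDrive sync download, which is the kind of ordered view the guides are meant to help an analyst build; the two routine events are dropped. Against real data, the same functions would be fed records from an audit export rather than the inline sample.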
They are available for download on the Microsoft website.
Link to the guides: [Download the guides](https://go.microsoft.com/fwlink/?linkid=2257423)
Link: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity/