Collecting and analysing Microsoft 365 logs quickly and reliably is usually the first step of a cloud compromise investigation. This guide walks through the DFIR-O365RC PowerShell module, which collects the logs relevant to Microsoft 365 compromises and Microsoft Entra ID investigations.
Table of Contents
- Module Description
- Installation and Prerequisites
- Managing the DFIR-O365RC Application
- Permissions and License Requirements
- Functions Included in the Module
- Files Generated
- Troubleshooting
Module Description
The DFIR-O365RC PowerShell module provides forensic analysts with a set of functions to collect the logs pertinent to a Microsoft 365 compromise. The logs are written in JSON format and come from two main sources, the Microsoft 365 Unified Audit Log and the Microsoft Entra ID logs (the functions that query each source are listed below).
Installation and Prerequisites
Using Docker
The easiest way to run DFIR-O365RC is with Docker, from a clone of the repository:
sudo docker compose run dfir-o365rc
# or, for legacy Docker Compose
sudo docker-compose run dfir-o365rc
This starts DFIR-O365RC in a container that already has its PowerShell module dependencies installed, so nothing needs to be installed on the host.
Manual Installation
If you prefer a manual installation, follow these steps:
- Clone the DFIR-O365RC repository.
- Ensure you have the required version of the Microsoft .NET Framework installed.
- Run the following commands in PowerShell to install the pinned versions of the modules DFIR-O365RC depends on (the module is validated against these exact versions, so keep them):
Install-Module Az.Accounts -RequiredVersion 3.0.2
Install-Module Az.Monitor -RequiredVersion 5.2.1
Install-Module Az.Resources -RequiredVersion 7.2.0
Install-Module ExchangeOnlineManagement -RequiredVersion 3.5.1
Install-Module Microsoft.Graph.Authentication -RequiredVersion 2.20.0
Install-Module Microsoft.Graph.Applications -RequiredVersion 2.20.0
Install-Module Microsoft.Graph.Beta.Reports -RequiredVersion 2.20.0
Install-Module Microsoft.Graph.Beta.Security -RequiredVersion 2.20.0
Install-Module Microsoft.Graph.Identity.DirectoryManagement -RequiredVersion 2.20.0
Install-Module PoshRSJob -RequiredVersion 1.7.4.4
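Before importing the module, it is worth confirming that every pinned version from the list above is actually present, because a newer version of a module that happens to be installed is not what the module was validated against. The following check is an added example and not part of DFIR-O365RC; it only uses the module names and versions listed above, and `Test-DfirO365Prereqs` is a name chosen here.

```powershell
# Added example, not part of DFIR-O365RC: check that the pinned module versions
# from the manual installation steps are installed before importing the module.
function Test-DfirO365Prereqs {
    param(
        # Install any missing module at its pinned version (CurrentUser scope)
        [switch]$InstallMissing
    )

    # Exact versions from the installation steps above
    $required = [ordered]@{
        'Az.Accounts'                                  = '3.0.2'
        'Az.Monitor'                                   = '5.2.1'
        'Az.Resources'                                 = '7.2.0'
        'ExchangeOnlineManagement'                     = '3.5.1'
        'Microsoft.Graph.Authentication'               = '2.20.0'
        'Microsoft.Graph.Applications'                 = '2.20.0'
        'Microsoft.Graph.Beta.Reports'                 = '2.20.0'
        'Microsoft.Graph.Beta.Security'                = '2.20.0'
        'Microsoft.Graph.Identity.DirectoryManagement' = '2.20.0'
        'PoshRSJob'                                    = '1.7.4.4'
    }

    $missing = @()
    foreach ($name in $required.Keys) {
        $wanted = [version]$required[$name]
        # -ListAvailable lists every installed version side by side;
        # require the exact pin rather than "this version or newer"
        $installed = @(Get-Module -ListAvailable -Name $name)
        if ($installed.Version -contains $wanted) {
            Write-Host ("[OK]      {0} {1}" -f $name, $wanted)
        } else {
            $have = if ($installed) { ($installed.Version | Sort-Object -Unique) -join ', ' } else { 'none' }
            Write-Warning ("[MISSING] {0} {1} (installed: {2})" -f $name, $wanted, $have)
            $missing += $name
        }
    }

    if ($missing -and $InstallMissing) {
        foreach ($name in $missing) {
            Install-Module -Name $name -RequiredVersion $required[$name] -Scope CurrentUser -Force
        }
    }

    # Modules that were missing before any installation was attempted
    return $missing
}

# Report only; add -InstallMissing to pull the missing pins from the PSGallery
Test-DfirO365Prereqs
```

Run it once after the Install-Module commands; an empty return value means every dependency is at its pinned version.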
Managing the DFIR-O365RC Application
Creating the Application
After importing the module, you need to create an Entra application. The module authenticates as this application, using a certificate as its credential, to collect the logs.
Think of the Entra application as a library card for a research library. Just like you need a library card to borrow books (in this case, logs), the Entra application lets you access and collect vital information from Microsoft 365.
- Create a self-signed certificate and get the base64-encoded public part.
- Use the New-Application cmdlet to create the application.
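The certificate step in practice: the public part of a self-signed certificate, base64-encoded, is what the application registration needs, while the private key stays on the collection host. The following is an added example and not code from the DFIR-O365RC project; the subject name, the 30-day lifetime and the file path are choices made here, and because this page does not give the parameter names of New-Application, the block reads them from the module's own help rather than guessing them.

```powershell
# Added example, not part of DFIR-O365RC: create the self-signed certificate the
# Entra application will authenticate with, and produce the base64-encoded
# public part that the application registration needs.

# The private key stays in the current user's store and cannot be exported; keep the
# lifetime short, the application only needs to live for the duration of the collection.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=DFIR-O365RC' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddDays(30)

# RawData is the DER-encoded certificate: the public part only, no private key
$base64Cert = [Convert]::ToBase64String($cert.RawData)

# Keep the thumbprint; it identifies the private key when the module authenticates
$thumbprint = $cert.Thumbprint
Write-Host "Certificate thumbprint: $thumbprint"

# Sanity check: the base64 string must decode to the same certificate
$decoded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($base64Cert))
if ($decoded.Thumbprint -ne $thumbprint) {
    throw 'base64 export does not match the generated certificate'
}

# Keep a copy of the public part next to the case notes (path is an assumption)
Export-Certificate -Cert $cert -FilePath "$env:USERPROFILE\dfir-o365rc-public.cer" | Out-Null

# The parameter names of New-Application are not given on this page; read them
# from the module's help before passing $base64Cert to it:
Get-Help New-Application -Full

# When the investigation is over and the application has been removed, delete the
# private key too, so no credential for the tenant is left behind on this host:
# Get-Item "Cert:\CurrentUser\My\$thumbprint" | Remove-Item
```

If the collection will run on a different host than the one generating the certificate (for example inside the Docker container), generate the key with `-KeyExportPolicy Exportable` instead and move it with `Export-PfxCertificate` under a strong password; how the module is pointed at the private key is documented in its own help, not on this page.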
Updating the Application
If you need to rotate the certificate credential or change the application's permissions, use the Update-Application cmdlet instead of creating a second application.
Removing the Application
When you’re done collecting logs, use the Remove-Application cmdlet to delete the application, so that neither the certificate credential nor the application permissions remain in the tenant after the investigation, much like returning a library book when you’re finished.
Permissions and License Requirements
From version 2.0.0 onward, the module runs as a service principal with application permissions rather than as a signed-in user. The application therefore needs the Exchange Online and Microsoft Graph API permissions that cover audit log access, and an administrator has to grant consent for them. Make sure the tenant holds the licenses for the services whose logs are collected; for instance, retrieving Microsoft Entra ID sign-in logs through the Graph API requires a Microsoft Entra ID P1 or P2 license.
Functions Included in the Module
The DFIR-O365RC module supplies a number of commands, each gathering a different type of log, for example:
- Get-O365Full: Collects complete Unified Audit Logs.
- Get-AADLogs: Fetches logs specific to Microsoft Entra.
- Get-AzRMActivityLogs: Gathers Activity logs from Azure Monitor.
Each function accepts a date range (start date and end date), so a collection can be scoped to the period under investigation rather than pulling everything the tenant retains.
Files Generated
Each function writes its output as JSON files. Pay attention to the file names: they indicate which logs a file contains and from which source they were collected, so keep them intact when handing the output to analysts or importing it into another tool.
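A quick inventory of what a collection produced helps catch gaps before analysis starts (an empty file, a source that was not collected, a period shorter than requested). The following summary function is an added example and not part of DFIR-O365RC. It assumes nothing about the record schema except that each file holds either one JSON document (an object or an array) or one JSON object per line; the output folder path is an assumption, and the `CreationTime` field it looks for is the timestamp carried by Unified Audit Log records, reported only when present.

```powershell
# Added example, not part of DFIR-O365RC: inventory the JSON files produced by a
# collection and summarise each one, so coverage gaps show up before analysis.
function Get-CollectionSummary {
    param([Parameter(Mandatory)][string]$OutputPath)

    foreach ($file in Get-ChildItem -Path $OutputPath -Recurse -Filter '*.json' -File) {
        $raw = Get-Content -Path $file.FullName -Raw
        $records = $null
        try {
            # Whole-file JSON: a single object or an array of records
            $parsed  = $raw | ConvertFrom-Json -ErrorAction Stop
            $records = @($parsed)
        } catch {
            # Fall back to newline-delimited JSON (one record per line)
            $list = [System.Collections.Generic.List[object]]::new()
            foreach ($line in ($raw -split "`r?`n")) {
                if (-not $line.Trim()) { continue }
                try {
                    $list.Add(($line | ConvertFrom-Json -ErrorAction Stop))
                } catch {
                    Write-Warning "$($file.FullName): line $($list.Count + 1) is not valid JSON, skipping file"
                    $list = $null
                    break
                }
            }
            if ($null -eq $list) { continue }
            $records = $list.ToArray()
        }

        # Union of property names across the records: a cheap schema check
        $props = @($records | ForEach-Object { $_.PSObject.Properties.Name } |
                  Select-Object -Unique | Sort-Object)

        $summary = [pscustomobject]@{
            File       = $file.Name
            Folder     = $file.DirectoryName
            Records    = $records.Count
            SizeKB     = [math]::Round($file.Length / 1KB, 1)
            Properties = $props -join ', '
        }

        # Assumption: Unified Audit Log records carry a CreationTime field; when it is
        # present, report the covered window so it can be compared with what was requested
        if ($props -contains 'CreationTime') {
            $times = @($records | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
            $summary | Add-Member -NotePropertyName First -NotePropertyValue $times[0]
            $summary | Add-Member -NotePropertyName Last  -NotePropertyValue $times[-1]
        }

        $summary
    }
}

# Output folder path is an assumption; adjust to where the collection was written
Get-CollectionSummary -OutputPath 'C:\DFIR\output' | Format-Table -AutoSize
```

A file with zero records, or a First/Last window that does not reach the requested end date, is the signal to re-run the corresponding function before the analysis starts.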
Troubleshooting
If you encounter issues, first check the application configuration: that the certificate credential is the one you generated, that the required application permissions are assigned and that admin consent was granted for them. Then review the generated JSON files to verify that their structure and content match what you expected to collect.