Automatically generated based on tag:

Title | Type | Summary

Azure activity / subscription logs | Page | The Azure activity / subscription logs record activity in an Azure subscription, such as resource modification, virtual machine creation and start, etc.

Logs overview | Page | A number of log sources are available in Azure that can be useful for incident response purposes:

- Office 365 Unified Audit Logs: all Office 365 logs (including Azure AD logs, with a more limited level of information).
- Mailbox Audit Log: logs certain actions performed on mailboxes by mailbox owners, delegates, and admins.
- Azure AD sign-in logs: log Azure AD sign-ins and resource usage.
- Azure AD audit logs: log changes applied to the Azure AD tenant, such as user or group management and updates.
- Azure Activity logs: log activity in an Azure subscription, such as resource modification, virtual machine creation and start, etc.
- Azure DevOps Activity logs: log operations in the Azure DevOps organization(s).

Logs search and collection tools | Page | The Azure logs (Azure AD sign-in and audit logs, Office 365 Unified and Mailbox Audit Logs, Azure Activity logs, etc.) can be collected using Microsoft PowerShell modules and third-party tools, such as DFIR-O365RC or Microsoft-Extractor-Suite.

Office365 - Exchange workload (Mailbox and ExchangeAdmin audit logs) | Page | The Exchange workload groups events from the Mailbox and ExchangeAdmin audit logs.

The Mailbox audit logs include events on mailbox activity, such as MailboxLogin, MailItemsAccessed (for E5 users), SendAs, SendOnBehalf, MoveToDeletedItems, SoftDelete / HardDelete, etc.

The ExchangeAdmin audit logs include events on administrative actions, such as Set-Mailbox, New-InboxRule, Add-MailboxPermission, Add-RecipientPermission, etc.

Office365 - Microsoft Flow workload | Page | Microsoft Flow workload logs record CreateFlow events. Flows can be used to forward emails, automatically copy or download files, etc.

Required privileges | Page | The "Global Reader" role on the Azure AD tenant is required to access the Azure AD sign-in and audit logs.

The "View-Only Audit Logs" role in Exchange Online is required to access the Office 365 Unified and Mailbox Audit Logs.

The "Log Analytics Reader" role on the Azure subscription is required to access the Azure Activity logs.

The "Auditing\View audit log" permission is required in the Azure DevOps organization to access the Azure DevOps Activity logs.
