Chapter 3: The Forensic Expert

Jake and Lily contacted Max, the forensic expert, and told him about the phishing email and their discovery of the hackers in Mr. Johnson’s Office 365 Tenant.

Max

Max was intrigued and eager to help. He knew that time was of the essence and that they had to act quickly to prevent further damage. When Max arrived, Jake and Lily explained everything they had found. Max nodded and asked to see the audit logs. He spent some time analyzing the logs, looking for any clues about the hackers’ identity and their methods.

After a while, Max looked up and said, “I think I’ve found something. The pattern of activity suggests that the hackers are using a VPN to mask their location. I can trace their traffic and see where it’s coming from.”

# Example Microsoft Sentinel Query – Get sign-ins and location details
// Successful sign-ins (ResultType 0) for the compromised account, with the geo details
// that SigninLogs records for each one; LocationDetails is a JSON column, so parse it first.
SigninLogs
| where UserPrincipalName == "johnson@codequest.com"
| where ResultType == 0
| extend Location = parse_json(LocationDetails)
| project TimeGenerated, IPAddress,
City = Location.city,
State = Location.state,
Country = Location.countryOrRegion,
Latitude = Location.geoCoordinates.latitude,
Longitude = Location.geoCoordinates.longitude

Jake and Lily watched as Max used his forensic tools to trace the hackers’ traffic back to its source. They saw Max’s screen light up with a world map, with lines tracing the path of the hackers’ traffic from one country to another.

# Example Data
"TimeGenerated","IPAddress","Location"
"2023-03-01T00:00:00Z","104.121.69.255","Ukraine"
"2023-03-01T00:02:00Z","104.109.51.255","Brazil"
"2023-03-01T00:04:00Z","103.101.2.24","Australia"
"2023-03-01T00:06:00Z","101.110.63.10","Japan"
"2023-03-01T00:08:00Z","31.19.32.54","Germany"
"2023-03-01T00:10:00Z","184.154.83.119","Chicago"

Finally, Max stopped in a country in Eastern Europe. “I think I’ve found them,” he said. “The traffic seems to be originating from a server in this country. It’s a known hub for cyber-criminals and hackers.”

# Example Sentinel Query – Count IP usage
// Inline sample rows stand in for SigninLogs so the query can be run in any workspace;
// the result lists each source IP with its location and how many sign-ins it produced.
let data = datatable(TimeGenerated:datetime, IPAddress:string, Location:string)
[
datetime("2023-03-01T00:00:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:02:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:04:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:06:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:08:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:10:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:12:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:14:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:16:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:18:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:20:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:22:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:24:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:25:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:26:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:28:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:30:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:32:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:34:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:36:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:38:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:40:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:42:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:44:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:46:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:48:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:49:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:52:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:54:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:56:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:58:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:00:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:02:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T01:06:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T01:10:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T01:12:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:13:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:15:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:16:00Z"),"104.121.69.255","Ukraine"
];
data
| summarize count() by IPAddress, Location
| order by count_ desc

Jake and Lily looked at each other nervously. Looking at the timeline of network traffic, they knew they were dealing with a sophisticated group of hackers.

# Example Microsoft Sentinel Query – Create time line
// Same sample rows; this time each IP is reduced to its first and last sign-in,
// the span between them and its sign-in count, then drawn on a time chart.
let data = datatable(TimeGenerated:datetime, IPAddress:string, Location:string)
[
datetime("2023-03-01T00:00:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:02:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:04:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:06:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:08:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:10:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:12:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:14:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:16:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:18:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:20:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:22:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:24:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:25:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:26:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:28:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:30:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:32:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:34:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:36:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T00:38:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:40:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:42:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:44:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:46:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:48:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:49:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T00:50:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T00:52:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T00:54:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T00:56:00Z"),"31.19.32.54","Germany",
datetime("2023-03-01T00:58:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:00:00Z"),"184.154.83.119","Chicago",
datetime("2023-03-01T01:02:00Z"),"101.110.63.10","Japan",
datetime("2023-03-01T01:06:00Z"),"103.101.2.24","Australia",
datetime("2023-03-01T01:10:00Z"),"104.109.51.255","Brazil",
datetime("2023-03-01T01:12:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:13:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:15:00Z"),"104.121.69.255","Ukraine",
datetime("2023-03-01T01:16:00Z"),"104.121.69.255","Ukraine"
];
data
| summarize FirstLocation = min(Location),
LastLocation = max(Location),
FirstTime = min(TimeGenerated),
LastTime = max(TimeGenerated),
count() by IPAddress
| extend duration = LastTime - FirstTime
| project TimeGenerated = FirstTime,
IPAddress, FirstLocation,
LastLocation,
duration, count_
| render timechart
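The two Sentinel queries above, the per-IP count and the per-IP timeline, are what Max runs against the tenant's logs. As an added example that is not part of the story, the script below does the same analysis offline in Python over a constructed CSV in the shape of the page's example data, and adds the check a defender would actually want: a hop detector that flags consecutive successful sign-ins from different locations only minutes apart, the pattern Max reads as VPN or proxy rotation. The function names, the sample rows and the five-minute window are this example's own assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the page's "Example Data" CSV (not real logs).
SAMPLE_CSV = """TimeGenerated,IPAddress,Location
2023-03-01T00:00:00Z,104.121.69.255,Ukraine
2023-03-01T00:02:00Z,104.109.51.255,Brazil
2023-03-01T00:04:00Z,103.101.2.24,Australia
2023-03-01T00:06:00Z,101.110.63.10,Japan
2023-03-01T00:08:00Z,31.19.32.54,Germany
2023-03-01T00:10:00Z,184.154.83.119,Chicago
2023-03-01T00:12:00Z,184.154.83.119,Chicago
2023-03-01T00:14:00Z,31.19.32.54,Germany
2023-03-01T00:16:00Z,101.110.63.10,Japan
2023-03-01T00:18:00Z,103.101.2.24,Australia
2023-03-01T00:20:00Z,104.109.51.255,Brazil
2023-03-01T00:22:00Z,104.121.69.255,Ukraine
2023-03-01T00:24:00Z,104.121.69.255,Ukraine
2023-03-01T00:25:00Z,104.121.69.255,Ukraine
"""


def parse_rows(text):
    """Parse the CSV export into (timestamp, ip, location) tuples sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, r["IPAddress"], r["Location"]))
    rows.sort()
    return rows


def count_by_ip(rows):
    """Mirror of: summarize count() by IPAddress, Location | order by count_ desc."""
    counts = defaultdict(int)
    for _, ip, loc in rows:
        counts[(ip, loc)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def timeline_by_ip(rows):
    """Mirror of the timeline query: first/last sign-in, duration and count per IP."""
    stats = {}
    for ts, ip, loc in rows:
        s = stats.setdefault(ip, {"FirstTime": ts, "LastTime": ts, "Location": loc, "count": 0})
        s["FirstTime"] = min(s["FirstTime"], ts)
        s["LastTime"] = max(s["LastTime"], ts)
        s["count"] += 1
    for s in stats.values():
        s["duration"] = s["LastTime"] - s["FirstTime"]
    return stats


def location_hops(rows, window=timedelta(minutes=5)):
    """Flag consecutive sign-ins from different locations closer together than `window`.

    Nobody signs in from Ukraine and then Brazil two minutes later; a long run of such
    hops is the rotating-exit-node pattern the story attributes to VPN use. The window
    is an assumed threshold, not a value from the page.
    """
    hops = []
    for (t1, _, loc1), (t2, _, loc2) in zip(rows, rows[1:]):
        if loc1 != loc2 and (t2 - t1) <= window:
            hops.append((t1, loc1, t2, loc2))
    return hops


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for (ip, loc), n in count_by_ip(rows):
        print(f"{ip:16} {loc:10} {n}")
    for ip, s in timeline_by_ip(rows).items():
        print(f"{ip:16} first={s['FirstTime']:%H:%M} last={s['LastTime']:%H:%M} "
              f"duration={s['duration']} count={s['count']}")
    hops = location_hops(rows)
    print(f"{len(hops)} location hops inside the window, e.g. {hops[0]}")
```

On the sample rows the count table puts the Ukrainian address first, the timeline shows every IP re-appearing at regular intervals, and the hop detector fires on almost every adjacent pair; a single analyst session would produce one location and zero hops.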

“What do we do now?” Lily asked.

Max thought for a moment. “We need to report this to the authorities. They can work with the local law enforcement in that country to track the hackers and bring them to justice.”

Jake and Lily nodded. They knew that this was the right thing to do. They had learned a valuable lesson about the importance of online security and the dangers of cyber-crime.

Together, they contacted the authorities and reported the hacking incident. They provided all the information they had gathered, including the IP address and the forensic analysis.

After a few days, they received news that the hackers had been identified and arrested by the local police. Mr. Johnson was relieved and grateful for their help.

Jake and Lily felt proud of themselves for stopping the hackers and helping to protect Mr. Johnson’s sensitive information. They knew they had learned an important lesson and would never be careless with their passwords again.

Chapter 4: Coming Soon