The above image shows the flow of data for the three main log sources in Office 365 through to an end web portal, demonstrating some of the complexity of how data moves through these services. Flow of data for each of the three main log sources in Office 365 In this article, we aim to provide some explanations and tips for investigators to use to be able to easily understand in any situation what data is available, and in which portal.įigure 1. A drawback, however, is that it makes the barrier to entry high in terms of being able to extract the highest possible quality and fidelity of data.
WHERE TO PUT THE PICTURE IN UNPACKING PLUS
On the plus side, it provides investigators with multiple options for data extraction, enrichment, and analysis. In addition, there is often more than one place to view a particular set of data, and each location may have different retention periods. endpoint:ĭifferent per log source but often based on volume of dataīased on data location and licenses available
As an investigator, it is our job to work with what’s available, and sometimes work a little bit of magic to make the unavailable available! To begin, there are some differences worth highlighting in data availability in cloud vs. Just like traditional endpoint-based data, log data in cloud services is available based on factors largely outside of the investigator’s control. How far back does our data go? (Availability).Where can I go to find ‘x’ data? (Location).During this process there are a couple of questions we consistently stumble across: In Microsoft’s Detection and Response Team, we often find ourselves using the rich data available in Office 365 to help us with our investigations.
0 kommentar(er)
