Pre-processing and acquiring user data in Microsoft 365 is important. With a market share of close to 48%, Microsoft 365 (formerly Office 365) is used by about one million companies worldwide, including 70% of Fortune 500 firms.
With the prominence of Microsoft 365 in corporate environments, we have made some updates to streamline the user interface for cloud acquisition of user data in Microsoft 365 and added pre-processing options to manage the volume of data acquired.
Updated Interface and Workflow for Acquiring Cloud User Data in Microsoft 365
In the updated workflow for acquiring Microsoft data in AXIOM Cyber, an administrator with the necessary permissions can easily select the users they would like to investigate as well as the specific data to acquire for each user. To help keep this process quick and efficient, we have updated the interface for acquiring user data in Microsoft 365 in AXIOM Cyber, consolidating the following data sources for users into one area:
- Outlook application data, including unified audit logs; Outlook calendar events; and Outlook contacts
- OneDrive Files and Folders, as well as version history metadata of files
- SharePoint sites and subsites associated with the targeted account’s organization
Preprocessing for Outlook Data
To manage the volume of data being acquired, and to limit the collection of content to a specific data source or criteria, we have also added the following pre-processing options for Outlook 365 data.
- Keywords – A list of up to 30 keywords can be added via a text file upload to the pre-processing filters to limit the email acquisition to messages that match the included keywords. For some best practices on using keywords to acquire Microsoft accounts, log in to the customer portal to read the article: Using Keyword lists for Microsoft Acquisitions.
- Folders – You can now also target specific folders and subfolders from email accounts when acquiring cloud Outlook inboxes from Microsoft 365, enabling you to select specific folders to capture message categories such as sent, important, archive, deleted items, or other custom folders that a user has created.
- Date Ranges – You can select a specific date range for the email evidence that will be acquired, with options to acquire data before or after a specific date or a custom date range of interest that can be used when investigating events leading up to or following a specific incident.
These pre-processing options can be applied in combination with each other to further refine the results of your Outlook acquisition and narrow the focus of the data.
Examining Evidence in AXIOM Cyber
Once you have acquired data from Microsoft 365, you can review the data in AXIOM Cyber’s Artifact Explorer and leverage the powerful analytical capabilities to help tell the story of your digital evidence.
Acquired Outlook data can be reviewed in Email Explorer to further filter and search within the data, zeroing in on the most relevant data for your investigation. This new interface helps provide important context to messages by presenting them in an intuitive and familiar format that mirrors the appearance of common email platforms.
Get Magnet AXIOM Cyber Today
If you need to collect and examine evidence from Microsoft Office 365 accounts, request a free trial of AXIOM Cyber today!