Don’t Assume Everything a Computer System Spits Out is the Truth
As Office 365 for IT Pros subscribers know, we publish a new edition annually. Part of the preparation for a new edition is an end-to-end technical review of all content. This happens to make sure that our material is current and accurate. The review picks up issues like dead hyperlinks, unnecessary (some might say verbose) text, and outdated graphics. It’s a good process to keep our authors focused on delivering the best possible book, something that’s only possible because of our ePublishing model.
Office 365 Client App Security
Microsoft 365 applications update GUIs on an ongoing basis. Sometimes it’s just a matter of adding a new option or changing the words on a button. Other times it’s a more fundamental makeover, such as the introduction of a new interface for content searches. Office 365 Cloud App Security (OCAS) is available to tenants with Office 365 E5 licenses. OCAS is a subset of the full Microsoft 365 Cloud App Security product, tailored for Office 365.
Figuring Out Impossible Travel
OCAS analyzes the data ingested from multiple workloads into the Office 365 audit log to identify anomalies and other potential issues. As we reviewed the chapter on reporting and auditing, the technical editor highlighted the need to refresh some screen shots to reflect the new OCAS GUI, which brings us to Figure 1, which shows how OCAS highlights a potential impossible travel activity issue.
Figure 1: OCAS highlights a potential impossible travel activity alert
In other words, the IP addresses captured by OCAS for client connection events over a certain period originate in multiple countries where it would be impossible for the user to travel between those countries during that time. In this case, the alert flagged interactions from Ireland and the Netherlands within a 99-minute period. It’s possible to fly from Dublin to Schiphol in this time, so that’s probably why OCAS uses this period to test for suspicious connections.
Applying the Human Touch
On the surface, this looks like a problem which deserves investigation to understand if an attacker has compromised the user’s account. In fact, it’s a good example of how human intelligence can quickly make sense of activity which a computer deems suspicious. At first glance, the facts are:
The user signed in from two different IP addresses within a short period.
The IP addresses indicate connections from Ireland and the Netherlands.
In both cases, the application was Teams.
But when we examine the detailed records, we see a continuous set of connections first originating from The Netherlands and then switching to Ireland, all within a very short time (Figure 2). Most of the records are for login events. Some others (not shown here) record SharePoint Online activities like opening a document.
Figure 2: Switching connections from The Netherlands to Ireland
Searching the audit log with the Search-UnifiedAuditLog cmdlet to find the underlying records confirms that the user connected multiple times to work with Teams and SharePoint Online over the period. The IP addresses are correct, the connections valid, so what’s happening? Everything makes more sense when you consider that:
Teams and its associated applications use Azure AD secure token service (AzureActiveDirectoryStsLogon) logons to validate user credentials. The logged sign-in events all use the token service.
The tenant is in Microsoft’s EMEA datacenter region, and the Teams service runs in the region.
The EMEA datacenter region includes datacenters in Ireland and the Netherlands.
Therefore, the most likely explanation is that the Teams client attempted to use its access token to connect. During this process, the server handling the request changed from a server in the Netherlands to one in Ireland. Azure AD captured details of the connections and sent them to the Office 365 audit log where OCAS picked up the information, analyzed the events, and concluded that a potential impossible travel situation exists. As it happens, I know that this is exactly what transpired, but it’s a great example of how tenant administrators need to apply their knowledge of Office 365 and how Microsoft’s datacenter infrastructure operates to assess and resolve a flagged alert.
Administrator in Office 365
Another thing to consider is that OCAS notes that the user is an administrator in Office 365. This doesn’t mean that the account is a tenant administrator. It means that the account holds an administrative role. In this case, the account holds the SharePoint administrator role. Again, when probing details of an incident, check before assuming the worst.
Resolving Issues
This case did not take much to resolve. Other OCAS alerts require substantially more effort to understand and conclude. The point I make is that OCAS is a tool to highlight issues to administrators which deserve some attention. Just because OCAS flags an alert isn’t evidence that a problem exists. Always use human intelligence to validate computer indications when resolving alerts. You’ll get better results that way.
One Reply to “Why Humans Should Apply Their Knowledge of Office 365 When Reviewing OCAS Alerts”
But the user’s original IP hasn’t changed. Why it doesn’t take this into account? Given how many DCs they have (and the number is growing) current system is prone to produce false alarms. At least they should apply some of their glorified AI here to filter this out 🙂
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
But the user’s original IP hasn’t changed. Why it doesn’t take this into account? Given how many DCs they have (and the number is growing) current system is prone to produce false alarms. At least they should apply some of their glorified AI here to filter this out 🙂