Detection Opportunities

Add-RoleGroupMember - Detecting Persistence in Microsoft 365 Exchange with Purav Desai | EP. 6

Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. In today's episode, we explore the Add-RoleGroupMember operation in Exchange Online.

Purav's LinkedIn

Deciphering UAL

Microsoft Application IDs

Permission Alert Policy

_____________

TIMESTAMPS:

00:00 Intro

00:48 Add-RoleGroupMember Overview

03:22 The Result Status

04:53 The Application IDs

08:59 Key Fields of Note

10:39 Fields to Decipher

20:14 Detection - Permission Alert Policies

23:18 Custom Alerting

24:32 Final Thoughts

25:39 Outro
