Using O365 Activities API for Incident Response

7/6/18 Update: Microsoft has closed off access to their API (AppID: 32613fc5-e7ac-4894-ac94-fbc39c9f3e4a).

I’ve worked a few cases in which the customer was an Office 365 tenant and attackers gained unauthorized access to credentials. Not only does this give the attacker access to the inbox, but also the entire O365 suite, including SharePoint, OneDrive, etc. This puts a lot more in scope than just email, and sometimes it’s hard to prove what the attacker gained access to (which is necessary to determine the extent of the incident).

Many times, incident responders will find themselves using the Audit Log in the Security & Compliance Center. If you are an O365 Enterprise E5 subscriber, you may also use the Cloud App Security portal to consume logs. Both are great sources of data, but can be somewhat cumbersome (and cost prohibitive).

Recently, it was revealed that Microsoft has had the “Activities API” available for quite some time. This tool allows the user to pull back historical data for Office 365 and Microsoft accounts. Now, I’m not going to debate the ethics of hiding it from the community, making companies pay more for data/tools that already exist in secrecy, etc. However, if you’d like to delve into that, check out LMG Security’s Blog Post.

Using “Magic Unicorn”

LMG was kind enough to create a parser to make the output of CrowdStrike’s retriever.py a little more human friendly. Start off by cloning the repository.

git clone https://github.com/LMGsec/Magic-Unicorn-Tool.git

Next, run the retriever.py script, which is located in the “CrowdStrike-Retriever-Scripts” directory. To run it, you will need the OAuth access token of the account you wish to investigate. You can generate that here.

Execute the retriever.py script with the parameters to get your data. Note: this script requires Python 3; otherwise the export to the csv_file will throw an error.

python3 retriever.py --user user@domain.com --output ~/Desktop/output --token <yourOAuthtoken>

In my case, the script retrieved 14,114 ‘activities.’ This is just a .csv that you could open in something like Excel, but it’s even easier if we break it down.

Yeah, maybe 1,048,576 rows is a little much to parse manually.

Next, we need to parse the data with Magic Unicorn. This is pretty simple: just point it at the data export you just made.

As you can see, it creates multiple .tsv files of the data.

Working with the Data

Now that you have this broken out, you can begin to work with the data to determine what the attacker did with the victim’s account.

For example, if you want to see every IP address and User Agent associated with logins, check out the logon-activity.tsv.

There’s a lot you can get from the snippet above, such as what OSes I use, what mobile app I use to sync email, who my wireless carrier is, and who my home ISP is.
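As an added example (not code from the original post or from the Magic Unicorn project), here is a small Python script that summarizes a logon-activity.tsv by IP address and User-Agent pair, with counts and first/last seen times, and flags any address the account owner did not recognize. The column names (Time, IP, UserAgent) and the sample rows are assumed and constructed; check them against the header of your own export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of a Magic Unicorn logon-activity.tsv.
# Column names are assumed; compare with the header of your real export.
SAMPLE_TSV = """Time\tIP\tUserAgent\tResult
2018-06-01T08:01:12Z\t203.0.113.10\tOutlook-iOS/2.0\tSuccess
2018-06-01T09:15:40Z\t203.0.113.10\tOutlook-iOS/2.0\tSuccess
2018-06-02T03:42:05Z\t198.51.100.77\tMozilla/5.0 (Windows NT 6.1) Chrome/66.0\tSuccess
2018-06-02T03:44:51Z\t198.51.100.77\tMozilla/5.0 (Windows NT 6.1) Chrome/66.0\tSuccess
2018-06-03T18:20:00Z\t203.0.113.10\tOutlook-iOS/2.0\tSuccess
"""

# Addresses the account owner confirmed as their own (constructed value).
KNOWN_GOOD_IPS = {"203.0.113.10"}


def summarize_logons(tsv_text, known_ips, time_col="Time", ip_col="IP", ua_col="UserAgent"):
    """Group logons by (IP, User-Agent) and return a list of dicts with the
    logon count, first and last seen timestamps, and whether the IP is known.
    The list is sorted by first seen so the timeline reads top to bottom."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        ts = datetime.strptime(row[time_col], "%Y-%m-%dT%H:%M:%SZ")
        groups[(row[ip_col], row[ua_col])].append(ts)
    summary = []
    for (ip, ua), times in groups.items():
        summary.append({
            "ip": ip,
            "user_agent": ua,
            "count": len(times),
            "first_seen": min(times),
            "last_seen": max(times),
            "known": ip in known_ips,  # unknown IPs are the ones to follow up on
        })
    return sorted(summary, key=lambda s: s["first_seen"])


if __name__ == "__main__":
    for entry in summarize_logons(SAMPLE_TSV, KNOWN_GOOD_IPS):
        flag = "" if entry["known"] else "  <-- not a known IP, review"
        print(f'{entry["first_seen"]:%Y-%m-%d %H:%M} .. {entry["last_seen"]:%Y-%m-%d %H:%M} '
              f'{entry["count"]:>3}x {entry["ip"]:<15} {entry["user_agent"]}{flag}')
```

The flagged rows give you a short list of source addresses and clients to reconcile with the user before digging into the read-activity and search-activity files for the same time window.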

The “read-activity-by-item” is also interesting, in that you can view the user’s emails read, at what times, and what platform.

The most interesting piece I found was the “search-activity” log. It looks like Microsoft is keeping track of every search query the user makes. So, for example, if I search my inbox for a name, it will show up here.


There is a lot of great data in these logs, and I encourage you to check them out and play around a little bit. Document your processes, you never know when you’ll need to use it!