Office 365 Forensics
I'm examining O365 data in Magnet Axiom and Microsoft Security and Compliance Center. More specifically I'm looking at files downloaded from Sharepoint and trying to correlate if they were downloaded on a particular machine. The Unified Audit Log provides me with the IP address and several different ID #'s, but I'm not sure exactly what they are. Does any of these ID #'s point to a specific machine?
Can anyone recommend a best practice to correlate Sharepoint activity with a machine. I looked for web activity during the date/time of download to see if there were artifacts pointing to the download and I'm not finding anything. I'm starting to think that a different machine was used for the download, but feel that I may be missing something.