Timeline Reconstruction
Correlate events across Exchange, SharePoint, Teams, and Entra into a single, ordered timeline. Spot gaps, reorder events, and surface the sequence that matters.
Reconstruct timelines, trace actors, and produce audit-ready evidence — from Exchange, SharePoint, Teams, Entra, and Purview. No agents. No data exfiltration.
Under active development. This inventory updates as functionality ships.
Start from a single artifact — an email, a sign-in, a file access — and pivot to the full scope of an actor's activity across your tenant. Defender XDR Advanced Hunting included.
Trace messages, attachments, and headers across Exchange. Pivot into Teams channel activity, membership changes, external contacts, and app installations — from the same case workspace.
Geographic and device-based authentication analysis. Spot impossible travel, MFA bypass patterns, and legacy auth usage without pivot after pivot through raw logs.
Scores every actor against their own activity baseline — flagging sign-in volume spikes, off-hours file access, and audit log gaps that sequential log review misses. Results surface ranked by risk score, not chronologically.
Ingests Exchange, SharePoint, Teams, and Entra audit records in a single pass and stores them locally — no API pagination, no rate-limit juggling. Re-query the same dataset as many times as needed without a second API call.
Write or import Sigma rules and run them against your case data. Every match maps automatically to a MITRE ATT&CK tactic and technique — giving each finding a framework context before you close the case.
Every IP address and domain in a case is enriched automatically — geolocation, hosting provider, and reputation. Pivot from an address to its full infrastructure footprint without leaving the workspace.
Generates investigation summaries and surfaces suggested next steps grounded in your case data. Ask questions in plain language; answers reference specific events in the timeline.
Runs the full CISA Secure Cloud Business Applications baseline against your Microsoft 365 tenant automatically — producing a gap report against federal security benchmarks without manual policy review.
Executes Microsoft's Zero Trust assessment across your tenant, scoring identity, device, and data controls against the Zero Trust maturity model — with findings mapped to actionable remediation steps.
Store API credentials and client secrets in your own Azure Key Vault. Recon360 retrieves them at runtime — your credentials never touch Recon360 infrastructure. Your vault, your keys, your control.
Read-only OAuth. No agents. No data leaves your environment. Recon360 requests only the permissions required for the services in scope.
Set the case: date range, actors, services. Recon360 builds the query plan and records the scope as part of the case file before any evidence is collected.
Pivot across Exchange, SharePoint, Teams, Entra, and Purview from a single workspace. Run Sigma detections, flag anomalies, and ask Copilot for an AI-generated summary at any point.
Download PDF reports, CSV exports, or full evidence ZIP packages — with chain of custody, query provenance, MITRE ATT&CK technique mapping, and analyst notes included.
A single pane of glass for portfolio-wide investigation management — open cases, triage queues, and outcome metrics across every tenant you operate.
Core investigation workflows are under active construction. This site updates as features reach a shippable state. Beta access will be considered once a critical mass of functionality is in place — no timeline set yet. Register to be notified when that threshold is reached.