Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Microsoft Azure and Microsoft 365 Security - my defense in depth strategy!
Dear Microsoft Azure and Microsoft 365 security friends, Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking. These are the first sentences I always hear when it comes to IT (Cloud) security. But the attacker is also interested in a small company and that is to use their system as a bot. It's not always about money and data. What about the reputation a company has to lose? It takes years to build a good reputation but only one event to damage the reputation. What about the employees, the trust in the company? Do you want to put this at risk as a company, I don't think so! Yes! Extended protection mechanisms always cost extra, I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security. Let's start with my IT/Cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here. We start with Microsoft 365, as a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center. https://security.microsoft.com/threatpolicy The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center. Multi factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). Azure Active Directory helps you integrate this protection. https://portal.azure.com If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help. Here you can set up data loss prevention policies, audits, eDiscovery and much more. https://compliance.microsoft.com/homepage In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM). https://endpoint.microsoft.com/ Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect Shadow IT, and control how your data travels. https://portal.cloudappsecurity.com/ The Cloudapp Security Portal provides you with the best possible support. Here you can allow or sanction cloud app, configure anti-ransomware policies, data loss prevention policies and much more. Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud. With an interface to the CloudApp Security Portal. https://yourtenant.atp.azure.com/timeline No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it for your needs. https://portal.azure.com With Azure Identity Protection do you have a tool that allows organizations to accomplish three key tasks: 1. Automate the detection and remediation of identity-based risks. 2. Investigate risks using data in the portal. 3. Export risk detection data to third-party utilities for further analysis. https://portal.azure.com Just in time access for administrators, this is also possible for virtual machines with Just in time VM Access. In Microsoft Defender for Cloud you can configure this feature (and much more). Microsoft Sentinel helps you keep track of the health of your organization. A SIEM (Security Information and Event Management) and SOAR (Security Orchestration Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel. There is still so much to show, I wasn't talking about Role Based Access Control (RBAC) now or Network Security Group (NSG), etc. I know some of you are thinking, hey there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization. Thank you for taking the time to read this article. Kind regards, Tom Wechsler
Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,
Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing, using LDAP, I can trace login events in the IdentityLoginEvents table, however when switching to LDAPS, I can't see any related events logged here. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID:4776 on the DC (but don't appear in the defender portal). It was then that I discovered that this expected behaviour according to the list of supported logon types listed here. IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support ?An actor on NULL - ATP
I’m getting a lot of these messages below, I’m not sure what to do with them, tracing via my siem the process involved is lsass.exe, my suspicion is that it is Rapid7 performing vulnerability scans but just wanted to check if anyone else had similar issues? An actor on NULL performed suspicious account enumeration, exposing Guest, while trying to access <computer> clicking on null, as expected produces an error.
Include missing ActionTypes in DeviceEvents
Hi all, There is a discrepancy between those events with certain ActionTypes that are viewable in the timeline view of a device, and those able to be searched in Advanced Hunting in KQL - this means no custom detections can be made, and threatening based on them is not possible. This article lists 61 events that are missing in the DeviceEvent table: https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4 Please can this data be included? Kind regards, Felix
