siem
28 Topics

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 10 | Identity Threat Detection and Response
For this episode, your opportunity to win a plush ninja cat is the following – Our season finishes here! After learning about this last topic, tell us your thoughts on the Microsoft 365 Defender approach to ITDR. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Can anyone help me: What is the difference between Defender for Endpoint, Defender for Cloud
Can anyone help me to understand what the difference is between Defender for Endpoint, Defender for Cloud, Defender for Server, and Azure Arc? I am confused by each one of them. I have looked in many places but I did not get any proper answer. It would be great if someone explained the difference between Defender for Server and Azure Arc.

There is one more thing: I created a normal post, clicked Post and got an error: "Correct the highlighted errors and try again. Post flooding detected (community received posts of a unique message more than 1 times within 300 seconds)". So apparently I can't post for an hour. I've given up and gone somewhere else; this feature needs fixing, I didn't do anything odd, just wrote a post and hit the post button.

Microsoft Azure and Microsoft 365 Security - my defense in depth strategy!
Dear Microsoft Azure and Microsoft 365 security friends,

Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking. These are the first sentences I always hear when it comes to IT (Cloud) security. But the attacker is also interested in a small company, and that is to use their system as a bot. It's not always about money and data. What about the reputation a company has to lose? It takes years to build a good reputation but only one event to damage the reputation. What about the employees, the trust in the company? Do you want to put this at risk as a company? I don't think so!

Yes! Extended protection mechanisms always cost extra, I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security.

Let's start with my IT/Cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here.

We start with Microsoft 365. As a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center. https://security.microsoft.com/threatpolicy

The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center.

Multi-factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). Azure Active Directory helps you integrate this protection. https://portal.azure.com

If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help. Here you can set up data loss prevention policies, audits, eDiscovery and much more. https://compliance.microsoft.com/homepage

In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM). https://endpoint.microsoft.com/

Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect Shadow IT, and control how your data travels. https://portal.cloudappsecurity.com/ The Cloud App Security Portal provides you with the best possible support. Here you can allow or sanction cloud apps, configure anti-ransomware policies, data loss prevention policies and much more.

Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud, with an interface to the Cloud App Security Portal. https://yourtenant.atp.azure.com/timeline

No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it for your needs. https://portal.azure.com

With Azure Identity Protection you have a tool that allows organizations to accomplish three key tasks:
1. Automate the detection and remediation of identity-based risks.
2. Investigate risks using data in the portal.
3. Export risk detection data to third-party utilities for further analysis.
https://portal.azure.com

Just-in-time access for administrators is also possible for virtual machines with Just-in-time VM Access. In Microsoft Defender for Cloud you can configure this feature (and much more).

Microsoft Sentinel helps you keep track of the health of your organization. A SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel.

There is still so much to show; I wasn't talking about Role Based Access Control (RBAC) now, or Network Security Groups (NSG), etc. I know some of you are thinking, hey, there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization.

Thank you for taking the time to read this article.

Kind regards, Tom Wechsler

error query threat hunting
// Query2
// Summary of e-mail SENT to free web mail services
let timeframe = 1d;
// popular public web mail service domains
let emailservicedomains = dynamic(["gmail.com","outlook.com","hotmail.com","gmx.de",
"yahoo.com","mail.com","web.de","mail.ru","freenet.de","ziggo.nl","xs4all.nl",
"seznam.cz","email.cz","aol.com","hotmail.co.uk","hotmail.fr",
"msn.com","yahoo.fr","orange.fr","wanadoo.fr","comcast.net",
"yahoo.com.br","yahoo.co.in","live.com","rediffmail.com","free.fr","yandex.ru","ymail.com","libero.it",
"uol.com.br","bol.com.br","cox.net","hotmail.it","sbcglobal.net","sfr.fr","live.fr","verizon.net","live.co.uk","googlemail.com","yahoo.es",
"ig.com.br","live.nl","bigpond.com","terra.com.br","yahoo.it","neuf.fr","yahoo.de","alice.it","rocketmail.com","att.net","laposte.net",
"facebook.com","bellsouth.net","yahoo.in","hotmail.es","charter.net","yahoo.ca","yahoo.com.au","rambler.ru","hotmail.de","tiscali.it",
"shaw.ca","yahoo.co.jp","sky.com","earthlink.net","optonline.net","freenet.de","t-online.de","aliceadsl.fr",
"virgilio.it","home.nl","qq.com","telenet.be","me.com","yahoo.com.ar","tiscali.co.uk","yahoo.com.mx","voila.fr","gmx.net",
"mail.com","planet.nl","tin.it","live.it","ntlworld.com","arcor.de","yahoo.co.id","frontiernet.net","hetnet.nl","live.com.au",
"yahoo.com.sg","zonnet.nl","club-internet.fr","juno.com","optusnet.com.au","blueyonder.co.uk","bluewin.ch","highspeed.ch",
"skynet.be","sympatico.ca","windstream.net","mac.com","centurytel.net","chello.nl","live.ca","aim.com","bigpond.net.au",
"yahoo.co.uk"]);
EmailEvents
| where Timestamp > ago(timeframe)
// take the part after the "@" of the recipient address
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@", 1)[0])
| where RecipientDomain in (emailservicedomains)
| summarize count() by RecipientDomain

hi, please help

An error has occurred
Error message: An unexpected error occurred during query execution. Please try again in a few minutes.

Question on KQL: any way to call resourcecontainers two times using Azure Resource Graph Explorer???
Is there any way to call the resourcecontainers table more than two times in a query, using Azure Resource Graph Explorer? I would like to know workarounds to avoid these known limitations.

What I eventually want to do is to extract the names, tags, and properties attributes from 2 of the following types, AT THE SAME TIME:
microsoft.management/managementgroups
microsoft.resources/subscriptions
microsoft.resources/subscriptions/resourcegroups

I would like to grasp and leverage/utilize all the tags and properties of these 3 levels, on top of each individual resource's portions.

I am usually writing queries like this (example: securityresources; not limiting, but shown just as an example of this query pattern):

----
securityresources
| where type = 'type and other conditions go here; such as recommendations, alerts, security posture, etc.'
| extend resId = properties.resourceDetails.Id
| join kind=leftouter (
    resourcecontainers
    | where type in ("microsoft.management/managementgroups", "microsoft.resources/subscriptions", "microsoft.resources/subscriptions/resourcegroups")
    | extend SubName = iff(type == "microsoft.resources/subscriptions", name, 'N/A'),
             SubTags = iff(type == "microsoft.resources/subscriptions", tags, 'N/A'),
             SubProperties = iff(type == "microsoft.resources/subscriptions", properties, 'N/A')
  ) on subscriptionId
| join kind=inner (
    resources
    | where type in (array; vm, apps, keyvaults, storage, etc.)
    | extend vmlocation = location, VMName = name
  ) on $left.resId == tolower($right.id)
| project id, VMName, alertDisplayName, resourceGroup, SubName, SubProperties, SubTags, properties, tags
----

In this pattern of query, resourcecontainers can appear only once like this, and I cannot have it appear two or more times, such as individually calling it in the same join or nesting/cascading the resourcecontainers table using different types. The resourcecontainers table also cannot be in the right position more than one time, so just nesting the same table at the current position only emits errors.

So, currently we need to choose which level of the three, meaning management groups, subscriptions, or resource groups, to gain the properties and tags from. I often select subscriptions here, because there is no other way I found to attach the subscription name to the main query contents.

So, is there any way to avoid these restrictions and leverage the "resourcecontainers" table at different types/levels against subscription, resource groups, management groups, within the same query, to have all of the name, properties, and tags attributes of all these 3 levels AT THE SAME TIME?

Maybe the managementgroups table needs to be queried differently, since it does not have a key, other than tenantId, that can be seen in other tables such as securityresources or resources. Probably even if possible, only two of these three, meaning resourcegroups and subscriptions, can be queried at the same time, with one key, such as id or subscriptionId.

Any other workarounds for that, not using let to MANUALLY define arrays, writing down corresponding pairs, since, to me, there are hundreds of resource groups to tackle? I am utilizing Microsoft Defender to query against functionalities, such as endpoint, cloud, etc., so I am not capable of utilizing other UIs so far. Hoping someone can find a workaround to avoid limitations with the "resourcecontainers" table.

P.S. Please do not confuse the table name "resourcecontainers" with "resources" or "securityresources". I know that even in this context the resources and securityresources tables can be nested 4 times at maximum if necessary, and the current limit of the number of tables to JOIN is 4. However, I am not talking about that. I am talking about specific limitations with the "resourcecontainers" table only.

Thank you, Kenji

PowerShell Suspicious Discovery Related Windows API Functions alerts about C:\ProgramData\Microsoft\
Hi,

We are getting alerts named "PowerShell Suspicious Discovery Related Windows API Functions" about executing a PS script named with numbers under the path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\". Are these legit actions or not?

The query contains:
NetShareEnum
NetWkstaUserEnum
NetSessionEnum
NetLocalGroupEnum
NetLocalGroupGetMembers
DsGetSiteName
DsEnumerateDomainTrusts
WTSEnumerateSessionsEx
WTSQuerySessionInformation
LsaGetLogonSessionData
QueryServiceObjectSecurity

Thank you.

Microsoft 365 Defender into Sentinel
I've just started to look at onboarding devices into 365 Defender via the script provided and all works great. We do use an independent anti-virus product but I like the additional telemetry associated with onboarding. We already have a POC Sentinel instance created with the M365 Defender connector turned on and I'm able to see it ingesting data from my onboarded device.

My question really is: what data is classed as free ingested data? I'd be happy to onboard our whole estate of devices into 365 Defender but I guess they will all start throwing data into Sentinel then? I'm just concerned that before we know it we could have costs spiralling out of control. Is there a matrix or chart somewhere explaining the pricing for the different data connectors?

Also, is it possible to just onboard devices into the usual M365 Defender without having it need to go into Sentinel? I guess I could just turn off the M365 Defender data connector, but would things still get ingested via any of the other connectors?

Thanks