Enterprise Security | Stephen Hackers Blog

22/06/2020

Microsoft Azure Security – Study Notes

By Steve inAdvisor, Alerts, Alerts, App Service, Azure AD, Azure Container Registry, Azure Monitor, Azure Security, Blueprint, Cloud & Datacenter Management, Cloud Security, Conditional Access, Content Trust, Cyber Security, Enterprise Security, Enterprise Security, Externsions, Hot Wired IT Solutions, IAM, Identity Protection, Key Vault, Kubernetes, Logs, Management Locks, Microsoft, Microsoft Azure, Networks, Powershell, Roles, Users and Groups, Security & Compliance, Security Center, Storage Tag AZ-500, AZ500, Azure, Azure Security, Exam, Microsoft, Microsoft Azure Security Technologies, Prep, Study Notes

A collection of all my study notes and lab work while working towards passing the badge Microsoft Certified Security Engineer Associate by passing the AZ-500 exam

These notes are in no order and are not focused towards any exam content other than sharing my experience of configuring and automating security within Azure in the run up to the final exam.

16/06/2020

MS365 – Azure AD – Dynamic Groups and Expiration Settings

By Steve inActive Directory, Azure AD, Azure Security, Cloud & Datacenter Management, Enterprise Security, Microsoft, Microsoft Azure, Office 365, Office Apps & Services, Roles, Users and Groups, Security & Compliance Tag -eq, Azure, Azure AD, Azure Security, Dynamic, Dynamic Groups, Expiration, Expresions, Expression, Group Liftime, Groups, Life Time, MS365, Office365, Rule, Syntax, user.department

Maintain groups in Azure AD with dynamic groups and set expiration settings.

Example scenario : Controlling remote access to sub contractors working on a short term project. The project owner should remove all access for sub contractors after the project completes

How to guide :

If we combine Dynamic Groups and Expiration settings, we can automatically populate groups and then invoke regular check to maintain groups are still required. Group owners will be reminded regularly to verify groups are required. Owners will have a better understanding of who has access and this help assist with your security policies.

Dynamic Group Example

Steps: Azure Active Directory > New Group > Type : Office 365 > Name, Description, Dynamic User > Owner > Dynamic user Members

Group Name : Sub Contractors – Set the value for department equals “Sub Contractor”

Dynamic User Members – Add Experssion

(user.department -eq “Sub Contractor”)

Configure Group lifetime / Expiration Settings

Steps: Azure Active Directory > Groups > Expiration > Days > No Owner email > Selected > Group > Save

“Renewal notifications are emailed to group owners 30 days, 15 days, and one day prior to group expiration. Group owners must have Exchange licenses to receive notification emails. If a group is not renewed, it is deleted along with its associated content from sources such as Outlook, SharePoint, Teams, and PowerBI.” Info from the portal Expiration settings.

15/06/2020

Office 365 Security and Compliance – Alert When A Specific File Is Accessed

By Steve inAlerts, Alerts, Azure Security, Cloud & Datacenter Management, Enterprise Security, Logs, Microsoft, Microsoft Azure, Office 365, Office Apps & Services, OneDrive, Security & Compliance, Security & Compliance, Security Center Tag Actions, Active, Alert, Alerts, Azure Security, Dismissed, File, File Accessed, File Activity, File Modified, File Opened, Information Governance, Investigating, Investigation, Microsoft 365, Monitor, Notifications, Office365, Resolved, Security And Compliance

When a very important file stored in OneDrive needs to be monitored. This is how to create an alert on file activity. We specifically want to monitor and alert on any activity done to the specific file by any user.

This example file is called HR.doc and is stored in OneDrive.

This is how we created an alert policy for file activity of the file “HR.doc”.

Open Office 365 Security & Compliance

https://protection.office.com/alertpolicies

Alerts > Alert Policies > New Policy

Options selected

Status – Enabled
Severity – Medium
Category – Information Governance
Conditions – Activity is File Activity and File name is HR.doc
Scope – All Users
Email Recipients – email address
Limit the number of notifications – optional. 5 in this example

Test the alert by trying to modify or access the file.

Result

Alert email notification as shown below.

This logs an alert which then should be reviewed and investigated

Action the Alert

15/06/2020

Content Search – Security And Compliance – Search A Mailbox For Specific Content And Then Export Results

By Steve inAlerts, Alerts, Azure Security, Cloud & Datacenter Management, Enterprise Security, Exchange, Logs, Microsoft, Microsoft Azure, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance, Security Center Tag Azure Security, Compliance, Compliance.microsoft, Content Search, Export, Investigation, Mailbox, New Search, Search, Security, Security And Compliance, specific word

If you’re doing some compliance investigation work, you may need to search a user’s mailbox for specific words.

This is how To Search Email Content in Office 365 Security & Compliance for a specific user which sent email containing a specific word then export results.

Reference guides – Content search

Microsoft Docs Content Search

Microsoft Docs Export Search

Content Search : How to search a mailbox for specific keywords and export the data

Mircosoft 365 Admin Center -> Compliance Admin Center

Content Search > + New Search

New Search > Keywords “Blog” example > Specific Locations > Modify > Choose Users, Groups or Teams

Enter users name > Select > Choose

Done > Save > Save & Run > Save Search

This search will trigger a default alert email to be sent out

Next step, Export the results

Unable to preview results problem or export?

If you cannot preview, you need to add a role to the user account, eDiscovery Administrator role (Example) or eDiscovery Manager for specific cases / Compliance Admin / Compliance Data Administrator

You must sign out and sign in for the groups to take effect.

Now back to the search

After the you can see the preview, now you can click Export

Click Export > ReportsOnly or Export > Copy to clipboard export key > Download report > Install eDiscovery Export Tool

Export tool installs

Use the Export Key and Set a directory.

File Downloads

Now you can open the report exported

09/06/2020

MS 365 Compliance Admin Portal Error – Status code: 503

By Steve inAzure Security, Business Applications, Cloud & Datacenter Management, Enterprise Security, Microsoft, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance Tag Azure Security, Content Search, Error 503, Icident, Security And Compliance, Service Health

Issue : Trying to connect to Compliance Admin Portal to Run a content search. Error – Status Code : 503

“The operation could not be completed. Please try again later. If the problem persists, contact Microsoft support.”

https://compliance.microsoft.com/homepage

Error – Status Code : 503

Error



The operation could not be completed. Please try again later. If the problem persists, contact Microsoft support.

Show details



Request: /api/contextinfo/

Status code: 503

Diagnostic information: **{Version:17.00.4803.004,Environment:WEUPROD,DeploymentId:ee****************e9d84,InstanceId:WebRole_IN_3,SID:ea*********81c9,CID:5b8***416}

Time: Tue, 09 Jun 2020 09:47:27 GMT

Trouble loading the page

REFRESH. Tried once. Same. Waited a few mins. Connected

Searches crashing.. Tuesday problems

Request: /api/ComplianceSearch?id=Blog+Mail+Search

Status code: 503

Diagnostic information: **{Version:17.00.4803.004,Environment:WEUPROD,DeploymentId:ee608**********84,InstanceId:WebRole_IN_3,SID:eaf****1c9,CID:433***0}

Time: Tue, 09 Jun 2020 10:28:55 GMT

Finally Ran a Content Search and another page loading error

Content search

Show in navigation

Sorry, we’re having trouble loading the page. Try refreshing the page later. (page: /Ediscovery/ContentSearch/Management)

Refreshed… Paused… Refreshed 5mins later…

Reason : Check Service Health

Service Incident “Users may also encounter similar issues when attempting to access the Security & Compliance Center.”

Solution : Intermittent Refresh Screen / Wait for Microsoft to Resolve Service Issues

03/06/2020

Microsoft 365 – Audit Log Search – UserLoginFailed

By Steve in2FA, MFA, Cloud & Datacenter Management, Cloud Security, Cyber Security, Dark Web, Enterprise Security, Enterprise Security, Exchange, Microsoft, Office 365, Office Apps & Services, Security & Compliance, Security & Compliance Tag Activity, Audit Log, CyberSecurity, Email, Filter, M365, Pwned, RaisingAwareness, Search, Security, User Login Failed, UserLoginFailed, Whois

M365 Admin Portal > “Security & Compliance” > “Search”>”Audit log search” Learn more about searching the audit log

https://protection.office.com/unifiedauditlog

Audit log search, a great place to start regularly checking for unauthorised User Login Failed attempts. This example shows multiple attempts to login from various locations. None physically possible from this user based in the UK. We suspect there has been a breach where this email address / user name was previously registered. Thankfully, this is now only an Alias used these days on a domain we imported into the tenancy. In addition, we have features like MFA, and failed login attempt setting configured on all users.

There are no more than two attempts tried at each IP address logged. So we have avoided a user account being compromised by using a mix of, basic security login attempt policies, MFA enabled and an Alias.

Where can we see Failed login attempts

Audit Log Search

Audit Log Search > Set Activities / Dates > Search

Next apply a filter

Click >Filter Results> “Activity” = “UserLoginFailed”

After identifying the IP – Next Step, check the IPs out. https://whois.domaintools.com

A quick check on the details confirm it was not possible for one of our live users to be in the locations at the time of the failed logins and the IP addresses also weren’t blacklisted.

“78.140.7.9” – Russia

“203.147.83.159” – New Caledonia

“119.160.136.138” – Brunei

One attempt maybe just a one-off end user error, but multiple attempts and various locations something has been compromised. I would certainly suggest a quick change of password and recreate and App Passwords in use.

Check if the accounts have been pwned. A quick check to see if the account has be pwned https://haveibeenpwned.com/

In this case the account has previously had information “email address” & “Password” compromised.

Now going back to the IP address’s

This example located in Australia. Not blacklisted.

So what are the next options suggestions?

Conditional Access
Disable Basic Authentication

We could look at Conditional Access and block locations. However, that doesn’t block basic authentication (from my research, maybe wrong info).

So to help block any brute force basic authentication attempts, we could disable basic authentication, but is there any challenges? So before a blanket disable basic auth, legacy applications would need to be upgraded before disabling basic authentication. Note “Blocking Basic authentication will block app passwords in Exchange Online. For more information about app passwords, see Create an app password for Office 365.”.

27/05/2020

AZ-500: Microsoft Azure Security Technologies – EXAM PASSED!!!

By Steve inAzure Security, Cloud & Datacenter Management, Cloud Security, Cyber Security, Enterprise Security, Enterprise Security, Hot Wired IT Solutions, Microsoft, Microsoft Azure, Security & Compliance Tag AZ-500, Azure, Certified, Exam, MCP, Microsoft, Microsoft Azure Security Technologies, Passed, Security, Stephen Hackers

AZ-500: Microsoft Azure Security Technologies

EXAM PASSED!!!

#Azure #Security #AzureSecurity #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #MicrosoftAzure #MicrosoftCloud #Microsoft #alwaysbelearning #AZ500 #EXAM #PASSED