Microsoft Detection and Response Team (DART) AMA
Tuesday, Mar 15, 2022, 09:00 AM PDT
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
David_Caddick
Feb 21, 2022 (Brass Contributor)
Thanks Trevor,
Very keen to hear how the DART Team get a handle on things from the outset - especially blocking Legacy Auth, Conditional Access and the like.
Regards, Dave C
eolson
Microsoft
Mar 15, 2022
Our primary goal is to find persistence in the environment, but sometimes we do take action based off indicators we are tracking. When we consider it, we look at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#identify-legacy-authentication-use and work with our customers before asking them to disable it if that was related to the incident. Similar discussions happen around Conditional Access. Take a look at https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common and the Conditional Access templates (Preview) for some nice templates for commonly used policies. Conditional Access policies are something you want a little bit of planning for if you are going to impact a large user base. But for privileged accounts, it's something I would recommend turning on as soon as possible.
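The inventory step eolson points to (work out who still depends on legacy authentication, and whether any privileged accounts do, before a Conditional Access policy blocks it) as an added example; this is not code from the AMA or from Microsoft. It assumes sign-in log records exported as JSON with `userPrincipalName`, `clientAppUsed` and `status.errorCode` fields, the legacy client-app names are taken from the linked docs and should be checked against your tenant, and the sample records and privileged-user list are constructed.

```python
from collections import Counter

# Client-app names the Azure AD sign-in log uses for legacy (basic) auth.
# Assumption: compiled from the docs linked above; verify against your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3",
    "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell",
    "Outlook Anywhere (RPC over HTTP)", "AutoDiscover",
    "Offline Address Book", "Outlook Service", "Other clients",
}

# Constructed sample records in the shape of an exported sign-in log.
SAMPLE_LOG = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scan@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "admin-eve@contoso.example", "clientAppUsed": "Other clients",
     "status": {"errorCode": 50126}},   # failed sign-in, not counted
    {"userPrincipalName": "admin-eve@contoso.example", "clientAppUsed": "Other clients",
     "status": {"errorCode": 0}},
]
PRIVILEGED_USERS = {"admin-eve@contoso.example"}  # constructed placeholder list

def summarize_legacy_auth(records, privileged_users=frozenset()):
    """Count successful legacy-auth sign-ins per user and per protocol, and
    flag privileged accounts among them (the ones to move onto a blocking
    Conditional Access policy first). Failed sign-ins are skipped: blocking
    them breaks nothing, though a burst of them deserves its own look."""
    by_user, by_app, privileged_hits = Counter(), Counter(), set()
    for rec in records:
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern auth (Browser, Mobile Apps and Desktop clients)
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        upn = rec["userPrincipalName"].lower()  # UPN case varies across entries
        by_user[upn] += 1
        by_app[app] += 1
        if upn in privileged_users:
            privileged_hits.add(upn)
    return by_user, by_app, privileged_hits

if __name__ == "__main__":
    users, apps, priv = summarize_legacy_auth(SAMPLE_LOG, PRIVILEGED_USERS)
    print("legacy auth by protocol:", dict(apps))
    print("legacy auth by user:", dict(users))
    print("privileged accounts still on legacy auth:", sorted(priv))
```

Run it over a real export (Azure portal sign-in logs, or the Graph sign-in feed) and the per-user list is the set of people and service accounts to contact before the block goes live, while the privileged set is what the answer above says to fix first.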
eolson
Mar 15, 2022
Microsoft
We also talk to our customers about having a solid incident response plan/playbook they can execute. Think about things like application dependencies, service accounts, teams you may need to talk to in order to accomplish a task like turning off external access to the internet for example.