User Profile
lfkentwell
Brass Contributor
Joined 6 years ago
Recent Discussions
Filtering Security Graph API in power automate
I am using the Microsoft Graph Security connector to get alerts in Power Automate. I am trying to filter the results to just MCAS alerts; however, there doesn't appear to be a field that just has MCAS that I can filter on. I first tried filtering on the "category" field, which starts with MCAS, and then the "vendorInformation" field, which has a sub-field called "provider" that has MCAS; however, these don't work when using the eq operator. Is there a "like" or "contains" option? If there are no "like" or "contains" style options, any suggestions on how to achieve the desired outcome?

"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
"vendorInformation": { "provider": "MCAS",

{
  "id": "XXXXXX",
  "azureTenantId": "XXXXX",
  "azureSubscriptionId": null,
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2020-03-15T00:02:08.093Z",
  "description": "The user XXXX XXXX (XXXX.XXXX@XXXX.com.au) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 2001:8004:c81:d661:d894:8a4e:6434:6fa2 in Australia and 183.89.211.22 in Thailand within 140 minutes.",
  "detectionIds": [],
  "eventDateTime": "2020-03-14T21:36:35Z",
  "feedback": null,
  "lastModifiedDateTime": "2020-03-15T00:02:08.6554137Z",
  "recommendedActions": [],
  "severity": "medium",
  "sourceMaterials": [
    "https://XXXX.portal.cloudappsecurity.com/#/policy/?id=eq(XXXX)",
    "https://XXXX.portal.cloudappsecurity.com/#/alerts/XXXX"
  ],
  "status": "unknown",
  "title": "Impossible travel activity",
  "vendorInformation": {
    "provider": "MCAS",
    "providerVersion": null,
    "subProvider": null,
    "vendor": "Microsoft"
  },
  "cloudAppStates": [
    { "destinationServiceIp": null, "destinationServiceName": "Microsoft Exchange Online", "riskScore": null },
    { "destinationServiceIp": null, "destinationServiceName": "Office 365", "riskScore": null }
  ],
  "fileStates": [],
  "hostStates": [],
  "historyStates": [],
  "malwareStates": [],
  "networkConnections": [],
  "processes": [],
  "registryKeyStates": [],
  "triggers": [],
  "userStates": [
    {
      "aadUserId": "XXXX",
      "accountName": "XXXX.XXXX",
      "domainName": "XXXX.com.au",
      "emailRole": "unknown",
      "isVpn": null,
      "logonDateTime": null,
      "logonId": null,
      "logonIp": null,
      "logonLocation": null,
      "logonType": null,
      "onPremisesSecurityIdentifier": null,
      "riskScore": null,
      "userAccountType": null,
      "userPrincipalName": "XXXX.XXXX@XXXX.com.au"
    }
  ],
  "vulnerabilityStates": []
},

Not seeing all activity
While doing some reading I came across the below article about viewing label activity: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer

The article says you can see a number of activities listed as:
File created
File modified
File renamed
File copied to cloud
File accessed by unallowed app
File printed
File copied to removable media
File copied to network share
File read
File copied to clipboard
Label applied
Label changed (upgraded, downgraded, or removed)

My problem is when I go to the Label activity explorer I only have two options (Label Activities and Label changes). I don't see all the other useful activities such as "File copied to removable media". I have the necessary license, Office 365 (E5), applied to the accounts. I've done testing by copying a labeled file to a USB and get no activity. I think I have all the right permissions, but maybe there is a role or permission within the Security and Compliance portal I need? Can anyone help shed some light on this?

Issues with sub labels
I have set up my labels etc. and everything is working fine. However, when I create a sub label of one of my "top level" labels I can no longer select that "top level" label. E.g.:
1. I created a label of "Confidential" and set all the settings etc.
2. Then I created a sub label, called it "Confidential - Do Not Forward" and set up all those settings.
3. Now when I'm in a document or an email I can see Confidential, and if I click that I see the Confidential - Do Not Forward label.
4. The problem is I cannot apply the top level Confidential label now, only the Confidential - Do Not Forward sub label. Why?

Spike in impossible travel false positives
I've noted recently a spike in impossible travel alerts in my MCAS. When looking at the activity, all the activity appears in my home country (AU), but dotted throughout is activity from other MS DC IPs in other countries, causing an impossible travel alert. When I look at the type of activity that is triggering this, it appears to be audit activity, not user activity. Nearly all the activities show as "Run command:taskMailItemsAccessed;". Googling this, it looks like this is a legit activity to generate an audit log of activity on a mail file. My problem is they are being run across random and multiple data centers. How can I ensure these are not run across O\S data centers so they stop generating false positive alerts? Do I need to maybe whitelist IPs? Here is a redacted sample of one of the activities:

{
  "OrganizationId": "REDACTED",
  "CreationTime": "2020-01-19T00:00:00.0000000Z",
  "RecordType": 50,
  "Operation": "MailItemsAccessed",
  "Workload": "Exchange",
  "UserType": 0,
  "UserKey": "REDACTED",
  "Version": 1,
  "OriginatingServer": "REDACTED (XXX.XXX.XXX.XXX)\r\n",
  "InternalLogonType": 0,
  "UserId": "REDACTED@REDACTED.com.au",
  "OrganizationName": "REDACTED.onmicrosoft.com",
  "ClientInfoString": "Client=MSExchangeRPC",
  "ClientIPAddress": "[XXX.XXX.XXX.XXX]:17147",
  "MailboxOwnerSid": "REDACTED",
  "MailboxOwnerUPN": "REDACTED@REDACTED.com.au",
  "Id": "REDACTED",
  "ExternalAccess": false,
  "ResultStatus": "Succeeded",
  "LogonUserSid": "REDACTED",
  "MailboxGuid": "REDACTED",
  "LogonType": 0,
  "SessionId": "REDACTED",
  "OperationProperties": [
    { "Name": "MailAccessType", "Value": "Bind" },
    { "Name": "IsThrottled", "Value": "False" }
  ],
  "OperationCount": 1,
  "Folders": [
    {
      "Id": "REDACTED",
      "Path": "\\Deleted Items",
      "FolderItems": [
        { "InternetMessageId": "<REDACTED.ausprd01.prod.outlook.com>" }
      ]
    }
  ]
}

Exchange online SPF
I may be missing something basic here, but can someone explain: if I use the recommended SPF include statement (v=spf1 include:spf.protection.outlook.com -all) (see here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing) for all Exchange Online deployments, because it's not specific to my domain but rather generic to outlook.com, wouldn't that mean that any other Exchange Online customer could spoof my domain, if they are also coming from that host, being an Exchange Online user just like me? Does that make sense?

Using regex to match a string in a replace function
Hoping someone can help me with an issue. I have some text that comes from an RSS feed that I post to Yammer using Flow. The source randomly includes text between square brackets. The text is different, but it's always between square brackets, e.g. "Reconsider your need to travel [/consular-services/travel-advice-explained] due...". I want to simply remove the text in the square brackets along with the brackets. If I use a replace and "hard" code the string to remove (string2 in the replace function) it works fine, e.g. the expression that works is below.

replace(variables('String'),'[/consular-services/travel-advice-explained] ','New Text')

However, if I try to use a regex that looks for anything between square brackets in place of the "hard" coded string, it fails. I know you're going to say I need to escape the square brackets; I am aware of this and tried a few different combinations. I even tested the expressions on various regex test tools and the expression matches, but not in Flow. Examples of regex strings I tried are below. They all work in the various regex testing tools and websites, but Flow doesn't work.

\[([^\]\[\r\n]*)\]
\[(.*?)\]
(\[(?:\[??[^\[]*?\]))
\[([^]]+)\]

Is there a special way to use a regex in a replace expression? Are regexes even supported in a replace expression? Am I missing something?

Strange new logins.
Recently in Azure AD logs I have started to see attempted logins to various users across my organisation. They all seem to have similar conditions such as:
1. Even though they are physically in Australia, the logins occur from IPs in the UK, e.g. some IPs seen are 185.59.221.83 (Hounslow, Greater London, GB) and 109.70.144.22 (Needham Market, Suffolk, GB).
2. They are all showing in device info as "Azure AD registered".
3. Application identified as "Universal Store Native Client".
4. Resource identified as "Windows Store for Business".

Sometimes they also have the following:
1. Same IP as the traffic for Application identified as "Universal Store Native Client", but
2. Application identified as "Microsoft Application Command Service"
3. Resource identified as "Microsoft Activity Feed Service"

Now I can understand if maybe these are some kind of background services attempting to access MS resources and are using the login for the Office tenancy, but why are they coming from an IP in the UK when I know the person is in Australia at the time? Is Windows tunneling certain traffic? What is going on?

Info about Leaked Credentials alert
Is there any way to get more information about Leaked Credentials alerts that have been triggered? I've seen one or two accounts on occasion, but when I go to all my dark web and intelligence sources these accounts do not appear in any breaches, pastes, forums, classifieds for sale etc. Nothing. Can Microsoft share the details of where they picked these up as a valid set of credentials? I think this would be very useful to help companies backtrack to root cause and fix the leak.

Lync.exe failing MFA
Recently we implemented MFA and all of a sudden I get loads of failed logins with the Browser identified as Lync.exe with the failure "User did not pass the MFA challenge (non interactive)." Clearly Lync is the old version of Skype for Business. If this is failing, wouldn't the person be having issues with their Lync not working? I would have thought so, but no one is complaining.

Missing details in the Sign-in Log
I am seeing large gaps in info in the Azure AD sign-ins log, specifically the Application, Application ID and Client App. A very large number of these appear to be Edge browsers, including versions 14.14393, 16.16299 and 16.1629; however, I also see this missing info for browsers IE 11.0, IE 7.0, Chrome 74.3.3729, 75.0.3770, 78.0.3904, 71.0.357 and 66.0.3359. Also seeing Rich Client v1.0.2053.20161104 and Rich Client v2.3.0.1501. I suspect these are maybe using Basic Auth, which I plan to shut down, but some of these are modern clients; why aren't they using modern auth? Is the use of basic auth why these fields in the sign-in log are empty?