User Profile
danb1967
Copper Contributor
Joined Oct 20, 2019
Recent Discussions
learn how to Automate mail trace via graph
Hi All, I am currently working on getting relevant data from various APIs to Azure Storage for reporting purposes. I am authenticating using an app registration. I have been able to pull Sentinel data, Attack Simulator data, Defender for Endpoint data and more and get this data to Azure Storage using a runbook on a pre-defined schedule. I want to now pull email trace data but the documentation is all over the place tbh. Has anyone been able to pull data from Exchange that shows mailflow info such
398 Views, 0 likes, 0 Comments

Can't find Machine.Read.All permissions for Defender for Endpoint API
Hi, I am trying to access the following https://api.securitycenter.microsoft.com/api/machines via Graph. The documentation tells me to add the below permissions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/get-machines?view=o365-worldwide
Application Machine.Read.All 'Read all machine profiles'
Application Machine.ReadWrite.All 'Read and write all machine information'
I cannot find these permissions in Azure under Graph or APIs my org uses. Where can I add these permissions so that I can access this API for reporting purposes?
3.9K Views, 0 likes, 1 Comment

Re: Block-AADUser - Azure Sentinel Playbook
Hi, I am using a managed identity to run this. When I run the trigger the playbook completes, but when I look into the run details I see that most of the actions seem to be 'skipped'. When I click into these I see errors like {"code":"ActionConditionFailed","message":"The execution of template action 'Update_user_-_disable_user' is skipped: there are no items to repeat."} So I have misconfigured something somewhere. How best to troubleshoot this, or has anyone here seen these types of errors before? Should I be using the managed identity as the connection for all sections of the logic app? If I open the logic app and break down each part I can connect various different accounts.
3.7K Views, 0 likes, 0 Comments

Block-AADUser - Azure Sentinel Playbook
Hi, I am a security engineer and I have just started using Sentinel and Logic Apps for the first time. I have been adding various out of the box playbooks etc. and triggering them in my lab. One playbook I am keen to see working is Block-AADUser. This is available on GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser I have followed the post deployment steps:
1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity
2. Assign API permissions to the managed identity so that we can search for the user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have the Azure AD PowerShell module, you will have to install it and connect to the Azure AD PowerShell module.
I am confused at the part 3 instruction:
3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections
Does this simply mean within the logic app that I need to connect using an account that has permissions in both Azure and Office 365, or do I need to add additional steps into the playbook to connect this playbook to Office 365 or Azure?
4.1K Views, 0 likes, 2 Comments

Generating alerts in test lab
Hi All, I have set myself up a Defender test lab and I have my DC connected to Defender for Identity and I have 2 user machines that are onboarded to Defender for Endpoint. I also have all the relevant integrations in place with Azure Sentinel also configured. I am looking to start generating alerts by using various tools on my machines to recreate the kind of activity that would require investigation. Does anyone know of any resources/guides that can teach me how to begin to perform activities that would generate these alerts, like Lateral Movement and LDAP reconnaissance etc.?

Emergency Addresses
Hi, I am adding Emergency Addresses within the Teams admin centre. When adding these addresses we can obviously choose the region. How can we add a region to this? We have offices in Dubai and Norway for example but these are not options available to us. Ireland is not even there but Puerto Rico is?? Can we add these manually or are there only certain locations that are available?
2.7K Views, 0 likes, 1 Comment

Uploading Emergency locations using CSV
Hi, In our organisation we are updating our list of emergency locations in the admin section of Teams. We were able to export the current out of date list using
Get-CsOnlineLisLocation | Select-Object companyname, description, HouseNumber, Streetname, City, postalcode | Export-Csv c:\temp\skypelocation.csv -NoTypeInformation -Append
We now have the correct up to date list populated in a CSV and we would like to know if it's possible to import this back to Teams? There is no Import-CsOnlineLisLocation command so I am unsure if this is even possible. Is there a way to use Import-Csv and then pipe it into the New-CsOnlineLisLocation command? Something like the following?
Import-Csv -Path <Input CSV File Path and Name> | foreach {New-CsOnlineLisLocation -Location $_.Location -PostalCode $_.PostalCode}
1.8K Views, 0 likes, 1 Comment