User Profile
mrboxx
Brass Contributor
Joined 6 years ago
Recent Discussions
Re: Classic Conditional Access Policy for Defender ATP
After a lot of digging and opening a case, here's the answer. These classic conditional access policies are created by the linkage between Intune and Defender ATP. They are classic policies, are important, should not be changed, must not be deleted and cannot be converted to modern CA policies. Similar policies will be created by other similar MTD solutions. To solve my problem (unable to pass device code auth to the Defender APIs due to these policies blocking authentication), I have modified the classic policy to not apply to the specific users that require API access, after confirming that these users will not be registering devices associated with Intune/Defender. I've seen some discussion posts (on other forums) where people have deleted the classic policies on the assumption they are irrelevant, which I think is a mistake. This is the applicable doc: https://docs.microsoft.com/en-gb/mem/intune/protect/advanced-threat-protection-configure

"When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including Microsoft Defender ATP (https://docs.microsoft.com/en-gb/mem/intune/protect/advanced-threat-protection) or any of our additional MTD partners (https://docs.microsoft.com/en-gb/mem/intune/protect/mobile-threat-defense#mobile-threat-defense-partners), creates a new classic conditional access policy. These policies can be ignored, but should not be edited, deleted, or disabled."

"It's not supported to migrate classic policies for MTD apps to the new policy type for conditional access."
18K Views, 8 likes, 1 Comment
Re: MTC is getting ridiculously slow
I really do find the info on MTC to be useful and do want to spend more time reading through it to discover more. HOWEVER, it's so slow that it's just not practical to use. Compared to similar sites (e.g. Stack Overflow), MTC is:
- Far too slow to expect people to use. Something is wrong. Don't ask me to diagnose what's wrong; Microsoft needs to start taking this seriously.
- A terrible UI: text areas too narrow, far too much page space used up by non-valuable banners, icons etc.
Take a good look at Stack Overflow/Stack Exchange and question why that site/platform works so well for what it is designed for, and why Tech Community is so bad. You'd do us all a big favour by changing platforms.
2.7K Views, 1 like, 15 Comments
Classic Conditional Access Policy for Defender ATP
When Defender is first enabled, something in the sequence creates a classic conditional access policy in Azure AD called "Windows Defender ATP] Device policy". This is strange because it's not documented and classic policies are heavily deprecated. I found out about it because this policy blocked sign-ins when attempting to create a device-code client script using the Defender ATP APIs. Sign-ins were failing on a conditional access condition, but it wasn't obvious which policy it was until we checked classic policies. The block was happening because device enrolment was required. This same problem is described in more detail here: https://www.techmymind.net/post/defender-atp-and-powerbi-authentication-failure-with-conditional-access (although the author couldn't figure out what to do with the policy, so just excluded specific users from the policy). I'd like to delete this policy and replace it with a modern policy. However, the UI for classic policies doesn't tell you what the policy is doing; it looks like it has no conditions configured. If you look at the JSON the Azure portal is sending to the page, it has this: RequiredDeviceState:["known"]. Has anyone figured out what the appropriate modern CA policy should be? Could be some combination of hybrid / managed / compliant.
20K Views, 3 likes, 2 Comments
Re: Anomaly detection - how to
Hi Cyb3rMonk, I want to identify unusual sign-in activity in Azure AD logs so that these can be investigated as potential compromised accounts. As a really simple example, I want to consider the event fields (i) the UPN and (ii) the country from the location field. I consider an unusual event to occur when a sign-in occurs from a country that is not typical for each user. For example, I rarely ever travel and live in one isolated country, so my sign-ins each day always come from that one country. If a sign-in happens from a different country then that's an anomaly that needs to be investigated. In practice, by considering the event fields UPN, AppDisplayName and the location (or even better the IP ASN), a small number of unusual events can be identified. I typically use the same set of apps, at work (corp network), on the bus (cell phone carrier) and then at home (residential xDSL). All of the examples that I've seen using Sentinel (e.g. https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AnomalousUserAppSigninLocationIncrease.yaml) summarise events to a numeric series (e.g. number of locations that a user signed in from per day) and then look for outliers in the count. In practice this is fallible, because one of the locations in the count could be highly unusual while the count is still numerically normal. Our most important users do travel regularly, so their normal pattern of use is more complex than most people's, making count-based approaches less effective and more likely to miss something significant.
2.9K Views, 0 likes, 1 Comment
Anomaly detection - how to
Hi, I would like to detect anomalies across multiple fields that are not numeric (e.g. looking for unusual Azure AD sign-in events using source IP, app name, account name, client name). To the best of my reading, Sentinel/Kusto has time series analytic capabilities and can easily detect anomalies, however only on one continuous numeric field. What I'm looking for is a way to perform anomaly detection when the event data is categorical (IP addresses, account names), rather than numeric. Splunk has a really convenient "anomalydetection" function that takes a list of fields, then computes the probability of each combination of fields in the source data, and filters to only the most unlikely events. This is exactly what I am after, but I can't figure out how to do it in Sentinel. Any pointers / guides?
3K Views, 1 like, 3 Comments
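The two posts above (the question and the earlier reply in this thread) describe the same idea: score each sign-in by how likely its combination of categorical fields is for that user, rather than counting locations per day. The following is an added example, not code from either poster or from Sentinel; it implements that per-combination probability filter in Python over constructed sign-in events (the user, app and country values are made up) and, for comparison, the count-per-day check that the linked hunting query relies on. Conditioning the probability on the user is a design choice here; Splunk's anomalydetection computes the joint probability of all listed fields, and you get that by passing the user as one of the fields and a constant key.

```python
from collections import Counter, defaultdict

# Constructed sample sign-in events (not real tenant data). Field names mirror
# the SigninLogs columns discussed above: user (UPN), app (AppDisplayName) and
# country (from Location). Swap in an ASN field for country and nothing else
# needs to change.
def _ev(user, day, app, country):
    return {"user": user, "day": day, "app": app, "country": country}

ALICE = "alice@contoso.example"   # regular traveller: AU, SG and US every day
BOB = "bob@contoso.example"       # never travels: AU only
BASELINE_DAYS = range(1, 6)

SIGNINS = []
for _day in BASELINE_DAYS:
    for _country in ("AU", "SG", "US"):
        SIGNINS.append(_ev(ALICE, _day, "Outlook", _country))
        SIGNINS.append(_ev(ALICE, _day, "Teams", _country))
    for _ in range(4):
        SIGNINS.append(_ev(BOB, _day, "Outlook", "AU"))
# Day 6: Alice still hits three countries (her count looks normal) but one of
# them is new; Bob gains a second country.
SIGNINS += [
    _ev(ALICE, 6, "Outlook", "AU"),
    _ev(ALICE, 6, "Teams", "SG"),
    _ev(ALICE, 6, "Teams", "RU"),
    _ev(BOB, 6, "Outlook", "AU"),
    _ev(BOB, 6, "Outlook", "NG"),
]


def combo_probabilities(events, fields, key="user"):
    """P(field combination | key): how often each (app, country, ...) tuple
    occurs for a given user, relative to everything that user does."""
    per_key = Counter(e[key] for e in events)
    per_combo = Counter((e[key], tuple(e[f] for f in fields)) for e in events)
    return {k: n / per_key[k[0]] for k, n in per_combo.items()}


def rare_events(events, fields, threshold, key="user"):
    """anomalydetection-style filter: keep events whose field combination is
    unlikely for that user. Returns (probability, event), least likely first."""
    probs = combo_probabilities(events, fields, key)
    scored = []
    for e in events:
        p = probs[(e[key], tuple(e[f] for f in fields))]
        if p < threshold:
            scored.append((p, e))
    return sorted(scored, key=lambda pe: pe[0])


def daily_distinct_countries(events):
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["day"])].add(e["country"])
    return {k: len(v) for k, v in seen.items()}


def count_outliers(events, day, baseline_days):
    """The count-based approach from the Sentinel hunting query discussed
    above: flag a user whose distinct-country count on `day` exceeds their
    baseline maximum."""
    counts = daily_distinct_countries(events)
    flagged = []
    for user in sorted({e["user"] for e in events}):
        baseline_max = max(counts.get((user, d), 0) for d in baseline_days)
        if counts.get((user, day), 0) > baseline_max:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for p, e in rare_events(SIGNINS, ("app", "country"), threshold=0.05):
        print(f"{p:.3f} {e['user']} day={e['day']} {e['app']} {e['country']}")
    print("count-based flags:", count_outliers(SIGNINS, 6, BASELINE_DAYS))
```

On this data the probability filter returns Alice's Teams sign-in from RU and Bob's Outlook sign-in from NG, while the count-based check flags only Bob: Alice's three countries on day 6 equal her baseline maximum, which is exactly the miss the reply above describes. The threshold is the knob to tune; with a 30-day baseline a brand-new combination for an active user sits far below anything seen before, so a value well under 1/(events per user) separates them cleanly.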
Using MCAS to track down unconstrained delegation
Just wondering if anyone has had any success using MCAS to track down where unconstrained delegation is used, as the first step in figuring out how to unravel it by transitioning to constrained delegation? Ultimately what I am seeking is a mapping of what accounts/principals are impersonating other identities to other services. The Active Directory app data (from Azure ATP) has at least some of this information as "Resource Access" events, and by sorting through them it is possible to identify unconstrained delegation access in the "Activity Objects". The field is "IsResourceAccountTrustedForUnconstrainedDelegation: True". Challenges that I am facing:
1. There is no way to filter for IsResourceAccountTrustedForUnconstrainedDelegation == True, at least not that I can figure out.
2. The MCAS PS module doesn't appear to be able to search on this logic either.
3. Exporting data from the MCAS UI does not include the activity objects field.
So, overall it's really great to have this data available, but it's really stifling to not be able to extract it when there are thousands of records that need to be summarised.
Mapping IPs to autonomous system number and name
Hi, on other SIEMs I have found it really effective to map IP addresses to BGP AS numbers and then use the AS number in anomaly detection and the AS name when displaying related logs/events. This is an alternative to relying on often inaccurate IP-to-location mapping. Does anyone know whether this mapping capability is already built into Sentinel or, if not, whether there's a way to build it in? Thanks!
Solved, 9.3K Views, 1 like, 3 Comments
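The mapping the post asks for is a longest-prefix match of an address against a table of announced prefixes. The following is an added example, not code from the poster or from Sentinel; it builds that lookup in Python over a constructed prefix table (RFC 5737 and RFC 3849 documentation ranges with RFC 5398 documentation ASNs, not real routing data) and uses it to enrich constructed sign-in events with the ASN and AS name. In production the table rows come from a BGP-derived feed such as a pyasn RIB dump, Team Cymru or MaxMind GeoLite2-ASN; only the loader changes.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table (not real routing data). The /25 inside the /24
# exercises the longest-prefix rule: a customer block announced separately
# from its upstream's aggregate.
PREFIX_TABLE = [
    ("203.0.113.0/24", 64496, "EXAMPLE-CORP-AS"),
    ("198.51.100.0/24", 64497, "EXAMPLE-MOBILE-AS"),
    ("192.0.2.0/24", 64498, "EXAMPLE-ISP-AS"),
    ("192.0.2.128/25", 64499, "EXAMPLE-ISP-CUSTOMER-AS"),
    ("2001:db8::/32", 64500, "EXAMPLE-V6-AS"),
]


class AsnTable:
    """Longest-prefix-match lookup. Networks are bucketed by (IP version,
    prefix length) so a lookup costs at most one dict probe per distinct
    prefix length, longest first, instead of a scan over every row."""

    def __init__(self, rows):
        self._buckets = defaultdict(dict)
        for prefix, asn, name in rows:
            net = ipaddress.ip_network(prefix)   # strict: rejects host bits set
            self._buckets[(net.version, net.prefixlen)][net] = (asn, name)
        self._lengths = {
            v: sorted((plen for ver, plen in self._buckets if ver == v), reverse=True)
            for v in (4, 6)
        }

    def lookup(self, ip):
        """Return (asn, as_name) for the most specific matching prefix, or None."""
        addr = ipaddress.ip_address(ip)
        for plen in self._lengths[addr.version]:
            candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            hit = self._buckets[(addr.version, plen)].get(candidate)
            if hit is not None:
                return hit
        return None


ASN_TABLE = AsnTable(PREFIX_TABLE)


def lookup_asn(ip):
    return ASN_TABLE.lookup(ip)


def enrich(events, table=ASN_TABLE):
    """Add the ASN (stable per network operator, so it keys anomaly logic well)
    and the AS name (for display) to each event. Addresses with no covering
    prefix keep the event and get asn=None rather than being dropped."""
    out = []
    for e in events:
        asn, name = table.lookup(e["ip"]) or (None, "UNKNOWN")
        out.append({**e, "asn": asn, "as_name": name})
    return out


# Constructed sign-ins (not real logs): corp network, mobile carrier, a
# residential customer block, and an address the table does not cover.
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "ip": "203.0.113.7"},
    {"user": "alice@contoso.example", "ip": "198.51.100.42"},
    {"user": "alice@contoso.example", "ip": "192.0.2.200"},
    {"user": "alice@contoso.example", "ip": "10.0.0.1"},
]

if __name__ == "__main__":
    for e in enrich(SAMPLE_EVENTS):
        print(e["user"], e["ip"], e["asn"], e["as_name"])
```

Inside Sentinel the same join is available without leaving KQL: load the prefix table as a watchlist or via externaldata and use the ipv4_lookup plugin, which performs the longest-prefix match against a CIDR column; IPv6 needs a separate table and lookup. Whichever side does the enrichment, key detections on the ASN and keep the AS name for the analyst, as the post suggests.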