User Profile
Thortonne
Copper Contributor
Joined Jun 25, 2020
Recent Discussions
Using GDAP with Purview Roles for Search and Purge
I'm facing an issue that I believe may be related to how my current employer has set up GDAP, but I am struggling to get a solid answer on the solution to the issue, as it's not clear if the problem is simply a limitation of GDAP or something not configured correctly.

Scenario: We have a GDAP relationship set up with 20+ clients that provides us with Entra roles such as Security Operator, User Administrator, etc., i.e. the various Entra roles needed to perform common tasks as an MSP.

We are currently unable to perform email purges using Explorer in Defender or Purview, as the role required appears to be only assignable to a user account or group that exists in the tenant in question, and as we are acting through GDAP, there is no account or group to give that role to.

On the back of this, I have several questions/requests:

- Should a GDAP relationship also create some group or guest/external user that roles of this nature can be assigned to?
- Is there something specific we need to do through our GDAP configuration to allow us to search and purge emails?

Re: Receiving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
MGessner Whilst I do not have an answer to proactively get these blocked, I have analyzed the IoAs and come up with a current method to try and detect these and get them actioned once they come through. See below for my KQL query:

    // Sender addresses to exclude from the detection (redacted in the original post)
    let Exclude = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons','email address removed for privacy reasons']);
    // Attachment types treated as images
    let images = dynamic(['png','jpeg','bmp','jpg']);
    EmailAttachmentInfo
    | where ingestion_time() > ago(7d)
    | where SenderFromAddress !in (Exclude)
    // Case-sensitive match on "QR" in the file name, and the attachment must be an image
    | where FileName contains_cs "QR" and FileType in (images)
    | join kind=inner (
        EmailEvents
        | where AttachmentCount >= 3 and EmailDirection == "Inbound"
    ) on $left.NetworkMessageId == $right.NetworkMessageId
    | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, ReportId

The logic of this is based on my observation that the emails I've seen reported contain 3 attachments that are images, the QR code image contains the text string "QR", and they are always an image format. They also contain at least 3 attachments, as each image is there to replace text (presumably to evade analysis in a sandbox).

So far it's giving me a good success rate, but it's not a silver bullet, so some forward tuning would be required to suit each environment. Set this up as a custom alert to run on a schedule and configure the 'ingestion_time() > ago(7d)' to suit the frequency and avoid duplication of detections.

Hope it helps!

Restrict access to log analytics queries
Hi everyone, I am faced with an issue I cannot quite see a clear path out of, and I would appreciate some help with this one.

We have a 3rd party managing our Sentinel solution, and they have presented an issue where other 3rd parties are able to see their intellectual property. The specific IP they are referring to is the analytic queries set up in the log space.

Is it possible to allow SOC team members from the other 3rd party to use Sentinel and restrict the roles they have to prevent them viewing the analytic queries, while retaining the ability to still actively use Sentinel (e.g., run queries against logs)? I can see you can set up customised roles within Azure, but I am struggling to get my head around it logically to be certain it would work as needed.