User Profile
BCSecA
Copper Contributor
Joined Mar 03, 2021
Recent Discussions
Windows Firewall Rules for Inbound connections from specific IPs with Microsoft Direct Access in use
As the subject says, I am looking to create an inbound firewall rule that allows connections via Microsoft Direct Access, but I am a complete novice when it comes to IPv6, which Direct Access operates on. Say my internal IP range of my Management Network is 10.0.1.0/24. How would I create a firewall rule allowing that IP range when IP goes through the 6to4 and Teredo IPv6 transition protocols?

How to use AD Log On To restriction but allow Azure AD Pass-Through Authentication (Solved)
As the title says, I am attempting to utilize the "Log On To..." setting in on-premises AD but still allow users to log onto Azure AD authenticated resources such as Office 365. The test accounts can log into only the specified workstation when the setting is enabled, which is the expected outcome, but when this is enabled and the user attempts to log into anything that authenticates via Azure AD, the authentication fails with "Pass-through Authentication" Succeeded: "False". This totally makes sense, but I am required to lock down user account(s) to specific computers and still allow Azure AD Authentication for these same users. Is this even possible without going through group policy, which gets messy when you only want certain user accounts on certain machines?

Find the file creation time/date in Microsoft 365 Defender Alerts for blocked software
In the portal it tells you the SHA1 hash and the path of the file(s) in question but does not indicate when the file was created. This file in particular was found during a routine scan, and I would like to know when the file was created in order to build a timeline for hunting. Any assistance on this would be appreciated.

Azure Sentinel Log Analytics Workspace and Service Map
Hello everyone, this may be the wrong circle to ask this question, but here it is. I currently have all of my on-premises servers reporting to Azure Sentinel via the MMA. I recently had a need arise to build a service map and, lo and behold, Microsoft has a product called Service Map that uses Log Analytics Workspace and the MMA. My question would be: if I am ingesting logs for Sentinel already, would enabling Service Map add any additional data ingestion/cost to run? https://docs.microsoft.com/en-us/azure/azure-monitor/vm/service-map#enable-service-map Any feedback on this would be greatly appreciated.

Azure Sentinel Hunting and Github - HAFNIUM (Solved)
Hello everyone, I am fairly new to Azure Sentinel, and today I was hoping to take advantage of the Hunting queries in GitHub mentioned in this post: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/. The problem is I have no idea how to take something from GitHub (https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml) and create a new hunting query from it in Sentinel. This may be something stupid simple, but my google-fu has failed me. Any pointers would be very much appreciated.