User Profile
RVC
Brass Contributor
Joined 3 years ago
Recent Discussions
Re: Windows event logging to SIEM (Sentinel)
Clive_Watson, thanks for your reply. I heard concerns that the format of this content (the content collected via WEF/WEC) seems slightly different from when MMA or AMA is used. Is that correct? Even if the final step is using AMA to ingest the traffic into Sentinel? That person stated that it may have an impact at the time we migrate to Arc/AMA for all the systems.
(3K views, 0 likes, 1 comment)

Windows event logging to SIEM (Sentinel)
I am working in a landscape where several old systems are active. Yes, it's a concern that receives attention and is being addressed, but it's separate from this question. For the SOC we need event logging in the SIEM, and thus in Sentinel. We only need logging from a few servers, according to our MSSP, as the other logging is already collected by the MDE and MDI agents or other log-collection methods. So the setup of the additional logging has its focus on a small number of systems (max 10). Note that these systems are on-prem in our data center.

Azure Arc with AMA is the option we want to go for in the end, but we do not want to introduce such new technology (as Arc in general is not in use in the environment) overnight. But logging needs to be collected before the end of this month due to compliance requirements. So we have two other options.

One is using the MMA agent, which we know will be EoS in August this year, but is an agent that some admins have experience with within the test/dev environment. No MMA is enabled in production. It will introduce some risks, as we must install an agent on old, unstable systems. But it is an option.

Another method could be using a WEC (Windows Event Collector), which will collect/receive the logging from the systems in scope (again, this is a small set of systems). This WEC will be enabled on an Azure Windows server, which allows us to enable AMA on it. The advantage of it is that we do not need to install software on the old systems. Of course, we need a configuration adjustment to get the logging from these systems, assuming WEF (Windows event forwarder) has less impact than, e.g., installing MMA.

Main question: will I face compatibility issues if I collect the data via WEC and ingest it into Sentinel via the AMA agent installed on the WEC server, compared to using MMA on the remote systems?

Thanks for any response.
(3.1K views, 1 like, 3 comments)

Re: Microsoft E5 features
Due to this, users' telemetry will be analyzed, as the telemetry of every user in the tenant is received by Microsoft 365 Defender. How do I automatically filter out all incidents created for non-licensed users (even if the incidents are true positives and valuable)? I'm not allowed to use it for the users that are not licensed, as they would then derive a benefit. But it is not possible for us to buy E5 for all users. Or am I required to license them for AAD P2? Or, the opposite, not use risk-based conditional access? From a legal/compliance point of view, it seems I'm forced to at least purchase AAD P2 for the whole tenant. But that is my personal interpretation.
(2.7K views, 0 likes, 0 comments)

What features can I not use if not all users are licensed
I have a situation where 15% of the users are knowledge workers, for whom E5 will be purchased. All other users will have E3 or even F1. One add-on is also purchased for the E3 number of users, which is Defender for Endpoint P2. With this in mind, what functionalities am I not allowed to use?

From what I have read, risk-based conditional access is used to calculate risky users based on the telemetry gathered via AAD Identity Protection. That functionality comes with E5 or a separate AAD P2 license. I understand you are only allowed to use risk-based conditional access policies if all users have the AAD P2 license. Thus, without it, I cannot use these types of policies? Is this correct? (Even scoped deployment is not possible, as scoped deployment is about assigning a policy/function, but filtering telemetry is not possible.)

Also, Defender for Identity, which of course applies to the on-prem environment, cannot be fully leveraged, as only a small number of users are licensed for MDI (only 15%). Am I correct that I cannot use MDI-based telemetry policies? Especially using the telemetry that comes with MDI and AAD P2 for MDCA (Defender for Cloud Apps) policies is useful, but it seems useless if MDI or AAD P2 is not licensed for all the users.

The question is: even when I purchase E5 for 15% of the users, am I required to purchase MDI and AAD P2 for all the users to cover identity protection fully / to be allowed to use the telemetry that comes with the two separate capabilities?
(693 views, 0 likes, 0 comments)

Re: OAuth authorization
This becomes interesting. While I still think I have to open a ticket, as the experience I have is not how it should be, I have one additional question (as it may be related to where we provide the approval). As I tried to explain, the consent is given based on AAD settings. But is there a mechanism within MDCA whereby a request comes in and can be approved, without having a grey period in which the user can have access (use the app, with all related risk) until the app is approved or blocked during a "periodic" review? Thus, within AAD we do not restrict, but have a setting within MDCA (a policy?) that prevents the user from using the app to access the data, and first queues the request / triggers a workflow so that an admin/security officer reviews the request before it is approved. Whereby the approval could be user-based, for a specific group, or tenant-wide.
(1.4K views, 0 likes, 1 comment)

Re: OAuth authorization
Hi Keith, thanks for your reply. Do you mean that, besides the approval of the app, there must be an additional consent given on Graph to pass that information to CLOUD-APP? At the moment every OAuth request is queued due to the Azure setting "Consent and permissions | User consent settings" being set to "Allow user consent for apps from verified publishers, for selected permissions (Recommended)", under Enterprise Applications. A Global Admin has approved the specific app. But, while I can see the last authorization for that app within "Manage OAuth apps", there is no record shown in the activity log, and the user (me in this case) is not shown in the user list under "Authorized by". I expected at least to find my name in the user list, and as all the other users did not use the app anymore and I know for 100% sure that I'm the person who created the new timestamp, that at least an item regarding the access would be shown. So, I guess I have to open a ticket with Microsoft for that, or do I misinterpret your answer that if the app is already shown in the app list, no new logging will be visible? Is app governance needed for that purpose? The company I'm investigating this for is in negotiation with Microsoft, but they are not happy that an add-on needs to be purchased. So what will be the added value of app governance over the default features of MDCA?
(1.5K views, 0 likes, 3 comments)

OAuth authorization
Hi, we have set a policy within Azure that ALL OAuth requests need to be approved first. After approval I would expect to view (and monitor) the app in the MDCA dashboard. But after waiting for 24 hours, I do not see my approval within the dashboard. Where does MDCA get its OAuth information from?
(1.5K views, 0 likes, 5 comments)

Re: Microsoft E5 features
Hmm, based on the information within "Microsoft 365 Tenant-Level Services Licensing Guidance", it seems I can scope the capability to only licensed users. Quote:

"Azure Active Directory Identity Protection

Azure Active Directory Identity Protection (AADIP) is a feature of the Azure Active Directory Premium P2 that enables you to detect potential vulnerabilities affecting your organization's identities, configure automated responses to detected suspicious actions that are related to your organization's identities and investigate suspicious incidents and take appropriate action to resolve them.

Who is entitled to the service? Licensed users of Enterprise Mobility + Security E5, Microsoft 365 E5, Microsoft 365 E5 Security, and Azure Active Directory Premium Plan 2 are entitled to receive the benefit of AADIP.

How is a user benefiting from the service? SecOps analysts and security professionals benefit from having consolidated views of flagged users and risk events based on machine learning algorithms. End users benefit from the automatic protection provided through risk-based Conditional Access and the improved security posture provided by acting on vulnerabilities.

How is the service provisioned/deployed? By default, AADIP features are enabled at the tenant-level for all users within the tenant. For information on configuring AADIP, refer to https://docs.microsoft.com/azure/active-directory/identity-protection/enable

How can the service be applied to only users in the tenant that are licensed for the service? Admins can scope AADIP by assigning risk policies that define the level for password resets and allowing access for licensed users only. Follow the instructions here for scoping AADIP deployments: Configure the sign-in risk policy"

The question is: while I can scope the use of risk-based conditional access to only users that are licensed, the requirements seem to say I need a license for ALL the tenant users for Azure AD P2, as risk calculation is performed for all users in the tenant. This creates confusion, and it also feels like cross-selling or even forced-selling practices.
(3.1K views, 0 likes, 2 comments)

MDCA (Defender for Cloud Apps) and Risk-Based Conditional Access
When you purchase E5, MDCA and Azure AD P2 become available. However, we have to limit the benefits to the number of users we license. Our AAD is much larger than the knowledge workers we are going to license with E5. If E5 (or AAD P2) is enabled, risk-based conditional access becomes available. As far as I can see, this is related to two additional "parameters/options" within conditional access to filter/act on. How does this particular capability relate to assessments/judgments within MDCA (some use cases, maybe those where sign-in risks are assessed)? This is important, as I understand that if risk-based conditional access is to be used, every user in the tenant must be licensed for AAD P2, because: "For risk-based conditional access policies in Identity Protection, Azure AD Premium P2 is needed for every user in the tenant, as risk calculation is performed for all users in the tenant." Of course, this does not require every user to have an E5 license, but still, a lot of E3 and F1 licenses need to be upgraded with AAD P2 as well.
(1.2K views, 0 likes, 0 comments)

Re: Microsoft E5 features
And I assume you also comment on the statement in the snippet that "For risk-based conditional access policies in Identity Protection, Azure AD Premium P2 is needed for every user in the tenant, as risk calculation is performed for all users in the tenant", as I became aware that, due to my question, it might not be clear that I referred to that statement.
(3.2K views, 0 likes, 1 comment)

Re: Edge Sync w/ MS 365 Basic and Business Standard
I have the same issue. I have a Business Premium, but on all systems, no matter what OS it is installed on, sync is disabled. Very frustrating, as there seems to be no option to pull to enable this sync. Microsoft is very eager to get your money, but support is not their best side.
(3K views, 0 likes, 3 comments)

Re: Microsoft E5 features
Thanks, but this list is only related to features you can license. Within these features, there are many options to configure. For some reason, that list is not available and could only be created by investigating feature by feature to find out what options become available.
(3.3K views, 0 likes, 1 comment)

Microsoft E5 features
Is there a comprehensive overview of all features that become available if we purchase E5 licenses? Of course, a high-level overview can be found here (Microsoft 365 E5 | Advanced Security 365 | Microsoft), but I'm looking for a more detailed overview. In addition, are there features that become available only if you purchase E5 and cannot be purchased as a standalone option?
(3.4K views, 1 like, 13 comments)