User Profile
keenanbrooks
Brass Contributor
Joined 3 years ago
Recent Discussions
Cross Workspace Queries - Possible in a central Sentinel instance you use Lighthouse to access?
Hi all,

Example scenario is that an MSSP accesses a client's Microsoft Sentinel instance via Azure Lighthouse for management; however, this customer also has, let's say, 3 further regions which will have Microsoft Sentinel deployed into them, and they're not feeding into the main instance due to networking costs. How would they gain the relevant permissions (Log Analytics Reader / Contributor) to create cross-workspace queries against the additional 3 Sentinel instances for said client from the main instance they currently manage? Would an Azure Lighthouse connection between the core tenant of the MSSP and the additional Sentinel instances, with just the required role, allow them to then action cross-workspace queries within the client's central instance they already have access to?

Thanks,
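Added example, not part of the question above: how a cross-workspace query is written and run once access is in place. It uses the KQL workspace() function with full resource IDs and runs the query through Az PowerShell from the central workspace. It does not settle the Lighthouse permissions question the post asks; it assumes the identity running it already holds read access (Log Analytics Reader or higher) on every workspace referenced. The workspace ID, names, resource groups and subscription IDs are placeholders.

```powershell
# Added example (not from the original post): run one cross-workspace KQL query
# from the central Sentinel workspace against three regional workspaces.
# Assumes Az.Accounts and Az.OperationalInsights are installed and that the
# signed-in identity already has read access on every workspace listed.
# All IDs and names below are placeholders.

Connect-AzAccount   # interactive sign-in; skip if a context already exists

# Workspace ID (GUID) of the central workspace the query is submitted to
$centralWorkspaceId = '00000000-0000-0000-0000-000000000000'

# Regional workspaces referenced by full Azure resource ID, which is unambiguous
# across subscriptions and tenants (a bare name only resolves within the caller's context).
$regionalWorkspaces = @(
    '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-sentinel-eu/providers/Microsoft.OperationalInsights/workspaces/law-sentinel-eu',
    '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-sentinel-us/providers/Microsoft.OperationalInsights/workspaces/law-sentinel-us',
    '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-sentinel-apac/providers/Microsoft.OperationalInsights/workspaces/law-sentinel-apac'
)

# Build one union: the local SecurityAlert table plus workspace("<resource id>").SecurityAlert
# for every remote workspace.
$remoteRefs = ($regionalWorkspaces | ForEach-Object { "workspace(`"$_`").SecurityAlert" }) -join ",`n    "

$kql = @"
union isfuzzy=true
    SecurityAlert,
    $remoteRefs
| where TimeGenerated > ago(1d)
| summarize Alerts = count() by WorkspaceId = TenantId, AlertSeverity
| order by WorkspaceId asc, Alerts desc
"@

# isfuzzy=true lets the union continue when one referenced table cannot be resolved,
# so the output must be checked for every expected WorkspaceId rather than assumed complete.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $centralWorkspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$result.Results | Format-Table -AutoSize
```

In Log Analytics results the TenantId column holds the workspace ID, so grouping on it shows which of the four workspaces actually returned rows. Because the union is fuzzy, a workspace the caller cannot read does not fail the whole query, so a workspace missing from the output is the first thing to check when validating the permissions.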
Live response sessions and Zscaler
Has anyone managed to get live response sessions from Defender XDR working with Zscaler enabled? I have bypassed all necessary URLs from SSL inspection but am still getting blocked from performing actions on live response. It is definitely Zscaler, as when it's disabled live response works perfectly.

Re: Differentiating between different tenants Do not forward emails
If you're using sensitivity labels with forwarding permissions disabled then you can use Activity explorer under Data loss prevention in compliance.microsoft.com. If you're specifically trying to make certain emails "internal use only" you might find it easier creating a DLP policy for Exchange in which you can choose the conditions "contains sensitivity label" and "content is sent outside of organisation" with the action set to block.

Re: Emails reported as Phishing not creating Alerts or Incidents
Hey Edmund_Fearon, alerts for this are default policy. Go to "Policies & Rules" under Email and Collaboration and choose 'Alert Policy'; from here make sure the "Email reported by user as malware or phish" rule is enabled.

Re: User Risk Policy Migration to Conditional Access - Alerts
Hey DiogoSousa, yes, alerting will still be the same; this is managed via Microsoft Entra ID Identity Protection. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-notifications

Re: Conditional access with a Device compliant not working
The reason for my above recommendation is that only requiring the MFA option on an 'OR' condition puts you at risk of token hijacking. You either only want Device Compliance or both enabled. However, back to your issue: at that point I don't really know where you could go other than an MS ticket. As a workaround I would recommend spreading out your MFA policies. Create a group for corporate laptop owners and attach the group to the CA policy for require device compliance. If your mobiles are BYOD then create a policy for iOS/Android device platforms requiring app protection policy and MFA. Guest users require MFA; this can be done by ticking 'Guest or external users' in the users section. Your registration campaign for MFA can still be deployed to all users so there's no issue on a conflict of laptop vs BYOD mobile. And this means that CA policies for accessing admin portals, for example, can still require MFA. Sorry I couldn't be any more help.
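Added example, not part of the thread, showing the grant-control point made in the reply above in Microsoft Graph PowerShell: first a check that lists policies where MFA and device compliance are combined with "Require one of the selected controls" (operator OR), then the split policies the reply recommends, created with operator AND in report-only mode. It assumes the Microsoft.Graph PowerShell SDK is installed and an account that can read and write Conditional Access policies; the group ID and break-glass account ID are placeholders.

```powershell
# Added example (not from the original thread): audit Conditional Access grant
# controls for the OR weakness described in the reply, then create the corrected
# policies in report-only mode. Assumes the Microsoft.Graph PowerShell SDK.
# Group and account IDs below are placeholders.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Policies that list both MFA and compliant device but join them with OR:
#    a user on an unmanaged device passes with MFA alone, so a replayed session
#    token is never forced onto a managed device.
function Find-OrGrantPolicies {
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.GrantControls.Operator -eq 'OR' -and
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.GrantControls.BuiltInControls -contains 'compliantDevice'
    } | Select-Object DisplayName, Id, State,
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
}
Find-OrGrantPolicies | Format-Table -AutoSize

$corpLaptopGroupId  = '00000000-0000-0000-0000-000000000001'   # placeholder: corporate laptop owners group
$breakGlassAccountId = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency access account, always excluded

# 2. Corporate laptops: require BOTH MFA and a compliant device (operator AND).
$corpPolicy = @{
    displayName = 'CA - Corporate laptops - MFA AND compliant device'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeGroups = @($corpLaptopGroupId); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('windows', 'macOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $corpPolicy

# 3. BYOD phones cannot be compliance-managed, so require MFA AND an app protection policy
#    (builtInControls value 'compliantApplication' is "Require app protection policy").
$byodPolicy = @{
    displayName = 'CA - BYOD mobile - MFA AND app protection policy'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantApplication')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $byodPolicy
```

Both new policies start in report-only state so the "What If" outcome can be read from the sign-in logs before anything is enforced; the break-glass exclusion is there because an AND policy with no exceptions can lock every administrator out at once.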
Re: Conditional access with a Device compliant not working
Hi, I'd 100% recommend keeping MFA on anyway, even with device compliance being a setting. Anyway, at the bottom of the grant settings you will see a "For multiple controls" setting. Is this set to "require one of the selected controls"?

Re: Wi-Fi Enterprise Profile Intune
Hey Admin6793, when it comes to deploying the enterprise profile the below guides may help you out. https://katystech.blog/mem/intune-8021x-pkcs https://vmlabblog.com/2023/07/deploy-wpa2-enterprise-wifi-with-intune/ When it comes to testing you're going to want to choose a pilot group to deploy to, but keep them in the GPO for the time being. Users are going to need a connection in order to sync and pull through the cert/Wi-Fi profile from Intune. You can force sync the required devices and after 15-20 mins exclude them from the GPO so they're only going against the Intune profile. Also, some best practices below, such as using SCEP over PKCS etc. https://www.securew2.com/blog/intune-enterprise-wifi-profile-security

Re: Wi-Fi Enterprise Profile Intune
Hey Admin6793, for the enterprise profile this will be cert based; the below guide is a good place to start in initially creating this. https://katystech.blog/mem/intune-8021x-pkcs Now, when it comes to testing you're going to want to deploy the profile to a pilot/test group whilst it is still in the GPO, as they're going to need a connection to sync and pull through the new profile. You can go through Intune and force sync these devices; maybe give it 15-20 mins before removing the group from the GPO and testing specifically for Intune policies only. The above walkthrough uses PKCS; might want to use SCEP based on best practice? https://www.securew2.com/blog/intune-enterprise-wifi-profile-security Thanks,

Re: microsoft defender for endpoint api to get protocol and port information
Hi manohara_avt, you can find the schema for the Defender for Endpoint API here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide Further information can be found on the side menu, such as samples and get started guides. I don't see anything in the schema that will provide anything you're asking for. Microsoft Sentinel has alerts for detecting outbound traffic to known malicious IPs etc.; this will also provide the port they're connecting out from. The Microsoft Security Graph API may be able to provide what you're looking for? Have a look under threat intelligence on the side menu: https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Re: About Setting Auto-labeling with match SITs
Hi hongwoo_jin, depending on the restrictions you're putting on the sensitivity label which will be used as the auto-label, I would definitely recommend raising this to at least a medium level of confidence to reduce the amount of false positives. If there are no restrictions and it's just being used as a data classification approach then all is well and good on the user side, but again, data classification will be a pain on the administration end!

Re: Third-party phishing simulation configuration not working?
Hi tbhellaz, so it sounds like the email is getting through but the link is still triggering Windows SmartScreen via Safe Links. Could you try going to security.microsoft.com > Settings > Endpoints. Within here you will see "Indicators" under the Rules menu. Here you will see an option of "URLs/Domains" in which you will add your domain with the "Allow" action. This sync can take a while in my experience; clear cookies a few times and see if this helps.

Re: List of all licenses and their meaning and function?
Hey Mykey, I am not aware of a list, but https://m365maps.com/ is always very helpful to me when going through things like this. By choosing the license you have, you can find direct MS Learn links to the Office 365 features and with a bit of reading hopefully make an educated decision to disable or enable a feature.

Re: Azure Sentinel - Run Antivirus Scan using Logic App
Hey @HA01329. So your managed identity will have Scan permissions now. There's an issue with the PowerShell, and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments. My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2. This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but it's a workaround until I look into PowerShell more! (I had a quick look into the perms, and Machine.Scan should include the read perms anyway, and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc.? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the workaround anyway.) Have a good weekend 🙂

Re: Azure Sentinel - Run Antivirus Scan using Logic App
Hi, I meant run all the code again from the prerequisites.

```powershell
$MIGuid = 'Enter your managed identity guid here'   # Object ID of the playbook's managed identity (keep the quotes)

# Sign in first with the account that holds the admin privileges.
# (The AzureAD module used here has since been deprecated in favour of Microsoft Graph PowerShell.)
Connect-AzureAD

$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Service principal of the Microsoft Defender for Endpoint API (WindowsDefenderATP)
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"

# Look up the app role for each application permission separately and assign it to the
# managed identity; the same three assignments as before, without re-running the script.
foreach ($PermissionName in 'Machine.Scan', 'Machine.Read.All', 'Machine.ReadWrite.All') {
    $AppRole = $MDEServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
    New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
}
```

I've made the fix I believe will resolve your issue in the above code. Before running that please do Connect-AzureAD first, and make sure to enter your managed identity on the first line. To do that click into the playbook, select Identity under Settings, and copy and paste the Object ID. Make sure to keep the ' ' and enter the Object ID in between.

Re: Delete an email using a playbook from MS 365
Hi, I've not seen any playbooks around for this, and I've seen people having issues creating them as the entity for mail-related alerts is the network message ID of the mail. It's worthwhile implementing the report phishing add-in and training your users up; this way you can make use of Defender for Office 365 P2 (if you have it) and the automated investigation and response capabilities, as user reports will trigger them. A few links below verifying this: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide#which-alert-policies-trigger-automated-investigations https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about-office?view=o365-worldwide#example-a-user-reported-phish-message-launches-an-investigation-playbook Hope this helps a little.

Re: Azure Sentinel - Run Antivirus Scan using Logic App
Hi, in PowerShell just run the command Connect-AzureAD; this will trigger a sign-in prompt. Sign in with the account that has the admin privs assigned to it. Once you have run the command and signed in, copy and paste the pre-req code.

Re: Where we should create Azure AD B2C tenant in an Azure Landing Zone Architecture?
Azure AD B2C is Business to Consumer, so I am guessing you essentially will have a public-facing website for customers to log in to? If that's the case, you should make a DMZ subscription with internet traffic coming in via an App Gateway + WAF. That's my opinion! The DMZ VNet will be peered with the hub/connectivity VNet for management etc. If I am correct in thinking it's for customers, then you set up the Azure AD B2C tenant and create an app registration and user flows for auth. This part's not really my strong point but this should help as a React example: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-react-spa-app#31-configure-the-react-sample It doesn't really matter where you create the Azure AD B2C tenant though... Think of it exactly like Entra ID.

Re: Entra Permissions Manager and B2C tenant management
I wouldn't believe so, no. The 3 data collectors it supports are Azure, AWS and GCP; the name is a little bit confusing. The solution would get the users from the core Entra tenant but it would only manage the permissions for them within Azure. I don't believe this would work at all in B2C as you can't make Azure subscriptions within the B2C directory; you get sent back to the root. Also, Azure AD B2C doesn't support PIM, as I found out 🙂 Lovely John Savill video to go through it. https://www.youtube.com/watch?v=lWUV4KZNzIk Hope this helped.