User Profile
JG-Burke
Brass Contributor
Joined 7 years ago
Recent Discussions
Conditional Access Policy - Sign-in Frequency enabled.
On the Security Score dashboard, I have a recommendation:

Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

Description
Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.

The implementation indicates to create a new CA policy; it provides the settings; and provides the minimum number of roles to apply it to. I created the CA weeks ago and the points were never applied. This still shows as a recommendation.

The implementation status says this:

Setting is: sign in frequency is not yet enabled in the following accounts: "BLOCK - CA003: Block legacy authentication", "BLOCK - Risky Countries and Attackers", "ALL - CA004: Require MFA for all users" and 18 Additional accounts. Please go to "Implementation" tab to view the required steps to enable the setting.

#1 -- these are not ACCOUNTS it is listing; they are CA policies.
#2 -- implementation steps indicate to create a NEW CA policy, not edit every existing CA policy.

I am wondering if anyone has been able to get this CA policy to work (apply the points and remove the recommendation)?
Solved

ID Protection -- CA policy for Sign-in Frequency enabled
Solved

Re: Attack Simulation Training - external tag
Thanks -- not sure you read the question/issue. This has to deal with Microsoft's attack simulation -- not external labels. I have external labels on and I have a transport rule to prepend messages. The issue is MS attack simulation ignores those, so the simulation is not realistic.
49K Views, 0 likes, 0 Comments

Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event

Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
   at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
   at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
   at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
   at System.Net.LazyAsyncResult.Complete(IntPtr)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Net.ContextAwareResult.Complete(IntPtr)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
   at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

Attack Simulation Training - external tag
I am testing the Attack Simulation Training. I noticed on the phishing email I received that the "External" tag that Outlook assigns was missing. That would be a red flag for many people. Is there a way to make this more realistic and have the External tag?
Attack Simulation Training
50K Views, 0 likes, 6 Comments

Group Settings - Send Copies of group conversations
We are experiencing this problem:

You might not receive email notifications for responses that you submit to a Group Form, such as a Form that you create in Microsoft Teams. To receive email notifications, do the following

Found this article: https://docs.microsoft.com/en-us/office/troubleshoot/microsoft-forms/no-email-notifications-for-responses-to-group-forms

I am a global admin and trying to set these settings in group:

The global administrator can use these steps instead:
Sign in to https://admin.microsoft.com/ and go to Groups > Active groups.
Select the appropriate group from the list, and then select the Settings tab.
Select the Allow external senders to email this group and Send copies of group conversations and events to group members check boxes.

I click the settings and Save. It says it saved them, but the settings are not saved -- refresh and the checked boxes are not checked. The mail problem is not fixed. Any suggestions?
Solved
4.1K Views, 0 likes, 1 Comment

Remediating - Stop Weak Cipher Usage
Description
Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade.

Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.

Attempted resolution: In AD - set "This account supports Kerberos AES 256 bit encryption". (and turned on 128 bit)

It has been several days and the vulnerability is not clearing for any accounts.

I also applied a GPO to all workstations:

Policy                                                                   Setting
Network security: Configure encryption types allowed for Kerberos       Enabled
    DES_CBC_CRC                                                          Disabled
    DES_CBC_MD5                                                          Disabled
    RC4_HMAC_MD5                                                         Disabled
    AES128_HMAC_SHA1                                                     Enabled
    AES256_HMAC_SHA1                                                     Enabled
    Future encryption types                                              Enabled

Any other suggestions?

Re: MDE alerts with "Network traffic proxy redirector detected"
Thanks Bobbers

Loopback connection
A loopback connection (to IP address 127.0.0.1) can be made by Firefox on non-Unix machines. In this case the browser is communicating with itself as expected, and it is not recommended that this communication be blocked. See bug 100154 for more information.
12K Views, 0 likes, 0 Comments