Posts

Showing posts from July, 2023

Sentinel POC- Architecture and Recommendations For MSSPs (Part 6)

Cross-Workspace
Since artifacts can exist in both MSSP and customer workspaces, it is easier to keep the ones containing intellectual property in the MSSP workspace only. The following options show how they can then be used to access customers' data:
Multiple workspace incident view: this view is available as soon as the customers delegate access using Azure Lighthouse, or when there are multiple workspaces within the tenant.
Cross-workspace querying: multiple workspaces can be queried through the Logs blade using the workspace() expression and the union operator.
Cross-workspace analytic rules: partners can create analytic rules that include up to 20 workspaces in the query. Most analytic rules run on the customer's workspace, but this option is for cases where a cross-workspace analytic rule is needed.
Cross wo

Sentinel POC- Architecture and Recommendations For MSSPs (Part 5)

Storage Options
The default storage option for Sentinel ingestion is the Analytics table, whose retention time can be adjusted for all tables within the workspace or individually per table. A more cost-efficient plan called Basic can also be used, which has an interactive retention of 8 days. However, it does have some restrictions, such as not being able to trigger alerts and supporting only a limited set of KQL commands. These tables are meant to be used with noisy logs, such as firewall logs or flow logs, and are normally used for debugging or troubleshooting purposes.
A total retention period can be set for both Analytics and Basic tables; after the interactive retention, the data is moved to Archive for the remainder of the total retention period. The total retention is a maximum of 7 years. The Search feature can be useful to query and rehydr

Sentinel POC- Architecture and Recommendations For MSSPs (Part 4)

Agents and Forwarders
Since the Log Analytics Agent will be retired by August 2024, the new Azure Monitor Agent (AMA), which consolidates all agents, will replace it along with the Telegraf agent and the Diagnostics extension. AMA supports Data Collection Rules (DCRs), which allow filtering of data at ingestion time, not only for agents but also for other types of ingested data. AMA and DCRs help in sending different types of data to different Log Analytics Workspaces; hence, if there is data that is not useful, it is not required to send it to the workspace associated with Sentinel. XPath queries can be used to filter out events. The AMA agent can be easily installed via VM extensions, Azure Policy, or the Windows installer. However, the most preferable option is Azure Policy via Defender for Cloud (MDC)

Sentinel POC- Architecture and Recommendations For MSSPs (Part 3)

Migrations
Currently, MSSPs running a POC need to migrate from the legacy SIEM in use, and generally the main concern is converting the existing rules into Sentinel KQL. However, the focus should be on data sources, because many of the connectors are available as Content hub solutions, which means that the connector will also come with other artifacts like analytic rules, workbooks, playbooks, etc. Over 250 solutions are available in the marketplace. Once it is determined which data sources need to be covered during the POC, the rules in the legacy SIEM are mapped to the rules provided within the solution. Partners may end up with some gaps, but not all the rules will have to be converted. Some repositories, like the unified Microsoft Sentinel and Microsoft 365 Defender repository, also have many artifacts available. Some tools also offer

Sentinel POC- Architecture and Recommendations For MSSPs (Part 2)

B2B or GDAP
In order to access tenant-level services, tenant-level access is required. While testing Sentinel this becomes more important, because there are links provided to Microsoft 365 Defender, and for those links to work properly the user must have access to the services. GDAP and B2B both offer the ability to access tenant-level services. Everyone is quite familiar with B2B, which is available for all tenants to invite guests into their tenant to collaborate. But some partners may have either compliance or cybersecurity insurance requirements preventing them from having an identity in their customers' tenants. Granular Delegated Admin Privileges (GDAP) is exclusively available to Cloud Solution Providers (CSPs) and is configured through Partner Center. It can help in accessing customer resources securely and does not req

Sentinel POC- Architecture and Recommendations For MSSPs (Part 1)

MSSP Architecture Goal
The following diagram provides an overview of the typical architecture an MSSP partner should build to evaluate Sentinel's capabilities. Sentinel is configured at its core on a Log Analytics Workspace (LAW), and both of them exist in a resource group within a subscription. MSSPs will deploy these resources in the MSSP tenant, and gain access to the MSSP's customers' resources via Azure Lighthouse.
Tenants and Subscriptions for the Sentinel POC in the Context of an MSSP
Tenants: one tenant will be required to work as the MSSP tenant, and at least one tenant to work as the customer's tenant. Although Microsoft Sentinel and its associated LAW are subscription resources, they must be associated with a tenant.
Subscriptions: a subscription within the MSSP tenant and at least one subscr

Mobile Device Management - Ensure that Mobile Devices Are Set To Never Expire Passwords

Summary
Users' passwords on their mobile devices should never expire.
Reason
Research has found that if periodic password resets are enforced, passwords become weaker, as users generally tend to choose something weaker and rotate through a pattern of it. However, a strong password (long, complex and without any pragmatic words present) will remain as strong after 60 days as it is today. It is Microsoft's official security position not to expire passwords periodically without a specific reason.
What If?
This setting should not cause any noticeable impact to users.
How to?
To set mobile device management profiles, use the Microsoft 365 Admin Center:
Under Admin Centers, pick Device Management.
Select Devices, and then under Policy select Configuration profiles.
Review the list of profiles. From there, go to the device policies page and remove any device security policies that expire passwords.
Monitor:
To verify mobile device management profiles, use the Micr

Mobile Device Management - Ensure that Mobile Device Password Reuse Is Prohibited

Summary
Users should not be allowed to reuse the same password on their mobile devices.
Reason
Mobile devices without this protection are vulnerable to attackers who can steal account credentials or data, or install malware on the device. Unique, previously unused passwords should be chosen whenever a password is changed. This practice lessens the probability of the password being guessed by an attacker.
What If?
This change will have a moderate user impact.
How to?
To set mobile device management profiles, use the Microsoft 365 Admin Center:
Under Admin Centers, pick Endpoint Management.
Select Devices, and then under Policy select Configuration profiles.
Now select Create profile. Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
In the Password section, ensure that Prevent reuse of previous passwords is set to 5.
Monitor:
To verify mobile device management profiles, use the Microsoft 365 Admin Center:
Under Admin Centers, pick Endpoint Man

Mobile Device Management - Ensure Mobile Device Management Policies Are Set To Require Advanced Security Configurations

Summary
Mobile device management policies must be configured to require advanced security configurations. If this is not done, users may connect with devices that are vulnerable to basic exploits, leading to potential breaches of accounts and data.
Reason
Managing mobile devices in an organization helps provide a basic level of security to protect against attacks from these platforms, for example by making sure that the device is up to date on patches and is not rooted. Unpatched or rooted devices are exposed to vulnerabilities that are addressed in patched versions of the mobile OS.
What If?
The effect of this setting mainly depends upon the settings specified in the mobile device configuration profile.
How to?
To set mobile device management profiles, use the Microsoft 365 Admin Center:
Under Admin Centers, pick Endpoint Management.
Select Devices, and then under Policy select Configuration profiles.
Now select Create profile to create a new profile. Select the appropriate Platform

Storage - Ensure External Storage Providers Available In Outlook On The Web Are Restricted

Summary
Storage providers that are integrated with Outlook on the web should be restricted.
Reason
By default, additional storage providers are allowed in Outlook on the web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This may lead to information leakage and additional risk of infection from storage providers the organization does not trust. Restricting them inherently reduces risk, as it narrows down the opportunities for infection and data leakage.
What If?
The effect of this setting mainly depends upon current practices in the tenant. If the other storage providers are not in use, the impact will be minimal; but if users rely on them regularly, this will affect their ability to continue doing so.
How to?
To disable external storage providers, use the Exchange Online PowerShell module:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell command: Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalSt

Storage - Ensure Expiration Time For External Sharing Links Is Set

Summary
Users can easily share content with people outside the organization (such as partners, vendors, clients, or customers) with the help of the external sharing features of Microsoft SharePoint, which are part of secure collaboration with Microsoft 365.
Reason
An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, and then take their time accessing the data. External accounts can also be compromised, and the anonymous sharing links sent to those external entities can be stolen after the data has been shared. Restricting how long the links are valid reduces the window of opportunity for attackers.
What If?
If this feature is enabled, it will ensure that the link expires within the defined number of days. This will, however, also affect links that were previously created without an expiration.
How to?
To set expiration for anonymous access links, use the Microsoft 365 Admin Center: Select Admin c

Storage - Block OneDrive for Business Sync From Unmanaged Devices

Summary
Users can sign in to their cloud tenant account via Microsoft OneDrive and start syncing selected folders or the entire contents of OneDrive to a local computer. By default, this includes any computer with OneDrive already installed, whether or not it is Azure AD joined or Active Directory domain joined.
Reason
Since the security of unmanaged devices cannot be verified through existing policies, brokers or endpoint protection, they may be risky. If users are allowed to sync data to these devices, that data is taken out of the control of the organization, which in turn increases the risk of the data being intentionally or accidentally leaked.
Note: this setting is only applicable to Active Directory domains when operating in a hybrid configuration, and not to Azure AD domains. If you have devices which are only Azure AD joined, a Conditional Access policy can be used instead.
What If?
If this feature is enabled, it will prev

Storage - Ensure Document Sharing Is Being Controlled By Domains With Whitelist or Blacklist

Summary
Sharing of documents with external domains should be controlled, either by blocking domains or by only allowing sharing with specific named domains.
Reason
Attackers often target sensitive information and expose it to external entities via sharing; restricting the domains that users can share documents with reduces the attack surface.
What If?
If this feature is enabled, it will prevent users from sharing documents with domains outside of the organization unless those domains are allowed.
How to?
To configure domain sharing restrictions, use the Microsoft 365 Admin Center:
Navigate to the Microsoft 365 administration portal (https://admin.microsoft.com), click on Admin centers and then SharePoint.
Expand Policies and click Sharing.
Now expand More external sharing settings and check Limit external sharing by domain.
Select Add domains to add a list of approved domains.
Click Save at the bottom of the page.
To configure document sharing restrictions, you can also use SharePoint Online

Auditing - Ensure Guest Users Are Reviewed At Least Biweekly

Summary
Guest users are generally set up for people who are not members of the tenant, in order to grant them access to resources. However, it is very important to maintain visibility of which guest users are established in the tenant.
Reason
Regular review of guest users ensures proper access and the safety of the resources in the tenant.
How to?
To verify guest users, use the Microsoft 365 Admin Center:
Log in as an administrator.
Now navigate to Users and then Guest Users.
Review the list of users.
To verify guest users, use the Microsoft Online PowerShell module:
Run the Microsoft Online PowerShell module.
Connect using Connect-MsolService.
Now run the following PowerShell command:
Get-MsolUser -All | Where-Object {$_.UserType -ne "Member"} | Select-Object UserPrincipalName, UserType, CreatedDate
Review the list of users.
Monitor:
To verify the report is being reviewed at least biweekly, confirm that the necessary procedures are in place and