Posts

Showing posts from August, 2023

Getting Started with Microsoft Sentinel- Connect Your Data

Overview

Data is sent to the Microsoft Sentinel workspace once the data connectors are configured. Connectors ship as part of out-of-the-box (OOTB), built-in Content Hub solutions for Microsoft 365 services, Azure, and third-party products.

Ingest Log Data with Data Connectors

Connect the data sources to Microsoft Sentinel using the data connectors delivered in the Content Hub solutions. After a Content Hub solution is installed, the Configuration | Data connectors menu lists the installed connectors. Select Open connector page to view the detailed connector page, which is split into left and right halves. The left half holds the information about the connector, its status, and the last time a log was received once it is connected; its lower part lists the Data types, that is, the tables the connector writes to. The right half has an Instructions tab that varies by connector and generally
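The connector page's "last log received" and "Data types" fields can be checked from the workspace side as well, which is useful when several connectors are onboarded at once. The following script is an added example, not code from the original post: it queries the workspace's Usage table with Az PowerShell and flags, per connector, tables that have never received data or have gone quiet. The workspace ID and the connector-to-table mapping are placeholders to replace with your own values; the module names and cmdlets are those of Az.Accounts and Az.OperationalInsights.

```powershell
# Added example, not code from the original post: check, from the workspace side, what the
# connector page shows as "last log received" and "data types". Assumes the Az.Accounts and
# Az.OperationalInsights modules and Log Analytics Reader on the workspace. The workspace ID
# and the connector-to-table mapping below are placeholders to replace with your own.

Connect-AzAccount | Out-Null
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # workspace customer ID (GUID), placeholder

# Assumed mapping: each connector and the tables listed under "Data types" on its page.
$ConnectorTables = @{
    'Azure Active Directory'  = @('SigninLogs', 'AuditLogs')
    'Azure Activity'          = @('AzureActivity')
    'Windows Security Events' = @('SecurityEvent')
}

# The Usage table records ingested volume per destination table, so one query covers
# every connector regardless of how it delivers data.
$Kql = @'
Usage
| where TimeGenerated > ago(7d)
| summarize LastReceived = max(TimeGenerated), VolumeMB = round(sum(Quantity), 2) by DataType
| extend HoursSinceLast = datetime_diff('hour', now(), LastReceived)
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql -Timespan (New-TimeSpan -Days 7)

$seen = @{}
foreach ($row in $result.Results) { $seen[$row.DataType] = $row }

# A table with no rows at all usually means the connector is installed but not configured;
# a table that went quiet often means a broken agent, credential or diagnostic setting.
$StaleAfterHours = 24
foreach ($connector in ($ConnectorTables.Keys | Sort-Object)) {
    foreach ($table in $ConnectorTables[$connector]) {
        if (-not $seen.ContainsKey($table)) {
            $status = 'NO DATA (7d)'
        } elseif ([int]$seen[$table].HoursSinceLast -gt $StaleAfterHours) {
            $status = "STALE ($($seen[$table].HoursSinceLast) h since last log)"
        } else {
            $status = "OK (last $($seen[$table].LastReceived), $($seen[$table].VolumeMB) MB in 7d)"
        }
        [pscustomobject]@{ Connector = $connector; Table = $table; Status = $status }
    }
}
```

The KQL inside the script can be pasted into the workspace's Logs blade unchanged. Running the script on a schedule gives an early warning for a connector that was configured once and later lost its agent, credential or diagnostic setting, a failure the connector page only shows when someone opens it.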

Getting Started with Microsoft Sentinel- Access Microsoft Sentinel

Overview

Generally, users with access to the Microsoft Sentinel workspace also have access to all the data in it, from every connected resource. Some users, however, need access to selected data only. For them, configure role-based access control (RBAC) at the resource level, known as resource-context RBAC.

Scenarios For Resource-Context RBAC

Resource-context RBAC helps most in the following scenarios:

Requirement   SOC team                                                  Non-SOC team
Permissions   The entire workspace                                      Specific resources only
Data access   All data in the workspace                                 Only data for resources the team is authorized to access
Experience    The full Microsoft Sentinel experience, possibly limited  Log queries and workbooks only
              by the functional permissions assigned to the user

Resource-context RBAC is a good solution for the sim
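The non-SOC column of the table above is implemented with two settings: the workspace's access control mode, and a role assignment scoped to the resource rather than the workspace. The script below is an added example, not code from the original post, showing both with Az PowerShell and then verifying that the non-SOC group holds no workspace-level role. Subscription, resource group, workspace, VM and group IDs are placeholders; the workspace property name `enableLogAccessUsingOnlyResourcePermissions` is the ARM property behind the "Use resource or workspace permissions" setting.

```powershell
# Added example, not code from the original post: resource-context RBAC for a non-SOC team.
# The SOC team keeps its workspace-scoped roles; the non-SOC team gets Reader on one VM only.
# Assumes Az.Accounts, Az.Resources and Az.Compute. All names and IDs below are placeholders.

Connect-AzAccount | Out-Null

$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroup  = 'rg-sentinel'
$WorkspaceName  = 'law-sentinel'
$VmName         = 'vm-app01'                                # resource owned by the non-SOC team
$NonSocGroupId  = '11111111-1111-1111-1111-111111111111'    # Entra ID group object ID

$WorkspaceResId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName"

# 1. Access control mode. true = "Use resource or workspace permissions": a user who can read a
#    resource can query that resource's logs without any role on the workspace.
#    false = workspace permissions are always required, and resource-context RBAC has no effect.
$payload = @{ properties = @{ features = @{ enableLogAccessUsingOnlyResourcePermissions = $true } } } |
           ConvertTo-Json -Depth 5
$resp = Invoke-AzRestMethod -Method PATCH -Path "$WorkspaceResId?api-version=2022-10-01" -Payload $payload
if ($resp.StatusCode -notin 200, 202) { throw "Workspace update failed: $($resp.StatusCode) $($resp.Content)" }

# 2. Reader on the VM only. Reader carries */read, which includes the Microsoft.Insights/logs/*/read
#    action that resource-context queries need. Nothing is granted at workspace scope.
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
if (-not (Get-AzRoleAssignment -ObjectId $NonSocGroupId -Scope $vm.Id -RoleDefinitionName 'Reader')) {
    New-AzRoleAssignment -ObjectId $NonSocGroupId -RoleDefinitionName 'Reader' -Scope $vm.Id | Out-Null
}

# 3. Verify the split. Get-AzRoleAssignment -Scope also returns assignments inherited from the
#    resource group or subscription, so an inherited role on the workspace is caught here too.
$atWorkspace = @(Get-AzRoleAssignment -ObjectId $NonSocGroupId -Scope $WorkspaceResId)
$atResource  = @(Get-AzRoleAssignment -ObjectId $NonSocGroupId -Scope $vm.Id)
[pscustomobject]@{
    WorkspaceScopedRoles = ($atWorkspace.RoleDefinitionName -join ', ')
    ResourceScopedRoles  = ($atResource.RoleDefinitionName -join ', ')
    ResourceContextOnly  = ($atWorkspace.Count -eq 0 -and $atResource.Count -gt 0)
}
```

ResourceContextOnly should be true for every non-SOC group. If it is false because a role is inherited from the resource group that also contains the workspace, the group effectively has the SOC column of the table, and the fix is to move the assignment down to the resource or move the workspace into its own resource group.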

Working with Microsoft Sentinel- Cloud-Native SIEM and SOAR For Intelligent Security Analytics For Your Entire Enterprise

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native solution that provides intelligent security analytics and threat intelligence across the enterprise. It is a single solution for threat detection, threat visibility, proactive hunting, and threat response. It can:

- Collect data at cloud scale across all users, devices, and applications, both on-premises and in multiple clouds.
- Detect previously undetected threats using Microsoft's analytics and threat intelligence, while minimizing false positives.
- Investigate threats with artificial intelligence and hunt for other suspicious activity.
- Respond to incidents rapidly through built-in orchestration and automation of common tasks.

Collects Data Via Data Connectors

To onboard Microsoft Sentinel, connect it to the data sources. It includes various connectors for Microsoft solutions to of

Working With Microsoft Sentinel - Traditional SOC Challenges

Introduction

A SOC (Security Operations Center) is responsible for improving an organization's threat detection and protection with the help of various cybersecurity technologies. It is a team of IT security professionals whose job is to analyze the organization's entire IT infrastructure for security threats and take preventive measures in real time. By unifying an organization's security tools, practices, and incident response, it improves preventive measures and security policies, speeds up threat detection, and makes the response to threats more cost-effective. A SOC also helps improve customer confidence by strengthening the organization's overall IT security. However, SOC teams also face challenges on a daily basis.

Traditional SOC Challenges

High Volume of Security Alerts: Since the number of security alerts is increasing by the day, a considerable amount of an analyst's time always w

Mobile Device Management - Ensure Mobile Devices Require The Use Of A Password

Summary

Users should have to enter a password to unlock their mobile devices.

Reason

If a password is not mandatory, an attacker with physical access to a device can use it to steal account credentials and data, or install malware on it.

What If?

This setting requires users to provide a password to unlock their mobile devices after the time-out period expires.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Device Management.
- Select Device Compliance and then, under Policy, select Configuration Profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device Restrictions.
- In the Password section, ensure that Password is set to Require.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Device Management.
- Select Device Compliance and then, under Policy, sele

Mobile Device Management - Ensure Mobile Device Management Policies Are Required For Email Profiles

Summary

Mobile device management policies should require that the user's email profile is managed by the policy.

Reason

If this is not mandatory, users can set up and configure email accounts without the protections of the mobile device management policy, which can lead to breaches of accounts and data.

What If?

This setting will have a moderate user impact.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Device Management.
- Select Device Compliance and then, under Policy, select Compliance Policies.
- Select Create Policy.
- Set a Name for the policy and choose the appropriate Platform.
- Under Settings and Email, ensure that Require mobile devices to have a managed email profile is set to Require.

Monitor

To verify mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Device Management.
- Select Device Compliance and then, under Policy

Mobile Device Management - Ensure that Devices Connecting Have AV and a Local Firewall Enabled

Summary

Mobile device management policies should require PCs to have antivirus and a local firewall enabled.

Reason

If this is not mandatory, users can connect from devices that are vulnerable to basic internet attacks, which can lead to breaches of accounts and data.

What If?

This setting has minimal user impact, but a device that is not running proper protection will be blocked from connecting.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Compliance Policies.
- Select Create Policy.
- Set a Name for the policy and choose the appropriate PC Platform.
- Select System security under Settings.
- Under Device Security, set Firewall, Antivirus, and Antispyware all to Require.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Cent

Mobile Device Management - Ensure that Mobile Device Require Complex Passwords (Simple Passwords = Blocked)

Summary

Users should be required to use complex passwords to unlock their mobile devices.

Reason

Devices without this protection are vulnerable to physical access by attackers, who can then steal account credentials and data, or install malware on the device.

What If?

This setting will have a moderate user impact.

How to?

To set mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
- In the Password section, make sure that Simple Passwords is set to Blocked.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Review the list of profiles. Ensure that a profile exists

Mobile Device Management - Ensure that Mobile Device Require Complex Passwords (Type = Alphanumeric)

Summary

Users should be required to use complex passwords drawn from at least two character sets (such as letters and numbers) to unlock their mobile devices.

Reason

Devices without this protection are vulnerable to physical access by attackers, who can then steal account credentials and data, or install malware on the device.

What If?

This setting will have a moderate user impact.

How to?

To set mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
- In the Password section, make sure that Required password type is set to Alphanumeric.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Conf

Mobile Device Management - Ensure that Mobile Device Encryption is Enabled To Prevent Unauthorized Access To Mobile Data

Summary

Users should use encryption on their mobile devices.

Reason

An unencrypted device can be stolen and its data extracted by an attacker with very little effort.

What If?

This setting has no user impact, provided the device supports the feature.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose Android as the Platform, and select Device restrictions.
- In the Password section, make sure that Encryption is set to Require.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Review the list of profiles. Ensure that a profile exists for Android. Review the Password section under Device restrictions and verif

Mobile Device Management - Ensure That Mobile Devices Lock After a Period Of Inactivity To Prevent Unauthorized Access

Summary

Users should configure their mobile devices to lock after a period of inactivity.

Reason

Unlocked devices are vulnerable to physical access by attackers, who can steal them and read the data and account information on them.

What If?

This setting has a low impact on users.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
- In the Password section, make sure that Maximum minutes of inactivity until screen lock is set to 5 and Maximum minutes after screen lock before password is required is set to Immediately.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Co

Mobile Device Management - Ensure That Mobile Devices Require a Minimum Password Length To Prevent Brute Force Attacks

Summary

Users should use a minimum password length of at least six characters to unlock their mobile devices.

Reason

Devices without this protection are vulnerable to physical access by attackers, who can then steal account credentials and data, or install malware on the device.

What If?

This setting can have a high user impact, depending on the willingness and awareness of end users.

How to?

To set mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
- In the Password section, make sure that Minimum password length is set to 6.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then

Mobile Device Management - Ensure Mobile Devices Are Set To Wipe On Multiple Sign-in Failures To Prevent Brute Force Compromise

Summary

Require mobile devices to wipe after multiple sign-in failures.

Reason

Devices without this protection are vulnerable to physical access by attackers, who can then steal account credentials and data, or install malware on the device.

What If?

This setting should cause no noticeable impact in normal use; however, if a user mistypes their password enough times to wipe their device, the impact on that user is high.

How to?

To set mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Configuration profiles.
- Select Create Profile.
- Set a Name for the policy, choose the appropriate Platform, and select Device restrictions.
- In the Password section, make sure that Number of sign-in failures before wiping device is set to 10.

Monitor

To verify mobile device management profiles, use the Microsoft 365 Admin Center:
- Under Admin Centers pick

Mobile Device Management - Ensure that Users Cannot Connect From Devices That Are Jail Broken or Rooted

Summary

Users should not be allowed to connect with mobile devices that have been jailbroken or rooted.

Reason

These devices have had basic platform protections disabled in order to run software that is often malicious, which can easily lead to an account or data breach.

What If?

This setting should cause no noticeable impact; however, a device that is jailbroken, rooted, or running a developer build of a mobile operating system will be blocked from connecting.

How to?

To set mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers pick Endpoint Management.
- Select Devices and then, under Policy, select Compliance policies.
- Select Create Policy.
- Set a Name for the policy and choose the appropriate Platform.
- Under Settings and Device Health, ensure that Jailbroken devices (iOS) or Rooted devices (Android) is set to Block.

Monitor

To verify mobile device management policies, use the Microsoft 365 Admin Center:
- Under Admin Centers
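The Monitor steps of the mobile device management posts above (password required, simple passwords blocked, alphanumeric type, minimum length, inactivity lock, wipe on failures, encryption, managed email profile, antivirus and firewall, jailbroken or rooted devices) all amount to opening each profile and reading one setting. The script below is an added example, not code from the original posts, that performs the same review across all profiles at once with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.DeviceManagement module, the DeviceManagementConfiguration.Read.All permission, and uses the thresholds recommended in the posts (6 characters, 5 minutes, 10 failures). The Graph type and property names are those of the device configuration and compliance policy resources; which platform types a tenant actually uses is an assumption to adjust.

```powershell
# Added example, not code from the original posts: audit Intune device restriction profiles and
# compliance policies against the settings recommended above, via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph.DeviceManagement and DeviceManagementConfiguration.Read.All.
Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

# Thresholds from the posts.
$MinLength = 6; $MaxInactivityMinutes = 5; $MaxFailuresBeforeWipe = 10

function Test-Setting($Policy, $Check, $Ok) {
    [pscustomobject]@{ Policy = $Policy; Check = $Check; Result = $(if ($Ok) { 'PASS' } else { 'FAIL' }) }
}
# Inactivity and failure counters of 0 (or absent) mean "not configured", so a value passes only
# when it is both set and within the threshold.
function Test-Bounded($Value, $Max) { $null -ne $Value -and [int]$Value -gt 0 -and [int]$Value -le $Max }

$findings = @(
    # Platform-specific settings of the derived Graph types arrive in AdditionalProperties.
    Get-MgDeviceManagementDeviceConfiguration -All | ForEach-Object {
        $n = $_.DisplayName; $a = $_.AdditionalProperties
        switch ($a['@odata.type']) {
            '#microsoft.graph.androidGeneralDeviceConfiguration' {
                Test-Setting $n 'Password required'          ($a.passwordRequired -eq $true)
                Test-Setting $n 'Password type alphanumeric' ($a.passwordRequiredType -eq 'alphanumeric')
                Test-Setting $n "Min length >= $MinLength"   ([int]$a.passwordMinimumLength -ge $MinLength)
                Test-Setting $n "Screen lock <= $MaxInactivityMinutes min" (Test-Bounded $a.passwordMinutesOfInactivityBeforeScreenTimeout $MaxInactivityMinutes)
                Test-Setting $n "Wipe after <= $MaxFailuresBeforeWipe failures" (Test-Bounded $a.passwordSignInFailureCountBeforeFactoryReset $MaxFailuresBeforeWipe)
                Test-Setting $n 'Encryption required'        ($a.storageRequireDeviceEncryption -eq $true)
            }
            '#microsoft.graph.iosGeneralDeviceConfiguration' {
                Test-Setting $n 'Passcode required'          ($a.passcodeRequired -eq $true)
                Test-Setting $n 'Simple passcodes blocked'   ($a.passcodeBlockSimple -eq $true)
                Test-Setting $n 'Passcode type alphanumeric' ($a.passcodeRequiredType -eq 'alphanumeric')
                Test-Setting $n "Min length >= $MinLength"   ([int]$a.passcodeMinimumLength -ge $MinLength)
                Test-Setting $n "Screen lock <= $MaxInactivityMinutes min" (Test-Bounded $a.passcodeMinutesOfInactivityBeforeScreenTimeout $MaxInactivityMinutes)
                Test-Setting $n "Wipe after <= $MaxFailuresBeforeWipe failures" (Test-Bounded $a.passcodeSignInFailureCountBeforeWipe $MaxFailuresBeforeWipe)
            }
        }
    }
    Get-MgDeviceManagementDeviceCompliancePolicy -All | ForEach-Object {
        $n = $_.DisplayName; $a = $_.AdditionalProperties
        switch ($a['@odata.type']) {
            '#microsoft.graph.iosCompliancePolicy' {
                Test-Setting $n 'Jailbroken devices blocked'     ($a.securityBlockJailbrokenDevices -eq $true)
                Test-Setting $n 'Managed email profile required' ($a.managedEmailProfileRequired -eq $true)
            }
            '#microsoft.graph.androidCompliancePolicy' {
                Test-Setting $n 'Rooted devices blocked'         ($a.securityBlockJailbrokenDevices -eq $true)
            }
            '#microsoft.graph.windows10CompliancePolicy' {
                Test-Setting $n 'Firewall required'              ($a.activeFirewallRequired -eq $true)
                Test-Setting $n 'Antivirus required'             ($a.antivirusRequired -eq $true)
                Test-Setting $n 'Antispyware required'           ($a.antiSpywareRequired -eq $true)
            }
        }
    }
)

$findings | Sort-Object Result, Policy | Format-Table -AutoSize
```

A platform with no matching profile or policy produces no rows at all, which is itself a finding: the audit only shows FAIL for settings that exist and are wrong, so compare the policies listed against the platforms you enrol. Android Enterprise profiles use a different Graph type (androidDeviceOwnerGeneralDeviceConfiguration) with its own property names, so tenants that use them need an extra switch branch; and a profile that passes every check still protects nothing until it is assigned to the right device groups, which the script does not verify.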