Need to Know podcast–Episode 233

FAQ podcasts are shorter and more focused on a particular topic. In this episode I’ll talk about Azure Sentinel.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-233-azure-sentinel/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Azure Sentinel

Office 365 Audit Retention Policy

I have spoken previously about the importance of ensuring that your unified audit logs are enabled in your Microsoft 365 tenant:

Enable activity auditing in Office 365

These logs are retained for 90 days by default for all plans. However, if you have Office 365 E5, Microsoft 365 E5 or Microsoft 365 E5 Compliance add-on license you can enable an audit retention policy for up to 1 year.

If you navigate to:

https://protection.office.com/unifiedauditlog

in your tenant you will see:

image

the button New audit retention policy at the bottom of the page as shown above.

image

Select that button will display the above dialog. Towards the bottom of this you will see that you can set up a retention policy of up to 1 year.

Of course you can enter the policy via the web interface but I prefer PowerShell. The command that you need to use is:

New-UnifiedAuditLogRetentionPolicy

you then use the recordtypes parameter to specify the audit logs of a specific record type that are retained by the policy. Currently, there are heaps of these:

  1. AeD
  2. AirInvestigation
  3. ApplicationAudit
  4. AzureActiveDirectory
  5. AzureActiveDirectoryAccountLogon
  6. AzureActiveDirectoryStsLogon
  7. CRM
  8. Campaign
  9. ComplianceDLPExchange
  10. ComplianceDLPSharePoint
  11. ComplianceDLPSharePointClassification
  12. ComplianceSupervisionExchange
  13. CustomerKeyServiceEncryption
  14. DLPEndpoint
  15. DataCenterSecurityCmdlet
  16. DataGovernance
  17. DataInsightsRestApiAudit
  18. Discovery
  19. ExchangeAdmin
  20. ExchangeAggregatedOperation
  21. ExchangeItem
  22. ExchangeItemAggregated
  23. ExchangeItemGroup
  24. HRSignal
  25. HygieneEvent
  26. InformationBarrierPolicyApplication
  27. InformationWorkerProtection
  28. Kaizala
  29. LabelExplorer
  30. MIPLabel
  31. MailSubmission
  32. MicrosoftFlow
  33. MicrosoftForms
  34. MicrosoftStream
  35. MicrosoftTeams
  36. MicrosoftTeamsAdmin
  37. MicrosoftTeamsAnalytics
  38. MicrosoftTeamsDevice
  39. MicrosoftTeamsShifts
  40. MipAutoLabelExchangeItem
  41. MipAutoLabelSharePointItem
  42. MipAutoLabelSharePointPolicyLocation
  43. OfficeNative
  44. OneDrive
  45. PowerAppsApp
  46. PowerAppsPlan
  47. PowerBIAudit
  48. Project
  49. Quarantine
  50. SecurityComplianceAlerts
  51. SecurityComplianceCenterEOPCmdlet
  52. SecurityComplianceInsights
  53. SharePoint
  54. SharePointCommentOperation
  55. SharePointContentTypeOperation
  56. SharePointFieldOperation
  57. SharePointFileOperation
  58. SharePointListItemOperation
  59. SharePointListOperation
  60. SharePointSharingOperation
  61. SkypeForBusinessCmdlets
  62. SkypeForBusinessPSTNUsage
  63. SkypeForBusinessUsersBlocked
  64. Sway
  65. SyntheticProbe
  66. TeamsHealthcare
  67. ThreatFinder
  68. ThreatIntelligence
  69. ThreatIntelligenceAtpContent
  70. ThreatIntelligenceUrl
  71. WorkplaceAnalytics
  72. Yammer

In my case I ran:

New-UnifiedAuditLogRetentionPolicy -Name “Log Retention Policy” -Description “One year retention policy for all activities” -RecordTypes AeD,AirInvestigation,ApplicationAudit,AzureActiveDirectory,AzureActiveDirectoryAccountLogon,AzureActiveDirectoryStsLogon,CRM,Campaign,ComplianceDLPExchange,ComplianceDLPSharePoint,ComplianceDLPSharePointClassification,ComplianceSupervisionExchange,CustomerKeyServiceEncryption,DLPEndpoint,DataCenterSecurityCmdlet,DataGovernance,DataInsightsRestApiAudit,Discovery,ExchangeAdmin,ExchangeAggregatedOperation,ExchangeItem,ExchangeItemAggregated,ExchangeItemGroup,HRSignal,HygieneEvent,InformationBarrierPolicyApplication,InformationWorkerProtection,Kaizala,LabelExplorer,MIPLabel,MailSubmission,MicrosoftFlow,MicrosoftForms,MicrosoftStream,MicrosoftTeams,MicrosoftTeamsAdmin,MicrosoftTeamsAnalytics,MicrosoftTeamsDevice,MicrosoftTeamsShifts,MipAutoLabelExchangeItem,MipAutoLabelSharePointItem,MipAutoLabelSharePointPolicyLocation,OfficeNative,OneDrive,PowerAppsApp,PowerAppsPlan,PowerBIAudit,Project,Quarantine,SecurityComplianceAlerts,SecurityComplianceCenterEOPCmdlet,SecurityComplianceInsights,SharePoint,SharePointCommentOperation,SharePointContentTypeOperation,SharePointFieldOperation,SharePointFileOperation,SharePointListItemOperation,SharePointListOperation,SharePointSharingOperation,SkypeForBusinessCmdlets,SkypeForBusinessPSTNUsage,SkypeForBusinessUsersBlocked,Sway,SyntheticProbe,TeamsHealthcare,ThreatFinder,ThreatIntelligence,ThreatIntelligenceAtpContent,ThreatIntelligenceUrl,WorkplaceAnalytics,Yammer -RetentionDuration TwelveMonths -Priority 100

to set them all for my E5 environment, and thus retain all this logging information for at least 12 months!

image

You can read more about all this in the Microsoft documentation here:

Manage audit log retention policies

Remember however, for this to work:

“To retain an audit log for longer than 90 days, the user who generated the audit log must be assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance add-on license.”

***** 9 April 2020 Update

It appears Microsoft has now changed the parameters you can specify to:

ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation,
OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet,
ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation,
AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked,      SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer,      SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow,  AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project,  SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp,  PowerAppsPlan, ThreatIntelligenceAtpContent, LabelContentExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication,   SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation,  MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection,  Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit,  ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem,     MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, MipAutoLabelExchangeItem, CortanaBriefing,
Search, WDATPAlerts, MDATPAudit

Blocked files types in OWA

Outlook Web Access maintain a list of allowed and blocked file types. These are contained in a policy for each user. To determine what this policy is with PowerShell, the first thing you’ll need to do is connect to Exchange Online. I have made that easy for you by creating a script to connect using the new Exchange Online V2 PowerShell module. you will find that script here:

https://github.com/directorcia/Office365/blob/master/o365-connect-exov2.ps1

Once you have connected, run the following commands:

$casmailbox=Get-CASMailbox <user email address>
$owapolicyname = $casmailbox.OwaMailboxPolicy
$owapolicyname

This should display something like:

image

which gives us the policy name.

Next run the command:

$policy = Get-OwaMailboxPolicy $owapolicyname

to get the settings/values of that policy.

To view the allowed file list run the commands:

$allowedFileTypes = $policy.AllowedFileTypes

$allowedFileTypes

which should show something like:

image

To view the blocked file list run the commands:

$blockedfiletypes = $policy.BlockedFileTypes
$blockedfiletypes

image

The next question is, can you adjust these lists? Yes you can. You basically do that by adjusting the list of extensions variable (here $blockedfiletypes) via something like:

$blockedFileTypes.Remove(“.XXX”)

and reapplying that to the policy like:

Set-OwaMailboxPolicy $policy -BlockedFileTypes $blockedFileTypes

and if you want to extend the list just use add instead of remove in the above command prior to applying it to the policy.

Microsoft is making additions to the BlockedFileTypes list from April 2020:

What file extensions will be added to the BlockedFileTypes list with this change?
The following extensions are used by the Python scripting language:


“.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw”


The following extensions are used by the PowerShell scripting language:


“.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml”, “.pssc”


The following extension is used by Windows ClickOnce


“.appref-ms”


The following extension is used by Microsoft Data Access Components (MDAC)


“.udl”


The following extension is used by the Windows sandbox


“.wsb”


The following extensions are used for digital certificates:


“.cer”, “.crt”, “.der”


The following extensions are used by the Java programming language:


“.jar”, “.jnlp”


The following extensions are used by various applications. While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use:


“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

The list in my test tenant right now is:

Blocked File Types:

.settingcontent-ms
.printerexport
.appcontent-ms
.appref-ms
.vsmacros
.website
.msh2xml
.msh1xml
.diagcab
.webpnp
.ps2xml
.ps1xml
.mshxml
.gadget
.theme
.psdm1
.mhtml
.cdxml
.xbap
.vhdx
.pyzw
.pssc
.psd1
.psc2
.psc1
.msh2
.msh1
.jnlp
.aspx
.xnk
.xml
.xll
.wsh
.wsf
.wsc
.wsb
.vsw
.vst
.vss
.vhd
.vbs
.vbp
.vbe
.url
.udl
.tmp
.shs
.shb
.sct
.scr
.scf
.reg
.pyz
.pyw
.pyo
.pyc
.pst
.ps2
.ps1
.prg
.prf
.plg
.pif
.pcd
.ops
.msu
.mst
.msp
.msi
.msh
.msc
.mht
.mdz
.mdw
.mdt
.mde
.mdb
.mda
.mcf
.maw
.mav
.mau
.mat
.mas
.mar
.maq
.mam
.mag
.maf
.mad
.lnk
.ksh
.jse
.jar
.its
.isp
.ins
.inf
.htc
.hta
.hpj
.hlp
.grp
.fxp
.exe
.der
.csh
.crt
.cpl
.com
.cnt
.cmd
.chm
.cer
.bat
.bas
.asx
.asp
.app
.adp
.ade
.ws
.vb
.py
.pl
.js


and Allowed File Types is:

.rpmsg
.xlsx
.xlsm
.xlsb
.tiff
.pptx
.pptm
.ppsx
.ppsm
.docx
.docm
.zip
.xls
.wmv
.wma
.wav
.vsd
.txt
.tif
.rtf
.pub
.ppt
.png
.pdf
.one
.mp3
.jpg
.gif
.doc
.bmp
.avi


Your mileage may vary.

What supports modern authentication in Microsoft 365

I get a lot of questions of what does and doesn’t support pure modern authentication in Microsoft 365. Pure modern authentication DOESN’T include App Passwords!

In short, you are best off with the latest version of the Microsoft software. However, here’s the list:

Office 2016

Modern authentication is already enabled for Office 2016 clients, you do not need to set registry keys for Office 2016.

Office 2013

To enable modern authentication for any devices running Windows (for example on laptops and tablets), that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:

Registry key        Type        Value

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL        REG_DWORD        1

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version        REG_DWORD        1

iOS

In order to use the native iOS mail client, you will need to be running iOS version 11.0 or later to ensure the mail client has been updated to block legacy authentication.

Mac

One of the three most recent versions of macOS. When a new major version of macOS is released, the macOS and the previous two versions.

macOS Mail on macOS < 10.14 does not support Modern Authentication

Android

Android (Google) Mail does not support Modern Authentication

Outlook on mobile

Outlook for Mobile supports modern authentication by default

Office for iPad® and iPhone® (including Outlook for iOS on iPad® and iPhone®) requires iOS 12.0 or later. Office for iPad Pro™ requires iOS 11.0 or later Office is supported on the two most recent versions of iOS.

Office for Android can be installed on tablets and phones running any of the supported versions of Android and have an ARM-based or Intel x86 processor. Starting on July 1, 2019, support will be limited to only the last four major versions of Android.

Office for Android™ can be installed on tablets and phones that meet the following criteria: running Android KitKat 4.4 or later version and have an ARM-based or Intel x86 processor.

Compare how different mobile devices work with Office 365 – https://support.office.com/en-us/article/Compare-how-different-mobile-devices-work-with-Office-365-BDD06229-776A-4824-947C-82425D72597B

Need to Know podcast–Episode 232

No interview this episode only news with Brenton and myself. Been a little while since we have chatted so a few things to cover off in the Microsoft Cloud and in general.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-232-updates/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@contactbrenton

@directorcia

Brenton’s Adoption Podcast

What’s new with Microsoft 365 February 2020

Forms Activity Reports

Staying on top of Office 365 updates

Update to Microsoft Authenticator

Microsoft’s New Cloud printing service

Detect workplace harassment

Our commitment to customer during COVID-19

Full Azure AD P1 is coming to Microsoft 365 Business

image

One of the frustrating things about Microsoft 365 Business was that it didn’t include the full Azure AD P1 feature set. It had about 80%. This unfortunately created a lot of confusion for people to know exactly was and was not included. For example, Dynamic Groups WAS part of Azure AD P1 but NOT part of Microsoft 365 Business.

That was until now! Per the above Message Center notification, Microsoft 365 Business will receive the full Azure AD P1 from April 2020! Seems like all of us (including Alex Fields, got our Christmas wish)

Thanks Microsoft, that’s going to make things much easier.

Why is there no data in my Azure Sentinel?

image

If you find that no data is flowing into your Azure Sentinel workspace then check the data connectors as shown above. You should see that the Data types are connected and actual events are appearing.

image

If you actually Open connector page you should firstly see that the data source is connected (in the top right). In the lower left you should see the connected sources as well as the log counts. However, if you see no data then the most likely cause is that you have not completed the Configuration settings (here selecting Exchange and SharePoint option).

image

Another way to check is to select the Logs option on the left menu and then run an ad hoc query against some of the data sources as shown above. that should produce some low level logs that confirm data is being ingested.

Azure Sentinel Data Connectors have different configurations, so if you are not seeing any data inside Sentinel, check that you have all the configuration options enabled and connected inside each connector.

CIAOPS Need to Know Microsoft 365 Webinar–March

laptop-eyes-technology-computer

This month I’m going to closer look at OneDrive for Business and hopefully share with you some features that you may not know about. There is more to OneDrive for Business than meets the eye. I’ll have the  the latest Microsoft Cloud updates plus open Q and A as well.

You can register for the regular monthly webinar here:

March Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – March 2020
Thursday 26th of March 2020
10.30am – 11.30am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.