Need to Know podcast–Episode 244

Sarah Young from Microsoft joins us again to talk about Azure Sentinel. We run through what it is and why you should be using it to protect your IT environments. Brenton joins us as well to cover off the latest news and certifications he has achieved. Listen in for all the details.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-244-sarah-young/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Sarah Young

@contactbrenton

@directorcia

L400 Sentinel Ninja Training

MS Tech Community Sentinel blog

Sentinel GitHub repo

Sentinel documentation

MS Security Community webinars

Defender ATP for Linux now GA

Defender ATP for Android

OneDrive Roadmap Roundup – May 2020

PowerPoint Live is now generally available

What’s New: Livestream for Azure Sentinel is now released for General Availability

Azure responds to COVID-19

20 updates for Microsoft Teams for Education, including 7×7 video and Breakout Rooms

Outlook for Windows: Signature cloud settings

Configure new Edge to allow Exchange PowerShell MFA module download

One of the challenges with MFA and PowerShell has been that you need to go into the Exchange admin center and download a special PowerShell module (the Exchange Online Remote PowerShell Module, delivered via ClickOnce) that supports MFA. The need for that module when connecting to Exchange Online with PowerShell is largely removed by the Exchange Online PowerShell V2 module (ExchangeOnlineManagement), which uses modern authentication. However, if you want to connect to the Security and Compliance Center with PowerShell and MFA, you still need to install the special MFA module from the Exchange admin center in the portal. Newer releases of the V2 module add a Connect-IPPSSession cmdlet for the Security and Compliance Center, so check whether the version you have installed already offers that before going down the ClickOnce path.

image

To do this, you'll need to navigate to the Exchange admin center as shown above and select Hybrid from the items on the left. You'll then need to select the lower option displayed on the right hand side, which allows you to download the special MFA PowerShell module.

That should commence an automated download. This automated download should work in both the older Internet Explorer and the new Edge (Chromium based) browser.

image

That download process should look something like what is shown above. However, if for some reason you can't get it working with the new Edge (Chromium based) browser, navigate to:

edge://flags/#edge-click-once

image

and Enable the ClickOnce Support option as shown above, if not already enabled. Most of the time it is set to Default, which you will need to change to Enabled to allow the download to commence.

The browser will need to reload, but after that you should be able to run the file in the Edge (Chromium based) browser to get the Exchange Online MFA module installed on your local machine. ClickOnce is a well-known malware delivery vector and Edge ships with it disabled for that reason, so set the flag back to Default once the module is installed.

An easier way to connect using PowerShell

If you visit my Office 365 GitHub repository, you'll find a whole range of scripts there you can use for free. A subset of those scripts is designed to make connecting to the various Microsoft Cloud services easier. For example, the script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exov2.ps1

allows you to easily connect to Exchange Online using the version 2 module.

While all of this helps, it can still be tricky for people to know what to run, and when, to get connected. So, with that in mind, I have created this script:

https://github.com/directorcia/Office365/blob/master/c.ps1

which when run by simply typing

.\c.ps1

in the PowerShell command line

image

will pop up a dialog as shown above and allow you to select which service you wish to connect to.

image

Even better, you can also select multiple services in this same window. You simply use the CTRL and SHIFT keys to select multiple items, just as you do in any Windows desktop application (like Windows Explorer for files, say).

After you have made your selection, those individual service connection scripts will be run.

Of course, the assumption is that you have all of my scripts (including the individual connection scripts) in the same directory. If not, the connections will not be made. However, if you have cloned the repository into a single location on your machine, you should be all good.

I also created this short script:

https://github.com/directorcia/Office365/blob/master/r.ps1

which you can run at the PowerShell command prompt via:

.\r.ps1

to remove all currently open remote PowerShell sessions quickly and easily. Run it when you have finished so you don't leave authenticated admin sessions sitting in the console.
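As an added example of the pattern described above (a multi-select dialog that runs the chosen connection scripts, plus a session clean-up), here is one way to build it with Out-GridView. This is not the c.ps1 or r.ps1 script from the repository; only o365-connect-exov2.ps1 is a real file name from the post, and the other script names are placeholders.

```powershell
# Added example of a "master connection" menu in the style of c.ps1 and r.ps1;
# it is not those scripts. Only o365-connect-exov2.ps1 is a real file name from
# the repository; the other script names are placeholders.

# map of menu label -> connection script expected in the same folder as this file
$services = [ordered]@{
    'Exchange Online (V2 module)'    = 'o365-connect-exov2.ps1'
    'Security and Compliance Center' = 'o365-connect-sac.ps1'   # placeholder
    'Azure AD'                       = 'o365-connect-aad.ps1'   # placeholder
    'SharePoint Online'              = 'o365-connect-spo.ps1'   # placeholder
}

function Select-CloudService {
    # Out-GridView with -OutputMode Multiple is the dialog: CTRL/SHIFT multi-select,
    # OK returns the chosen rows, Cancel returns nothing
    $services.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Service = $_.Key; Script = $_.Value } } |
        Out-GridView -Title 'Select the services to connect to' -OutputMode Multiple
}

function Connect-SelectedService {
    param([string]$ScriptRoot = $PSScriptRoot)
    # $PSScriptRoot is empty when this is pasted into an interactive session
    if (-not $ScriptRoot) { $ScriptRoot = (Get-Location).Path }

    $selected = @(Select-CloudService)
    if ($selected.Count -eq 0) { Write-Warning 'No service selected'; return }

    foreach ($item in $selected) {
        $path = Join-Path $ScriptRoot $item.Script
        if (-not (Test-Path -LiteralPath $path)) {
            # the whole repository must be cloned into one folder for this to work
            Write-Host "Cannot find $($item.Script) in $ScriptRoot" -ForegroundColor Red
            continue
        }
        Write-Host "Connecting to $($item.Service)..." -ForegroundColor Cyan
        & $path   # remote sessions the script opens outlive the script's own scope
    }
}

function Remove-CloudSession {
    # the equivalent of r.ps1: close every remote PowerShell session in this console
    Get-PSSession | Remove-PSSession
    # the V2 module tracks its own connection as well
    if (Get-Command Disconnect-ExchangeOnline -ErrorAction SilentlyContinue) {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

Connect-SelectedService
```

Out-GridView needs a Windows desktop session (Windows PowerShell, or PowerShell 7 with the Microsoft.PowerShell.GraphicalTools module). Run Remove-CloudSession at the end of your work; the selection dialog only creates sessions, it never tears them down.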

Hopefully, this new 'master connection' script will make it easier for people to connect to the Microsoft Cloud services they need.

Make sure you check back regularly to my GitHub repository for any updates and additions.

Exchange Online mailbox check script update

I have just updated another of the free PowerShell scripts I provide on Github. This time o365-mx-check.ps1 has been given an update. You will find it here:

https://github.com/directorcia/Office365/blob/master/o365-mx-check.ps1

1. Prior to running the script, you will need to have installed the Exchange Online PowerShell module. To set up your PowerShell environment, I suggest you check out:

2. Connect to Exchange Online with PowerShell. For that I recommend you use my script:

That should result in you being connected to Exchange Online PowerShell as shown above.

Once you have your PowerShell environment setup, you simply run the o365-mx-check.ps1 script at the PowerShell prompt.

image

After checking that the Exchange Online PowerShell module is loaded and connected, the script will loop through all the mailboxes in your tenant.

image

For each mailbox it will check and display a number of settings as shown above including:

  • User's display name and user principal name
  • The primary outbound (SMTP) email address the mailbox uses
  • When the mailbox was created
  • Whether auditing is enabled for the mailbox
  • The maximum age of audit log entries for the mailbox
  • Deleted items retention period
  • Whether Litigation Hold is enabled
  • Whether mailbox archiving is enabled
  • The maximum message send size
  • The maximum message receive size
  • Whether POP3 is enabled for the mailbox
  • Whether IMAP is enabled for the mailbox

Items that are not best practice will be highlighted in red for your attention, as shown above. POP3 and IMAP deserve particular attention: they are legacy-authentication protocols that are not subject to MFA unless legacy authentication is blocked for the tenant (via Conditional Access or an authentication policy).

By default, these results will only display on the screen. However, if you specify the optional -csv parameter when you run the script, like:

.\o365-mx-check.ps1 -csv

a CSV file with the output will be created in the parent directory (the directory the script was run from).

image

You will see the name of the CSV created at the end of the script as shown above.

image

Each CSV file is timestamped to ensure that a unique file will be created each time the script is run.

A log file, o365-mx-check.txt, is also created in the parent directory on each run.

image

The log file will be overwritten each time the script is run.

Thus, the o365-mx-check.ps1 script has one optional parameter:

-csv = output all results to a CSV file in the parent directory. A new, timestamped CSV file is created for each script execution

The script also produces a log file (o365-mx-check.txt) in the parent directory that is overwritten on each run.
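The checks listed above, as an added example written against the Exchange Online V2 module. This is not the o365-mx-check.ps1 script itself; it assumes an open Connect-ExchangeOnline session, and the "best practice" thresholds it applies (90-day audit log age, 30-day deleted item retention, Litigation Hold and archive on, POP3 and IMAP off) are assumptions you should tune for your own tenant.

```powershell
# Added example, not the o365-mx-check.ps1 script. Requires an open
# Connect-ExchangeOnline (ExchangeOnlineManagement / EXO V2) session.

function ConvertTo-Days {
    param($Value)
    # EnhancedTimeSpan values such as AuditLogAgeLimit arrive over REST as
    # strings like '90.00:00:00'; treat anything unparsable as 0 days
    $ts = [TimeSpan]::Zero
    if ([TimeSpan]::TryParse("$Value", [ref]$ts)) { return [int]$ts.TotalDays }
    return 0
}

function Test-MailboxBaseline {
    [CmdletBinding()]
    param(
        [switch]$Csv,                     # also write a timestamped CSV in the current folder
        [int]$MinAuditLogAgeDays = 90,    # assumed baseline values; tune per tenant
        [int]$MinDeletedItemsDays = 30
    )

    if (-not (Get-Command Get-EXOMailbox -ErrorAction SilentlyContinue)) {
        throw 'Exchange Online module not loaded. Run Connect-ExchangeOnline first.'
    }

    $props = 'DisplayName','UserPrincipalName','PrimarySmtpAddress','WhenCreated',
             'AuditEnabled','AuditLogAgeLimit','RetainDeletedItemsFor',
             'LitigationHoldEnabled','ArchiveStatus','MaxSendSize','MaxReceiveSize'
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties $props

    $results = foreach ($mbx in $mailboxes) {
        # POP3/IMAP settings live on the CAS mailbox object, not the mailbox itself
        $cas = Get-EXOCASMailbox -Identity $mbx.UserPrincipalName -Properties PopEnabled,ImapEnabled

        $row = [pscustomobject]@{
            DisplayName        = $mbx.DisplayName
            UserPrincipalName  = $mbx.UserPrincipalName
            PrimarySmtpAddress = $mbx.PrimarySmtpAddress
            WhenCreated        = $mbx.WhenCreated
            AuditEnabled       = [bool]$mbx.AuditEnabled
            AuditLogAgeDays    = ConvertTo-Days $mbx.AuditLogAgeLimit
            DeletedItemsDays   = ConvertTo-Days $mbx.RetainDeletedItemsFor
            LitigationHold     = [bool]$mbx.LitigationHoldEnabled
            ArchiveEnabled     = ($mbx.ArchiveStatus -eq 'Active')
            MaxSendSize        = "$($mbx.MaxSendSize)"
            MaxReceiveSize     = "$($mbx.MaxReceiveSize)"
            PopEnabled         = [bool]$cas.PopEnabled
            ImapEnabled        = [bool]$cas.ImapEnabled
        }

        # collect every deviation from the baseline so the CSV carries the reason too
        $findings = @()
        if (-not $row.AuditEnabled)                         { $findings += 'mailbox auditing off' }
        if ($row.AuditLogAgeDays -lt $MinAuditLogAgeDays)   { $findings += "audit log age $($row.AuditLogAgeDays)d" }
        if ($row.DeletedItemsDays -lt $MinDeletedItemsDays) { $findings += "deleted items kept $($row.DeletedItemsDays)d" }
        if (-not $row.LitigationHold)                       { $findings += 'no litigation hold' }
        if (-not $row.ArchiveEnabled)                       { $findings += 'archive not enabled' }
        if ($row.PopEnabled)                                { $findings += 'POP3 enabled (legacy auth path)' }
        if ($row.ImapEnabled)                               { $findings += 'IMAP enabled (legacy auth path)' }
        $row | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ')

        # red for anything off-baseline, mirroring the on-screen highlighting
        if ($findings) { Write-Host "$($row.UserPrincipalName): $($findings -join ', ')" -ForegroundColor Red }
        else           { Write-Host "$($row.UserPrincipalName): OK" -ForegroundColor Green }
        $row
    }

    if ($Csv) {
        # timestamp in the name so each run produces a distinct file
        $file = Join-Path (Get-Location) ('o365-mx-check-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
        $results | Export-Csv -Path $file -NoTypeInformation
        Write-Host "CSV written to $file"
    }
    $results
}

# usage: Test-MailboxBaseline -Csv | Out-Null
```

Get-EXOCASMailbox is called once per mailbox, so on a large tenant this is the slow part; the Findings column is what you sort on in Excel afterwards.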

You will find this script and all my publicly available scripts at:

http://github.com/directorcia

Don’t forget to check back there regularly for updates. Also, if you have any feedback or suggestion on this script or what you’d like to see me create, please let me know. I also maintain a large array of additional scripts via a paid subscription. More details of that can be found at www.ciaopspatron.com.

Need to Know podcast–Episode 243

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about what Office 365 ATP is and provide some best practice suggestions.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-243-office-365-atp/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

CIAOPS Patron Community

Office 365 ATP

@directorcia

All the Defenders


Microsoft has quite a few products under the 'Defender' banner, and I see this causing confusion out there. Most people believe that 'Defender' is only an anti-virus solution, but that could not be further from the truth. Here I want to show how broad the 'Defender' brand is and give you a basic idea of what each 'Defender' product does.

To start off with, there are products that are considered 'Windows Defender' products, although I see the Windows and Microsoft brands intermingled regularly. Here is a list of specific 'Windows Defender' products:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – A set of host intrusion-prevention features. Its exploit protection component automatically applies a number of exploit mitigation techniques to operating system processes and apps; Exploit Guard also covers attack surface reduction rules, network protection and controlled folder access.

Windows Defender Credential Guard –  Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.

In contrast, here are the ‘Microsoft Defender’ products :

Microsoft Defender SmartScreen – Protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Advanced Threat Protection – is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Microsoft Defender Browser Protection – A browser extension for non-Microsoft browsers (Google Chrome) that helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of 'Defender' products from Microsoft. How and when you get each of them varies greatly, as do their capabilities, and most of them integrate with each other. That, however, is beyond the scope of this article but maybe something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Audit script update

About two years ago I created a free PowerShell script to report on tenant logins by checking the Unified Audit Log. You’ll find that original article here:

Auditing Office 365 user logins via PowerShell

I’ve now updated the script and added some functionality as well. But before you go off and run the script, make sure you have completed the pre-requisites:

1. You'll need to ensure that you have enabled the Unified Audit Log in the tenant. You can see how to do that here:

2. Prior to running the script, you will need to have installed the Exchange Online PowerShell module. To set up your PowerShell environment, I suggest you check out:

3. Connect to Exchange Online with PowerShell. For that I recommend you use my script:

image

Once you have your PowerShell environment setup, you simply run the o365-connect-exov2.ps1 script as shown above.

image

That should result in you being connected to Exchange Online PowerShell as shown above.

image

At this point you can now run the o365-login-audit.ps1 script which you will find at:

https://github.com/directorcia/Office365/blob/master/o365-login-audit.ps1

image

That should output the list of user logins from the Unified Audit Log for the past day, as shown. It will show you both successful and failed login attempts, the time they occurred, the IP address the login came from and the user attempting the login, as shown above.

image

If you instead run the o365-login-audit.ps1 script with the –fail parameter as shown above,

image

The output will only display failed login attempt details as shown above.

image

If you run the o365-login-audit.ps1 script with the –days parameter as shown above,

image

You will be prompted to enter the number of previous days you wish to check, as shown above, beyond the default one day. Remember, the more days you specify, the more logs need to be retrieved, and the longer the process will take. Bear in mind also that the Unified Audit Log retains a finite history (90 days on most licences), so there is a ceiling on how far back you can search.

image

The results will be displayed as before. You will notice the message line in the output stating the total number of days being checked.

image

If you instead run the o365-login-audit.ps1 script with the –csv parameter as shown above,

image

You will notice the same output but you will also see a line, as shown above, that confirms the total results have also been sent to a CSV file.

image

If you look in the parent directory, from where the script ran, you will find the CSV file (o365-login-audit.csv) mentioned previously as well as the script log file (o365-login-audit.txt).

image

The script log file (o365-login-audit.txt), as shown above, contains the output from what was displayed on the screen when you ran the script. This file is always overwritten when the script runs.

image

The CSV file contains all the log file entries for the period specified. This allows you to open the file in Excel and filter, sort and format as needed. A new CSV is created every time the script is run with the –csv option.

Thus, the o365-login-audit.ps1 script has three optional parameters, which can be used in any combination:

-fail = display only failed logins

-days = prompt for the total number of days to check back from the current date

-csv = output all logs for the period to a CSV file in the parent directory. A new CSV file is created for each script execution

The script also produces a log file (o365-login-audit.txt) in the parent directory that is overwritten on each run.
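The login query described above, as an added example that is not the o365-login-audit.ps1 script. It assumes an open Connect-ExchangeOnline session and a tenant with the Unified Audit Log enabled, takes the day count as a parameter instead of prompting, and goes one step further than the page by flagging the password-spray pattern (one source IP failing against many accounts); the threshold for that warning is an assumption.

```powershell
# Added example, not the o365-login-audit.ps1 script. Requires an open
# Connect-ExchangeOnline session and the Unified Audit Log enabled in the tenant.

function Get-TenantLoginAudit {
    [CmdletBinding()]
    param(
        [int]$Days = 1,            # how many previous days to pull (default one day)
        [switch]$Fail,             # failed logins only
        [switch]$Csv,              # also write o365-login-audit.csv in the current folder
        [int]$SprayThreshold = 10  # assumed: failures from one IP that warrant a warning
    )

    if (-not (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue)) {
        throw 'Not connected to Exchange Online. Run Connect-ExchangeOnline first.'
    }

    $end   = Get-Date
    $start = $end.AddDays(-$Days)
    $ops   = if ($Fail) { @('UserLoginFailed') } else { @('UserLoggedIn','UserLoginFailed') }
    Write-Host "Checking $Days day(s) of logins from $start to $end"

    # One call returns at most 5000 records, so page through with a session id.
    $sessionId = "login-audit-$([guid]::NewGuid())"
    $raw = @()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -RecordType AzureActiveDirectoryStsLogon -Operations $ops `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $raw += $page }
    } while ($page)

    # paging can hand back the same record twice; Identity is unique per record
    $raw = $raw | Sort-Object -Property Identity -Unique

    # the useful detail is JSON inside AuditData (timestamps are UTC)
    $events = foreach ($r in $raw) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = [datetime]$d.CreationTime
            User       = $d.UserId
            Operation  = $d.Operation
            Result     = $d.ResultStatus
            ClientIP   = $d.ClientIP
            # reason code for failures, e.g. InvalidUserNameOrPassword
            LogonError = ($d.ExtendedProperties | Where-Object { $_.Name -eq 'LogonError' }).Value
        }
    }
    $events = $events | Sort-Object Time

    foreach ($e in $events) {
        $colour = if ($e.Operation -eq 'UserLoginFailed') { 'Red' } else { 'Green' }
        Write-Host ("{0:u}  {1,-15}  {2,-40}  {3}  {4}" -f $e.Time, $e.ClientIP, $e.User, $e.Operation, $e.LogonError) -ForegroundColor $colour
    }

    # beyond the original script: one source IP failing against many accounts is the
    # classic password-spray shape, so call it out explicitly
    $events | Where-Object { $_.Operation -eq 'UserLoginFailed' } |
        Group-Object ClientIP | Where-Object { $_.Count -ge $SprayThreshold } |
        ForEach-Object {
            $users = ($_.Group.User | Sort-Object -Unique).Count
            Write-Warning "$($_.Count) failed logins from $($_.Name) against $users account(s)"
        }

    if ($Csv) {
        $file = Join-Path (Get-Location) 'o365-login-audit.csv'
        $events | Export-Csv -Path $file -NoTypeInformation
        Write-Host "Results also written to $file"
    }
    $events
}

# usage: Get-TenantLoginAudit -Days 7 -Fail -Csv | Out-Null
```

Search-UnifiedAuditLog returns events with some delay after they occur, so a query for "the last day" run immediately after an incident may be incomplete; rerun it later before concluding that nothing happened.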

You will find this script and all my publicly available scripts at:

http://github.com/directorcia

Don’t forget to check back there regularly for updates. Also, if you have any feedback or suggestion on this script or what you’d like to see me create, please let me know. I also maintain a large array of additional scripts via a paid subscription. More details of that can be found at www.ciaopspatron.com.