Need to Know podcast–Episode 275

Join us for an episode with MVP Rory Braybrook where we learn more about modern identities, especially Azure AD including B2B and B2C. Identity is so critical to everything we do in IT these days that it is worth a refresher to understand what’s what and how it can be used effectively. I’ll also bring you the latest news and updates from the Microsoft cloud world, so listen in and share your feedback.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-275-rory-braybrook/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

Rory Braybrook – LinkedIn, Authory

Windows 11: A new era for the PC begins today

Welcome to the new Whiteboard

Mailbox storage limits

Microsoft Ignite

How cyberattacks are changing according to new Microsoft Digital Defense Report

Microsoft Digital Defense Report

Defending Windows Server 2012 R2 and 2016

Add TAXII threat intelligence feeds to Azure Sentinel

image

There are public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information about entities that represent threats, such as compromised IP addresses, botnet domains and so on. Many of these feeds are published over the STIX/TAXII protocol, which the Threat Intelligence – TAXII connector inside Azure Sentinel can consume directly.

Select the Data connectors option from the Azure Sentinel menu on the left. Next, search for TAXII. Finally, select the Threat Intelligence – TAXII connector as shown above, then Open connector page in the lower right.

image

On the right hand side of the page, you see the Configuration area as shown above. Here you’ll require information on the following items:

– API root URL

– Collection ID

– Username

– Password

If you have a look at the bottom of this article:

Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

you’ll find the details for the free Anomali Limo threat feed, which is:

– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/

– Collection ID = see the list in the article (e.g. 107, 135, 136)

For the username and password of all these feeds use:

guest

image

Complete the details for each Collection ID as shown above (one connector entry per collection). When you have completed each feed, select the Add button.

image

The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.

image

The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.

image

Once the feed has started to import data, select Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment, as detailed here:

Work with threat indicators in Azure Sentinel

image

This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.

Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:

Threat intelligence integration in Azure Sentinel

Having additional threat data provides more signal for Sentinel when it examines your environment. Note that the indicators on their own do not raise alerts: you also need to enable the built-in analytics rule templates (the “TI map …” rules) that join the ThreatIntelligenceIndicator table against your log tables. Once those are enabled, an alert is generated whenever an active, unexpired indicator is seen in your environment. For a small ingest and storage cost, having these threat indicators flow into your Sentinel environment provides a huge amount of value and increases your security.
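As an added example (not from this post and not Microsoft’s connector code), the Python below models in miniature what the TAXII connector and the built-in TI analytics rules do: it maps STIX indicator objects of the kind a TAXII poll returns onto the ThreatIntelligenceIndicator column names, then matches network events against only those indicators that are active and not yet expired, which is the filter the “TI map” rule templates apply. The STIX objects and the DeviceNetworkEvents-style records are constructed sample data, the pattern parser handles only single comparison expressions (compound AND/OR patterns are deliberately skipped), and the IP/hostname matching is a simplification of the real rules.

```python
"""
Added example (not from the original post): a miniature model of what the
Azure Sentinel TAXII connector does with a feed and what the built-in
"TI map" analytics rules then do with the ThreatIntelligenceIndicator table.

All data below is constructed. The field names mirror the real table
columns (NetworkIP, DomainName, Url, FileHashValue, Active,
ExpirationDateTime, ConfidenceScore) but no Azure API is called.
"""
import re
from datetime import datetime, timezone

# Simplified STIX 2.1 comparison-expression parser. Real feeds also carry
# compound patterns (AND/OR); those are intentionally unsupported here.
_PATTERN = re.compile(
    r"^\[(?P<path>ipv4-addr:value|domain-name:value|url:value|file:hashes\.'SHA-256')"
    r"\s*=\s*'(?P<value>[^']+)'\]$"
)

# STIX object path -> ThreatIntelligenceIndicator column
_COLUMN = {
    "ipv4-addr:value": "NetworkIP",
    "domain-name:value": "DomainName",
    "url:value": "Url",
    "file:hashes.'SHA-256'": "FileHashValue",
}


def _ts(value):
    """Parse a STIX timestamp such as 2021-09-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def indicator_from_stix(obj):
    """Map one STIX indicator (as a TAXII poll returns it) onto the shape of a
    ThreatIntelligenceIndicator row. Returns None for objects we don't model."""
    if obj.get("type") != "indicator":
        return None
    match = _PATTERN.match(obj["pattern"])
    if not match:
        return None
    row = {
        "IndicatorId": obj["id"],
        "Description": obj.get("description", obj.get("name", "")),
        "ConfidenceScore": obj.get("confidence", 0),
        "Active": not obj.get("revoked", False),
        "ExpirationDateTime": _ts(obj["valid_until"]) if "valid_until" in obj else None,
        "NetworkIP": None, "DomainName": None, "Url": None, "FileHashValue": None,
    }
    row[_COLUMN[match.group("path")]] = match.group("value")
    return row


def match_indicators(indicators, events, now):
    """Return (event, indicator) pairs, applying the same filters the Sentinel
    'TI map' rule templates use: Active == true and not yet expired."""
    live = [i for i in indicators
            if i["Active"] and (i["ExpirationDateTime"] is None or i["ExpirationDateTime"] > now)]
    hits = []
    for event in events:
        for ind in live:
            if ind["NetworkIP"] and event.get("RemoteIP") == ind["NetworkIP"]:
                hits.append((event, ind))
            elif ind["DomainName"] and event.get("RemoteUrl", "").lower() == ind["DomainName"].lower():
                hits.append((event, ind))
    return hits


# Constructed STIX objects, standing in for one page of a TAXII collection.
SAMPLE_FEED = [
    {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '198.51.100.23']",
     "valid_from": "2021-09-01T00:00:00Z", "valid_until": "2022-01-01T00:00:00Z",
     "confidence": 80, "description": "C2 server (constructed)"},
    {"type": "indicator", "id": "indicator--2", "pattern": "[domain-name:value = 'bad.example']",
     "valid_from": "2021-09-01T00:00:00Z", "confidence": 60, "name": "botnet domain (constructed)"},
    {"type": "indicator", "id": "indicator--3", "pattern": "[ipv4-addr:value = '203.0.113.9']",
     "valid_from": "2021-01-01T00:00:00Z", "valid_until": "2021-06-01T00:00:00Z",
     "confidence": 90, "description": "expired indicator (constructed)"},
    {"type": "indicator", "id": "indicator--4",
     "pattern": "[ipv4-addr:value = '10.0.0.1'] OR [domain-name:value = 'other.example']",
     "valid_from": "2021-09-01T00:00:00Z"},
    {"type": "identity", "id": "identity--x", "name": "feed owner (constructed)"},
]

# Constructed DeviceNetworkEvents-style records.
SAMPLE_EVENTS = [
    {"Timestamp": "2021-09-11T10:21:14Z", "DeviceName": "pc01", "RemoteIP": "198.51.100.23", "RemoteUrl": ""},
    {"Timestamp": "2021-09-11T10:22:00Z", "DeviceName": "pc02", "RemoteIP": "93.184.216.34", "RemoteUrl": "BAD.example"},
    {"Timestamp": "2021-09-11T10:23:00Z", "DeviceName": "pc03", "RemoteIP": "203.0.113.9", "RemoteUrl": ""},
    {"Timestamp": "2021-09-11T10:24:00Z", "DeviceName": "pc04", "RemoteIP": "8.8.8.8", "RemoteUrl": "good.example"},
]


def run_sample(now=datetime(2021, 9, 11, tzinfo=timezone.utc)):
    """Ingest the constructed feed and match the constructed events against it."""
    indicators = [row for row in (indicator_from_stix(o) for o in SAMPLE_FEED) if row]
    return indicators, match_indicators(indicators, SAMPLE_EVENTS, now)


if __name__ == "__main__":
    inds, hits = run_sample()
    print(f"{len(inds)} indicators ingested, {len(hits)} matches")
    for event, ind in hits:
        print(event["DeviceName"], event["RemoteIP"] or event["RemoteUrl"], "->", ind["Description"])
```

Run as-is, the compound pattern and the identity object are dropped (three indicators land in the “table”), pc01 matches the live IP indicator, pc02 matches the domain indicator despite the case difference, and pc03 is silent because its indicator expired before the evaluation time. That last case is the one to remember when a known-bad IP produces no incident: check ExpirationDateTime and Active before assuming the rule is broken.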

Testing for CVE-2021-40444 vulnerability

There are current concerns around:

Microsoft MSHTML Remote Code Execution Vulnerability

which is yet to have a patch made available.

I found this excellent article:

CLICK ME IF YOU CAN, OFFICE SOCIAL ENGINEERING WITH EMBEDDED OBJECTS

which provides some PowerShell scripts to create Word documents that can be used to test for the vulnerability.

I have run these scripts to create the actual Word documents and uploaded them for you here:

Office365/example at master · directorcia/Office365 (github.com)

2021-09-11_10-21-14

In both cases, when you open these documents, you should NOT be able to get CALC.EXE to execute on your system unlike what you see above and below.

test2-screen

I have also added these tests to my security testing script which you can download from my GitHub repo here:

Office365/sec-test.ps1 at master · directorcia/Office365 (github.com)

image

When I opened these documents in my production environment, the vulnerability was largely blocked thanks to the Windows Attack Surface Reduction (ASR) rules, which I have detailed previously:

Attack surface reduction for Windows 10

You can use the following KQL query, as I did above, to view the result of this blocking if you are using something like Azure Sentinel, as I am (see also):

Another great security add on for Microsoft 365

KQL:

DeviceEvents
| where ActionType startswith 'Asr'   // ASR block and audit events
| project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName

Cybercrime reporting poll


I’ve created an anonymous public poll asking the question:

Are you reporting cybercrime incidents, like ransomware, to government or police authorities?

which is here:

https://forms.office.com/r/mENdwmaXRj

As the results roll in, you can see the summary here:

http://bit.ly/ciapoll01

I’m interested to see what people are doing when it comes to reporting incidents to authorities.

Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.

image

Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.

image

You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.

image

You should now see all the ‘client’ tenants you connected with Azure Lighthouse. However, you’ll notice they are currently not selected.

image

Ensure that all the directories are selected.

image

With All directories now selected in Current + delegated directories, click on the pull down arrow on the right of Subscription as shown above.

image

Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.

image

Ensure these are all selected and the Subscription option displays All subscriptions as shown above.

image

With all the ‘client’ tenant selections now complete it means they will be displayed just like any other in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.

image

With all the workspaces selected, click the View incidents button from the menu along the top as shown above.

image

You should now see a list of all the incidents across all the tenants. You can see which tenant each belongs to by looking at the Directory column as shown in the output. You can, of course, view individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant, but you are now doing it from inside the ‘master’ tenant.

This process now provides you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you get much the same capability across other Azure resources in the ‘master’ tenant now. This is the benefit of using Azure Lighthouse to manage multiple tenants and exactly how I use it with Azure Sentinel.

Configure Azure Lighthouse

Azure Lighthouse:

“enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants.”

In essence, it allows you to manage multiple ‘client’ Azure tenants from a single ‘master’ tenant. There is no cost for Azure Lighthouse and it is simple to enable. However, I would caution you to pay close attention to the permissions you assign the ‘master’ tenant inside the ‘client’ tenants and follow the best practice of least privilege security.

You are going to need a few things before you start configuring Azure Lighthouse.

1. A ‘master’ Azure tenant with a paid subscription

2. ‘Client’ Azure tenants with a paid subscription in each

3. For each ‘client’ Azure tenant you will require an account in that tenant that has the Owner built-in role for the subscription being onboarded. Typically, there is only one subscription in an Azure tenant and the initial administrator has that role. You will use this user, inside each ‘client’ tenant, to permit access from the ‘master’ tenant.

4. The Tenant ID of the ‘master’ tenant.

image

You will find that on the front page of the Azure Active Directory blade in the ‘master’ Azure tenant portal as shown above.

5. The Object ID for the controlling entity (user or group) in the ‘master’ Azure tenant. This is basically the individual user or Azure AD security group who you wish to give access rights to the ‘client’ Azure tenants.

image

You will find the Object ID on the front page of that item in Azure AD as shown above. The above example shows this for a single user.

image

The above example is for a group.

6. You now need to decide what permissions you will give this Object ID from the ‘master’ Azure tenant inside the ‘client’ tenants. You can find all the IDs for Azure built-in roles here:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

So, if you want the ‘master’ tenant Object ID to have effectively full rights inside the ‘client’ Azure tenants use (the Owner role itself cannot be delegated through Azure Lighthouse, so Contributor is the broadest option):

Contributor – ID = b24988ac-6180-42a0-ab88-20f7382dd24c

Remember, best practice is to follow least privilege and as such if you just want to view Azure Sentinel information in the ‘client’ Azure tenant use:

Azure Sentinel Reader – ID = 8d289c81-5878-46d4-8554-54e1e3d8b5cb

but as I said, be very, very careful about the rights you assign the ‘master’ Object ID inside the ‘client’ tenants.

Once you have all the above information, you’ll need to log in to the ‘client’ Azure tenant with the user account from step 3 above (i.e. an owner of the subscription in the ‘client’ Azure tenant).

In the same browser session open a new tab and navigate to:

https://github.com/Azure/Azure-Lighthouse-samples/

and select the Auto-deployment button in the first row as shown:

image

A custom deployment template should launch

image

and look like the above. Here, select the Subscription and Region appropriate in the ‘client’ Azure tenant. You can put any custom text you wish into the Msp Offer Name and Msp Offer Description field.

Into the Managed by Tenant Id field enter the value you recorded in step 4 above (i.e. the Tenant ID of the ‘master’ Azure tenant).

The Authorizations field needs to be in the format of:

[{"principalId":"ee8f6d35-15f2-4252-b1b8-591358e8a244","roleDefinitionId":"acdd72a7-3385-48ef-bd42-f606fba81ae7","principalIdDisplayName":"PIM_Group"},{"principalId":"ee8f6d35-15f2-4252-b1b8-591358e8a244","roleDefinitionId":"91c1777a-f3dc-4fae-b103-61d183457e46","principalIdDisplayName":"PIM_Group"}]

where the principalId field will be the item you obtained in step 5 above (i.e. who in the ‘master’ Azure tenant you want to have rights in the ‘client’ Azure tenant) and roleDefinitionId will be the information obtained in step 6 above (i.e. what permissions you want to give inside the ‘client’ Azure tenant). You can assign the principalIdDisplayName field any meaningful text you wish. In the sample above the two role IDs are Reader (acdd72a7-…) and Managed Services Registration assignment Delete Role (91c1777a-…); the latter is the Lighthouse-specific role that lets the ‘master’ tenant remove its own delegation later, so it is worth keeping in your list.

As you can see from the example you can chain multiple permission assignments together. So in this example, let’s say that I want to assign my one user full contributor rights and a security group only Azure reader rights. The entry would then look like:

[{"principalId":"b75e7296-a058-4000-0000-000000000000","roleDefinitionId":"b24988ac-6180-42a0-ab88-20f7382dd24c","principalIdDisplayName":"User_contributor"},{"principalId":"8d3a5c5a-0d1e-4639-0000-000000000000","roleDefinitionId":"8d289c81-5878-46d4-8554-54e1e3d8b5cb","principalIdDisplayName":"Group_Sentinel_reader"}]

It is very, very important that you get the formatting of the Authorizations field correct. I suggest you compose it in something like Notepad (with word wrap = off) and paste it in. If you see any errors during deployment, double check you have this field EXACTLY correct!
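The following Python is an added example, not from this post and not from the Azure-Lighthouse-samples repo. It builds the Authorizations value from a short list of (principal Object ID, role ID, display name) tuples, rejects malformed GUIDs, exact duplicates and the Owner role (which Lighthouse will not let you delegate), and emits the single-line, straight-quoted JSON to paste into the form, so the smart-quote and typo problems warned about above cannot happen. It can also wrap the same values in an ARM parameters file for a scripted deployment of the same template, on the assumption that the template’s parameter names match the labels on the form (mspOfferName, mspOfferDescription, managedByTenantId, authorizations). The principal Object IDs are made-up placeholders; the role IDs are the ones quoted in this post.

```python
"""
Added example (not part of the original post): build and sanity-check the
Authorizations value for the Azure Lighthouse auto-deployment form, and
optionally wrap it in an ARM parameters file for a scripted deployment.

The role definition IDs are the ones quoted in the post. The principal
Object IDs below are constructed placeholders and must be replaced with
the real user/group Object IDs from the 'master' tenant.
"""
import json
import re

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Azure built-in role definition IDs.
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
SENTINEL_READER = "8d289c81-5878-46d4-8554-54e1e3d8b5cb"
# Lighthouse-specific role that lets the 'master' tenant remove its own delegation.
MSP_REGISTRATION_DELETE = "91c1777a-f3dc-4fae-b103-61d183457e46"
# Owner cannot be delegated through Lighthouse at all; refuse it up front.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"


def _guid(value, what):
    """Return the value lower-cased, or raise if it is not a GUID."""
    if not GUID.match(value):
        raise ValueError(f"{what} is not a GUID: {value!r}")
    return value.lower()


def authorization(principal_id, role_definition_id, display_name):
    """One validated entry of the Authorizations array."""
    role = _guid(role_definition_id, "roleDefinitionId")
    if role == OWNER:
        raise ValueError("Owner cannot be assigned via Azure Lighthouse; use Contributor or narrower")
    return {
        "principalId": _guid(principal_id, "principalId"),
        "roleDefinitionId": role,
        "principalIdDisplayName": display_name,
    }


def build_authorizations(entries):
    """entries: iterable of (principalId, roleDefinitionId, displayName).
    Exact duplicates are rejected here rather than failing at deployment time."""
    seen, out = set(), []
    for principal, role, name in entries:
        auth = authorization(principal, role, name)
        key = (auth["principalId"], auth["roleDefinitionId"])
        if key in seen:
            raise ValueError(f"duplicate authorization for {key}")
        seen.add(key)
        out.append(auth)
    if not out:
        raise ValueError("at least one authorization is required")
    return out


def to_portal_string(auths):
    """Single-line, straight-quoted JSON for the Authorizations field."""
    return json.dumps(auths, separators=(",", ":"))


def build_parameters_file(offer_name, offer_description, managed_by_tenant_id, auths):
    """ARM parameters-file body for the same deployment (parameter names assumed
    to match the form labels: mspOfferName, mspOfferDescription, managedByTenantId,
    authorizations), for use with New-AzDeployment / az deployment sub create."""
    params = {
        "mspOfferName": offer_name,
        "mspOfferDescription": offer_description,
        "managedByTenantId": _guid(managed_by_tenant_id, "managedByTenantId"),
        "authorizations": auths,
    }
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {k: {"value": v} for k, v in params.items()},
    }


# Constructed placeholders mirroring the post's example: one user as
# Contributor, one group as Azure Sentinel Reader.
SAMPLE_ENTRIES = [
    ("b75e7296-a058-4000-0000-000000000000", CONTRIBUTOR, "User_contributor"),
    ("8d3a5c5a-0d1e-4639-0000-000000000000", SENTINEL_READER, "Group_Sentinel_reader"),
]

if __name__ == "__main__":
    auths = build_authorizations(SAMPLE_ENTRIES)
    print(to_portal_string(auths))
    # Placeholder tenant ID; replace with the 'master' tenant's Tenant ID.
    print(json.dumps(build_parameters_file("CIAOPS", "Managed by CIAOPS",
                                           "00000000-0000-0000-0000-000000000000", auths), indent=2))
```

The first line printed is exactly what goes into the Authorizations field; because json.dumps only ever emits ASCII double quotes, pasting from a word processor is no longer a way to break the deployment. Keeping the tuple list under version control also gives you a record of exactly which principals were delegated which role into which customer, which is the least-privilege audit trail the post asks you to be careful about.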

image

Once you have entered all the information, select the Review + create button at the bottom of the screen.

Your options will then be validated, and if passed, select the Create button at the bottom of the screen.

image

You should then see the deployment commence as shown above. The deployment will take a few minutes to complete, after which it takes at least another 15 minutes for the Azure Lighthouse configuration to appear in the ‘master’ and ‘client’ tenants, so be patient.

image

After the 15 minutes, navigate to Azure Lighthouse in the ‘client’ tenant and look at Service provider offers as seen above. This tells you that this ‘client’ tenant has a single delegation (i.e. it is connected to one ‘master’ Azure tenant).

image

Now head over to the ‘master’ Azure tenant and view Azure Lighthouse there, but look at the My customers then Customers option as seen above. Here you should see the ‘client’ Azure tenant just added to the current ‘master’ Azure tenant. Again remember, this takes around 15 minutes to appear once configured.

Congratulations, you have successfully used Azure Lighthouse to link a ‘client’ Azure tenant to a ‘master’ Azure tenant. Look out for upcoming articles on what you can now do once you have enabled Azure Lighthouse.

Register your interest for a hands on, deep dive Microsoft 365 Security event


If you are interested in attending a hands on in person 2 day deep dive event into Microsoft Security including:

– Exchange Online

– Windows 10 hardening

– Effective incident monitoring

– Identity security

– Data protection

and more then I encourage you to register your interest now for CIAOPS Secwerks 1 in Melbourne CBD over 2 days, Thursday the 5th and Friday the 6th of August 2021. I expect demand to be extremely high for this event and I will have more to share when I have confirmed all the details. However, feel free to reach out to me if you want more information. Please register your interest here to be kept up to date with the event:

http://bit.ly/ciaopsroi

The theme of this event will be to help you understand all the technologies that the Microsoft Cloud provides, how to configure them appropriately and get your Microsoft Secure Score above 80%. The material covered will be technical: it will cover the basics and then extend beyond Level 400. The course is specifically designed for those who need to provide security for environments connected to Microsoft 365.

I hope to see you there.