Announcing the CIAOPS Power Automate online course

I have just released my new Introduction to Power Automate course which you can find here:

https://www.ciaopsacademy.com/p/introduction-to-power-automate

The course is designed to give you a kick start into the world of automation with Microsoft 365. You’ll learn what Power Automate and Flows are including how to create the different types as well as use connectors to work with data from a variety of sources.

Inside you’ll find a variety of resources including video tutorials, web references, quizzes, examples and more. Upon completion, you will have the confidence to start automating many processes in your business.

Once you get started with Power Automate you’ll be amazed at how much time you’ll save, all using the tools that come with Microsoft 365.

Start here. Start today. And get more time in your day.

Device actions during an incident

Much of the protection with Microsoft Defender for Endpoint is taken care of for you automatically, but let’s say you want to conduct an investigation/remediation process manually. How would you achieve this?

Step 1

Login to the Microsoft 365 Security admin portal with the appropriate permissions. Select Devices from the Assets menu on the left.

You should see a list of the devices that Defender for Endpoint knows about. Select the machine in question to display it’s detailed information as shown above.

In the top right of this dialog on the right you will see an ellipse (three dots). Select these three dots to reveal an actions menu.

Step 2

Now you need to decide how aggressive you want to be during this investigation as that will have a direct impact on the end users experience on the device.

Level 1

The most aggressive option, that will have the greatest impact on the user is select the Isolate Device from the menu as shown above.

On the dialog that appears, enter a comment and select the Confirm button. Don’t select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 2

This is less impactful to the end user and similar to the previous step.

Select the Isolate Device from the menu as shown above.

Here, select the option to Allow Outlook, Teams and Skype for Business while device is isolated.

Enter a comment and select the Confirm button.

This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. This allow you to initiate a live response session, while preventing an attacker gaining remote access. It will also allow the end user to continue using Outlook, Teams and Skype for Business while you conduct the investigation. However, it does not permit connection to anywhere else, including the Internet.

More information – Microsoft Defender for Endpoint device isolation

More information – Defender for Endpoint device execution restrictions

Level 3

From the menu select Restrict App Execution as shown above.

This applies a code integrity policy remotely that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. Thus, Office applications (Word, Excel, Outlook, etc), Edge browser, etc can now run without restriction. However, non Microsoft signed applications can’t.

Typically, a malicious program on the device can now not execute however the user can still continue to work inside certified Microsoft applications.

Enter a comment and select the Confirm button to complete the restriction process.

More information – Microsoft defender for Endpoint Restrict app execution

More information – Defender for Endpoint device execution restrictions

Step 3

The device will display a notification like that shown above.

Step 4

You can now take whatever actions you need to complete the investigation ready for return to service

Step 5

Remove any restrictions. To do, all you need to do to achieve this is return to the ellipse menu and select option to remove the restriction.

Here that would be Remove app restriction as shown above.

You’ll again simply need to add comment and select the Confirm button to remove the restriction.

So, that’s how you can intervene manually with security incidents if you need to at different impact levels for end users.

Power Automate Email Arrive action file size only 4 bytes

If you create a Power Automate with a trigger of When a new email arrives (V3) and you want to work with attachments in your Flow, ensure you select the Show advanced options as shown above.

If you don’t you’ll end up with saved attachments of only 4 bytes in size as shown above as by default the action doesn’t include attachments.

To work with attachments in your Flow, ensure the Include Attachments option is set to Yes as shown above. Then you’ll be able to do things like save the whole attachment to OneDrive for Business.

CIAOPS Need to Know Microsoft 365 Webinar – June

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at SharePoint Lists.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

June Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2306

The details are:

CIAOPS Need to Know Webinar – June 2023
Friday 30th of June 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

An overview of Winget

I thought I’d break out the session I did on Winget from my last podcast as an easier direct reference to the technology I think people should be paying attention to in Windows to manage applications.

The direct link to the session is here:

https://www.youtube.com/watch?v=2nDpgoOIS6s

Need to Know podcast–Episode 303

Join me for all the news an updates from Microsoft Build as well as a look at the Microsoft Package Manager, Winget.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-303-winget/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

YouTube edition of this podcast

Microsoft Build

Microsoft Build Book of News

Expanding IT value in Windows 11 Enterprise and Intune

Windows 365 boot

Announcing new Windows 11 innovation, with features for secure, efficient IT management and intuitive user experience

Microsoft Mesh: Transforming how people come together in the modern workplace

Bringing the power of AI to Windows 11 – unlocking a new era of productivity for customers and developers with Windows Copilot and Dev Home

Hardening Windows Clients with Microsoft Intune and Defender for Endpoint

Cyber Signals: Shifting tactics fuel surge in business email compromise

Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR

Use the winget tool to install and manage applications

Winstall.app

Wingetui

Introduction to Exchange Online Protection

This video is the technical session from my May 2023 Need to Know webinar that focuses on helping people understand Microsoft 365. The aim is to help viewers get an overview of how Exchange Online Protection secures their environment and where they can go to made additional adjustments if required.

The session was recorded using Microsoft Teams.

You can find the slide deck for this session here – https://www.slideshare.net/directorcia/may-2023-ciaops-need-to-know-webinar

May Microsoft 365 Webinar resources

https://www.slideshare.net/directorcia/may-2023-ciaops-need-to-know-webinar

If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:

http://www.ciaopsacademy.com.au/p/need-to-know-webinars

Watch out for next month’s webinar.