A better KQL Query to report failed login by country

The above is an improved version of a KQL query you can use to report on failed logins to Entra ID over the past 30 days. It also excludes a country (here Australia) if desired.

The country codes are here:

https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

Note: if you copy and paste directly from here you will probably have the change the “ when you paste into your own environment as the wrong “ gets taken across!

Need to Know podcast–Episode 340

I take a look at something many overlook when it comes to security in their Microsoft 365 environment – Exposure score. In essence it is like a targeted Secure Score for a particular threat like Business Email Compromise. There is also news and updates from the Microsoft Cloud so listen along and review the show notes for more information.

Brought to you by www.ciaopspatron.com

you can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-340-exposure-management/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

@directorcia

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

The way to control EWS usage in Exchange Online is changing

New Microsoft-managed policies to raise your identity security posture

Storm-2372 conducts device code phishing campaign

Block malicious command lines with Microsoft Defender for Endpoint

Clipchamp: Elevating work communication with seamless video creation in Copilot

Sharing with Microsoft Whiteboard

AI agents at work: The new frontier in business automation

Copilot learning hub

New Certification for Microsoft information security administrators

What is Security Exposure Managenet?

Updated Windows for Endpoint Security Baseline

Microsoft has updated the Windows Security Baseline for Endpoint Security in Intune to 24H2 as shown above. Baselines are an easy way to set a vast array of best practice settings across your Windows devices in a single policy, already pre-configured by Microsoft.

I have extracted the policy to a JSON file and made it available at:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/win.json

and the previous one is here:

https://github.com/directorcia/bp/blob/main/Intune/Policies/Endpoint/Baselines/Archive/win.json

You can now simply import that directly into your environment programmatically using something like PowerShell.

I will note that when I initially exported the templated and tried to import it back I got the error:

Invalid Reference id found in Policy

after a lot of troubleshooting (and I mean a LOT) I tracked down the issue to be related to id 241:

{
   “id”: “241”,
   “settingInstance”: {
     “choiceSettingValue”: {
       “value”: “device_vendor_msft_policy_config_deviceguard_machineidentityisolation_0”,
       “children”: [],
       “settingValueTemplateReference”: {
         “useTemplateDefault”: false,
         “settingValueTemplateId”: “6a208e4b-0e34-4d12-a821-3173e99f3ce0”
       }
     },
     “@odata.type”: “#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance”,
     “settingDefinitionId”: “device_vendor_msft_policy_config_deviceguard_machineidentityisolation”,
     “settingInstanceTemplateReference”: {
       “settingInstanceTemplateId”: “1fa97457-2a1f-4e33-b3c2-9a4c8930510d”
     }
   }
}

removing that from teh template allowed the rest of the template to import. I’ll have to spend some more time working out the exact settings and hopefully by then Microsoft fixes the issue and I’ll update the JSON in my Best Practices repository. However, for now the JSON at the URL can be imported.

Checking your environment for oversharing

Microsoft now provides the ability to check yoru environment for oversharing my running a data assessment report which you’ll find in DSPM for AI inside Microsoft Purview.

Here’s my video to get you started:

https://www.youtube.com/watch?v=aVUQ6PGnMmE

some documentation to help is here:

Get started with Data Security Posture Management

Hopefully, the reporting will become more details and allow you to take direct action on individual items that are reported. However, for now, it is a handy report to have in your bag of tricks.

New mailbox logging settings

CISA released a Microsoft Expanded Cloud Logs Implementation Playbook that I recommend Microsoft 365 administrators take a look at.

“This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.”

“Default enablement is defined at a license level. For example, Auditing (Standard or Premium) is enabled by default for E3/E5/G3/G5 licenses. Some licenses, such as M365 Business Basic, M365 Business Standard, M365 Business Premium, and trial license accounts do provide access to Audit but do not currently have auditing enabled by default. These licenses will have Audit enabled by default in the future. If you are leveraging one of these license types, the steps below can be utilized to ensure that all audit features are enabled.”

Thus, if you are using ANY Microsoft 365 license in my books you want to ensure all the logging available to you is enabled for all user, regardless of Microsoft does.

The playbook will take you what needs to be done. Most of it relates to:

Mailbox actions for user mailboxes and shared mailboxes

with the most important being around the MailItemsAccessed setting, but there are others.

The most important thing to remember is that most of these settings cannot be set in the web portal and can only be set using PowerShell commands like:

Set-Mailbox – @{Add=“SearchQueryInitiated”}

Apart from these settings the playbook has lots of additional handy information that will help with the security of your Microsoft 365 environment and this makes it a recommended read for all administrators.

Distributed Password cracking attempts detected by Sentinel

Over the past couple of days I’ve inundated with failed logins from locations all around the world. You can see a partial list of the those IPs reported in Sentinel above.

But, for the first time I also found this alert had triggered an incident in Sentinel – Distributed Password cracking attempts in Microsoft Entra ID, as seen above.

Here is the list and locations so far:

IP Address	Origin (Country)	Potential Organization (if identifiable)
31.141.37.30	Russia	Provider: Rostelecom
38.222.57.97	United States	Comcast Cable Communications
190.99.43.237	Argentina	Telecom Argentina
187.55.129.25	Brazil	Vivo (Telefônica Brasil)
186.77.198.100	Brazil	Oi S.A.
24.152.24.225	United States	Cox Communications
102.212.239.10	Uganda	Uganda Telecom
131.161.44.200	United States	Microsoft Corporation
177.222.169.132	Brazil	TIM Brasil
31.155.228.215	Romania	UPC Romania
168.228.92.190	Brazil	NET Virtua
186.235.247.106	Brazil	Oi S.A.
177.124.90.249	Brazil	Vivo (Telefônica Brasil)
189.84.180.196	Brazil	Oi S.A.
190.89.30.3	Brazil	Vivo (Telefônica Brasil)
201.77.175.53	Brazil	Oi S.A.
206.0.9.157	United States	Comcast Cable Communications
138.0.25.140	Brazil	Oi S.A.
176.29.230.49	Ukraine	Ukrtelecom
191.99.34.144	Brazil	Claro Brasil
87.116.135.139	France	Orange S.A.
170.82.15.6	Brazil	Claro Brasil
84.54.71.37	Spain	Telefónica
170.231.164.96	Brazil	Oi S.A.
45.231.208.166	Mexico	Megacable
190.14.176.31	Colombia	ETB (Empresa de Telecomunicaciones de Bogotá)
85.106.118.20	Italy	TIM (Telecom Italia)
191.189.9.96	Brazil	Claro Brasil
152.249.19.25	Argentina	Telecom Argentina
189.34.199.125	Brazil	Vivo (Telefônica Brasil)
41.225.129.174	Nigeria	MTN Nigeria
85.96.249.52	Italy	Vodafone Italia
197.26.214.34	South Africa	MTN South Africa
187.183.41.6	Brazil	Claro Brasil
177.126.234.232	Brazil	Vivo (Telefônica Brasil)
149.86.137.85	United States	AT&T

Always nice to have Sentinel on the job letting me know what’s going on!

Viewing Copilot prompt and responses across the organisation

To explore Copilot activity in your environment open:

https://purview.microsoft.com

with a user with appropriate access. Select Solutions on the left and then DSPM for AI as shown above.

Then select Activity Explorer and from the list that appears on the right select an entry that says AI interaction as shown above.

You should now see a panel appear from the right with a range of details about that session. Towards the bottom you will find

both the Prompt and Response as shown above. You will also see an resources, for example files or links, used in that session.

A little further up you will also find where that session took place, in this case from inside an Office app.

The Data Security Posture Security Management (DSPM) for AI has many other resources that you can also take advantage of but the above is the simplest method I’ve found to quickly see what a Microsoft 365 Copilot prompt and response in the environment was.

Configuring DLP with Microsoft 365 Copilot

Here is a video that takes you through the process of setting up a Data Loss Prevention Policy (DLP) that protects content when used in Microsoft 365 Copilot.

To achieve this you need to set up Data Labelling in your Microsoft 365 environment which is not covered in this video. Documentation from Microsoft on DLP with Microsoft 365 Copilot can be found here:

Learn about the Microsoft 365 Copilot policy location (preview)