Basic event capture in Microsoft 365

If you want to be able to find out what has happened in Microsoft 365 you’ll need to ensure that you have enabled the appropriate logs as well as being able to view information there when needed. This video shows you the basic locations for logs in Microsoft 365 as well as the different services that cane be used to query and report on these. It is important to have all your logging enabled well in advance of when you’ll need it. This video should get you started.

Video link – https://www.youtube.com/watch?v=-YSHlo4Cvgo

Introduction to Exchange Online Protection

This video is the technical session from my May 2023 Need to Know webinar that focuses on helping people understand Microsoft 365. The aim is to help viewers get an overview of how Exchange Online Protection secures their environment and where they can go to made additional adjustments if required.

The session was recorded using Microsoft Teams.

You can find the slide deck for this session here – https://www.slideshare.net/directorcia/may-2023-ciaops-need-to-know-webinar

Privileged Identity Management auditing options

Privileged Identity Management or PIM is a way to allow the ability for users to escalate their rights on demand via approvals as well as being audited. This video shows you locations in the Azure portal where these logs are located for both the user escalating and the tenant administrator.

Video link = https://www.youtube.com/watch?v=uXYZXiN8Of8

Connect to Microsoft 365 using PowerShell

Once you have set up your PowerShell environment the next thing is to use it to connect to Microsoft 365 services like Exchange Online and Teams.

I have created several free automation scripts at:

https://github.com/directorcia

to make that process easy.

In this video, I’ll walk you through the steps of using what I have created to make it simple to connect to any Microsoft 365 service using PowerShell quickly and easily.

Here is a direct link to the video:

https://www.youtube.com/watch?v=c1PwAbzM8RI

Windows Defender Application Control (WDAC) basics

Windows Defender Application Control, like Windows AppLocker is a way to control what executes on your Windows 10 Professional and Enterprise workstation. For more information have a look at this article from Microsoft:

Windows Defender Application Control and AppLocker Overview

You can easily configure WDAC using PowerShell and Microsoft provides a number of example policies that you can use to get started. This video will demonstrate that process on a stand alone Windows 10 Enterprise workstation:

https://www.youtube.com/watch?v=Nj5vBloAWy0

Both WDAC and AppLocker can be used together but the recommendation is use WDAC as it is a more modern approach to whitelisting and has greater security controls and enforcements.

You can also deploy WDAC using Intune and Endpoint Manager which I’ll look to demonstrate in an upcoming article.

So, much like AppLocker, you can use WDAC to prevent executables on your Windows 10 environment. This is a great way to minimise the risk of ransomware and should be part of your defence in depth strategy.

Windows AppLocker basics

Windows AppLocker is an inbuilt component of Windows 10 that allows you to do applications whitelisting. This is really good way to help minimise the chances of ransomware infections.

To use it in stand alone more or or with Group policy you are going to need to use Windows 10 Enterprise. However, you can use a tool like Intune to also manage AppLocker with Windows 10 Professional. For more details see:

Requirements to use AppLocker

The video takes you through the basic setup and operation of Windows AppLocker in a stand alone environment so you can get a feel for how it is configured and works.

In an upcoming post I’ll also details how to configure AppLocker using Intune via Microsoft Endpoint Manager.

Security test script walk through video

I’ve create this video to give you a basic walk through of the free security testing PowerShell script I’ve created. You’ll find the script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

In the video you’ll see how to quickly get and run the script as well the results it generates on a stand alone Windows 10 device.

Apart from Windows 10, PowerShell and Word there are no special requirements and it can be used on stand alone, domain or Azure Ad joined, etc. It doesn’t matter. It is designed to help you better evaluate your security posture.