Bulk Pre-Register MFA For Users Without Forcing MFA

We’ve often been asked to bulk pre-register Azure Active Directory MFA for our customers’ users, so that MFA can be rolled out smoothly and sign-on stays as seamless as possible.
This script helps you to:

  1. Configure MFA strong authentication methods
  2. Set a default MFA authentication method for all users or for a subset of users
  3. Update the mobile number for a list of users
  4. Update strong authentication methods for a list of users
  5. Get MFA strong authentication details for all users
  6. Get MFA authentication contact info where the phone number is null
  7. Update the mobile number only if the user has no mobile number set

NOTE: Before proceeding with MFA and SSPR enablement and configuration, be aware that users can change their authentication mobile phone number whenever they need to. Admins can pre-define the number, but they have no control over it afterwards: users can still change it.

Keep in mind:

  • If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven’t registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values are persisted in the Authentication Phone and Authentication Email fields, respectively.
  • If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow.
  • The Alternate phone field isn’t used for password reset.
  • If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.
  • If the Alternate email field is populated and Email is enabled in the SSPR policy, the user won’t see that email on the password reset registration page, but they see it during the password reset workflow.
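The following is an added example of the pre-registration approach described above; it is not the script from the post. It uses the MSOnline module (Connect-MsolService), which Microsoft has since deprecated in favour of the Microsoft Graph authentication methods API, so treat it as illustrating the 2020-era technique. The CSV content, UPNs and phone numbers are constructed placeholders. It writes a mobile number only where none exists, pre-populates the strong authentication method list with a default, and reports users whose MFA phone is still empty.

```powershell
# Added example, not the post's script. Assumes an admin session via Connect-MsolService
# and a CSV with the columns UserPrincipalName,MobilePhone (sample rows are constructed).
Import-Module MSOnline
Connect-MsolService

$users = @'
UserPrincipalName,MobilePhone
alice@contoso.com,+1 4255550100
bob@contoso.com,+1 4255550101
'@ | ConvertFrom-Csv

function New-MfaMethodSet {
    # Builds the StrongAuthenticationMethods array; exactly one entry is flagged IsDefault.
    # Valid MethodType values: OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification.
    param([string]$Default = 'OneWaySMS')
    foreach ($type in 'OneWaySMS', 'TwoWayVoiceMobile', 'PhoneAppOTP', 'PhoneAppNotification') {
        $m = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
        $m.MethodType = $type
        $m.IsDefault  = ($type -eq $Default)
        $m
    }
}

foreach ($row in $users) {
    $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction Stop

    # Only write a phone if the user has none (neither a registered MFA phone nor a
    # directory mobile). Never overwrite what a user has registered themselves.
    $hasMfaPhone = -not [string]::IsNullOrWhiteSpace($user.StrongAuthenticationUserDetails.PhoneNumber)
    $hasMobile   = -not [string]::IsNullOrWhiteSpace($user.MobilePhone)
    if (-not $hasMfaPhone -and -not $hasMobile) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -MobilePhone $row.MobilePhone
    }

    # Pre-populate the method list with SMS as default. This does NOT enforce MFA: without a
    # per-user requirement or a Conditional Access policy the user is never prompted.
    if (-not $user.StrongAuthenticationMethods) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
            -StrongAuthenticationMethods (New-MfaMethodSet -Default 'OneWaySMS')
    }
}

# Report: users whose MFA contact phone is still empty, with their current default method
Get-MsolUser -All |
    Where-Object { [string]::IsNullOrWhiteSpace($_.StrongAuthenticationUserDetails.PhoneNumber) } |
    Select-Object UserPrincipalName, MobilePhone,
        @{ n = 'DefaultMethod'; e = { ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType } }
```

Run it from an account holding an authentication administrator role. The check on both `StrongAuthenticationUserDetails.PhoneNumber` and `MobilePhone` is what makes a rerun safe: the post’s item 7 (update only if the mobile does not exist) is the idempotent path, and the users keep the ability to change the number at registration time, as the note above explains.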

Download here.

from 3tallah’s Blog https://ift.tt/38afKrt

Deploying Dependency, MMA Agents and Update Microsoft Monitoring Agent Configuration

This script was created to help customers who need to install the Dependency (ServiceMap) and MMA agents, then configure the agent with the Azure OMS (Log Analytics) workspace ID and workspace key, and optionally configure a proxy.
I had a customer requirement to push the MMA and Dependency agents automatically to 530 VMs with a specific configuration, as they already had SCOM in place. For that purpose I created two scripts: one that only modifies the current MMA agent so that it sends its logs to SCOM as well as to the OMS gateway, and a second that replaces the current MMA agent with the new one and applies its configuration. Both were then added to SCCM for normal deployment.
Here I’m sharing a combined script that includes both functionalities with clear NOTES, so you can use the script as-is or remove the region that is not part of your target.
For more information on the script and to download it, please check TechNet Post; here.
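Below is an added example of the configuration half of that job, written for this page rather than taken from the post’s script. It drives the agent through its AgentConfigManager.MgmtSvcCfg COM object, which is what the Log Analytics agent exposes for workspace, proxy and management-group changes. The install paths, workspace ID/key, proxy and SCOM names are placeholders; the silent-install switches are the documented MMA and Dependency agent ones, and the script assumes the MMA installer was already extracted to C:\MMA (MMASetup-AMD64.exe /c /t:C:\MMA).

```powershell
# Added example, not the post's script. Run elevated, e.g. as an SCCM package.
# Installs the agents if missing, then (re)configures an existing MMA without
# touching its SCOM management group: workspace added only if absent, optional proxy.
param(
    [Parameter(Mandatory)] [string]$WorkspaceId,
    [Parameter(Mandatory)] [string]$WorkspaceKey,
    [string]$ProxyUrl,                  # optional, e.g. 'proxy.contoso.local:8080'
    [pscredential]$ProxyCredential,     # optional, for an authenticating proxy
    [string]$ScomGroup,                 # optional, e.g. 'CONTOSO-MG' (dual-home the agent)
    [string]$ScomServer,                # optional, e.g. 'scom01.contoso.local'
    [int]$ScomPort = 5723,
    [string]$InstallerRoot = 'C:\MMA'   # placeholder: where setup.exe and the DA installer live
)

# 1. Install the MMA if it is not there (joins the workspace at install time).
if (-not (Get-Service -Name HealthService -ErrorAction SilentlyContinue)) {
    $setupArgs = '/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 ' +
                 "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey " +
                 'AcceptEndUserLicenseAgreement=1'
    Start-Process -FilePath (Join-Path $InstallerRoot 'setup.exe') -ArgumentList $setupArgs -Wait
}

# 2. Install the Dependency agent (Service Map) silently if missing.
if (-not (Get-Service -Name MicrosoftDependencyAgent -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath (Join-Path $InstallerRoot 'InstallDependencyAgent-Windows.exe') `
        -ArgumentList '/S /RebootMode=manual' -Wait
}

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

# 3. Workspace: add only if this ID is not already configured, so reruns are harmless.
$configured = @($mma.GetCloudWorkspaces() | ForEach-Object { $_.workspaceId })
if ($configured -contains $WorkspaceId) {
    Write-Output "Workspace $WorkspaceId already configured; skipping."
} else {
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    Write-Output "Added workspace $WorkspaceId."
}

# 4. Optional proxy for the agent's outbound HTTPS (to the workspace or an OMS gateway).
if ($ProxyUrl) {
    if ($ProxyCredential) {
        $mma.SetProxyInfo($ProxyUrl, $ProxyCredential.UserName,
                          $ProxyCredential.GetNetworkCredential().Password)
    } else {
        $mma.SetProxyInfo($ProxyUrl, '', '')
    }
}

# 5. Optional SCOM management group, kept alongside the workspace. The text match avoids
#    depending on the COM object's property names for the management group entries.
if ($ScomGroup -and $ScomServer) {
    $groupsText = $mma.GetManagementGroups() | Out-String
    if ($groupsText -notmatch [regex]::Escape($ScomGroup)) {
        $mma.AddManagementGroup($ScomGroup, $ScomServer, $ScomPort)
    }
}

$mma.ReloadConfiguration()
Restart-Service -Name HealthService

# 6. Verify: list configured workspaces (the key is never echoed) and the management groups.
$mma.GetCloudWorkspaces()  | Format-List
$mma.GetManagementGroups() | Format-List
```

Keep the workspace key out of the SCCM package’s plain-text program command line where you can (a protected collection variable or a task-sequence variable is the usual answer); anyone who can read that key can enrol a rogue machine and inject logs into the workspace.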

from 3tallah’s Blog https://ift.tt/395dgLX

Azure Sentinel: Fundamentals and Quick Start

What is Azure Sentinel?

Azure Sentinel is a SIEM (security information and event management) and SOAR (security orchestration, automation and response) system in Azure. This means that incidents and security threats can be detected and alerted on, and you can use it to investigate and mitigate them. You gain insight into collected data, events and potentially harmful incidents through overviews, dashboards and custom queries. Once an incident occurs, you can choose to launch an Azure Sentinel Playbook, a Logic App workflow that begins the automated mitigation process.

Azure Sentinel covers four crucial areas or stages:

  • Collect. Collect data from multiple sources and clouds: on-premises, applications, infrastructure, users, services, and others.
  • Detect. Detect threats to protected and monitored resources as they happen, minimizing the time to react to them.
  • Investigate. Powered by artificial intelligence, search for and discover malicious activities across all protected assets.
  • Respond. Once a threat is known, avoid manual actions and respond to it by automating tasks.

What does it cost?

  • Capacity Reservation based pricing
    • Capacity Reservation is a fixed-fee license, where you pay for capacity (and receive discounts based on the amount of capacity you purchase).
    • Purchasing capacity for 100 GB per day costs 109.63 € ($123)/day.
  • Pay-As-You-Go
    • The first 5 GB is free; after that you pay 2.522 € ($2.99) per GB ingested into Azure Sentinel.
    • Pay-As-You-Go is charged on top of Log Analytics ingestion pricing, which is set at 2.20 € ($2.60)/GB.

What about Azure Security Center?

  • ASC is more about assessing and understanding how to best configure your Azure assets (posture and hardening).
  • Azure Sentinel is all about detecting bad actors that are accessing your data and responding to them.

Data Retention

Once Azure Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices.

Advanced multistage attack detection in Azure Sentinel

  • Anomalous login leading to O365 mailbox exfiltration
  • Anomalous login leading to suspicious cloud app administrative activity
  • Anomalous login leading to mass file deletion
  • Anomalous login leading to mass file download
  • Anomalous login leading to O365 impersonation
  • Anomalous login leading to mass file sharing
  • Anomalous login leading to ransomware in cloud app

On-board Azure Sentinel

To on-board Azure Sentinel, you first need to enable Azure Sentinel on a Log Analytics workspace, and then connect your data sources. Azure Sentinel comes with a number of connectors for Microsoft solutions. If you already have a Log Analytics workspace, you can choose to use one of those; otherwise, create a new empty one.

Global prerequisites

  • Active Azure subscription
  • Log Analytics workspace
  • Contributor permissions on the subscription in which the Log Analytics workspace resides

Connect data sources

  • Machines and virtual machines: install the Azure Sentinel agent (the Log Analytics agent), which collects the logs and forwards them to Azure Sentinel.
  • Firewalls and proxies: these send Syslog or CEF events to a Linux machine acting as a log forwarder. The agent is installed on that machine, collects the events from it and forwards them to Azure Sentinel.

Once a connector has been configured, you can click on Next steps to see additional guidance on how to best utilize the connector. For Azure Active Directory, the options include additional workbooks, and a few query samples using Log Analytics’ query language, KQL (also sometimes known as Kusto).

Azure Sentinel: Incidents

Azure Sentinel can collect data from all sorts of data sources, like Azure Security Center, Azure Active Directory, Office 365, Amazon Web Services, CyberArk and more. It can detect incidents in the data from those sources and alert you that something needs your attention. Once an incident occurs, you can choose to launch an Azure Sentinel Playbook, a Logic App workflow that begins the automated mitigation process.

Azure Sentinel: Hunting

Hunting in this context means that investigators run queries, investigate, and use Jupyter notebooks (Azure Notebooks in Azure Sentinel) to proactively look for security threats before an alert fires.

Azure Sentinel: Detecting threats

After you have connected your data sources to Azure Sentinel, you want to be notified when something suspicious happens. To enable you to do this, Azure Sentinel provides out-of-the-box built-in rule templates.

  • Use out-of-the-box detections
  • Automate threat responses

For the built-in Microsoft incident creation rules you can choose between alerts from Azure Security Center, Cloud App Security, Azure ATP, and Azure AD Identity Protection.

If you want more freedom, use a Scheduled query rule when creating the rule. This lets you select which tactics to watch for, and what severity level you’re interested in.
To build your detection rules, click Azure Sentinel > Analytics. Click + Create to add a new rule.

With a Scheduled query rule you have to write a custom query, set its schedule (how often it runs and over what lookback period) and the alert threshold (how many results trigger an alert).
You can also execute a playbook based on the triggered alert.

Azure Sentinel – Analytic rule 

You can create a rule based on a scheduled query (using the query language in Log Analytics), or use a pre-defined service-triggered rule, such as an alert from Azure Security Center. I’ll choose the latter (Microsoft incident creation rule) as it’s a bit more explanatory of what happens when detecting a threat.
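To show what the scheduled-query path looks like end to end (the custom query, the schedule, the threshold and the tactic mentioned above), here is an added example that is not from the post. It first runs a KQL password-spray detection against the workspace as a hunting query, then creates it as a scheduled analytics rule. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights 3.x modules (3.x takes -Kind Scheduled; the 1.x releases used a -Scheduled switch), and the resource group, workspace name, workspace ID and the threshold of ten accounts are placeholders to tune for your tenant.

```powershell
# Added example, not from the post. Requires Az.Accounts, Az.OperationalInsights,
# Az.SecurityInsights (3.x). All names/IDs below are placeholders.
Connect-AzAccount | Out-Null
$rg          = 'rg-sentinel'
$workspace   = 'law-sentinel'
$workspaceId = '00000000-0000-0000-0000-000000000000'

# Password spray: one source IP failing against many distinct accounts within an hour.
# ResultType 50126 = invalid username or password, 50053 = account locked.
$query = @'
SigninLogs
| where ResultType in ("50126", "50053")
| summarize Failures = count(),
            Accounts = dcount(UserPrincipalName),
            SampleAccounts = make_set(UserPrincipalName, 5)
          by IPAddress, bin(TimeGenerated, 1h)
| where Accounts >= 10
| project TimeGenerated, IPAddress, Failures, Accounts, SampleAccounts
'@

# 1. Hunt first: run the query over the last day and look at the noise before alerting on it.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query `
              -Timespan (New-TimeSpan -Days 1)
$result.Results | Format-Table -AutoSize

# 2. Create the scheduled rule: run hourly over the last hour, alert when the query returns
#    any row (GreaterThan 0), and suppress repeat alerts for six hours.
$rule = New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $workspace `
    -Kind Scheduled `
    -DisplayName 'Possible password spray from a single IP' `
    -Description 'One IP with >= 10 distinct accounts failing (bad password / lockout) in 1 hour' `
    -Severity Medium `
    -Tactic CredentialAccess `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan `
    -TriggerThreshold 0 `
    -SuppressionEnabled `
    -SuppressionDuration (New-TimeSpan -Hours 6) `
    -Enabled

$rule | Select-Object Name, DisplayName, Enabled, Severity
```

Keep the query period equal to (or a little longer than) the frequency so that no hour of sign-in data falls between two runs, and treat the `Accounts >= 10` threshold as something to baseline against your own tenant: a large shared NAT address will legitimately produce many failing accounts from one IP.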

Azure Sentinel: Playbooks 

After creating your detection rules and alerts, it’s time to start creating your playbooks by building Logic App workflows. With them you can create an automated response to the detected threats.

Azure Sentinel – Workbooks Templates:

  • AWS Network Activities
  • AWS User Activities
  • Azure Activity
  • Azure AD Audit logs
  • Azure AD Sign-in logs
  • Azure Firewall
  • Azure Information Protection
  • Azure Network Watcher
  • Check Point Software Technologies
  • Cisco
  • CyberArk Privileged Access Security
  • DNS
  • Exchange Online
  • F5 BIG-IP ASM
  • FortiGate
  • Identity & Access
  • Insecure Protocols
  • Juniper
  • Linux machines
  • Microsoft Web Application Firewall (WAF)
  • Office 365
  • Palo Alto Networks
  • Palo Alto Networks Threat
  • SharePoint & OneDrive
  • Symantec File Threats
  • Symantec Security
  • Symantec Threats
  • Symantec URL Threats
  • Threat Intelligence
  • VM insights

from 3tallah’s Blog https://ift.tt/2T4T8nX

Protect your files and folders using Azure Backup Agent Recovery Services vault

Back up files and folders on Windows machines with the Azure Backup MARS agent. The agent runs directly on the on-premises Windows machine, so it can back up straight to a Recovery Services vault in Azure.

The steps in this tutorial are:

  1. Create a Recovery Services vault
  2. Download the MARS agent
  3. Install and register the agent
  4. Create a backup policy
  5. Run an on-demand backup
  6. Verify the backup
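The same six steps, scripted, as an added example written for this page rather than taken from the post. It creates the vault and downloads the vault credentials with the Az module, then registers the already installed MARS agent and defines the policy with the MSOnlineBackup module that the agent ships. The resource group, vault name, region, paths and schedule are placeholders, and the passphrase prompt stands in for whatever secret store you use.

```powershell
# Added example, not the post's walkthrough. Step 2 (downloading and installing the MARS
# agent, MARSAgentInstaller.exe) is assumed done; run the rest on the server as an admin.

# Step 1: vault, and the vault credentials file the agent registers with (valid for 48 hours)
Connect-AzAccount | Out-Null
$rg    = 'rg-backup'
$vault = New-AzRecoveryServicesVault -Name 'rsv-files' -ResourceGroupName $rg -Location 'westeurope'
$creds = Get-AzRecoveryServicesVaultSettingsFile -Backup -Vault $vault -Path 'C:\Temp'

# Step 3: register the agent with the vault
Import-Module MSOnlineBackup
Start-OBRegistration -VaultCredentials $creds.FilePath -Confirm:$false

# The passphrase encrypts every backup before it leaves the machine and Microsoft cannot
# recover it. Keep it in Key Vault or an offline store, never only on the protected server.
$passphrase = Read-Host -AsSecureString -Prompt 'Backup encryption passphrase (16+ characters)'
Set-OBMachineSetting -EncryptionPassphrase $passphrase
Set-OBMachineSetting -NoProxy
Set-OBMachineSetting -NoThrottle

# Step 4: policy = schedule + retention + file specs (placeholder paths)
$policy    = New-OBPolicy
$schedule  = New-OBSchedule -DaysOfWeek Monday, Tuesday, Wednesday, Thursday, Friday -TimesOfDay 21:00
Set-OBSchedule -Policy $policy -Schedule $schedule
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention
$include   = New-OBFileSpec -FileSpec 'D:\Data', 'D:\Shares'
$exclude   = New-OBFileSpec -FileSpec 'D:\Data\Temp' -Exclude
Add-OBFileSpec -Policy $policy -FileSpec $include
Add-OBFileSpec -Policy $policy -FileSpec $exclude
Set-OBPolicy -Policy $policy -Confirm:$false

# Step 5: on-demand backup
Get-OBPolicy | Start-OBBackup

# Step 6: verify the most recent job and the policy now in force
Get-OBJob -Previous 1
Get-OBPolicy
```

Delete the .VaultCredentials file once registration succeeds; it is a bearer credential for the vault until it expires.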

Step by step Protect your files and folders using Azure Backup Agent Recovery Services vault Video

from 3tallah’s Blog https://ift.tt/38fZt4P

Block Downloads with Microsoft Cloud App Security (CAS) Conditional Access App Control

Conditional Access App Control uses a reverse proxy architecture: user app access and sessions are routed through Cloud App Security, where they can be monitored and controlled in real time based on access and session policies. Access and session policies are created in the Cloud App Security portal to refine the filters and set the actions to be taken on a user. With the access and session policies

Deploy Conditional Access App Control for featured apps

  • To deploy Conditional Access App Control for Azure AD apps, you need a valid license for Azure AD Premium P1 as well as a Cloud App Security license.

Deployment Steps

  1. Go to the Azure AD portal and create a conditional access policy for the apps that routes the session to Cloud App Security
  2. Sign in to each app using a user scoped to the policy
  3. Verify the apps are configured to use access and session controls
  4. Test the deployment

Step by step Block Downloads with CAS Conditional Access App Control Video
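Step 1 above, scripted, as an added example that is not part of the post. It uses the Microsoft Graph PowerShell SDK to create the Conditional Access policy that routes browser sessions to Office 365 for a pilot group through Cloud App Security, where a session policy (for example “Block download”) does the blocking. The policy is created in report-only mode so that step 4 can be tested before enforcement. The pilot group ID and display name are placeholders.

```powershell
# Added example, not from the post. Requires the Microsoft.Graph PowerShell SDK and an
# account with the Conditional Access Administrator role (or equivalent). IDs are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

$pilotGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder pilot group

$params = @{
    displayName = 'MCAS - route O365 browser sessions for download control'
    state       = 'enabledForReportingButNotEnforced'     # switch to 'enabled' after step 4
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser')                     # session controls apply to browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # mcasConfigured: enforce the session policies defined in the Cloud App Security
            # portal (e.g. "Block download"). blockDownloads: built-in block for
            # unmanaged devices that needs no portal policy.
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Step 3 check: the session control must be present on the created policy
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).SessionControls.CloudAppSecurity
```

With the policy in report-only state, the sign-in logs show which sessions would have been routed; once a pilot user has signed in to each app (step 2) and the app shows up under Conditional Access App Control in the portal (step 3), switch `state` to `enabled` and confirm in a browser that downloads from Office 365 are blocked while viewing still works (step 4).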

from 3tallah’s Blog https://ift.tt/37dF670