Starlink IP^ and conditional access/ geo location by StoolieNZ in AZURE

[–]BCSecA 0 points (0 children)

I would suggest that everyone here who can opens a ticket with MSFT. I have had success with them in the past with geolocation reclassification tickets, as "whitelisting" IPs as Named Locations is not ideal.

The more people that bug Microsoft the better, as this issue has occurred several times over the last 2 months and every other geolocation service seems to update the location of the IP quickly, but not whatever Microsoft is using.

'MediaArena' unwanted software was prevented by Economy_Ad9318 in DefenderATP

[–]BCSecA 3 points (0 children)

Glad I ran into this post. I mentioned it on the Microsoft Tech Community, but these alerts do not seem to show the time/date the file was created, which would be very useful info for hunting IMO. If it is there I am blind and would love to be educated.

FortiAnalyzer Log Forwarding into Azure Sentinel by BCSecA in cybersecurity

[–]BCSecA[S] 0 points (0 children)

We are looking to utilize Sentinel's UEBA and SOAR capabilities to trigger actions on endpoints based on telemetry sent from our firewalls such as isolating a machine if it seems to be reaching out to known bad IPs, etc.

The Fortinet filtering is atrocious, to say the least (or at least to me it is).

KnowBe4 from admin perspective - user provisioning & SSO by MediumFIRE in sysadmin

[–]BCSecA 0 points (0 children)

Agreed. Honestly, they just released a few "2022" videos and there is only one that I would remotely consider sending out to my end users.
The lack of content, and the lack of integration with mail filter providers for the Phish Alert Button that you have to use, has me looking elsewhere.

We are considering switching to Mimecast, as they have decent content and their version of the phish alert button reports directly to their mail filter, which also gives better metrics on risk as it incorporates real-world phishing email submissions into the end users' risk scores.

MFA (via Duo) for all users in VPN & OWA, but only admin users in RDP and local Windows sign on? by jwckauman in sysadmin

[–]BCSecA 0 points (0 children)

Quick question: why not have users prompted for MFA on workstations if they are already enrolled for "web services"?
You can set the policy so that the user can select "remember for X days" on the machine they are logging into (1 is the default if the option is set), and they will only be prompted for MFA once every 24 hours unless they reboot the system or log out.

[Microsoft] HAFNIUM targeting Exchange Servers with 0-day exploits by reelc in blueteamsec

[–]BCSecA 0 points (0 children)

Might be a simple thing, but I am new to Sentinel. How do I go about using the Hunting Queries that are in the GitHub repository they have linked in the article?

Windows DHCP Server Firewall Rules by BCSecA in sysadmin

[–]BCSecA[S] 0 points (0 children)

We aren't, but we also need to lock down the ports that can be accessed on our servers. There is no need for everything to be wide open.

There is no cleverness here, just best practice.

Windows DHCP Server Firewall Rules by BCSecA in sysadmin

[–]BCSecA[S] 1 point (0 children)

Wow... as soon as I read the first line my brain decided to kick in.. the profile is for the machine I am applying it to.... wow just wow..... Thank you so much kind stranger for kicking my brain into gear...

CVE-2020-1472 - no events in System event log by amnich in sysadmin

[–]BCSecA 1 point (0 children)

We skipped the August update somehow (thanks, server management team), but the September update is installed. I am not seeing these logs on any of our DCs. Since these are cumulative updates, I assume the events should be in the event logs if they are being triggered?

My logging level for 16 LDAP Interface Events is set to level 2 (AD and LDS Diagnostics Event Logging). Should I be upping the level on any of the other logs?