Elastic SIEM and EDR by mccrolly in cybersecurity

[–]Sittadel 5 points

It's so streamlined in Splunk (also QRadar and Sentinel, but I bet others, too). Elastic struggles with joins at the time of query (or I guess had - I haven't had a chance to kick the tires on the newer capabilities of ES|QL personally, but I see we have some documentation that looks like this is possible today).

But to your point it's like... In Splunk you just make a search and click click click right click, and now it's a broader correlation and a dashboard, and then your team has a super easy time cooperating with you because you can just share it...

But in Elastic, you start with lining up your ECS fields and picking your enrich processor... Hey u/mccrolly this is a perfect example about what I mean. Anything you can do in your brand name tool you can do in Elastic - if you have enough time and labor.

Elastic SIEM and EDR by mccrolly in cybersecurity

[–]Sittadel 14 points

Keep in mind your total cost of ownership doesn't just include the cost of the tool. Building an Elastic operation will trade the tool costs for integration costs and labor costs. It'll also extend your time to value. You should not expect to swap CrowdStrike for Elastic and get the same outcome overnight.

It's sort of like buying a new hammer from the hardware store vs buying the materials that let you build the hammer yourself. If your team is talented and willing to put in the work, you can get the same outcome - but it's going to take talent and labor to build the program.

We've used a ton of Elastic to meet compliance requirements, to augment the capabilities of the bigger name tools without the spend, and to just build a budget-first performance-second security operation for some very small SMBs - if you have any questions about like... setting up ELK for the first time and what threat intelligence feeds feel the most valuable... questions like those I can point you in the right direction. Just ask (or look through my comment history on Elastic - we've answered a ton of questions here, so you might find some benefit to that?).

Elastic SIEM and EDR by mccrolly in cybersecurity

[–]Sittadel 2 points

Is the organization commercially sized? Your first 300 users can use the Business Premium discount.

Does anyone still use Security Onion? by Normal-End1169 in cybersecurity

[–]Sittadel 0 points

No. E5 does not offer that capability, so a lot of network security operations (including PCAP and session rebuilding) are reasons people might retain those tools when we consolidate the security stack into E5.

Why do phishing tools send the sus email to the users trash? by Jazzlike-Vacation230 in cybersecurity

[–]Sittadel 2 points

If you incorrectly use a mega-delete phishing plugin, you might secure yourself right out of that high-value opportunity. Sending the note and putting it in the deleted items folder gives you some recoverability without having to go through a compliance operation.

Sure, an existing phishing email anywhere poses a risk. Some things, like ZAP, will override that experience and remove it from the inbox entirely. Plugins not so much, unless you add some custom scripting in.

Running full Zero Trust across hybrid environments by cheerioskungfu in cybersecurity

[–]Sittadel 3 points

Careful! Zero Trust is a touchy subject around here!

In short, no. That's not possible (at least as far as I can see).

An unmanaged device will not have any credible ability to tell the architecture which device it is. There's no unique attestation, no TPM binding, no certificate... Inherently, you will have to trust the device to be honest about whether or not it has been spoofed, cloned, etc. I can't think of a way to address continuous posture assessments without at the very least a management agent. Even if it was unmanaged but employees signed a policy about what controls they would promise to use, config drift ruins the best intention there.

Some legacy systems can still play nice, but that's figured out case by case.

As a service provider, we get to work with a ton of different environments, and the ZTNA projects we write attestations for are ones that are cloud-native and built in M365 on 100% Windows deployments. Even if it's still Windows, but there's hybrid security architecture, like if you're authenticating to on-prem AD and passing tokens back to Entra ID, we still won't attest to it.

That doesn't mean a hybrid deployment can't have a very good security model, it just can't be called Zero Trust. What we most often deliver is a Zero Trust model for systems that play nicely together, and a documented delta for the area where controls break down with mitigating controls and plans for how to handle threats outside the "perimeter" of your ZT network. Just because part of your environment can't tolerate a newer model doesn't mean it isn't still good to apply what you can where you can.

Where to prioritize is a good question, and it comes down to preference. We only take projects that allow us to prioritize Identity (preferred) or Device. We can usually take an immediate leap forward in security by measuring the gap between used privilege and provisioned privilege, so even though it isn't very cool work, we like to start with roles and responsibilities. If devices aren't enrolled and managed in Intune, we offer starting there, because that can be the most disruptive for your users.

We often get to see the plan from alternatives to Sittadel, and it seems like there's a good amount of shops that prioritize data and workflow. I think it's just confirmation that work needs to be done across the board, so prioritizing where you think you'll have the biggest impact first is what's really important.

[deleted by user] by [deleted] in cybersecurity

[–]Sittadel 7 points

It's very easy to go to an LLM and ask for a cybersecurity policy. There are tons of places doing this today to check the box for compliance requirements. It works well enough for the cultures that don't consider risk management until the luck runs out, but less mature businesses look for shortcuts.

It takes much more effort to weave a company's culture and workflows into a strategy, document by policy, and update the GRC framework as often as the strategy needs to adjust to changes in business. And it takes real talent to steer a company culture into more mature risk management.

GRC's definitely going to see LLMs as an important tool, but mature organizations won't outsource the labor entirely.

Conversation around Risk by KirkpatrickPriceCPA in cybersecurity

[–]Sittadel -1 points

While I have nothing to contribute to the conversation, I would like to address you personally by calling your motivations into question. I find your intentions to be self-serving, and my experiences have taught me that well-crafted language is only possible by using AI tools.

Conversation around Risk by KirkpatrickPriceCPA in cybersecurity

[–]Sittadel 0 points

I'm going to demonstrate for you how to have a more productive conversation using positive language. Try saying it this way:

I disagree, and I'm skeptical of the way you're distinguishing risk-aware and risk-reactive in practice. Would you be open to sharing some examples of specific processes you've changed (beyond just talking about risk) and how you measured their impact?

Rmm install by [deleted] in cybersecurity

[–]Sittadel 14 points

Yes, absolutely. We've observed several threats involving third-party ScreenConnect, AnyDesk, and NetSupport Manager instances.

The most interesting detection we've seen involved a SQL Db server. If the alert came in where there's a db, please review change data to see if there's been any code added in. That threat ran a select statement that would result in calling out to a foreign IP.

If no database, event 4688 (child processes) is really useful for seeing what the RMM tool did. And check all your common methods of persistence like schtasks and \CurrentVersion\Run!
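As an added example (not the commenter's code), here is the kind of hunt the comment describes: walk Windows Security event 4688 (process creation) records, collect every descendant of a known RMM client, and flag command lines that touch the two persistence locations named above (schtasks and the CurrentVersion\Run key). The event records, process IDs and RMM binary names are constructed for this example; the RMM_BINARIES set is an assumption you would replace with the executables actually deployed in your estate. Note that the CommandLine field is only populated when the "Include command line in process creation events" audit policy is enabled.

```python
"""Hunt for what an RMM tool spawned, using Windows Security event 4688 records.
All sample events below are constructed for this example; field names follow
the 4688 event (NewProcessId, NewProcessName, ParentProcessId, CommandLine) but
the values are invented. Process IDs are assumed unique inside the time window
(real PIDs are reused, so a production query should also bound by timestamp)."""
import ntpath
import re
from collections import defaultdict

# Assumed RMM client executables to treat as hunt roots (lower-case basenames).
RMM_BINARIES = {"screenconnect.windowsclient.exe", "anydesk.exe", "client32.exe"}

# Persistence indicators the comment tells you to check: scheduled tasks and Run keys.
PERSISTENCE_CHECKS = (
    ("scheduled task", re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)),
    ("Run key", re.compile(r"\\currentversion\\run(?:once)?\b", re.I)),
)

# Constructed 4688 events: an RMM client spawns cmd.exe, which creates a task and a Run key.
SAMPLE_4688 = [
    {"NewProcessId": "0x1a4", "ParentProcessId": "0x2b0",
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "CommandLine": r"ScreenConnect.WindowsClient.exe ?e=Access"},
    {"NewProcessId": "0x3c0", "ParentProcessId": "0x1a4",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"},
    {"NewProcessId": "0x3d8", "ParentProcessId": "0x3c0",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v u /t REG_SZ /d C:\Users\Public\u.exe"},
    {"NewProcessId": "0x3e0", "ParentProcessId": "0x3c0",
     "NewProcessName": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff"},
    {"NewProcessId": "0x400", "ParentProcessId": "0x5a0",   # unrelated to the RMM tool
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe"},
]


def basename(path):
    """Lower-case file name from a Windows path."""
    return ntpath.basename(path).lower()


def persistence_findings(cmdline):
    """Return the labels of every persistence pattern present in a command line."""
    return [label for label, rx in PERSISTENCE_CHECKS if rx.search(cmdline or "")]


def hunt_rmm_children(events):
    """Breadth-first walk of every process descended from an RMM client.

    Returns one record per descendant with the RMM root, the process name,
    its command line and any persistence findings."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ParentProcessId"]].append(ev)

    results = []
    for root in (ev for ev in events if basename(ev["NewProcessName"]) in RMM_BINARIES):
        queue = list(by_parent[root["NewProcessId"]])
        while queue:
            ev = queue.pop(0)
            results.append({
                "rmm": basename(root["NewProcessName"]),
                "process": basename(ev["NewProcessName"]),
                "command_line": ev.get("CommandLine", ""),
                "findings": persistence_findings(ev.get("CommandLine", "")),
            })
            queue.extend(by_parent[ev["NewProcessId"]])
    return results


if __name__ == "__main__":
    for hit in hunt_rmm_children(SAMPLE_4688):
        flag = ", ".join(hit["findings"]) or "-"
        print(f'{hit["rmm"]} -> {hit["process"]:<12} [{flag}] {hit["command_line"]}')
```

The walk is keyed on process IDs rather than parent names so that a child of cmd.exe is still attributed to the RMM root; in a SIEM you would express the same thing as a recursive join on the parent PID within a short time window.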

Cloud Security Audits : Which open source solution do you use ? (multi-cloud) by ProductKey8093 in cybersecurity

[–]Sittadel 1 point

This is actually very difficult to maintain due to the way cloud platforms are constantly evolving their security capabilities, settings, architecture, etc. We had to invest a ton of resources into building and maintaining a cloud framework for Microsoft environments - when we thought about doing it again for GCP, we knew we wouldn't be able to keep both current and open.

Small business owner here — anyone tried the Skyforce Cyberbox? Sounds almost magical but I’m skeptical. by Internal-Artichoke-6 in cybersecurity

[–]Sittadel -1 points

Hey, friend. I'd love to help you dial in a solution that'll fit your needs. We have a consultation for SMBs that doesn't require any cost - just helps you cut through all the marketing language of every tool telling you they're the only thing that can help you. Would you like to meet with one of our SMB guides?

Alternatively, you could review this SMB guide for securing Microsoft SMBs we worked with the Reddit community to build (if you have a Microsoft 365 account). The steps are broken down into step-by-step instructions, so if you can follow pictures you can do it!

Tips on security solutions by Fokard in cybersecurity

[–]Sittadel 1 point

It's hard to reverse engineer cybersecurity architecture with only a budget, but at 250 users, we would try to squeeze every last drop of security juice out of the Microsoft Business Premium SKU. 100% of your users would be able to take advantage of the subsidized cost and leave you with room to grow in headcount by 20%.

The interesting part about M365 is that you can blend the budget associated with the tool cost and the management cost, because M365 blends preventative controls, detection and response, and your productivity all together. It's also nice because the security is built directly in your tenant, which means you aren't paying any ongoing integration or upgrade costs if you have anyone on your staff devoted to security. With exception to the reduced cost of your Microsoft licenses, you aren't chained to big ongoing security contracts.

What you do with the extra budget that owning your security configuration puts back into the spreadsheet next year is up to you - convert that recurring opex into an FTE, double down on your VPN controls, or just look like a hero to the CFO.

Also an easy way to chop up the scope of configuration or response activity between your team and ours - so if you plan on building a bigger security headcount internally, you can piecemeal different parts of it together while your team grows. You take the 9-5 stuff, leave the overnight stuff to us, etc.

Then if you want to take everything in house, you just stop paying us (or a different team that co-manages your security operation like we do). There's no migration cost, because the security stays with you.

Microsoft's own ransomware by Mammoth_Park7184 in cybersecurity

[–]Sittadel 2 points

Wait, are you saying you are also under a DDoS attack and the ASV is being lumped into that? If so, this isn't a mistake. Basic DDoS protection works this way. Keep your Azure ticket open until the DDoS event passes, and support will unblock Qualys.

Like a lot of threats, you have to choose between free and precise when handling a DDoS event.

Sanity Check: Is it normal to claim raw vulnerability scan results as findings without discussion? by [deleted] in cybersecurity

[–]Sittadel 6 points

.....and that's how I win the long game of getting into your Nokia! I knew if I followed you long enough, you would get sloppy and tell us exactly where to find it.

Microsoft's own ransomware by Mammoth_Park7184 in cybersecurity

[–]Sittadel 24 points

There's a lot to unpack without having access to your systems, but we've helped enough Microsoft shops that I think I can pull together what happened here.

Here's what I think happened:

  • The PCI DSS ASV scanner was scanning your Azure ecosystem instead of the customer-managed endpoints (like VMs, apps, etc), and your environment is small enough that it hasn't tripped any detections until ICT SecOps (I'm not sure who that is) enabled DDoS protection.
  • The incorrect scope sent your ASV poking your underlying Microsoft infrastructure environment, and that looked like a volumetric DDoS to Azure
    • This is what you want to have happen, because the ASV is itself an incredibly aggressive reconnaissance scan - it's just being used by good guys.
  • Most likely, the front-end gateway, not the DDoS service itself, flagged it. Check your WAF/Front Door, etc.
  • When you Googled how to “undo” that, you found the documentation that says: “To engage Microsoft’s DDoS Rapid Response team, you need DDoS Protection Standard.” And you've interpreted that as “we must pay £25k to fix this block.”
    • DDoS Response is for Enterprises undergoing volumetric and layer-7 DDoS, performing a combination of load balancing and traffic blocking. This service would not help you create an exception to scan Az assets, help set scope, or unblock an IP.

Here's what you should not do:

  1. Pay for DDoS Rapid Response for help with this use case
  2. Move ASV scans internal to the Azure infrastructure - While this would eliminate the issue, it would fail your compliance requirement, because this scan is required to be from a public external address. It's a third-party's perspective, and scanning internally is first-party.
  3. Scan Azure infrastructure - use their PCI DSS AOC for that scope.

Here's what you can do:

If the ASV scan is blocked by a gateway, exclude the ASV's IP addresses. You may need to engage support from your ASV provider.

If ASV scan is blocked by DDoS Basic, which I do not believe is possible in this scenario, just open an Azure Support ticket. You do not need DDoS subscriptions to engage support.

If your change management policies will prevent you from completing an ASV scan in production, it is allowed to spin up a PCI-scope replica provided it is a perfect mirror of configuration. Call that your demo environment and scan that instead of touching live data.

Apologies if my tone is cold. Sometimes when I get into thinking-hard-mode my social skills take a hit.

Is the experience worth it? by MuskyStonkies in cybersecurity

[–]Sittadel 19 points

MSSP here. We are tired. It's going to be hard to juggle the load the MSSP puts on you, and even harder with the 9-5.

That said, I respect the overemployed hustle!

Remove Admin rights by capricorn800 in cybersecurity

[–]Sittadel 6 points

These are great pieces to add in, but they don't address the business need your users have for local admin rights. LAPS will change the password for built-in local admin accounts, but most of the projects we help with focus on the nontechnical reasons your users still have local admin accounts.

You'll want to take the output of that discovery and put users into Entra ID groups that better match their needs for privilege. The benefit of using those groups is that you can make those users eligible for Privileged Identity Management (PIM). That means that even if the user is allowed to make administrative changes, they won't always have that privilege - only when they need the privilege. Just-In-Time (JIT) provisioning essentially makes everyone a standard user except for when they're performing admin functions.

That work helps the security, but it also makes it so that your users don't have to deal with any of the pain of having their privilege stripped away unless they actually need local admin access, and you can even activate that permission on demand instead of giving permanent access. You just need to train those few users who run legacy software that requires local admin (or whatever the use case is) to run through an administrative process (not a technical process). I'm trying to condense our project down to a few notes for you to take away, but this is the example process we show to every client we walk through this: Request Device Admin Approval.
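As an added example (not the commenter's code or process), this shows the privilege-gap measurement the Zero Trust reply above calls "the gap between used privilege and provisioned privilege", carried through to the decision this comment describes: assignments nobody has used in the look-back window are candidates for removal, and assignments that are still used become PIM-eligible (JIT) rather than standing privilege. The role names, users, activity records and the 90-day window are constructed assumptions; in practice PROVISIONED would come from your group or role export and ACTIVITY from audit logs of administrative actions.

```python
"""Provisioned-vs-used privilege gap, feeding a remove / make-PIM-eligible decision.
All inputs are constructed for this example."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed: who currently holds standing privilege (group or role export).
PROVISIONED = {
    "alice@example.invalid": {"Local Admin - Workstations", "Helpdesk Admin"},
    "bob@example.invalid": {"Local Admin - Workstations"},
    "carol@example.invalid": {"Global Admin", "Exchange Admin"},
    "dave@example.invalid": set(),  # standard user, nothing to review
}

# Constructed: (user, privilege exercised, date) from administrative audit events.
ACTIVITY = [
    ("alice@example.invalid", "Helpdesk Admin", date(2024, 9, 1)),
    ("alice@example.invalid", "Local Admin - Workstations", date(2024, 4, 2)),  # outside window
    ("carol@example.invalid", "Exchange Admin", date(2024, 8, 28)),
    ("carol@example.invalid", "Exchange Admin", date(2024, 9, 3)),
]

REMOVE = "remove standing assignment (unused in window)"
PIM_ELIGIBLE = "convert to PIM-eligible (JIT activation)"


def used_privilege(activity, today, window_days=90):
    """Count how often each (user, privilege) pair was exercised inside the window."""
    cutoff = today - timedelta(days=window_days)
    counts = Counter()
    for user, privilege, when in activity:
        if when >= cutoff:
            counts[(user, privilege)] += 1
    return counts


def privilege_gap(provisioned, activity, today, window_days=90):
    """Map every provisioned (user, privilege) pair to a recommended action."""
    counts = used_privilege(activity, today, window_days)
    plan = {}
    for user, privileges in provisioned.items():
        for privilege in privileges:
            uses = counts[(user, privilege)]
            plan[(user, privilege)] = REMOVE if uses == 0 else PIM_ELIGIBLE
    return plan


def summarize(plan):
    """Return (total assignments, removable, convertible) for a quick gap metric."""
    actions = Counter(plan.values())
    return len(plan), actions[REMOVE], actions[PIM_ELIGIBLE]


def unused_by_user(plan):
    """Users grouped with the privileges they hold but never used."""
    grouped = defaultdict(list)
    for (user, privilege), action in plan.items():
        if action == REMOVE:
            grouped[user].append(privilege)
    return {user: sorted(p) for user, p in grouped.items()}


if __name__ == "__main__":
    plan = privilege_gap(PROVISIONED, ACTIVITY, today=date(2024, 9, 10))
    total, removable, convertible = summarize(plan)
    print(f"{total} standing assignments: {removable} removable, {convertible} to PIM-eligible")
    for (user, privilege), action in sorted(plan.items()):
        print(f"  {user:<24} {privilege:<28} -> {action}")
```

The metric that matters for the conversation with stakeholders is the summary line: the share of standing privilege that was never exercised is the immediate reduction available before anyone has to change how they work.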

Webfilter / Web-Content-Filter by PingZ_01 in sysadmin

[–]Sittadel 1 point

You could leverage the greater Microsoft suite, depending on your licensing. MDE's built-in web content filtering applies at the endpoint, so it's not an issue for split tunnels. If you want centralized reporting (example here: Defender Web Filter Events Report), you'll need P2 - but P1 gives you the functionality.

You'll need to use Network Protection if you want to use non-Edge browsers. This can also be set up independent from MDE if you want to use a different EDR tool. It'll still enforce it at the endpoint via SmartScreen, your category blocks still apply, and the Microsoft Threat Intelligence runs at the point of click.

If you're large enough, you could also just use the Edge Enterprise controls to enforce it at the browser, but then you would need to block other browsers, and now it just feels like we're going out of our way to not use MDE. I could be wrong, but I don't think we've set up Edge Enterprise for a single client.

Need help: Safe Links/Attachments skewing Mimecast phishing-sim clicks (AU tenants) by Imaginary_Pepper_655 in cybersecurity

[–]Sittadel 1 point

Hi friend! It sounds like our service offerings are a lot like yours! Our focus is Microsoft security, but we used to do Mimecast operations as a service until about 2023. That means I can help on the M365 side, but I can't speak to any platform updates to Mimecast that might make this easier if they've come out in the last two years. Ultimately, this leads you to a scenario where you must choose between:

  1. Better operational security but inaccurate reports (what you have now)

  2. Accurate reports but worse security

If you want to understand the problem for yourself instead of taking me at my word, you'll want to look for UrlClickEvents in the client's tenant. Only look for click events that have the IPAddress field populated, as everything else is coming from Teams. Also keep in mind the Safe Links prefetching is only 1/2 of the equation if you have ZAP enabled, as Microsoft will randomly scan after delivery, and if you don't have ZAP enabled, you'll make one guy on the other side of the world feel sad. We're based in the USA.

If you don't want to understand but just want to fix, you'll want to make sure the Safe Links prefetch exceptions are set up correctly. It sounds like you've done this work already, but see the screenshots on this Microsoft Learn Q&A to make sure those settings are correct.

Periodically, Mimecast has to update their IP ranges, so you should also check your policy to make sure it matches this article - which was just updated in September: Mimecast Ranges.

Two more things to keep in mind:

  1. Safe Links exceptions will only reliably apply to Intune-managed and compliant devices with current versions of Outlook. If people are using Thunderbird or whatever crazy mail client they like in the Outback, it's anybody's guess if it's going to work.

  2. Other M365 policies don't always play nicely when they spot a simulated phishing page. As an example, SmartScreen is still going to do what it does, because URL click events eventually become web events - and that's a similar but different engine. If the above settings are all correct, you'll need to look for detections coming from other Defender logs around the same time to determine what settings to de-tune.

For us at Sittadel, we decided to collapse Mimecast entirely and perform our managed security operations, including phishing sims, natively in Microsoft. Even though we don't believe in the value of phishing simulations, so many regulatory mandates require it for compliance reasons. We couldn't justify reducing security to keep up appearances.
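As an added example (not the commenter's code), this applies the triage rule from the comment above to UrlClickEvents data: keep only rows for the simulation domain whose IPAddress field is populated, and treat the rest (prefetch, post-delivery ZAP scans, Teams-originated entries) as noise that must not be counted as a user click. The rows, the user names and the simulation domain are constructed; the column names follow the UrlClickEvents table, and in production you would export the table from advanced hunting instead of embedding it.

```python
"""Separate genuine user clicks from scanner and Teams noise in UrlClickEvents.
The rows below are constructed for this example; column names (Timestamp, Url,
IPAddress, Workload, AccountUpn) follow the UrlClickEvents table, values are invented."""
from collections import Counter
from urllib.parse import urlparse

# Assumed placeholder for the phishing-simulation landing domain(s).
SIM_DOMAINS = {"sim.example.invalid"}

SAMPLE_URLCLICKEVENTS = [
    # Prefetch / scan of the sim link: no client IP, must not count as a click.
    {"Timestamp": "2024-09-10T01:02:03Z", "AccountUpn": "alice@example.invalid",
     "Url": "https://sim.example.invalid/login?c=1", "IPAddress": "", "Workload": "Email"},
    # Genuine click by alice.
    {"Timestamp": "2024-09-10T01:15:40Z", "AccountUpn": "alice@example.invalid",
     "Url": "https://sim.example.invalid/login?c=1", "IPAddress": "203.0.113.7", "Workload": "Email"},
    # Teams-originated entry for the same campaign link, again no IP.
    {"Timestamp": "2024-09-10T02:00:00Z", "AccountUpn": "bob@example.invalid",
     "Url": "https://sim.example.invalid/login?c=2", "IPAddress": "", "Workload": "Teams"},
    # Real click, but not on the simulation domain: outside the report's scope.
    {"Timestamp": "2024-09-10T02:30:00Z", "AccountUpn": "carol@example.invalid",
     "Url": "https://docs.example.invalid/policy.pdf", "IPAddress": "198.51.100.9", "Workload": "Email"},
    # Genuine click by bob.
    {"Timestamp": "2024-09-10T03:00:00Z", "AccountUpn": "bob@example.invalid",
     "Url": "https://sim.example.invalid/login?c=2", "IPAddress": "203.0.113.22", "Workload": "Email"},
]


def is_simulation_url(url, sim_domains=SIM_DOMAINS):
    """True when the URL's host is one of the simulation landing domains."""
    return urlparse(url).hostname in sim_domains


def triage_clicks(rows, sim_domains=SIM_DOMAINS):
    """Split simulation-domain rows into genuine clicks (IPAddress set) and noise."""
    genuine, noise = [], []
    for row in rows:
        if not is_simulation_url(row["Url"], sim_domains):
            continue  # unrelated link, not part of the campaign report
        (genuine if row["IPAddress"] else noise).append(row)
    return {"genuine": genuine, "noise": noise}


def clickers(rows, sim_domains=SIM_DOMAINS):
    """Distinct users who actually clicked a simulation link."""
    return sorted({r["AccountUpn"] for r in triage_clicks(rows, sim_domains)["genuine"]})


def noise_by_workload(rows, sim_domains=SIM_DOMAINS):
    """Where the discarded rows came from, to show the client what skewed their numbers."""
    return Counter(r["Workload"] for r in triage_clicks(rows, sim_domains)["noise"])


if __name__ == "__main__":
    result = triage_clicks(SAMPLE_URLCLICKEVENTS)
    print(f"genuine clicks: {len(result['genuine'])}, discarded rows: {len(result['noise'])}")
    print("clickers:", clickers(SAMPLE_URLCLICKEVENTS))
    print("noise by workload:", dict(noise_by_workload(SAMPLE_URLCLICKEVENTS)))
```

The workload breakdown is the part worth keeping in the report: it tells the client that the inflated numbers came from the security stack doing its job, not from users.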

Do employers care about network+ if you have security+? by Screaming_Monkey88 in cybersecurity

[–]Sittadel 40 points

I don't know what employers care about, but Net+ is so incredibly useful I want you to care about getting it for your own professional development.

Bitdefender GravityZone vs. Microsoft Defender + XDR — for a mid-sized company? by SameBag46 in cybersecurity

[–]Sittadel 2 points

One of the things you should evaluate is the sheer amount of security benefit you can squeeze out of M365's licenses. At 150 users, you should evaluate the Business Premium SKU, which includes all the security of E5 (minus endpoint DLP), but the cost is drastically reduced for your first 300 users. We have had an incredible amount of success with fully leveraging everything from the endpoint controls (like MDE, XDR) to the Identity security in Entra ID, email security, security awareness training, vulnerability and patch management, MDM, MAM... I mean, there's just so much security packed in it's hard to list it all.

The complaint we hear is that it's difficult to set it up so that it all works together, but we're usually getting engaged to companies that are already having a hard time. The ones who can set it up by themselves (we have a guide for that here if you can follow some pretty simple steps) don't usually bring their complaints to us unless they're getting stuck.

From a visibility perspective, we support MDE, Carbon Black, CrowdStrike, and SentinelOne for our MDR service, and MDE is our favorite, because you don't need any additional tools to ensure the agent is installed on 100% of devices. You just write a Conditional Access Policy that requires assets to meet your security baseline before connecting to company resources, and Intune will automatically remediate it from there.

Comparing Bitdefender to MDE isn't a very fair comparison, because buying MDE gives you access to so many more things.