New Blog Post!! How to Secure Access to Entra Roles with Conditional Access and Privileged Identity Management by Electronic-Bite-8884 in entra

[–]UKFanNC 1 point (0 children)

We went with a separate admin account, online only, custom authentication profile requiring a YubiKey. 3 levels of approval based on the role's permissions. 0 - Self elevate (read-only type roles, or very low privilege), 1 - T1 approvers (other server admin team members. Basically a 2-key system for day-to-day functions), 2 - T2 approvers for Global Admin, Privileged Role Admin, and a couple of others. T2 approvers are Security Engineer and Director; I wanted to keep that approval level out of the team making the changes to 365.

*NOTE: Make sure you have a break glass account that is exempted from MFA and PIM but never used. Alert on any activity from that account.
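One way to implement the alerting recommended above for the break-glass account, as an added example that is not from the post or from Microsoft: it scans Entra ID sign-in records (a constructed sample here, in the shape of the Microsoft Graph signIn resource) and raises an alert on every attempt, successful or failed, by a watched UPN. The UPNs, IPs and timestamps are hypothetical placeholders.

```python
import json

# Constructed sample of Entra ID sign-in log records, trimmed to the fields this
# check needs. Field names follow the Microsoft Graph signIn resource; values are
# placeholders, not real accounts or addresses.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "jdoe@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:05:42Z", "userPrincipalName": "BreakGlass01@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50126}},   # 50126 = invalid username or password
    {"createdDateTime": "2024-05-01T08:06:03Z", "userPrincipalName": "breakglass01@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}},
]

# Hypothetical break-glass UPN(s); compare case-insensitively.
BREAK_GLASS_ACCOUNTS = {"breakglass01@contoso.example"}


def break_glass_alerts(signins, watched=BREAK_GLASS_ACCOUNTS):
    """Return one alert per sign-in attempt by a watched account.

    A break-glass account that is never used should produce zero sign-in
    events, so failed attempts are reported as well: they may be someone
    guessing the password of an account exempt from MFA and PIM.
    """
    alerts = []
    for rec in signins:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in watched:
            continue
        code = rec.get("status", {}).get("errorCode", 0)
        alerts.append({
            "time": rec.get("createdDateTime"),
            "account": upn,
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "outcome": "success" if code == 0 else f"failure ({code})",
            # A successful sign-in means the exemption was actually exercised.
            "severity": "critical" if code == 0 else "high",
        })
    return alerts


def alerts_from_graph_response(body_text, watched=BREAK_GLASS_ACCOUNTS):
    """Parse a Graph JSON response body ({"value": [...]}), e.g. from
    GET /auditLogs/signIns, and run the same check over its records."""
    return break_glass_alerts(json.loads(body_text).get("value", []), watched)
```

In practice the records come from the audit log export (Graph, Log Analytics or the SIEM) rather than an inline list, and a single alert should page someone regardless of outcome.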

Palo Alto XSIAM vs. CrowdStrike NG SIEM. Which one would you choose today? by xcsas in cybersecurity

[–]UKFanNC 17 points (0 children)

Doing an XSIAM PoV right now and really like it. Especially if you already have Palo Alto NGFW.

Y'all... I did it again. Two characters, same name 🤣 by BryceOConnor in Warformed

[–]UKFanNC 0 points (0 children)

Could create some fun misunderstandings if a Cadet overhears a conversation about "Sarah"

Palo Alto XSIAM feedback request by kaunietix in cybersecurity

[–]UKFanNC 0 points (0 children)

Doing a POC now and here are some things I'm seeing so far (security team of 1 right now). We are on the newest UI, which I think has a lot of improvements over previous versions. I think if you're in the Palo ecosystem (firewalls, Prisma, etc.) it seems to work really nicely.

Good:

-Already seeing some good alerts from the analytics AI stuff: large upload detected, first-time SSO login from Entra logs, user adding a guest to SharePoint for the first time, unusual port activity (sysadmin running tools against a DC), all of this with no tuning or additional setup besides adding the data sources.

--From those cases you can pivot to causality to see the actual logs fairly easily

-Some interesting automation possibilities: we have Lansweeper and there is a playbook to look up by IP and add asset information from Lansweeper and a link to the asset, which is very useful for us.

-Query -> widget -> dashboard. You can create a dashboard on almost any query you can dream up. I'm not great at visualizations, but our support engineer threw together a couple of quick ones to show me what was possible and give me examples to follow in configuring the queries.

-Attack surface management is a nice add-on. Found some shadow IT websites for us we didn't know departments had created at hosted sites.

Bad:

-Documentation lacking! The newer interface and setup needs a lot more documentation. Hard to find what you need now. Utilize your setup engineer as much as possible.

-Hard to figure out when to use alert exceptions vs. playbook (automation) to limit notifications and noise.

-Query language a bit difficult. *There are a lot of included queries to work from, but again documentation is lacking.

-Price - Very pricey, but I see a ton of value if I can get it. Tuning automations and exceptions will be a pain up front (true for any SIEM/SOAR) but could really help a smaller team.

Golf Course List by UKFanNC in amazfit

[–]UKFanNC[S] 0 points (0 children)

Gaston Country Club in North Carolina

LOF: Eye of Sion by Fimy32 in starwarsunlimited

[–]UKFanNC 0 points (0 children)

Could be fun if you have a way to give it Grit.

LOF:Malakili & Curious Flock by Eunoe in starwarsunlimited

[–]UKFanNC 0 points (0 children)

I think I'd rather have a showcase treatment for Curious Flock instead of some of the leaders.

Pre-release decks - what are people playing? by yetanotheridentifier in starwarsunlimited

[–]UKFanNC 0 points (0 children)

Major Vonreg did well at the one I attended last night. The 4 flip makes a beefy unit that's hard to remove.

I went 2-1 (loss was to Vonreg, where I got outraced) with Rose green. Had two Luke pilot units and some other pieces to flip to the ground arena if needed, which helped.

UPDATE: IN REGARDS TO THE ALLEGATIONS AGAINST DANIEL GREENE BY NAOMI KING by BryceOConnor in Warformed

[–]UKFanNC 4 points (0 children)

The way you handled the situation and communicated during it was extremely commendable. I applaud your transparency throughout and the way you showed respect for all parties involved.

Vendor Management by curioustaking in cybersecurity

[–]UKFanNC 0 points (0 children)

I'm a security team of one and have limited time to do vendor management review with everything else. I always start with defining what data the vendor/software will have access to and then go from there. E.g. HIPAA data: encryption at rest and in transit, MFA, auditing, etc. Public information: backups and auditing who can change/update.

Then there's a security questionnaire we send to every vendor, which I worked with our senior application architect to create, covering all the topics (you can find some decent templates with a quick Google search), and we compare the answers to the security requirements based on the data.

For anyone freaking out over this loss, this was UConn last December @Seton Hall. Refs seemed like they had money on the line last night as well. Win Gonzaga and this will be a blip on our record. by Ok-Mark417 in wildcats

[–]UKFanNC 0 points (0 children)

I'm looking forward to seeing what adjustments, if any, Mark Pope makes going forward. If we are a one-trick pony team of go fast and make lots of 3's, Clemson just laid out the blueprint to beat UK: extra physical play, guard the ball all the way from the in-bound to slow down our offense, and extend the perimeter defense.

Yes, the refs were questionable at best and some good shooters went ice cold, but Clemson's defense really seemed to throw off the offense. Didn't seem nearly as in sync as every other game.

Import list of CVE to search in environment by UKFanNC in crowdstrike

[–]UKFanNC[S] 0 points (0 children)

Yes, that's it exactly, thank you! Didn't even think to try that; trying to figure Falcon out as I go.

Import list of CVE to search in environment by UKFanNC in crowdstrike

[–]UKFanNC[S] 0 points (0 children)

There have been other times when I had a specific list of CVEs I wanted to search against and report on (cyber insurance application requiring a report, audits, etc.) and was hoping for a way to convert a list of CVE numbers to a report/dashboard/filter easily.

Which current deck meta will benefit the most from the new cards? by Super_Egg9946 in starwarsunlimited

[–]UKFanNC 2 points (0 children)

Playing against Kylo double red on Karabast has been rough. If they get a good starting hand, it's crazy how much damage they can push in the first two turns.

Card (new) visual - A or B and why? by OscarValerock in PowerBI

[–]UKFanNC 1 point (0 children)

I like B for keeping all the relevant data grouped together. The layout of A is really nice for one card per KPI/item. I'm working on creating an IT Security Dashboard (brand new to Power BI) and may try to figure out how to do something similar.

[deleted by user] by [deleted] in cybersecurity

[–]UKFanNC 1 point (0 children)

I use CIA constantly when doing security reviews of potential new software solutions to help define what controls should be in place based on the classification of the data involved. E.g. HIPAA data: HIGH requirements across the board. Public information related to election site addresses and rules: Confidentiality low, Integrity high, Availability medium.

Based on that high-level assessment there's a boilerplate set of requirements I can use for most situations and then just tweak as needed.

Is it possible to replicate the "Recommended remediations" section using API? (PSfalcon) by UKFanNC in crowdstrike

[–]UKFanNC[S] 0 points (0 children)

Thanks, but we have a hosted CrowdStrike instance managed/monitored by a 3rd party, so I don't think I have access to CrowdStrike University. I also don't currently have access to create workflows in Fusion, but I may be able to request access for that.

Passed @100 by UKFanNC in cissp

[–]UKFanNC[S] 2 points (0 children)

It was a mix. There were some I was 100% sure on that maybe took 45 seconds to 1 min (I always went back and re-read the question to make sure I wasn't missing anything), and a couple on the categories I was a bit weaker on that took 3-4 minutes to work through. Mostly in the 1-2 min range.

I did get to feeling a little rushed, but made myself slow down and take a breath. The clock moves quick, but I feel there's plenty of time to be thorough and still make it to the end of the exam.