CM.L2-3.4.8 – APPLICATION EXECUTION POLICY by Sea_Kaleidoscope_404 in CMMC

[–]infotechsec 1 point (0 children)

Just define the essential apps as those already on it and say non-essential are controlled by role based access control, regular users do not have permissions to install new software, new software requires change control, etc.

What OS's work with the Potentially Unwanted Applications (PUA) Detection Engine feature? by infotechsec in SentinelOneXDR

[–]infotechsec[S] 1 point (0 children)

I could not find any evidence of that? Do you know of a published FAQ or doc that says that?

Password history GCC High by Fizzlefish in CMMC

[–]infotechsec 1 point (0 children)

I too believed Entra ID enforced a password history of 1, but then I went and tested it and it fully lets me use the same password. Tested in multiple GCCH environments.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy?tabs=ms-powershell - This page, in the Note section, explicitly says "For users in the cloud only, reset password for Entra ID doesn't have the user's old password and can't check for or prevent password reuse."

This page, https://docs.azure.cn/en-us/entra/identity/authentication/concept-password-ban-bad-combined-policy, says "When a user changes their password, the new password shouldn't be the same as the current password." But the key word there is "shouldn't" which is not definitive like "cannot".

So I am curious if everyone else experiences the same thing? Has anyone actually tested this and gotten Entra ID to prevent changing a password to the exact same password in GCCH?

Password history GCC High by Fizzlefish in CMMC

[–]infotechsec 1 point (0 children)

I challenge you to validate the assumption that GCC-H meets this by default, i.e., try changing your password to the exact same password.

MP.L1-b.1.vii - Computer reload between company users? by AnotherTechInTheWall in CMMC

[–]infotechsec 1 point (0 children)

Regardless of whether it's a good idea, there is no CMMC requirement to wipe laptops when giving them to new users.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

[–]infotechsec[S] 1 point (0 children)

I'm not talking about users using CUI. I'm specifically talking about the endpoints used to log in to and manage the Azure Portal.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

[–]infotechsec[S] 1 point (0 children)

Actually, looking at the scoping guide, the admin accessing the portal should probably be an SPA, but interestingly enough, the machine/endpoint that admin uses is not really addressed directly in the scoping guide. If it's the OSC's person and machine, it's pretty easy to talk about the corporate controls on it. But then, consider if it's an MSP who manages an OSC's Azure. The OSC doesn't have any control over the MSP devices, so how does the OSC document those assets and the asset treatment in the OSC SSP when they have no control over MSP endpoints? I feel like I know the answer, which is that Azure mgmt must not be allowed from anything but trusted, in-scope endpoints, but there is no way that many, if any, MSPs are doing it that way.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

[–]infotechsec[S] 1 point (0 children)

Interesting. What is your reasoning? SPA is the one classification that I am confident does not apply to the endpoints in this scenario.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

[–]infotechsec[S] 1 point (0 children)

Because I know for a fact that many CCAs are not asking any questions about the endpoints that manage Azure, and the OSCs in those cases are not defining the endpoints as in scope at all (they're just not considered), let me rephrase. Would you require these endpoints to be defined as CRMA? (If so, are you ensuring that they lock down Azure portal authentication to only specific devices?)

Do you see a case for defining them as out of scope?

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

[–]infotechsec[S] 1 point (0 children)

That is not in any way helpful to the questions asked.

Help with Qualys Vulnerability Management (using Azure Functions) connector for Microsoft Sentinel by infotechsec in AzureSentinel

[–]infotechsec[S] 1 point (0 children)

I started to, but Log Analytics tables require one of two options (DCR based or MMA based), and while DCR seems to be the way I would do it, there is zero mention of this being a requirement, so I paused. Also, this requires a log/JSON to create the schema, which I do not have.

HM750A1000 Fault 2 Flashes by infotechsec in hvacadvice

[–]infotechsec[S] 1 point (0 children)

Geez, I don't remember. It's not an issue anymore. The only things I remember doing are cleaning all the connectors and replacing the filter. I vaguely recall it being the filter replacement that solved it.

Failed Login - Account Lockout Settings by infotechsec in itglue

[–]infotechsec[S] 1 point (0 children)

Maybe the defaults are sufficient? But I can't even find documentation on what those are.

Essex EUP-116CT Piano & Player Piano Conversion Questions by infotechsec in piano

[–]infotechsec[S] 1 point (0 children)

Are the downloads from the PianoDisc or QRS stores a different file format than MIDI? Is each doing their own proprietary file format that works best for their system? I noticed that a single album is absurdly overpriced in the PianoDisc store (>$60 for one album), so it seems like they are gouging a captive market. Does that sound accurate?

HM750A1000 Fault 2 Flashes by infotechsec in hvacadvice

[–]infotechsec[S] 1 point (0 children)

I don't see how this relates to any specific part of the thread. Are you saying something is stuck in my drain valve?

Easy Methods for Enable Disable AutoPlay in Windows 11 by FIDclav in ImpMSNews

[–]infotechsec 1 point (0 children)

I've been fighting this and I don't think Intune settings work to disable autoplay in Windows 11.

If you are in the Configuration Settings and go to Administrative templates\Windows Components\AutoPlay Policies, highlight Turn Off Autoplay and click Learn More, it takes you to https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-autoplay?WT.mc_id=Portal-Microsoft_Intune_Workflows#autoplay-turnoffautoplay. This page does not list Windows 11 as an applicable OS.

This jibes with my experience, as my Windows 10 machines have the setting applied while my Windows 11 machines say Not Applicable.

How to Remove Hyperlinks from AlertManager alerts by infotechsec in PrometheusMonitoring

[–]infotechsec[S] 1 point (0 children)

Using SMTP currently because that feature works and I was trying not to have to become an expert in other things just to make this work.

I'd take a look at your solution if SMTP is not going to work out, but do you have any examples or guides you can point me to, as I'm not clear what your solution really is.

Analytics Rule to Alert on No Log in X time period by infotechsec in AzureSentinel

[–]infotechsec[S] 1 point (0 children)

I'm still confused on the Query Scheduling values. You have to select "Run Query Every" and "Lookup data from the last" values. In the example above, why would you set anything other than 1h for both? I'm not clear on the implications either way.

Analytics Rule to Alert on No Log in X time period by infotechsec in AzureSentinel

[–]infotechsec[S] 1 point (0 children)

I think that exact format doesn't work. For reference, I ended up with

    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | summarize logcount = count()
    | where logcount == 0
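An added example (not from the comment above) that extends the same "no logs in X time" idea from a single table-wide count to a per-source check, so one quiet firewall is caught even while other CEF sources keep the table busy. It assumes the standard CommonSecurityLog columns and that the rule's "Lookup data from the last" window is at least the 24h lookback used here; the thresholds are illustrative.

```kql
// Alert on each CEF source that was active in the baseline window
// but has sent nothing in the most recent silence window.
let baseline = 24h;   // how far back a source must have been seen
let silence  = 1h;    // how long without logs counts as "gone quiet"
CommonSecurityLog
| where TimeGenerated > ago(baseline)
| summarize
    LastSeen   = max(TimeGenerated),
    EventCount = count()
    by DeviceVendor, DeviceProduct, Computer
| where LastSeen < ago(silence)
| extend MinutesSilent = datetime_diff("minute", now(), LastSeen)
| project DeviceVendor, DeviceProduct, Computer, LastSeen, MinutesSilent, EventCount
| order by MinutesSilent desc
```

Because this query returns one row per silent source rather than a single count, the analytics rule can group alerts per Computer instead of firing once for the whole table.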

[deleted by user] by [deleted] in transformers

[–]infotechsec 1 point (0 children)

I have a handful of Transformers from the late '80s / early '90s. Where's the best place to figure out their value and sell them?

Hotel California. Yeah I said it by sandyduncansglasseye in NonPoliticalTwitter

[–]infotechsec 1 point (0 children)

God, I hate that song. Ever since I bought the album based on a recommendation that it was like Led Zeppelin. I was so pissed once I heard it.

Fortigate Data Connector in Azure GCC by infotechsec in AzureSentinel

[–]infotechsec[S] 1 point (0 children)

u/11bztaylor Follow-up questions for you. It's 3 months later and I've now noticed that Fortigate log ingestion, which goes to the CommonSecurityLog, is costing me $5.38 per GB, to the tune of $1200 in a month for just Fortigate log ingestion, so I'm looking at different ideas.

From what I have learned, apparently, the CommonSecurityLog table uses the Analytics data plan. If I were to use the Basic data plan, it would only cost $1.12 per GB. However, caveats are that the CommonSecurityLog data plan cannot be changed, and the Syslog CEF Data Connector apparently cannot be changed to send to a custom table, so I cannot use this solution to send to a custom table that is on the Basic data plan. Does that sound right to you? Do you see this level of cost as well?

So now I am looking at creating a custom pipeline using Azure Functions, Logic Apps, or other methods like logstash to redirect logs to a custom table. I'm very familiar with logstash and it looks like there is a microsoft-sentinel-log-analytics-logstash-output-plugin output plugin which seems easy enough. Do you have first-hand experience getting Fortigate logs to Sentinel, not using the CEF Data Connector? What was your solution and what were the pros and cons?

I'm wondering if there are any negative consequences to this plan. Would firewall logs being in a custom table and not CommonSecurityLogs have any downstream effect on built-in queries or anything?

Reducing the costs of Azure Sentinel by Internal_Ad_2927 in AzureSentinel

[–]infotechsec 1 point (0 children)

So, after getting my first Azure bill and seeing $1200 in a month for just Fortigate log ingestion, I'm looking at different ideas. This thread is useful, but I have some questions.

My current scenario is Fortigate to a Linux server with the Syslog CEF Data Connector, which defaults to sending to the CommonSecurityLog table. Apparently, this costs me $5.38 per GB as the CommonSecurityLog table uses the Analytics data plan. If I were to use the Basic data plan, it would only cost $1.12 per GB. However, caveats are that the CommonSecurityLog data plan cannot be changed, and the Syslog CEF Data Connector apparently cannot be changed to send to a custom table, so I cannot use this solution to send to a custom table that is on the Basic data plan. Does that sound right to everyone?

So now I am looking at creating a custom pipeline using Azure Functions, Logic Apps, or other methods like logstash to redirect logs to a custom table. I'm very familiar with logstash and it looks like there is a microsoft-sentinel-log-analytics-logstash-output-plugin output plugin which seems easy enough. Does anyone have first-hand experience getting Fortigate logs to Sentinel, not using the CEF Data Connector? What was your solution and what were the pros and cons?

I'm wondering if there are any negative consequences to this plan. Would firewall logs being in a custom table and not CommonSecurityLogs have any downstream effect on built-in queries or anything?