Tag: Azure

CheckPoint Firewall & Microsoft Sentinel: Troubleshoot Data Connector Disconnected

Hi everyone, hope you guys are staying safe and keep yourself healthy. Would like to share you another troubleshooting experience of mine.

I noticed that the CheckPoint connection status was disconnected from the data connector in Microsoft Sentinel portal. Hence, I put on my thinking hat to troubleshoot this issue. It was tricky though but luckily the troubleshooting command manage to give me some hints, what was causing this disconnection.

My findings were:

  1. Syslog connector still exist
  2. CheckPoint Firewall forwarder connector was not found

I proceed my next action on troubleshooting it,

  1. I ran the troubleshooting command from the Microsoft Sentinel data connector for CheckPoint in the Syslog connector VM (Centos)
  2. It shows me that I need to change my Syslog’s SELinux mode to permissive
  3. To modify the SELinux mode run the following command, this is where the mode located, is inside the directory/file below “/etc/selinux/config”:
    • vi /etc/selinux/config
  4. Change the SELINUX=enforce to SELINUX=permissive
  5. Click the button “ESC” on your keyboard
  6. Type the command to save and quit: wq!
  7. Click the button “ENTER” on your keyboard
  8. Restart the VM by typing the command sudo reboot

First issue completed but there was a second issue prompt, it mentions that it would require me to disable auto-sync to prevent duplicate records sync to Microsoft Sentinel. Hence, the next action is below,

  1. Type the following command sudo su omsagent -c 'python2 /opt/microsoft/omsconfig/Sripts/OMS_MetaConfigHelper.py --disable'
  2. Restart the VM by typing the command sudo reboot

You might not like my idea of rebooting the Syslog connector VM, no worries you can proceed to follow just by restarting the service instead.

Noted:

Kindly note that the command above may not suit your situation because different Linux Operating System has their own command language. Anyway, the concept is pretty common sense.

References:

  1. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
  2. https://learn.microsoft.com/en-us/azure/sentinel/troubleshooting-cef-syslog?tabs=cef

Azure AD Connect: Reminder All version 1.x is Retiring this August, 2022

Hi fellow friends, hope you guys are having a good day today, everyday is a brand new day.

Today’s article here is to remind you that the Azure AD Connect all version 1 will be expiring soon, on 31st August 2022, this year this month.

What happen if you don’t upgrade before the due date?

Basically you will face service disruption such as accounts, computers objects and passwords will be affected.

Accounts/User objects:
– New users created in Active Directory will no longer synchronized to Microsoft 365 cloud

– New values added into the accounts/user will no longer reflecting the updates/changes into your Microsoft 365 cloud

– Basically any changes you make towards the accounts/user that you would like to sync to Microsoft 365 would not allowed

Computer objects:

– If your environment has Microsoft Intune or Hybrid join devices then you will have issue onboarding new devices to Microsoft Intune

Passwords:

– If your environment allow users to reset their own password from Microsoft 365 and synchronized back the new password to the Active directory would not be not allowed

– This is affecting the environment that has password writeback feature enabled in the Azure AD Connect

Any concerns should I take in for the current configuration before upgrading?

  1. Remember your Microsoft 365 global administrator credential, because you are require to re-establish the connection when you are performing an upgrade of the Azure AD Connect
  2. Make sure your server’s storage, Operating System and RAM size is still following the best practice
  3. Make sure you are following the new version of Azure AD Connects prerequisite

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#retiring-azure-ad-connect-1x-versions

Microsoft Sentinel: Things to know before you start migrate to a new resource group in the same tenant

Good morning fellow friends. Hope you are having a fresh start of the day. I would like to write about my journey on Microsoft Sentinel during migration phase.

Microsoft Sentinel is SIEM and SOAR security solution providing corporate the flexibility and better visibility in terms of managing security logs from Microsoft security products and third-party products and threats prevention.

Let’s begin…

Current situation of what I have in my Microsoft Sentinel is,

  1. Solution running on a trial subscription
  2. Resource group 1
  3. Some queries
  4. Some connectors (Microsoft and third-party)
  5. Some Logic app
  6. Some Automation rules

I would like to migrate from the trial subscription to the CSP subscription, this migration would likely be perform by your license provider and request them to provide the appropriate permission so that you can perform your management on the Microsoft Sentinel in the new subscription.

Note: This is not migrating from one tenant to another tenant.

The highlighted in RED are the ones you would need to perform backup, making sure the connection is up and the authentication is establish.

The New resource group has the current resource group resources,

  1. Solution is now running on paid subscription
  2. Resource group 2 (You would need to create a new resource group)
  3. Some queries (Custom queries needs to be regenerate)
  4. Some connectors (Make sure connectors with log forwarder is working else you would have to reestablish)
  5. Some Logic app (Reauthenticate your log workflow)
  6. Some Automation rules
Example of warning in Logic app designer

That is all you would need to know in advance before you start your migration. Hopefully you would find this article knowledgeable for you if you are heading to migrating your Microsoft Sentinel to a new subscription. Is never a waste of time if you are used to double checking or triple checking that all the resources are connecting and working well after migrated.

References:

  1. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription

Azure: Troubleshoot Azure Information Protection installer via Intune

What’s up ladies and dudes!

Today’s topic is about the Azure Information Protection installer, yes is the MSI installer, AzInfoProtection_UL.msi.

Every MSI application you would need to use this following command to install them into the machine “msiexec /i <application name> /quiet“, but somehow for this case YOU DON’T NEED IT!

Basically you would just leave the command-line arguments empty.

References:

  1. https://www.microsoft.com/en-us/download/details.aspx?id=53018

Azure: Troubleshooting Conditional Access App Control for iOS

Good day everyone. Even with the Covid-19 is rising drastically in Malaysia, kind of brings my hopes down. Anyway, I still have to keep going with life.

Today’s topic is about the Azure’s conditional access policy. We found a bug in conditional access for iOS device platform. So basically our situation is that, if we would need the conditional app control to be functioning in the Cloud App Security, we would need to setup a conditional access policy. Our setup was only to achieve monitoring mode only. However, after enabling the policy we retrieve reports saying that all iOS devices are having trouble accessing their exchange online. Users are receiving an email notification, stating that their exchange online access is being blocked. We had to disable the policy temporary to troubleshoot it.

This was the email notification:

No Exchange Server, just Exchange Online
  • This was our configuration for the conditional access policy;
    • Assignment: Include a test group, Exclude the VIP accounts
    • Cloud apps: All cloud apps
    • Conditions: None
    • Session: Use conditional app control (Monitor Only)

So this is the Microsoft article shows how the configuration/enablement is being setup in the conditional access in order for the app control to work, as you can see there weren’t any conditions being setup. Hence, it should not be doing any requirements checking or blocking.

There are not enough explanation
As you can see the condition shows zero

To be honest, I had raise ticket to MCAS, Exchange Online and Azure team, and none of them able to get back to me an answers. MCAS team state that “no conditions are setup it SHOULD NOT be performing blocking”.

I had to stop relying the Microsoft Support for this case, as I had to find a way to identify it. So based on the image above, we can see that the article is not mature enough, because there weren’t any solid references or notes stating the limitations/restriction of monitor only of conditional app control.

Upon further checking, I had to analyze the logs of Azure Sign-in activity and Cloud App Security Activity log of that user whom experience the issue. We notice that the sign-in was shown as “Interrupted” and there was no failure sign in status. For your information, the iOS version is 14.

Error code 1: This is not an error – this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.

Error code 2 : This is an expected part of the login flow, where a user is asked if they want to remain signed into this browser to make further logins easier. For more details, see https://techcommunity.microsoft.com/t5/Azure-Active-Directory/The-new-Azure-AD-sign-in-and-Keep-me-signed-in-experiences/td-p/128267

Error code 3: 50097

Another finding was that there weren’t any Exchange mobile device access policy/rules being configure to perform the blocking.

I do know that once this conditional app control is enabled there will have this prompt page before entering into the Exchange online, this is my iPad Air by the way, running on the latest version. The prompt page can be turn off though. Anyway, that is not the case here. I ran a test to mimic the situation but I didn’t experience any email notification send to me stating my exchange online access is being blocked. There is no MFA or Biometric setup on my iPad.

The questions still lies is there a pre-requisites for iOS devices for conditional access policy, even though there is no conditions being set?

Below is image from web browser;

Below image from my iOS outlook app;

Azure ATP: How to Remediate Enumeration activities or other attacks?

Hey every good evening, and hope you guys are having a nice day today. Just another topic about Azure ATP here, a.k.a Microsoft Defender for Identity.

If you come across this before and then you would already know what is it for. If you are new here, then let’s just have a brief explanation what is it about. Azure ATP is basically a cloud-service that leverages your on-premises to perform identifying, detection and monitoring of your domain controller’s user objects activities and behaviors.

Newly deploy Azure ATP in your environment would take 48 hours to 72 hours for the Azure ATP to study the behaviors of each accounts, but this is also depend how large is your objects in your environment.

Anyway, a bit of side track just now. This blog post objective here is that if you ever encounter the 5 types of attacks, Reconnaissance, Compromised credentials, lateral movements, domain dominance and exfiltration alerts from the Azure ATP.

You may refer to this link here to learn how to remediate and understand how to manage the alerts.

Azure ATP: Does Admin’s actions recorded by Office 365 Audit?

Hey everyone, hope you guys are having a nice evening. Today’s blog post is about Azure ATP and Office 365 audit.

So the situation is like this;

Majority Office 365 tenant has more then 1 global administrators. Whenever, a global administrator would like to capture other administrators actions, they would query those events from Office 365 audit. So for Azure ATP, I notice it is not available in Office 365 audit, but for Defender Endpoint it exist in the audit. Summary, you can’t audit actions being taken in Azure ATP portal.

Scenario: If a global administrator, deletes an alerts from Azure ATP, it would remain deleted and there is no recycle bin to restore the alert back unless you regenerate the same situation to trigger the detection. This delete action is not recorded into the Office 365 audit.

Office 365 audit
Azure ATP on deleted alerts

I do not see this as a show stopper, I am still testing other ways to get this working. Stay tune…

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/working-with-suspicious-activities
  2. Search the audit log in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs
  3. DefenderATP Audit logs – Microsoft Tech Community

Azure ATP: What is the Retention Period of Reports?

Hey Hey everyone, good morning, is Saturday here in Malaysia. Hope you guys are doing well. This week blog post is about another Microsoft Defender for Identity, a.k.a Azure ATP. The terms are up to your suit and understanding.

I think is very reasonable to know what is the retention period that the Azure ATP’s Reports. Why? Because of Auditors

Upon researching to gather articles from Microsoft site and there weren’t an article talking about how long the reports store in Azure ATP. I do know that the reports in Microsoft security max are either 30, 60 or 90 days.

Thus, I had to raised a case to Microsoft Support and they return the answer that the retention period is 180 days. I did request whether they were able to locate any article from Microsoft that state it but none.

To locate Reports in Azure ATP, simply go to https://portal.atp.azure.com , select the 2nd Icon on the left taskbar.

Azure ATP: How to do exclusion detection?

Hi and good weekend to you. I haven’t been writing blog post for 1 week due to Chinese New Year holiday, 1 week off from doing YouTube videos and writing blog post, and spending quality time with my family. This is the first Chinese New Year celebration without visiting friends or other family members. E-angpao has become our replacement of physical AngPao. Seeing how this pandemic pushes technology forward and forcing people from all different generation to use technology, is amazing.

Anyway, this blog post I’m going to be talking about how you as administrator you can exclude certain situation from the Azure ATP detection. Azure ATP stands for Microsoft Defender for Identity. There are few situation you can exclude from Azure ATP detection such as Backup accounts and replication accounts. Take note this is only based on my experience or Microsoft recommendation but is not a MUST to exclude them.

How the alerts works in Azure ATP, is that when ever the account is behaving one of the detection it will notify an alert to the Azure ATP portal and to administrator’s email. So imagine if you have Azure AD Connect in your environment, your Azure AD Connect service account is notifying your administrator every 30 minutes, because the default replication time is every 30 minutes. Annoying right? Once you confirmed that this is the service account used only for replication, here is how you could whitelist it from the Azure ATP detection;

*This is for replication account, for others situation the exclude value may differ, these steps below is mainly to gain understanding how to exclude and where to locate the exclude.

  1. Login to https://portal.atp.azure.com
  2. Select Settings
  3. Under the Detection category
  4. Select Exclusion
  5. Locate the detection type and select it
  6. There you would see 3 sections for your choices on how you want to exclude it
  7. You can exclude based account name, hostname, IP addresses, subnets and etc..
  8. Key in the value and remember to save it
  9. This changes apply immediately

Recommended that you monitor 24 hours. For your information, email notification doesn’t have to be send to same tenant users, it could be external party domain but beware of your auditors.

The portal is a simple user interface, not as confusing as the Security and Protection portal.

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/configure-detection-exclusions

Azure ATP: gMSA limitation for single label domain

Good afternoon everyone, and Happy Holiday to you all. Today’s blog post is another Azure ATP, or you could say Microsoft Identity Defender or MDI for short.

As you might know that gMSA is a type of service account for Windows Server 2012 and above. For some reason it failed to establish authentication between a Windows Server 2016 and Azure ATP portal for this particular environment. This environment is running single label domain on a Windows Server 2016. It was migrate from Widows Server 2008 R2 to Windows Server 2016.

To locate the logs in the server that you installed the sensor to further identify the cause and issue,

C:\ProgramFiles\Azure Advanced Threat Protection\<sensor version> \Logs

In the server where your sensor installed, if you notice the Azure ATP services keeps stopping and starting, from the services.msc, then it means there is problem with the sensor trying to establish the connection to the Azure ATP.

There wasn’t much article found to prove that gMSA limitation with single label domain, so I go ahead and proceed a testing. I created a managed service account with no special permission included, and add the credential to the Azure ATP > Directory Service. Upon monitoring, there wasn’t any alert prompt from Azure ATP, Azure ATP alert is pretty instant when detected failure on authentication.

So the resolution was to use managed service account instead of the gMSA account for this situation. The sensor start to working well with managed service account.