Clatent

Technology | Fitness | Food

Security

EntraFIDOFinder: Web Version now available

October 2, 2024 by ClaytonT

Yes, I know it may seem counterproductive to make a web version of it, but I wanted to have an interactive web version so that it is easier for people to use than Microsoft’s version. The data is the same as the PowerShell version and will be updated at the same time, as they are pulling from the same source.

Functionality:

  • Search by Vendor
  • Filter by USB, NFC, BIO, and BLE

Web Version: EntraFIDOFinder
PowerShell Version: EntraFIDOFinder

Let me know what you think, and have a great day!

Tagged With: 365, Entra, FIDO2, PowerShell, Reporting, Security

EntraFIDOFinder – New PowerShell Module

September 30, 2024 by ClaytonT

After so much interest from my post on Friday, I figured I’d do one better and make a PowerShell module that does it for you. So now you will be able to find which FIDO2 keys are attestation compatible with Entra right from your terminal. In the very near future I will have individual functions for exporting to Excel, CSV, Markdown, and PDF, but I know a lot of people like to customize that themselves. I even put a few quick pointers on GitHub for it too, but will be doing tutorials shortly as well.

I’m still cleaning up the GitHub, but it is in the PowerShell Gallery and on GitHub at the links below.

You are able to search by Brand and/or device type such as USB, NFC, BLE, or BIO. These values are all parameter validated, so if you do not see a brand that you have, then currently it is not compatible. Here is also the original link I shared on Friday: Microsoft Learn FIDO2 Hardware Attestation.

Let me know what you think and whether you find it useful. There are a few other features I want to add, but I’m open to any other suggestions, or do you think it is good as is?

And don’t forget the mid Oct deadline is coming up quickly for Entra admin portals, good luck!

PowerShell Gallery: EntraFIDOFinder
GitHub: EntraFIDOFinder

Tagged With: 365, Automation, AzureAD, Entra, MFA, PowerShell, Security, SSO

Why did I get this email?

March 25, 2024 by ClaytonT

Here’s the scenario…

An executive forwards an email to your ticketing system and asks why they are receiving it. Then sends another from the day before. There is a Microsoft 365 distribution list (DL) in both emails, but not one they would be on. What do you do?

Check and see if there are any tickets for that DL, and you see there haven’t been any tickets for that DL or even that person. You then check the DL, and indeed see they are in it…. but how?

PowerShell to the rescue! Have you ever used “Search-UnifiedAuditLog”, which is a cmdlet for Exchange Online PowerShell? It is great for one-off investigations in 365, but here we will use it to find any admin activity for that user in the past week. Full disclosure, I’ve used it a handful of times and had never really dug into it, which was a mistake on my part. Knowing more of what it can do now would have saved me so much time on other resolutions where I had gone through the 365 portal. Don’t be me, start using this now and create your own functions as well as Purview to save you time and headaches. Enable it now, as it can’t be backdated.

# See if you have it enabled
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# If not enabled, run this
Enable-OrganizationCustomization

# Enable Audit logs - this can take up to 60 mins
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Hopefully you already have it enabled, or you enabled it right now and can wait for it to start ingesting the logs so when you do need it, it is available.

Back to our executive incident. How do we find out what happened? The quick way is to run:

# Check for all admin activity for named user
Search-UnifiedAuditLog -StartDate 2/1/2024 -EndDate 3/16/2024 -ObjectIds execuser@domain.com

And this is the way I originally did it to get the answer I needed. That’s it! Then you will see in “AuditData” which groups they were added/removed from and any operations that happened with the groups they are in. This broad search will show even more, but only mentioning parts related to this task. At the end of this post I’ll have a list of great resources on how to get granular on your searches.

Now you can see that another engineer accidentally added them (after confirming with the engineer), and you can just remove them from the list. This is the best-case scenario, as if I hadn’t looked and just removed the executive without searching and asking the engineer, they could have been added by a compromised account seeing what kind of privileges they had.

There is a way to clean up the audit data so it is easier to view, but that will be in a longer blog post coming soon. Again, I’ll have some links at the end to give you a head start. Honestly, this was only supposed to be a quick one liner post, that definitely grew, and I’ve spent more time than I would like to admit researching it. It has given me more ideas on how to use it and I’ll put together functions in a repository or possibly a module of most useful commands.
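
One way to flatten the AuditData column for reading, as an added example rather than the author's code: `Expand-AuditData` is a hypothetical helper name, and the sample record is constructed so the function runs without a tenant connection. It goes slightly beyond the post's single case by reading both Exchange `Parameters` and directory `ModifiedProperties` entries.

```powershell
# Added example, not the author's code. Expand-AuditData is a hypothetical name.
function Expand-AuditData {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        # AuditData is a JSON string; skip empty or malformed records
        if ([string]::IsNullOrWhiteSpace($Record.AuditData)) { return }
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Unparseable AuditData: $($_.Exception.Message)"; return }

        # Exchange admin records list cmdlet arguments under Parameters (Name/Value);
        # directory records list changes under ModifiedProperties (Name/NewValue).
        $details = @(
            foreach ($p in @($data.Parameters))         { if ($p.Name) { "$($p.Name)=$($p.Value)" } }
            foreach ($m in @($data.ModifiedProperties)) { if ($m.Name) { "$($m.Name)=$($m.NewValue)" } }
        )

        [pscustomobject]@{
            Time      = $data.CreationTime
            Actor     = $data.UserId      # account that made the change
            Operation = $data.Operation
            Target    = $data.ObjectId    # object that was acted on
            Details   = $details -join '; '
        }
    }
}

# Constructed sample record (not real tenant data) so the function runs offline.
$sample = [pscustomobject]@{
    AuditData = @{
        CreationTime       = '2024-03-12T14:05:31'
        Operation          = 'Add member to group.'
        UserId             = 'engineer@domain.com'
        ObjectId           = 'execuser@domain.com'
        ResultStatus       = 'Success'
        ModifiedProperties = @(
            @{ Name = 'Group.DisplayName'; NewValue = 'Finance-Alerts'; OldValue = '' }
        )
    } | ConvertTo-Json -Depth 4
}
$sample | Expand-AuditData | Format-List

# Live use (needs an Exchange Online session). -ResultSize raises the default
# cap of 100 returned records to the maximum of 5000:
# Search-UnifiedAuditLog -StartDate 2/1/2024 -EndDate 3/16/2024 `
#     -ObjectIds execuser@domain.com -ResultSize 5000 | Expand-AuditData
```

The Actor column is the account to confirm the change with before removing the member.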

One function I’ll be creating is one to check to see if a user has changed their password recently, has multiple failed attempts, and/or if they have locked themselves out. How nice would that be for you or your help desk if the function sees who submitted the ticket, runs the function then gives you that feedback? To go one step further, if they aren’t blocked out, automatically send them the password reset portal to reset their password?

If you already use this, what scripts/functions have you created? I’d love to hear about them, and I can create a repository for us to keep them in one spot.

Useful Links:

Search-UnifiedAuditLog – Microsoft Learn Cmdlet
How it works – Services that support auditing
Detailed info – Detailed Microsoft Script

Hope this helps save you from headaches and can’t wait to hear how you use it! Have a great day!

Tagged With: 365, AuditLog, Automation, Entra, PowerShell, Reporting, Security

Module Monday March 20, 2023

March 20, 2023 by ClaytonT

Hope you had a great weekend, and are ready for today’s Module Monday. Are you using Duo security? Or looking at Duo for your company? Then you need this module. It’s called DuoSecurity.

Why not automate the process of onboarding/terminating employees or removing old phone authenticators? What about reporting on who is in which groups, how many phones they have, or filtering event logs?

So many more things to automate with this module and make your life easier as well as make your company more secure.

If you have used this module before, let me know how you are using it.

PowerShell Gallery:
Duo Security

GitHub:
Duo Security

Tagged With: Automation, MFA, Module Monday, PowerShell, Reporting, Security

Read-Only Friday Nov 11, 2022

November 11, 2022 by ClaytonT

With today being a holiday, and more holidays coming up in the last days of the year, send out reminders to your users to be extra careful when clicking on links. Attacks have been more minor so far this year, which makes me feel it’s going to ramp up shortly. For the parents, think of it as when your child is quiet for too long by themselves… it usually means they are planning something or doing something they shouldn’t be doing. That’s how I feel about bad actors currently.

  • A few things to remind them:
    • Do you normally get emails from that company service? (ie UPS, FedEx, PayPal, etc)
      • If not, don’t open it, and definitely don’t click on links or download an attachment
    • Does that person normally send you links to click on? If they do, are they the type the current email is asking you to open?
      • I’ve seen it before when a company you normally work with gets compromised, so spam/virus/malware protection doesn’t pick it up as it is coming from a real email, but the bad actor took over that user’s account and is sending links/attachments from it.
    • Is the email the real identity’s email?
      • I know the name says it’s your president or CFO, but what is the real email sending it? It can be tougher seeing it quickly on a mobile device, but have them double check. Have them check those headers.
    • Don’t respond to the email
      • When responding, you are showing them that the account is live, and they will keep on attempting to compromise that email address.
    • If it looks real, contact the person/company from a known number
      • If the email looks mostly real, but they don’t normally send you links, call the person/company from a known number. Nothing from that current email. If you normally contact them, check previous emails or ask a coworker if they have a direct number. I would say check their website, but that could be compromised as well, so not always the best spot to get their number.

I’m sure all of these are pretty common, but it’s a great reminder for your users, especially as the end-of-year rush starts happening.

What are some tips you would give to your end users?

Tagged With: PowerShell, Read-Only Friday, Security

One-Liner Wednesday October 19, 2022

October 19, 2022 by ClaytonT

New-TenantAllowBlockListItems -ListType Sender -Block -Entries emailaddress

Here is a super useful one liner that has come in handy more recently.

What this does is add a user or domain to the tenant block list as it’s written below. If you need to add someone to the allow list, you can change -Block to -Allow. You can even set a duration for both Blocking and Allowing.

Command:
New-TenantAllowBlockListItems

Example with Parameters:

Add-365Blocklist

Tagged With: One Liner Wednesday, PowerShell, Security
