by Contributed | Feb 23, 2021 | Technology
This article is contributed. See the original author and article here.
When using Azure Sentinel, you are bound to get some false positives. No detection rule is perfect. In this blog post, we will learn how to handle false positives in scheduled analytics rules.
Understanding false positives
In most cases, false positives stem from specific entities such as users or IP addresses which should be excluded. Common scenarios are:
- During his normal activity, a user may often exhibit a pattern that can be viewed as suspected. This would often be a service principal.
- An intentional security scanning activity coming from known IP addresses is often detected as malicious.
- A rule excludes private IP addresses. However, some internal IP addresses are not private and should also be excluded.
Implementing false positive handling
The solution is to modify the rule queries, either by including the exceptions directly in the rule, or preferably, when possible, including a reference to a watchlist and managing the exception list in the watchlist.
Taking the typical rule preamble, you can add the blue line at the beginning of the query:
let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| where IPAddress in (‘10.0.0.8’, ‘192.168.12.1’)
…
The relevant exception is not limited to IP addresses and might be for specific users (using the UserPrincipalName field) or Apps (using the AppDisplayName).
You can also exclude multiple attributes:
| where IPAddress in (‘10.0.0.8’, ‘192.168.12.1’)
| where UserPrincipalName == ‘user@microsoft.com’
Or, to implement a more fine-grained exception when applicable, to reduce the chance for false negatives, by combining attributes:
| where IPAddress == ‘10.0.0.8’ and UserPrincipalName == ‘user@microsoft.com’
Excluding subnets
The third use case described above, excluding IP ranges used by the organization, requires subnet exclusion. The following examples show how to exclude subnets. Note that since the ipv_lookup operator is an enrichment operator and not a filtering operator, the filtering is actually done in the following line by inspecting those events for which a match was not made.
let subnets = datatable(network:string) [ “111.68.128.0/17”, “5.8.0.0/19”, …];
let timeFrame = 1d;
let logonDiff = 10m;
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| evaluate ipv4_lookup(subnets, IPAddress, network, return_unmatched = true)
| where not(isempty(network))
| where ResultType == “0”
…
Using Watchlists to handle false positives outside of the rule itself
You can use a Watchlist to manage the list of IP addresses outside of the rule itself. When applicable, this is the preferred solutions and has several advantages:
- This enables an analyst to add exceptions without editing the rule, which better follows SOC best practices.
- The same watchlist can apply to multiple rules, enabling central exception management.
Using a watchlist is rather similar to using a direct exception:
let timeFrame = 1d;
let logonDiff = 10m;
let allowlist = (_GetWatchlist(‘ipallowlist’) | project IPAddress);
SigninLogs
| where TimeGenerated >= ago(timeFrame)
| where IPAddress in (allowlist)
…
Subnets filtering can also be done using a watchlist by replacing in the subnets example above, the subnets table definition with a watchlist:
let subnets = _GetWatchlist(‘subnetallowlist’);
I hope you found this useful!
by Contributed | Feb 23, 2021 | Technology
This article is contributed. See the original author and article here.
In this installment of the weekly discussion revolving around the latest news and topics on Microsoft 365, hosts – Vesa Juvonen (Microsoft) | @vesajuvonen, Waldek Mastykarz (Microsoft) | @waldekm, are joined by Germany-based MVP, Product owner for the Valo Teamwork tool, and community contributor – Jarbas Horst – working for Finland-based Valo Intranet | @devjhorst.
The discussion touches on role transition from developer to big picture manager, what suggests a successful day, evaluating feedback, the value of being an empathetic leader, proper onboarding, and the challenge of bringing people together in remote work times.
The session was recorded on Monday, February 22, 2021.
Did we miss your article? Please use #PnPWeekly hashtag in the Twitter for letting us know the content which you have created.
As always, if you need help on an issue, want to share a discovery, or just want to say: “Job well done”, please reach out to Vesa, to Waldek or to your Microsoft 365 PnP Community.
Sharing is caring!
by Contributed | Feb 23, 2021 | Technology
This article is contributed. See the original author and article here.
The Microsoft 365 Developer tenant is an amazing feature to learn and experiment in the Microsoft 365 universe (actually I’m talking about your personal development “sandbox” of the Microsoft 365 developer program. If you have no idea, what a “dev tenant” is, read the article “What is a “Dev tenant” and why would you want one” from Julie Turner). But there are limitations if it comes to experience the full potential of the Power Platform. Power Platform licensing is a bit complex, but to simplify things: You may use standard connectors within most Microsoft 365 licenses (like E3 or E5), but you can’t you can’t use premium connectors, or on prem data gateways, or add Microsoft Dataverse to your environments. Since the dev tenant gives only you a Microsoft 365 E5 license, you would need to purchase a standalone license., Which is not ideal if you just want to learn and decide later on if you want to dig deeper into the Power Platform.
Luckily there is the Power Apps Community Plan and you can add this plan to your developer tenant.
What are the advantages of the Power App Community Plan?
With the Community plan, you get a developer environment for free which gives you the possibility to learn and develop your skills (check out the Power Platform Apps plan docs article for more information). Developer environments are exclusively for the Community Plan , you can learn more here in the environments overview documentation. In this environment you get a lot of possibilities which are not included in the Power Apps license seeded in the Microsoft 365 E5 license:
- You can use premium connectors (only for datasources within Power Apps)
- You can build unlimited custom connectors
- You can use Dataverse
- You’re able to export your apps and flows to AppSource for others to test
You see, if you want to learn more about the Power Platform and develop your skills, this is a huge benefit for you. And it comes for free.
What is included in the Power Apps Community Plan
How to join the Community Plan?
Let me walk you through the process. You need your log in data for the developer tenant: Mail address and password.
Go to the Power Apps Community Plan website and click on Get started free.
The overview page of the Power Apps Community Plan
In the next step you need to insert the mail address of your dev tenant. That is very important, do not use a different mail address, since you want the Community Plan to be linked to your dev tenant. After that click on Sign Up.
The sign in page of the Power Apps Community Plan
You will get a notification that says, that you’re using this address with another Microsoft Service already. Of course, you do, you use it for your developer tenant, right? So click on Sign In.
a pop up mentioning, that you already use the address for a Microsoft Service
The next window is a confirmation that you’re signed in and you can (important, you don’t have to) decide to get promotion and offers send to your address.
You can also decide to share your information with partners in order to get more relevant information.
You don’t have to, so choose wisely.
And naturally by clicking on Start you confirm that you’ve read the terms and conditions and the Microsoft Privacy Policy. So maybe it’s a good point to read them ;)
A pop up asking you to agree to the terms and conditions and decide if you want to share your information and get email offers from Microsoft
Don’t you worry, you’re almost done. In order to start with the Power Apps Community Plan you need to choose the country you’re using the Power Platform in. There are various legal conditions, which differ depending on the country. Once again you can choose the get the latest Power Apps tips and information, yet this is no mandatory field.
If you hit that Accept button you’re done.
A pop up asking you to choose your country to begin.
If you check the Power Platform Admin Center you will recognize, that there is another environment, next to the default one.
Congratulations, you’ve just joined the Power Apps Community Plan and can now see your new Developer environment.
A picture of two different environments in the Power Platform Admin Center
Now you can start developing apps and flows in this specific environment.
But there is one more thing you need to pay attention to: If you open Power Automate or Power Apps, make sure that you’re in the correct environment. In the upper right corner of your browser you can see, what environment you’re currently in. Click on the button Environments to see a list of all your available environments. Now select you newly created Developer environment (in my case it’s Michael Roth’s Environment). Now you’re using the newly created Developer environment with all the benefits from the Power Apps Community Plan.
A picture showing the button the select the right environment in the Power Tools
![You Own M365, Now What? [M365 Meetup for Government]](https://www.drware.com/wp-content/uploads/2021/02/large-1021)
by Contributed | Feb 22, 2021 | Technology
This article is contributed. See the original author and article here.
Microsoft 365 takes a “best-of-suite” approach to allow for organizations to securely enable collaboration, communication, and productivity without compromises. This session features a series of presenters who will help you understand the scope of the Microsoft 365 offerings and features, and how organizations can rapidly and effectively utilize and consolidate their investment in Microsoft 365.
WHEN: Tuesday, March 23rd, 2021 @ 5:00PM ET
REGISTER NOW: You Own M365, Now What? | Meetup
Speakers:
Presentation 1 – Understanding Office 365
Bob Ballard – Planet Technologies Principal Cloud Strategist
https://www.linkedin.com/in/bobballard/
Presentation 2 – M365 Security & Compliance Planning Considerations
Jay Bhalodia – Microsoft Specialist
https://www.linkedin.com/in/jbhalodia/
Marialino Bello – Managing Architect
https://www.linkedin.com/in/marialina/
Recent Comments