19 Aug 2020

Azure AD: Successful Logins From Unknown Users

By |2020-08-20T09:45:27-07:00Aug 19, 2020 - Wednesday|Microsoft 365, Security, Technology|

The Security Operations Center (SOC) noticed logins to Azure Active Directory (AAD) from yahoo.com and gmail.com email addresses and asked the IT Security team to investigate. At the time, we did not allow many B2B Guest credentials for those domains, but alarmingly, the accounts in question successfully authenticated even though they did not exist in our AAD tenant. Who were those people? Did we have a security breach? What did they access?

1 May 2020

Active Directory: Group And Membership Changes (Splunk)

By |2020-07-31T23:32:12-07:00May 1, 2020 - Friday|Security, Technology|

How do you find out who made a change to an Active Directory or Builtin Local Group? Which users were added to or removed from a group? When was a group deleted? In this post, we look at Group and Membership change Event IDs, and explore how to use Splunk to find relevant information to aid in your investigations.

14 Apr 2020

MS Teams: Who Recorded the Meeting?

By |2020-07-31T23:37:50-07:00Apr 14, 2020 - Tuesday|Microsoft 365, Security, Technology|

A sensitive, internal meeting was held within Microsoft Teams, and someone had accidentally recorded it. The organizer was extremely unhappy when nobody admitted to it, particularly since any attendee was able to download a copy of the recording. An urgent request to the Office 365 and Information Security teams was put out to investigate. How did we go about in doing so?

27 Aug 2019

Google Chrome: Revoked Web Certificates

By |2020-07-31T22:57:47-07:00Aug 27, 2019 - Tuesday|Security, Technology|

Did you know that Google's Chrome browser trusts the majority of revoked web certificates? While the other major browsers support the industry standard, Google continues to pave its own path at the risk of making users of their popular browser vulnerable to attacks.

Go to Top