Read: 22 mins. Splunk is a GREAT tool to aggregate and correlate information from a variety of sources, and its SPL queries can help surface what you need. In this post, we extend our previous Active Directory Account Lockout Troubleshooting article with Splunk dashboards. SimpleXML source code is provided to create visual representations of Windows Security event log data to aid lockout investigations. The dashboards can also help identify data or behavior patterns and show how many accounts are failing authentication over a specific time period.
Read: 3 mins. Configuring Single Sign-On (SSO) for Proofpoint Targeted Attack Protection (TAP) with Azure Active Directory (AD) was not a simple task, as documentation was lacking. This article will guide you through configuring SAML with Service Provider-initiated login.
Read: 3 mins. The Security Operations Center (SOC) noticed logins to Azure Active Directory (AAD) from yahoo.com and gmail.com email addresses and asked the IT Security team to investigate. At the time, we did not allow many B2B Guest credentials for those domains, but alarmingly, the accounts in question successfully authenticated even though they did not exist in our AAD tenant. Who were those people? Did we have a security breach? What did they access?
Read: 3 mins. A sensitive, internal meeting was held within Microsoft Teams, and someone had accidentally recorded it. The organizer was extremely unhappy when nobody admitted to it, particularly since any attendee was able to download a copy of the recording. An urgent request was put out to the Office 365 and Information Security teams to investigate. How did we go about doing so?