Robert Schoneman

Being a brave soldier and riding SEPTA out to Subaru Park for the Union game this afternoon

Atlanta is starting a new public transit system near the airport that uses small self-driving electric pods. People can ride these pods on demand, and they travel on a special path without a driver.

The best version of Windows. We still talk about you.

Having responded to probably hundreds of incidents at this point, from ransomware to APT's, in my experience, the lack of knowledge on how to adequately secure Entra applications and service principals continues to be the biggest knowledge gap most defending teams have. You should be able to securely configure apps, detect compromise of apps and understand how to investigate compromise of apps. It seems overwhelming at first, but it isn't. Get started like this Secure them: •Use managed identities where possible - negates the need for credential handling •Limit privilege - reduce both the permissions granted and add additional API specific restrictions (i.e don't grant read/write all to all SharePoint sites, just the ones an application needs to access). This includes pushing back on vendors or internal teams that request privilege not required •High privileged applications should have no direct owners - lower privileged users can be granted direct ownership of an app, don't do this, govern the ability to manage applications via Entra ID roles •Configure credential restrictions such as requiring shorter lived secrets or enforcing use of certificates •Remove unused apps and service principals, this can prevent existing high privileged apps being leveraged and reduces your supply chain compromise footprint for multitenant apps •Monitor risk events for service principals like you would users Detect compromise of them: •Alert on application creation or application credential creation - may be noisy in large environments, but a good starting point •Alert on credentials being added to service principals - credentials generally live on the application object, service principal credential creation should be rare •Alert on permission consent - this can detect not only malicious activity but permission creep •Alert on anomalous resource access - does your app usually access only Azure Storage, and suddenly it accesses Microsoft Graph? - this may indicate a compromised credential •Alert on anomalous ASN or location access - does your app usually access only from a specific ASN or country, and suddenly that changes? - this may indicate a compromised credential Many of these are covered by Defender for Cloud Apps and other tools out of the box, but it is worth ensuring you are covered down and what they actually mean. Investigate compromise of them: Know how to query the following logs and understand the events surfaced •Entra ID sign in data - filter on service principal sign in events via the Entra portal or Kusto in the Defender XDR portal •Entra ID audit logs - filter on events related to the service principal via the Entra portal or Kusto in the Defender XDR portal. Service principals can be used to further establish persistence, such as creation of users or additional service principals, rinse and repeat for any malicious additions to your environment •Microsoft Graph - was the compromised app used to access data via Microsoft Graph? You can query via the Defender XDR portal using Kusto to find these events •Defender for Cloud Apps - did the compromised app access other M365 services? You can query via the Defender XDR portal using Kusto to find these events •Unified Audit Log - you can retrieve the events related to the compromised app via the audit functionality inside the Defender XDR portal