Unified Audit Logs in Azure/M365: Ensuring Proper Configuration


One common issue in Azure and Microsoft 365 environments is that the Unified Audit Log is not enabled. This hinders incident response and makes it difficult to reconstruct what happened in the tenant. To check whether Unified Audit Log ingestion is enabled, connect to Exchange Online PowerShell and run:

Get-AdminAuditLogConfig | Select UnifiedAuditLogIngestionEnabled

If the output is False, you need to enable it using:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

This ensures that audit records are ingested and available for investigation, which is crucial for incident response teams. Note that auditing is not retroactive: events are recorded only from the moment ingestion is switched on, so activity before that point cannot be recovered from the Unified Audit Log.

What Undercode Says

Unified Audit Logs are a critical component of any cybersecurity strategy, especially in cloud environments like Azure and Microsoft 365. They provide a centralized way to monitor and investigate activities across your organization. Enabling them ensures that your Incident Response team has the necessary data to respond to threats effectively.

In addition to enabling Unified Audit Logs, here are some other useful commands and practices for securing your environment:

1. Check Sign-In Logs in Azure AD:

Get-AzureADAuditSignInLogs -Top 100

This command retrieves the last 100 sign-in logs, which can help identify suspicious activities.

2. Enable Multi-Factor Authentication (MFA):

$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{RelyingParty = "*"; State = "Enabled"}
Set-MsolUser -UserPrincipalName user@example.com -StrongAuthenticationRequirements @($mfa)

MFA adds an extra layer of security to user accounts. The parameter expects an array of StrongAuthenticationRequirement objects with RelyingParty set to "*", which is why the object is built first (user@example.com is a placeholder). Keep in mind that the MSOnline and AzureAD modules are deprecated in favour of Microsoft Graph PowerShell, so check that they still work in your tenant.

3. Monitor Mailbox Activities in Exchange Online:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "MailItemsAccessed"

This command helps track mailbox access over the past week.

4. Check for Misconfigured Permissions:

Get-AzureADDirectoryRole | ForEach-Object { Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId }

This pipeline lists all members of every Azure AD directory role, helping you identify overly permissive role assignments.

5. Export Audit Logs for Analysis:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 | Export-Csv -Path "C:\AuditLogs.csv" -NoTypeInformation

Exporting logs allows for deeper analysis using tools like Excel or Power BI. A single call returns at most 5,000 records, so for busy tenants or longer windows you need to page through the results (see the -SessionId and -SessionCommand parameters) rather than rely on one call.

6. Enable Alert Policies in Microsoft 365:

New-ProtectionAlert -Name "Suspicious Activity" -Description "Alerts for suspicious activities" -Category ThreatManagement -ThreatType Activity -Operation "UserLoggedInFromNewCountry" -Severity High -NotifyUser admin@example.com

This creates an alert policy for suspicious logins (Category, ThreatType and NotifyUser are required parameters; admin@example.com is a placeholder recipient).

7. Check for Unused Licenses:

Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits, @{Name = "Unused"; Expression = { $_.ActiveUnits - $_.ConsumedUnits }}

This helps identify unused licenses that can be reallocated or removed.

8. Review Conditional Access Policies:

Get-AzureADMSConditionalAccessPolicy

Ensure that your conditional access policies are properly configured to block unauthorized access.

9. Monitor SharePoint and OneDrive Activities:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "FileDownloaded"

This command tracks file downloads from SharePoint and OneDrive.

10. Enable Data Loss Prevention (DLP) Policies:

New-DlpCompliancePolicy -Name "Protect Sensitive Data" -Comment "Policy to protect sensitive data" -ExchangeLocation "All" -SharePointLocation "All"

DLP policies help prevent the accidental sharing of sensitive information. A policy on its own does nothing until at least one rule is attached to it with New-DlpComplianceRule.
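To tie the check in the opening section to steps 3, 5 and 9, here is an added example script (not from the original post): it verifies and, if needed, enables Unified Audit Log ingestion, then pulls MailItemsAccessed and FileDownloaded events with proper paging so nothing is lost to the 5,000-record cap. It assumes an existing Connect-ExchangeOnline session with audit-log rights; the function names are our own.

```powershell
# Added example, not from the original post. Assumes an Exchange Online PowerShell
# session is already open (Connect-ExchangeOnline). Function names are ours.

function Test-UnifiedAuditLogEnabled {
    # Returns $true when ingestion is on; switches it on first when -Enable is given.
    param([switch]$Enable)
    $cfg = Get-AdminAuditLogConfig
    if (-not $cfg.UnifiedAuditLogIngestionEnabled -and $Enable) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        $cfg = Get-AdminAuditLogConfig
    }
    return [bool]$cfg.UnifiedAuditLogIngestionEnabled
}

function Get-UalEvents {
    # Pages through Search-UnifiedAuditLog (one call is capped at 5000 rows) and
    # flattens the AuditData JSON so the rows can be filtered or exported directly.
    param(
        [string[]]$Operations = @('MailItemsAccessed', 'FileDownloaded'),
        [int]$Days = 7
    )
    $start = (Get-Date).AddDays(-$Days)
    $end = Get-Date
    $sessionId = [guid]::NewGuid().ToString()   # same id ties the pages together
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations $Operations -ResultSize 5000 `
            -SessionId $sessionId -SessionCommand ReturnLargeSet)
        foreach ($rec in $page) {
            $d = $rec.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                CreationDate = $rec.CreationDate
                Operation    = $rec.Operations
                UserId       = $rec.UserIds
                ClientIP     = $d.ClientIP
                Workload     = $d.Workload
                RecordId     = $rec.Identity
            }
        }
    } while ($page.Count -eq 5000)   # a short page means the result set is exhausted
}

if (Test-UnifiedAuditLogEnabled -Enable) {
    Get-UalEvents -Days 7 |
        Sort-Object CreationDate |
        Export-Csv -Path 'C:\AuditLogs.csv' -NoTypeInformation
}
```

ReturnLargeSet returns pages unsorted, which is why the rows are sorted before export.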

By implementing these practices, you can significantly enhance your organization’s security posture. Unified Audit Logs, combined with proactive monitoring and configuration management, are essential for detecting and responding to threats in a timely manner. For further reading, refer to the official Microsoft documentation on Unified Audit Logs.

Remember, cybersecurity is an ongoing process, and staying vigilant is key to protecting your digital assets.

References:

Initially reported by: https://www.linkedin.com/posts/stephan-berger-59575a20a_one-topic-that-pops-up-regularly-unified-activity-7302399517079818240-3XvD