sameer fakhoury
3.0 Pre-Course Essentials: Key Notes and Guide

This module acts as an additional resource, offering important notes and a quick guide through the Purview portal. To gain a better understanding, you should complete this module before starting the official 4-module course.

Microsoft Purview

  • Microsoft Purview is a data governance and compliance solution designed to help organizations manage and secure their data across various platforms.
  • It offers capabilities such as data cataloging, data classification, and risk management to ensure data compliance and protection. By providing a unified view of data assets, it helps organizations maintain control over their data landscape.
    • Data cataloging is listing and describing data.
    • Data classification is sorting data by sensitivity or importance.

Data Loss Prevention (DLP) Alerts

  • Purpose: Notify when sensitive information is detected or when DLP policies are violated.
  • Sources: Microsoft Purview Compliance or Microsoft Defender for Cloud Apps.
    • Deploying a DLP policy in one of them also deploys it in the other.
  • Usage:
    • Identify and investigate data loss incidents.
    • Monitor and enforce compliance with DLP policies.
    • Educate users about DLP policies and help them stay compliant.
  • Management: View and manage alerts in Microsoft Purview compliance portal or Microsoft Defender for Cloud Apps portal.
  • Features:
    • Alerts can be filtered and sorted.
    • Valuable for security operations analysts to protect sensitive information and comply with regulations.

Definition and Components

  • Sensitive Information Types: DLP policies identify and protect sensitive information by matching it to predefined or custom types, like credit card numbers, social security numbers, and health records.
  • Sensitivity Labels: Sensitivity labels classify documents for more granular protection. For instance, "Confidential" documents may have different restrictions than "Public" ones.
  • Data Loss Prevention Policies: DLP policies define the rules for protecting sensitive information, such as blocking users from sharing such data with external parties.
  • Defender for Cloud Apps File Policy: File policies monitor and protect sensitive information in cloud apps, such as alerting when a user attempts to share sensitive documents with public cloud storage.

Insider Risk Management

  • Insider Risk Management in Microsoft helps detect, investigate, and respond to potential risks from within an organization, such as data leaks or policy violations. It uses advanced analytics and machine learning to identify unusual behaviors and mitigate insider threats.
  • Example Policy: Departing employee data theft.
  • Policy Settings:
    • Privacy: Anonymize usernames.
    • Indicators: Sharing files from SharePoint Online, downloading content, copying to USB or cloud, printing documents.

Manage Insider Risk In Microsoft Purview

  • Policy Templates: Pre-defined templates for insider risk management policies, such as Departing Employee Data Theft and Data Leaks.
  • Policy Settings: Settings that apply to all policies, including privacy, indicators, monitoring windows, and intelligent detections.
  • Policy Timeframes: Review periods triggered after policy matches, based on events and activities for the insider risk management templates.
  • Intelligent Detections: Controls for file type exclusions, file volume limits, and offensive language detection sensitivity.
  • Anomaly Detections: Settings for file type exclusions and file volume limits to identify unusual behavior.
  • Offensive Language Detections: Adjusts the sensitivity of the offensive language classifier for policies using the Offensive Language in Email template.

Traditional Approaches to Identifying Insider Risks

  • Features:
    • User behavior analytics
    • Monitoring user activity
    • Data loss prevention
  • Limitations:
    • Complex deployment scenarios
    • Limited insights
    • Lack of workload integration beyond SECOPS
      • Security Operations is a collaboration between IT security and operations teams that integrates tools, processes, and technology to keep an enterprise secure while reducing risk.

Purview Provides Protection From Internal Risk

  • Real-Time Native Signals:
    • File activity
    • Communications sentiment
    • Abnormal user behaviors
    • Resignation date
  • Policy Templates: configurable and tailored for risks such as:
    • Digital IP theft
    • Confidentiality breach
    • HR violations
  • Machine Learning and Intelligence:
    • Correlate signals to identify hidden patterns and risks that traditional or manual methods might miss
  • Insider Risk Leveraged Components:
    • Microsoft Graph
      • Microsoft Graph is a unified API endpoint that provides access to a wide range of data and insights from across Microsoft 365 services. It enables integration with various Microsoft applications, such as Office 365, Azure Active Directory, and more.
    • Security services and connectors to human resources (HR) systems like SAP

Table Of Insider Risk Management Role Groups:

  • Insider Risk Management Admin:
    • Configure insider risk management features
    • Assign permissions to other users
  • Insider Risk Management Analysts:
    • Access and investigate insider risk management alerts
    • Access and investigate cases
  • Insider Risk Management Investigators:
    • Access and investigate all insider risk management alerts
    • Access and investigate all cases and notice templates

Policy Creation and Management

  1. Go to Microsoft Purview Compliance Portal.
  2. Click Insider Risk Management.
  3. Click Policies.
  4. Click Create Policy.
  5. Select Policy Template.
  6. Configure Settings.
  7. Click Create.

Forensic Evidence Management

  • Visual capturing of security-related user activities: Captures screenshots, screen recordings, and audio recordings of user activity.
  • Customizable triggers and capturing options: Allows you to specify which events should trigger capturing and what types of data should be captured.
  • User-centric policy targeting: Allows you to target specific users or groups of users for capturing.
  • Strong role-based access controls: Ensures that only authorized users can access and manage captured data.
  • Deep integration with insider risk management features: Allows you to correlate captured data with other insider risk signals to identify and investigate potential threats.

Create Insider Risk Management Notice Templates

  • Automatically email users when their actions match a policy, confirm an alert, and trigger case creation.
  • Alerts often stem from mistakes or unintentional actions.
  • Notices serve as reminders to exercise caution and include links to training resources or corporate policies.
  • Help create a documented audit trail for users who repeatedly engage in risky behaviors.
  • Notices can only be sent to the email address associated with the specific case.
  • Notice templates can be used with predefined field values or customized as needed.

Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview Standard

Differences between Audit (Standard) and Audit (Premium)

  • Audit (Standard): Basic logging capabilities, default enabled.
  • Audit (Premium): Advanced features, long-term retention, forensic investigations.
    • Audit Log Retention Policies: Define how long audit logs are kept to meet regulatory or legal requirements.
    • Forensic Investigations: Use Audit (Premium) to investigate security incidents by searching, filtering, and exporting audit log events.

Searching for Audited Activities:

  • Use the audit log search tool in the Microsoft Purview compliance portal for a unified audit log of Microsoft 365 services.
  • Exporting and Configuring Audit Logs:
    • Export search results to a CSV file.
    • Configure the tool to display specific fields and filter results.
  • Investigating Support Issues:
    • Use audit log searches to address issues with user accounts, permissions, and file access.

Microsoft Purview (Premium):

  • A cloud-based compliance solution for managing data and meeting compliance requirements.
  • Features include audit logging, data loss prevention, and eDiscovery.
    • Content Search: Search mailboxes for imported third-party data, refine results using search queries, and export the findings.
    • eDiscovery (Standard): Build on search and export functions by creating cases, controlling access to case data, and placing holds on relevant mailboxes or data.
    • eDiscovery (Premium): Expands on eDiscovery (Standard) by managing custodians, placing their data on hold, and reviewing it for detailed analysis, including theme detection and duplicate identification.

To investigate threats using audit, follow these steps:

  1. Identify the threat to investigate.
  2. Determine relevant audit logs.
  3. Search audit logs for suspicious activity.
  4. Analyze logs to identify the root cause.
  5. Take action to remediate and prevent recurrence.
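The audit log search, filter and export workflow above, together with the investigation steps, can be shown on a handful of records. The block below is an added example, not part of the course notes and not Microsoft's code: it runs over a small set of constructed audit records (the field names and the `contoso.example` users, URLs and IP addresses are assumptions chosen to resemble an audit search export), filters them by time range, operation and user, summarizes them per user and operation for the root-cause step, and exports the result to CSV.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed unified audit log records (not a real export). The column names are an
# assumption modelled on an audit search export; users, URLs and IPs are made up.
AUDIT_RECORDS = [
    {"CreationDate": "2024-05-30T08:00:00Z", "UserIds": "carol@contoso.example",
     "Operations": "FileDownloaded", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Q1-actuals.xlsx", "ClientIP": "198.51.100.7"},
    {"CreationDate": "2024-06-21T09:15:00Z", "UserIds": "alice@contoso.example",
     "Operations": "FileDownloaded", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Q2-forecast.xlsx", "ClientIP": "203.0.113.10"},
    {"CreationDate": "2024-06-21T10:02:00Z", "UserIds": "bob@contoso.example",
     "Operations": "FileAccessed", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/Q2-forecast.xlsx", "ClientIP": "203.0.113.11"},
    {"CreationDate": "2024-06-22T18:40:00Z", "UserIds": "alice@contoso.example",
     "Operations": "FileDownloaded", "Workload": "OneDrive",
     "ObjectId": "https://contoso.example/personal/alice/customer-list.csv", "ClientIP": "198.51.100.23"},
    {"CreationDate": "2024-06-22T18:45:00Z", "UserIds": "alice@contoso.example",
     "Operations": "SharingSet", "Workload": "OneDrive",
     "ObjectId": "https://contoso.example/personal/alice/customer-list.csv", "ClientIP": "198.51.100.23"},
    {"CreationDate": "2024-06-23T07:30:00Z", "UserIds": "alice@contoso.example",
     "Operations": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "ObjectId": "Office 365 Exchange Online", "ClientIP": "198.51.100.23"},
]

# Fields to show in the export (step: configure the tool to display specific fields).
FIELDS = ["CreationDate", "UserIds", "Operations", "Workload", "ObjectId", "ClientIP"]


def parse_ts(value: str) -> datetime:
    """Audit timestamps are UTC in ISO 8601 'Z' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def search_audit_log(records: list, start: str, end: str,
                     operations=None, user_ids=None) -> list:
    """Return records in [start, end) matching the optional operation and user filters,
    oldest first. start/end are ISO timestamps like the ones in the records."""
    lo, hi = parse_ts(start), parse_ts(end)
    rows = [r for r in records
            if lo <= parse_ts(r["CreationDate"]) < hi
            and (operations is None or r["Operations"] in operations)
            and (user_ids is None or r["UserIds"] in user_ids)]
    return sorted(rows, key=lambda r: r["CreationDate"])


def summarize(rows: list) -> Counter:
    """Count events per (user, operation): a quick view for the root-cause step."""
    return Counter((r["UserIds"], r["Operations"]) for r in rows)


def ips_for_user(rows: list, user: str) -> list:
    """Distinct client addresses seen for one user, to spot an unfamiliar source."""
    return sorted({r["ClientIP"] for r in rows if r["UserIds"] == user})


def export_csv(rows: list, fields=FIELDS) -> str:
    """Export the filtered rows as CSV text (step: export search results to CSV)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Investigate: which downloads and sharing changes did alice make between 21 and 24 June?
    hits = search_audit_log(AUDIT_RECORDS, "2024-06-21T00:00:00Z", "2024-06-24T00:00:00Z",
                            operations={"FileDownloaded", "SharingSet"},
                            user_ids={"alice@contoso.example"})
    print(summarize(hits))
    print(ips_for_user(hits, "alice@contoso.example"))
    print(export_csv(hits))
```

The time window is half-open (`start` inclusive, `end` exclusive) so that consecutive daily searches never double-count a record; the `ips_for_user` pivot is the kind of check an analyst runs once the suspicious operations are isolated.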

What is Content Search?

  • Content search is a tool for searching across Microsoft 365, including email, documents, and instant messaging.
  • It helps investigate threats, troubleshoot issues, and comply with regulations.

eDiscovery Location search

  • Exchange Online
  • OneDrive for Business
  • SharePoint Online
  • Microsoft Teams
  • Microsoft 365 Groups
  • Yammer teams

Content Search and eDiscovery

  • Content Search: Search for and export imported third-party data in mailboxes using queries.
  • eDiscovery (Standard): Create cases, control access, and place holds on mailboxes or data.
  • eDiscovery (Premium): Manage custodians, place their data on hold, and review it for detailed analysis, including detecting themes and duplicates.

Practical Part

Create a policy from a template policy

  1. Open the Purview portal.
  2. Go to the DLP section. It gives an overview of DLP analytics, alerts, policies, classifiers, etc.
    1. Classifiers classify data in the way DLP policies will use to detect it.
  3. Click Policies, then Create policy (the compliance admin role is needed to create a policy).
    1. The policy templates are listed here.
    2. Check each policy template against the regulations it relates to and can be used for.
    3. We need to check what information it protects and whether it meets our standards.
  4. Let's start with GDPR.
  5. Select the name and the description.
  6. Restrict the policy to be matched on some users registered inside Entra ID.
    1. The default is the full directory, i.e. all the users we have.
  7. Select the data locations to apply the policy on and the scope of users.
  8. Then follow the remaining steps …

Create a policy as custom policy

  1. Select the name and the description.
  2. Select the admin units.
  3. Select the data locations to apply the policy on.
  4. As we didn't select a template, the customization has to be done manually as an advanced DLP rule.
  5. Create a new rule.
  6. Select the name, description and conditions.
    • The confidence setting is the confidence level of the match: how sure we want to be about the detected content before this rule applies.
  7. Select the specific action to take when the policy is triggered.
  8. Select the audit action.
  9. Select the severity level used to notify the admin.
  10. Review the overview of the created rule.
  11. Select the policy mode.
    1. On, off, or simulation.
    2. Simulation means we test the policy without any actions being taken, for 14 days.
  12. Review and finish the policy.
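To make the DLP components from the "Definition and Components" section and the custom-rule steps above concrete, here is an added example (not from the course notes and not Microsoft's code) of a miniature DLP engine in Python. It models a sensitive information type as pattern + checksum + supporting keywords with a confidence score (a simplified model, an assumption about how such types behave), rules with conditions (minimum count, minimum confidence, external sharing), actions, severity, and a policy mode of on, off or simulation; the sample documents, rule names and `contoso.example` user are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample documents (not real data). 4111 1111 1111 1111 is a well-known
# Luhn-valid test number; the numbers in order-ids.txt fail the Luhn checksum.
SAMPLE_DOCS = {
    "expense-report.docx": "Card number 4111 1111 1111 1111, expiry 09/27. Please reimburse.",
    "order-ids.txt": "Order refs: 4111111111111112 and 1234567812345678.",
    "lunch-menu.txt": "Tuesday: soup and sandwiches.",
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SensitiveInfoType:
    """Simplified model (an assumption) of a sensitive information type: a pattern,
    a checksum that weeds out random digit runs, and keywords that raise confidence."""
    name: str
    pattern: re.Pattern
    checksum: Callable[[str], bool]
    keywords: tuple

    def scan(self, text: str) -> tuple:
        """Return (match_count, confidence): 85 with a supporting keyword nearby,
        65 for a checksum-valid pattern alone, (0, 0) when nothing matches."""
        hits = [m.group() for m in self.pattern.finditer(text)
                if self.checksum(re.sub(r"[ -]", "", m.group()))]
        if not hits:
            return 0, 0
        keyword_seen = any(k in text.lower() for k in self.keywords)
        return len(hits), 85 if keyword_seen else 65


CREDIT_CARD = SensitiveInfoType(
    name="Credit Card Number",
    pattern=re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
    checksum=luhn_ok,
    keywords=("card number", "credit card", "expiry", "cvv"),
)


@dataclass(frozen=True)
class DlpRule:
    name: str
    sit: SensitiveInfoType
    min_count: int
    min_confidence: int
    external_share_only: bool   # condition: content is shared with people outside the org
    severity: str               # "low", "medium" or "high": drives the admin notification
    actions: tuple              # e.g. ("block_external_sharing", "notify_user")


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    rules: tuple
    mode: str                                # "on", "simulation" or "off"
    scope_users: Optional[frozenset] = None  # None = full directory (the default)


# Hypothetical rules: block confident matches shared externally; only remind the user otherwise.
RULES = (
    DlpRule("cc-external-block", CREDIT_CARD, 1, 85, True, "high",
            ("block_external_sharing", "notify_user")),
    DlpRule("cc-any-notify", CREDIT_CARD, 1, 65, False, "low", ("notify_user",)),
)
SIMULATED = DlpPolicy("Finance DLP (simulation)", RULES, "simulation")
ENFORCED = DlpPolicy("Finance DLP", RULES, "on")


def evaluate(policy: DlpPolicy, doc_name: str, text: str, user: str,
             shared_externally: bool) -> dict:
    """Evaluate one document against a policy and return its audit record."""
    record = {"doc": doc_name, "user": user, "policy": policy.name, "mode": policy.mode,
              "matched_rules": [], "severity": None,
              "actions_applied": [], "actions_simulated": []}
    out_of_scope = policy.scope_users is not None and user not in policy.scope_users
    if policy.mode == "off" or out_of_scope:
        return record
    for rule in policy.rules:
        if rule.external_share_only and not shared_externally:
            continue
        count, confidence = rule.sit.scan(text)
        if count < rule.min_count or confidence < rule.min_confidence:
            continue
        record["matched_rules"].append(rule.name)
        if record["severity"] is None or SEVERITY_RANK[rule.severity] > SEVERITY_RANK[record["severity"]]:
            record["severity"] = rule.severity
        # Simulation mode records what would have happened but applies nothing.
        bucket = "actions_applied" if policy.mode == "on" else "actions_simulated"
        for action in rule.actions:
            if action not in record[bucket]:
                record[bucket].append(action)
    return record


def run_demo(policy: DlpPolicy, user: str = "alice@contoso.example") -> list:
    """Evaluate every sample document as if the user shared it externally."""
    return [evaluate(policy, name, text, user, True) for name, text in SAMPLE_DOCS.items()]


if __name__ == "__main__":
    for rec in run_demo(SIMULATED) + run_demo(ENFORCED):
        print(rec)
```

Running the same rules first in simulation and then enforced shows the point of the 14-day simulation period: the matches and the actions that would fire are visible in the audit records before any user is blocked, which is where false positives (a digit run that happens to pass the checksum but has no supporting keyword, for instance) get tuned out by raising `min_confidence`.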

Insider Risk Management

  1. Select Insider Risk Management from the portal.
    1. It shows an overview and recommended actions to follow.
  2. Select the name and description.
  3. Select the users.
  4. Exclude users.
  5. We can set some priorities and how to apply this policy.
  6. Select the priority depending on the sensitivity labels.
  7. Select which alerts we want to receive, depending on the whole policy, sensitivity labels, etc.
  8. Select what action needs to be performed in order to trigger the policy.
  9. Select the intended IOCs.
  10. At the end we have the IOC threshold: how many times the policy must be triggered in order to generate an alert or notify about a risky user.
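The policy settings from the Insider Risk Management section (privacy: anonymize usernames; indicators such as sharing from SharePoint, downloading, copying to USB or cloud, printing; a triggering event such as the resignation date from an HR connector) and the threshold step above come together in the following added example. It is not from the course notes or Microsoft's code: it scores a constructed activity log for a simplified "departing employee" policy (the 30-day window before the resignation date and the severity rule are assumptions), and emits alerts with pseudonymized usernames when the privacy setting is on.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Constructed activity events (not real telemetry): (timestamp, user, indicator).
EVENTS = [
    (datetime(2024, 3, 1, 10, 0), "alice@contoso.example", "SharePointFileShared"),  # outside window
    (datetime(2024, 6, 20, 9, 30), "alice@contoso.example", "SharePointFileShared"),
    (datetime(2024, 6, 22, 14, 5), "alice@contoso.example", "FileDownloaded"),
    (datetime(2024, 6, 25, 17, 45), "alice@contoso.example", "CopiedToUsb"),
    (datetime(2024, 6, 26, 8, 10), "alice@contoso.example", "DocumentPrinted"),
    (datetime(2024, 6, 26, 8, 15), "alice@contoso.example", "EmailRead"),  # not a policy indicator
    (datetime(2024, 6, 21, 11, 0), "bob@contoso.example", "FileDownloaded"),
    (datetime(2024, 6, 23, 11, 0), "bob@contoso.example", "CopiedToUsb"),
    (datetime(2024, 6, 24, 11, 0), "bob@contoso.example", "CopiedToCloud"),
    (datetime(2024, 6, 25, 11, 0), "bob@contoso.example", "DocumentPrinted"),
    (datetime(2024, 7, 10, 16, 0), "carol@contoso.example", "FileDownloaded"),
]

# Constructed HR signal: resignation dates, the triggering event of the template.
# bob has no resignation date, so his activity is out of scope for this policy.
RESIGNATIONS = {
    "alice@contoso.example": datetime(2024, 6, 30),
    "carol@contoso.example": datetime(2024, 7, 15),
}


@dataclass(frozen=True)
class InsiderRiskPolicy:
    name: str
    indicators: frozenset
    threshold: int          # indicator events needed before an alert is generated
    window: timedelta       # activity window before the resignation date that is scored
    anonymize: bool         # privacy setting: show pseudonyms instead of usernames


DEPARTING_EMPLOYEE = InsiderRiskPolicy(
    name="Departing employee data theft",
    indicators=frozenset({"SharePointFileShared", "FileDownloaded", "CopiedToUsb",
                          "CopiedToCloud", "DocumentPrinted"}),
    threshold=3,
    window=timedelta(days=30),
    anonymize=True,
)
# Same policy with the privacy setting turned off (for investigators who may see names).
UNMASKED = replace(DEPARTING_EMPLOYEE, anonymize=False)


def pseudonym(user: str) -> str:
    """Stable pseudonym: an analyst can follow one user across alerts without seeing the name."""
    return "ANON-" + hashlib.sha256(user.encode()).hexdigest()[:8].upper()


def generate_alerts(policy: InsiderRiskPolicy, events: list, resignations: dict) -> list:
    """Count each departing user's indicator events inside the window and raise one
    alert per user whose count reaches the policy threshold."""
    alerts = []
    for user, leave_date in resignations.items():
        start = leave_date - policy.window
        counts = Counter(ind for ts, u, ind in events
                         if u == user and ind in policy.indicators and start <= ts <= leave_date)
        total = sum(counts.values())
        if total < policy.threshold:
            continue
        alerts.append({
            "policy": policy.name,
            "user": pseudonym(user) if policy.anonymize else user,
            "event_count": total,
            "indicators": dict(counts),
            # Assumed severity rule: double the threshold or more is high, otherwise medium.
            "severity": "high" if total >= 2 * policy.threshold else "medium",
            "window": (start.date().isoformat(), leave_date.date().isoformat()),
        })
    return alerts


if __name__ == "__main__":
    for alert in generate_alerts(DEPARTING_EMPLOYEE, EVENTS, RESIGNATIONS):
        print(alert)
```

Only alice produces an alert: bob has more indicator events but no triggering event, carol is in scope but below the threshold, and alice's March event is outside the window. That is the mechanism the threshold and window settings give the analyst to keep noise down without switching indicators off.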

Information Protection

  1. We select the sensitivity labels in order to classify the data, by the user or automatically.
  2. Create a label, with its related name, description and priority.
  3. Define what it covers as the scope.
  4. Select the protection settings.
  5. Select the permissions and when they expire.
  6. Follow the remaining steps …
  7. How it shows: the user scope, with the related information type and location.

Classifiers

  1. Classifiers automatically categorize and tag data based on its content and context, helping to organize and identify sensitive information. A classifier has to be trained on sample data (using ML) in order to recognize such data later.
  2. Policies, on the other hand, enforce data governance rules like retention and access controls, ensuring proper data management and compliance with regulations. Policies use the classifiers to find the matching data.
