Office 365 – End to End Security – Can you believe We Have 198 Use Case for SOC Monitoring


We are in the cloud era, and everything is moving to the cloud. But do you really look into all the settings before you buy, especially the security services behind the cloud?

Most of the cloud service vendors, including Amazon, Google, IBM and Azure, give you complete cloud services, but do they come with security enhanced by default? The answer is NO.

Either you purchase the security solution separately, or you deploy security solutions yourself to protect the cloud you have purchased. Given that, does Office 365 give you complete security for your email?

I would say the answer is YES. But if you haven't tuned your security settings, consider yourself already compromised. Before that happens, let's look at the Office 365 settings you should know about and should be monitoring.

Microsoft Office 365 – Plans and subscriptions available for customers:

Check what you have subscribed to. Make sure you are using Office 365 Enterprise, which has a lot of features, including:

| Feature | ATP Plan 1 | ATP Plan 2 | Office 365 Enterprise E5 |
|---|---|---|---|
| Safe Attachments | Yes | Yes | Yes |
| Safe Links | Yes | Yes | Yes |
| Anti-Phishing Policies | Yes | Yes | Yes |
| ATP for SharePoint, | Yes | Yes | Yes |
| Safe Links in Teams | Yes | Yes | Yes |
| Real-time reports | Yes | Yes | Yes |
| Threat Trackers | No | Yes | Yes |
| Explorer (advanced threat investigation) | No | Yes | Yes |
| Automated investigation and response | No | Yes | Yes |
| Attack Simulator | No | Yes | Yes |

What can be monitored when you move to Office 365?

  - File and page activities
  - Folder activities
  - Sharing and access request activities
  - Synchronization activities
  - Site administration activities
  - Exchange mailbox activities
  - Sway activities
  - User administration activities
  - Azure administration activities
  - Application administration activities
  - Role administration activities
  - Directory administration activities
  - eDiscovery activities
  - Power BI activities
  - Microsoft Workplace Analytics
  - Microsoft Teams activities
  - Yammer activities
  - Microsoft Flow activities
  - Microsoft PowerApps activities
  - Microsoft Stream activities
  - Exchange admin activities

Can you believe we can create 198 different use cases in your SIEM to monitor your complete Office 365 estate? All the use cases can be customized to your organization's environment. Still can't believe it? Click here to get the complete use-case list for your organization.

If you have already migrated to Office 365, have you ever come across an employee email account that got compromised? Do you know how to identify the behaviours of a compromised account?

10 signs which confirm your Office 365 email account is compromised:

  1. Suspicious activity, such as missing or deleted emails from a particular account.
  2. Other users receive emails from the compromised account without a corresponding email in the sender's Sent Items folder.
  3. The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.
  4. The user's display name has been changed in the Global Address List.
  5. The user's mailbox is blocked from sending email.
  6. The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as "I'm stuck in London, send money."
  7. Unusual profile changes, such as the name, telephone number or postal code being updated.
  8. Unusual credential changes, such as multiple password changes being required.
  9. Mail forwarding was recently added, and a number of emails have been sent to internal or external domains.
  10. An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
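Signs 1, 3 and 9 above leave traces in the Office 365 unified audit log, which is where a SIEM use case would catch them. The following is an added example, not code from the original post: it scans a batch of Exchange admin audit records for inbox rules that forward externally or hide mail in the Notes, Junk Email or RSS Subscriptions folders, for mailbox-level forwarding changes, and for bulk deletions. The record shape (Operation, UserId, Parameters as Name/Value pairs) follows the Exchange admin audit format as I understand it, the threshold of 50 deletions and the internal domain list are assumptions, and the sample records are constructed.

```python
"""Flag unified-audit-log events that match the compromised-mailbox signs above.

Added example, not code from the original post. It assumes Exchange admin
audit records in the shape Office 365 exports them (Operation, UserId, ClientIP
and a Parameters list of Name/Value pairs). SAMPLE_RECORDS below are constructed
for illustration and are not real log data.
"""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Folders the post names as typical hiding places for attacker-created rules.
HIDING_FOLDERS = {"notes", "junk email", "rss subscriptions"}

# Inbox-rule parameters that send mail somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def param(record, name):
    """Value of a named entry in the record's Parameters list, or None if absent."""
    for entry in record.get("Parameters", []):
        if entry.get("Name") == name:
            return entry.get("Value")
    return None


def external_addresses(value, internal_domains):
    """E-mail addresses found in a parameter value whose domain is not one of ours."""
    if not value:
        return []
    return [a for a in EMAIL_RE.findall(value)
            if a.split("@")[1].lower() not in internal_domains]


def analyze(records, internal_domains, delete_threshold=50):
    """Return (user, operation, reason) findings for signs 1, 3 and 9 of the list above."""
    internal_domains = {d.lower() for d in internal_domains}
    findings, deletes = [], Counter()
    for rec in records:
        op, user = rec.get("Operation", ""), rec.get("UserId", "?")
        if op in ("New-InboxRule", "Set-InboxRule"):
            for name in FORWARD_PARAMS:
                ext = external_addresses(param(rec, name), internal_domains)
                if ext:
                    findings.append((user, op, f"rule forwards to external: {', '.join(ext)}"))
            folder = (param(rec, "MoveToFolder") or "").split("\\")[-1].strip().lower()
            if folder in HIDING_FOLDERS:
                findings.append((user, op, f"rule hides mail in '{folder}'"))
            if str(param(rec, "DeleteMessage")).lower() == "true":
                findings.append((user, op, "rule silently deletes messages"))
        elif op == "Set-Mailbox":
            for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
                ext = external_addresses(param(rec, name), internal_domains)
                if ext:
                    findings.append((user, op, f"mailbox forwarding set to external: {', '.join(ext)}"))
        elif op in ("HardDelete", "SoftDelete"):
            deletes[user] += 1  # sign 1: unexplained missing or deleted mail
    for user, count in deletes.items():
        if count >= delete_threshold:
            findings.append((user, "HardDelete/SoftDelete", f"{count} deletions in this batch"))
    return findings


# Constructed sample: one attacker-style rule, one benign rule, a forwarding change and bulk deletes.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"mail" [SMTP:drop@attacker.example]'},
                    {"Name": "MoveToFolder", "Value": "\\RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Name", "Value": "Team reports"},
                    {"Name": "ForwardTo", "Value": "reports@corp.example"},
                    {"Name": "MoveToFolder", "Value": "\\Reports"}]},
    {"Operation": "Set-Mailbox", "UserId": "alice@corp.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
] + [{"Operation": "HardDelete", "UserId": "alice@corp.example"} for _ in range(60)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS, ["corp.example"]):
        print(" | ".join(finding))
```

Bob's rule forwards to an internal address and files into an ordinary folder, so it produces no finding; Alice's rule, her mailbox forwarding and her 60 deletions each do. In a SIEM the same logic would run per user over a time window rather than over one batch, and the ClientIP field is worth correlating against the user's usual sign-in locations.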

What containment steps should you follow when your Office 365 email account is compromised?

  1. Disable the email account and user account immediately in AD and Office 365.
  2. Reset the password of the impacted user account immediately, and remove the user from administrative privileges in any system associated with the email account.
  3. Check the rules and email-forwarding addresses on the suspicious account; export and save them all, then delete them from the mailbox.
  4. If the user has OWA / mobile sync enabled for smartphones, laptops or any other devices in Office 365, remove the sync and revoke the device authorization.
  5. Check the account for suspicious contacts or a large number of saved contacts outside the local domain. Export and save them all, then delete them from the mailbox.
  6. Verify the Junk Email options in the Outlook client to confirm the "Safe Senders" and "Safe Recipients" lists. If any other domain is present, remove it from the senders list.
  7. If the changes or compromise are suspected to have been performed from Microsoft's side, make sure the account is enabled with the "Customer Lockbox" option to prevent Microsoft support from accessing that particular account or the entire Office 365 tenant.
  8. Check the user's Outlook client for any suspicious rules enabled to forward or receive specific emails to or from user accounts in external domains.
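Steps 3, 5 and 6 share a pattern: export and save first, then decide what to remove. The following is an added example, not the post's own code: it takes an exported snapshot of the mailbox's rules, forwarding settings, safe-sender list and contacts, serialises it with a timestamp for the evidence file, and returns the items to remove with reasons. The export's field names (ForwardTo, MoveToFolder, ForwardingSmtpAddress, TrustedSendersAndDomains, and a Contacts list with EmailAddress) are assumptions modelled on Exchange Online cmdlet output, and the sample export is constructed.

```python
"""Triage an exported mailbox before clean-up (containment steps 3, 5 and 6 above).

Added example, not code from the original post. It assumes an export dict whose
field names follow Exchange Online's Get-InboxRule, Get-Mailbox and
Get-MailboxJunkEmailConfiguration output, plus a Contacts list (all assumed;
adjust to your export format). The export is serialized first so evidence
survives the deletions, then the items to remove are returned with reasons.
SAMPLE_EXPORT is constructed.
"""
import json
import re
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
HIDING_FOLDERS = {"notes", "junk email", "rss subscriptions"}


def external(values, local_domains):
    """Addresses in a string or list of strings whose domain is not one of ours."""
    if not values:
        return []
    text = values if isinstance(values, str) else " ".join(values)
    return [a for a in EMAIL_RE.findall(text) if a.split("@")[1].lower() not in local_domains]


def serialize_export(export):
    """Steps 3 and 5: the untouched export, timestamped, ready to save before anything is deleted."""
    return json.dumps({"saved_at": datetime.now(timezone.utc).isoformat(), "export": export}, indent=2)


def triage(export, local_domains):
    """What to remove: suspicious rules, mailbox forwarding, foreign safe-senders and contacts."""
    local_domains = {d.lower() for d in local_domains}
    result = {"remove_rules": [], "clear_forwarding": [], "remove_safe_senders": [], "remove_contacts": []}

    for rule in export.get("InboxRules", []):
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext = external(rule.get(key), local_domains)
            if ext:
                reasons.append(f"{key} -> {', '.join(ext)}")
        folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
        if folder in HIDING_FOLDERS:
            reasons.append(f"moves mail to {folder}")
        if rule.get("DeleteMessage"):
            reasons.append("deletes messages")
        if reasons:
            result["remove_rules"].append((rule.get("Name", "<unnamed>"), "; ".join(reasons)))

    mailbox = export.get("Mailbox", {})
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        if mailbox.get(key):  # step 3: any forwarding on a compromised mailbox comes off
            result["clear_forwarding"].append(f"{key} = {mailbox[key]}")

    # Step 6: safe-sender entries may be bare domains or full addresses; keep only ours.
    junk = export.get("JunkEmailConfiguration", {})
    for entry in junk.get("TrustedSendersAndDomains", []):
        if entry.split("@")[-1].lower() not in local_domains:
            result["remove_safe_senders"].append(entry)

    # Step 5: contacts saved outside the local domain (assumed field name EmailAddress).
    for contact in export.get("Contacts", []):
        if external(contact.get("EmailAddress"), local_domains):
            result["remove_contacts"].append(contact.get("EmailAddress"))
    return result


# Constructed sample export for a mailbox suspected to be compromised.
SAMPLE_EXPORT = {
    "Mailbox": {"ForwardingSmtpAddress": "smtp:drop@attacker.example", "DeliverToMailboxAndForward": True},
    "InboxRules": [
        {"Name": "Invoices", "Enabled": True, "MoveToFolder": "\\Finance"},
        {"Name": "..", "Enabled": True, "ForwardTo": ['"x" [SMTP:drop@attacker.example]'],
         "MoveToFolder": "\\RSS Subscriptions", "DeleteMessage": False},
        {"Name": "cleanup", "Enabled": True, "DeleteMessage": True},
    ],
    "JunkEmailConfiguration": {"TrustedSendersAndDomains": ["attacker.example", "hr@corp.example"]},
    "Contacts": [{"DisplayName": "IT Support", "EmailAddress": "support@attacker.example"},
                 {"DisplayName": "HR", "EmailAddress": "hr@corp.example"}],
}

if __name__ == "__main__":
    with open("mailbox-export.json", "w", encoding="utf-8") as fh:
        fh.write(serialize_export(SAMPLE_EXPORT))  # save the evidence first
    for key, items in triage(SAMPLE_EXPORT, ["corp.example"]).items():
        print(key, items)
```

The "Invoices" rule is left alone because it neither forwards nor hides mail; the two-dot rule and the delete-everything rule, the external forwarding address, the foreign safe-sender domain and the foreign contact are all returned for removal. Keep the serialized export with the incident record, since once the rules are deleted the mailbox no longer shows what the attacker configured.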

All the stages of security incident management, from Preparation and Identification through Containment, Mitigation and Lessons Learned, can be managed effectively with what Office 365 provides. Do you have enough skilled resources to enable Office 365 monitoring in your environment?

If your answer is NO, please click here to fill in the form for our experts to visit your environment and enrich its security. Let us in and let you win!

Cloud is Better, But make sure you have guarded and shielded well.

May 5th, 2019 | Tips

About the Author:

FirstHackersNews- Identifies Security