Want to catch a ghost?

You won't need an EMF for this

If we are after unauthorized users that might be lurking in our O365 tenants, here are 5 links that can help us gain visibility into the different layers of our infrastructure where they might hide. The buttons below take you straight to the corresponding view in your own tenant, completely private from TargetProof. We recommend building a playbook for SecOps that makes these routines standard operating procedure (SOP).

Unauthorized User Playbook

Step 1: Review Azure AD Users

Access your Azure AD Users page and review the list of users for any accounts that have been blocked or deleted due to suspicious activity.

Review AAD Users
  • Sign in to the Azure portal with an account that has the Global administrator or Security administrator role.
  • In the Azure AD blade, select Users.
  • Review the list of users, and check for any accounts that have been blocked or deleted due to suspicious activity.

Step 2: Review Azure AD Identity Protection

Access Azure AD Identity Protection and review alerts for any suspicious sign-ins or other security issues.

Review AAD Identity Protection
  • Sign in to the Azure portal with an account that has the Global administrator or Security administrator role.
  • Go to Azure AD Identity Protection.
  • Review the alerts and investigate any suspicious sign-ins or other security issues.

Step 3: Review Azure AD Conditional Access

Access Azure AD Conditional Access and review the policies to ensure they are properly configured to restrict access to Office 365 apps and services based on certain conditions.

Review Conditional Access Policies
  • Sign in to the Azure portal with an account that has the Global administrator or Security administrator role.
  • Go to Azure AD Conditional Access.
  • Review the policies and check that they are properly configured to restrict access to Office 365 apps and services based on certain conditions, such as the location or device of the user.

Step 4: Review Azure AD Audit Logs

Access Azure AD Audit Logs and review the activities performed by users in your tenant for any suspicious activity.

Review AAD Audit Logs
  • Sign in to the Azure portal with an account that has the Global administrator or Security administrator role.
  • Go to Azure AD Audit Logs.
  • Review the activities performed by users in your tenant and detect any suspicious activity.

Step 5: Review Azure ATP

Access Azure ATP and review the alerts for any potential attack and take necessary actions like blocking the IP or disabling the user.

Review Azure ATP
  • Sign in to the Azure portal with an account that has the Global administrator or Security administrator role.
  • Go to Azure ATP.
  • Review the alerts, investigate any potential attack, and take necessary actions like blocking the IP or disabling the user.
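
To make the Step 4 audit-log review repeatable, the following added example (not TargetProof's code) triages exported audit records offline. It assumes records shaped like Microsoft Graph `directoryAudit` objects; the watchlist, the `triage` function, and the sample accounts are illustrative assumptions.

```python
import json

# Assumption: a starting watchlist of directory changes that create or widen
# access. Field names follow the Microsoft Graph directoryAudit resource.
WATCHED = {"Add user", "Add member to role", "Consent to application",
           "Add service principal credentials"}

def triage(records, known_admins):
    """Return successful watched events not initiated by a known admin."""
    known = {a.lower() for a in known_admins}
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") not in WATCHED:
            continue
        if rec.get("result") != "success":
            continue  # failed attempts are left for a separate review
        by = rec.get("initiatedBy") or {}
        actor = ((by.get("user") or {}).get("userPrincipalName")
                 or (by.get("app") or {}).get("displayName") or "unknown")
        if actor.lower() in known:
            continue
        targets = [t.get("userPrincipalName") or t.get("displayName") or "?"
                   for t in rec.get("targetResources") or []]
        hits.append({"time": rec.get("activityDateTime", ""),
                     "activity": rec["activityDisplayName"],
                     "actor": actor, "targets": targets})
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample records (not real tenant data).
SAMPLE = json.loads("""[
 {"activityDateTime": "2024-01-10T02:16:00Z", "activityDisplayName": "Add member to role",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "temp.helpdesk@contoso.example"}},
  "targetResources": [{"userPrincipalName": "svc-backup2@contoso.example"}]},
 {"activityDateTime": "2024-01-10T02:14:00Z", "activityDisplayName": "Add user",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "temp.helpdesk@contoso.example"}},
  "targetResources": [{"userPrincipalName": "svc-backup2@contoso.example"}]},
 {"activityDateTime": "2024-01-09T14:00:00Z", "activityDisplayName": "Add user",
  "result": "success", "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"userPrincipalName": "new.hire@contoso.example"}]},
 {"activityDateTime": "2024-01-10T03:00:00Z", "activityDisplayName": "Consent to application",
  "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
  "targetResources": [{"displayName": "Mail Sync Helper"}]}
]""")

if __name__ == "__main__":
    for hit in triage(SAMPLE, ["Admin@contoso.example"]):
        print(hit["time"], hit["activity"], hit["actor"], "->", ", ".join(hit["targets"]))
```

An account that is created and then added to a role minutes later by a non-admin initiator, as in the constructed sample, is the kind of sequence to cross-check against the user list from Step 1.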
About TargetProof

(770) 312-6613
info@targetproof.com
Atlanta, GA


Founded 2012