Information Security

 We recently switched from using Microsoft's built-in application AllowListing technology Applocker to a 3rd party product named Airlock. The reason for switching was due to a change Microsoft made in Intune that limited the amount of XML which could be posted for the policy config. We couldn't get around it and didn't want to switch back to using Group Policy to manage Applocker so we made the switch. We've been very pleased with the switch for several reasons which include ease of management and speed of applying policy changes. We didn't like having to monitor the GUI for blocked executables and wanted to be able to quickly allow a blocked executable from our phones without having to log into the Airlock console. We ended up creating a nice solution using a combination of the following: Airlock Restful API Syslog Collector Azure Sentinel SIEM Azure Sentinel Syslog Connector Azure Sentinel Playbook/Logic App Airlock Server is configured to export Syslog events to

I'm putting this out there because it took me some time to figure out and at the time I couldn't find any documentation on how to use the Graph API to post a mention to a Teams channel: GET Team ID: https://graph.microsoft.com/beta/me/joinedTeams GET Channel ID: https://graph.microsoft.com/beta/teams/{team-id}/channels GET User ID: https://graph.microsoft.com/v1.0/me/people/?$search="Firstname Lastname" POST https://graph.microsoft.com/beta/teams{Team ID}/channels/{Channel ID}/messages (Include the BODY of the POST as below) Minimum JSON needed for body of the POST: {   "body": {     "contentType": "html",     "content": "<at id=\"0\">Firstname Lastname</at>Boo"   },   "attachments": [],   "mentions": [     {       "id": 0,       "mentionText": "Firstname Lastname",       "mentioned": {         "application": null,         "

We use the built-in Windows VPN client to provide access to legacy applications that don't meet the security or usability requirements to be exposed to the internet. One of those applications just didn't work well over a VPN for various reasons but worked great over the internet. The application's network traffic was encrypted but the authentication was only username/password so just publishing it on the internet wasn't a good enough solution. Allowing access to the resource over the internet from a specific IP address would meet the security requirements of the application but keeping up with manually adding everyone's home IP address to the Azure Network Security Group (NSG) would be impossible. My solution in this case was to use a combination of the following resources to automate the process of adding a user's IP address to the NSG on a temporary basis: Microsoft Power Automation (Flow) Azure Automation Accounts Powershell Microsoft Graph API Si

I wanted an easy way to keep track of changes made to our NSGs in Azure and through a combination of a few offerings in Azure I settled on what I feel is a pretty good solution. The runbook is on a schedule to run every day and performs the following: Get the current configuration of the Network Security Group (NSG) Push the current configuration of the NSG to a DevOps repository Compare the current configuration against the previous configuration If there are any changes, send an email Resources needed: Azure Automation Runbook Azure DevOps license (Basic Plan for access to use Repos) Powershell Azure Keyvault (for storing the DevOps API key) Runbook code:

I wanted to try to prevent someone from bringing in an unapproved device onto our local network by simply plugging it into an Ethernet jack and pulling an IP address using DHCP. Microsoft's DHCP server service has a feature named DHCP Filters  included with the Windows Server DHCP Server service which allows for MAC address white/black listing. I was able to use a combination of various Microsoft and Azure features to automate the process of approving and adding MAC addresses to our whitelist. Below is an explanation of how I was able to achieve this. Resources needed: Azure Automation Hybrid Worker agent installed on DHCP server Azure Automation Runbook with a webhook to start it Microsoft Power Automation Flow (formerly Microsoft Flow) Powershell Windows Task Scheduler Microsoft Office 365 Outlook and SharePoint The first step is to configure your Windows Server DHCP service scope so that IP addresses are only provided to computers with MAC addresses in the Allow List.

We've always struggled with installers that create temporary exe files in various locations alongside Applocker. Sometimes we're able to grab a copy of the temporary file and whitelist it so the installation can continue but other times the installer bombs out too quickly and we just can't get the file. One solution is to whitelist the %OSDRIVE%\USERS\TEMP\APPDATA\LOCAL\TEMP directory but for security that's a terrible idea. I created a process which I'd like to share that uses Microsoft Power Automation (Flow), Azure Automation, and the Microsoft Graph API to achieve the following: Admin clicks a Flow button on their phone The Flow button takes user input in the form of Active Directory username (ex. rellington) and passes it to a webhook to an Azure Automation job Azure Automation job starts which removes the user from the Applocker enforced Active Directory Security Group (Applocker policy is enforced using Intune) Azure Automation job forces an Intune s