Configuration

DLP for Bitcoin Addresses

One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you’ve got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage. … [ Continue reading ]

Scripting

Creating a Teams “New Channel” notification

One of my customers recently asked for a solution to checking a particular Microsoft Team multiple times a day for new channel additions.  In their organization, someone is responsible for creating a new channel every time a new item for review is published, and then all of the communications, files, and data related to that item are stored in that particular time.… [ Continue reading ]

Information

Update to Get-SCCDataExport

I’ve been tinkering around a little with this, hoping to bring some better updates (so maybe you can see who is generating your data exports and go smack them around).

I’ve got a few updated fields added to the tool, so be sure to go check it out!… [ Continue reading ]

Information

WhoAmI for Office 365

If you’ve ever struggled to find out who your current session is logged in as when you connected to Office 365, here’s a tidbit to shed some light on it:

(Get-PSSession |?{$_.ComputerName -like "*outlook.com"})[0].RunSpace.ConnectionInfo.Credential.UserName

You can also use RunSpace.… [ Continue reading ]

Information

Calculating your Daily Export for the Security & Compliance Center

One of the lesser-known boundaries of Office 365’s Security & Compliance Center is that we only allow 2TB per day export volume.  When we talk about exports, we’re talking about the idea of taking content that has been identified via a content search mechanism (content search, eDiscovery case search, etc) and then staged for download.… [ Continue reading ]

Scripting

Searching the Office 365 Unified Audit Log for Specific Activities, Sites, and Users

Last week, I was working with a large government customer in a consolidated tenant (read: all agencies in a single, centrally-managed tenant).  One of the questions that was presented was how to search and filter the audit log for entries relating to the following categories:

  • Files shared by an agency or department’s users
  • Files accessed in an agency’s SharePoint site collection

To that end, I bashed together this script. … [ Continue reading ]

Scripting

Iterating hash values to a log file

While working on my last script, I was trying to figure out the best way to write the values stored in a hash table for the purposes of splatting out to a log file.

Consider:

$parameters = @{}
$parameters.Add("Parameter1","Value1")
$parameters.Add("Parameter2","Value2")
$parameters.Add("Parameter3","Value3")

I was using a modified version of my logging function, which is basically a wrapper for Add-Content with parameters for log detail/types, colors, and output display.… [ Continue reading ]

Configuration

Migrating from Exchange Online eDiscovery and In-Place Hold to the Security & Compliance Center

One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center.  Our direction has been to either let them age out or manually recreate them in the Security & Compliance Center.… [ Continue reading ]

Scripting

Checking for compromised email accounts

UPDATE: I have posted the script to check against haveibeenpwned.com at the bottom in the TechNet Gallery. https://gallery.technet.microsoft.com/PwnCheck-HaveIBeenPwned-d65cf5f1 

Yesterday, I participated in an escalation for a customer where one or more users had been successfully phished and had given up their credentials. … [ Continue reading ]

Configuration

Alerting on OneDrive Deleted Item Activity

I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments.  Suppose this scenario exists:

  • Users are site collection administrators over their OneDrive for Business sites (default configuration)
  • Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
  • No retention policies are in effect for the target data (as all the data we’re concerned with is technically older than 90 day creation or last modified date)
  • Malicious or disgruntled user deletes OneDrive data
    • Deletes data in OneDrive
    • Empties recycle bin
    • Empties second stage recycle bin

At this point, any data older than 90 days is lost.… [ Continue reading ]