One of the issues that some of my larger customers have been dealing with is the lack of tooling and planning around moving legacy Exchange Online In-Place eDiscovery & Holds to the new(ish) Security & Compliance Center. Our direction has been to either let them age out or manually recreate them in the Security & Compliance Center.…
Yesterday, I participated in an escalation for a customer where one or more users had been successfully phished and had given up their credentials. While we were walking through some remediation steps, we started a discussion about data exfiltration attempts.
Many moons ago, I put together a few scripts that can be used to check mailbox forwarding and transport rule forwarding configurations, specifically looking for actions that send mail (forward, redirect, bcc) to recipients outside of the domains verified in your tenant. …
I had a customer recently raise some questions about how to provide further enhancements and protections around their OneDrive for Business deployments. Suppose this scenario exists:
- Users are site collection administrators over their OneDrive for Business sites (default configuration)
- Retention policies are configured, but may only be configured to provide a very minimal amount of data protection (such as 90 days from creation or last modification of data) due to organizational legal compliance
- No retention policies are in effect for the target data (as all the data we’re concerned with is technically older than the 90-day creation or last-modified window)
- Malicious or disgruntled user deletes OneDrive data
  - Deletes data in OneDrive
  - Empties recycle bin
  - Empties second stage recycle bin
At this point, any data older than 90 days is lost.…
You can do most of the work of creating a data classification here, although if you want to use any of our built-in functions (such as the credit card Luhn check), you’ll need to export/modify/import, use the sensitive information type package that I created (referenced earlier), or use one of our native DLP classifications.…
Over the course of your Office 365 administration duties, you may be called to locate data matching particular data patterns (such as matching a particular regular expression or a Sensitive Information Type), either for eDiscovery or data classification purposes. The good news is you can actually do that. …
So, this is an entry that has been long in the making. I have had several customers over the last few years give feedback about our Data Loss Prevention’s (DLP) matching requirements, mostly around how they require too much corroborating evidence (in the form of patterns or keywords) to meet their organization’s very restrictive policies.…
While working with a customer last week, it came to my attention that the Get-UserHoldPolicies script I had put together to enumerate retention policies and eDiscovery cases that put a hold on content wasn’t displaying policies that were global. The types of policies I checked for were enumerated in a user’s InPlaceHolds mailbox property, but apparently, that field is populated only if a Security & Compliance retention policy explicitly specifies the mailbox.…
In my previous post, I discussed using the new Attack Simulator for crafting phishing campaigns against your users. If you haven’t tried it out yet, I’d heartily recommend it. It’s more fun than a barrel of monkeys.
For this post, we’re going to shift into slightly more traditional attack strategies. …
Over the last few weeks, we’ve released some great new features for Office 365 Advanced Threat Protection users. The Attack Simulator has three core components, each of which I’ll cover in a series:
- Spear Phishing (Credential Harvest)
- Brute Force Password (Dictionary Attack)
- Password Spray Attack
For this post, I want to focus on the Spear Phishing campaign.…
Picking up where I left off on part 1 of this post, I wanted to go into what it would take to refine some roles for managing eDiscovery for larger organizations.
In this scenario, we’re going to:
- Remove users from any existing eDiscovery roles or groups
- Create a security group to hold users that will perform eDiscovery searches
- Create a custom role group that has the appropriate eDiscovery roles and add the security group as a member
If you didn’t read the previous blog post on this topic, I’d encourage you to go back and do so, since I’m going to continue using the same users and compliance filters.…
Diving deeper into the Security & Compliance Center, I decided to embark on trying to scope eDiscovery permissions to meet a certain set of requirements that we see when multiple business units want or need to maintain independence from a content search and discovery perspective.…
UPDATE: This tool has been updated to include implicit policies created in the Security and Compliance Center.
Last week, I was asked by a few people for information on displaying holds applied to mailboxes.
Holds come in several varieties:
- In-Place Holds created via the Exchange Admin Center or eDiscovery case
- Retention Policies (either as Retention or Label policies)
- Litigation Hold set as a mailbox property
- Legacy Exchange MRM policies
When viewed programmatically from PowerShell, you’ll notice that In-Place Holds and Retention Policies have a somewhat inverse relationship, much like the legacy MRM policies; that is, the various policies in the Security & Compliance Center don’t carry lists of the objects they are applied to. …
Recently, a customer asked for clarification on the difference between Content Search (Security & Compliance center | Search & investigation | Content search) and the Content Search feature in an eDiscovery case (Security & Compliance center | Search & investigation | eDiscovery). …