How To: Investigate risk

Identity Protection provides organizations with three reports they can use to investigate identity risks in their environment: the risky users, risky sign-ins, and risk detections reports. Investigating these events is key to understanding and identifying weak points in your security strategy.

All three reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal. The risky users and risky sign-ins reports allow for downloading the most recent 2500 entries, while the risk detections report allows for downloading the most recent 5000 records.

Organizations can take advantage of the Microsoft Graph API integrations to aggregate data with other sources they may have access to as an organization.

The three reports are found in the Azure portal > Azure Active Directory > Security.

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk

Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies

The Microsoft scanner can use up a lot of a server’s processing capacity, so CISA recommends running the scan during off-peak hours.

"By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template," it notes.

https://www.zdnet.com/article/exchange-server-attacks-run-this-microsoft-malware-scanner-now-cisa-tells-government-agencies/

Critical F5 BIG-IP Bug Under Active Attacks After PoC Exploit Posted Online

The flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical remote code execution (CVE-2021-22986) also impacting BIG-IQ versions 6.x and 7.x. CVE-2021-22986 (CVSS score: 9.8) is notable for the fact that it’s an unauthenticated, remote command execution vulnerability affecting the iControl REST interface, allowing an attacker to execute arbitrary system commands, create or delete files, and disable services without the need for any authentication.

https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html

Burnt by SolarWinds attack? US releases tool for post-compromise detection

CISA says CHIRP currently looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

CHIRP is available on GitHub as a compiled executable or as a Python script.

FireEye in January also released a free tool on GitHub called Azure AD Investigator.

Burnt by SolarWinds attack? US releases tool for post-compromise detection | ZDNet

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/?utm_campaign=Social%20Engineering&utm_medium=email&_hsmi=114469307&_hsenc=p2ANqtz-_bKqW2UnKiT4v86shQrqETuzit5KlYHbLMg8VA8J9lz-PY0Up0sQlszd40mRPyLGeaBiUzKQIr0ET5L4oSdne2FlBwZgaK6aaIZl-Ne9Kog4tMXVQ&utm_content=114469307&utm_source=hs_email