Zero Trust (TIC3.0) Workbook & Microsoft Teams

Microsoft provided a powerful new Azure Sentinel Workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-zero-trust-tic3-0-workbook/ba-p/2315195

The Zero Trust (TIC3.0) Workbook has two general aspects. On the one hand, it provides a topic-based overview of Microsoft Security & Compliance features:

This "overview" can be filtered and segmented by topics:

The other aspect is that this is not just static content. Wherever possible, the data from the tenant is displayed for the selected topic:

As shown in the screenshot, it is always possible to jump from the Zero Trust (TIC3.0) Workbook to the underlying KQL Querrey in order to evaluate further details.

Whether data can be viewed from the tenant depends on which services are included in Azure Sentinel. Example:

Microsoft Teams & Zero Trust (TIC3.0) Workbook

With the "Unified Communications & Collaboration" filter, the focus of the Workbook is among other things on the Microsoft Teams service. Here, recommendations and details of a Zero Trust strategy are now also displayed as well as data on the tenant:

The Zero Trust (TIC3.0) Workbook can therefore be used to develop an IT security and compliance strategy on the one hand, and on the other hand provides direct data for each topic that is selected.
The focus is not only on the SaaS solutions around Office 365; with the connectors that can be integrated into Azure Sentinel, a comprehensive overall picture is easily possible.

Showing Azure AD Sign-in locations in a world map

 "We need an overview showing from where people are logging on to our Microsoft Cloud environment."  This requirement came up as part of a project.And the first approach was to use the features that are directly available in Microsoft Cloud solutions:

Azure AD Sign-In Logs:

Here, however, came the request to display this info on a world map to visually see where the login-ins came from. Cloud App Security offers this feature as a standard feature on the dashboard (https://portal.cloudappsecurity.com/#/dashboard).

Cloud App Security:

However, the Cloud App Security feature is not available in all license bundles, and the dashboard can only be filtered by the apps used.

Solution

The Azure AD sign-in logs are also available as a workbook template in Azure Sentinel. And this workbook template can be customized / extended:

To add a world map to the standard workbook with the regions from which the accesses occurred, the following steps are necessary:

• Azure Sentinel -> Workbooks -> Azure AD Sign-in logs -> View saved Workbook. (See screenshot above)
• In the upper left pane, "Select Edit" and then on the "Sign-ins by Location" report, select the "Edit" option for that report:

• In the edit mode the button "Add -> Add Query" is available. In the new query that is created, copy the text from the query "Sign-ins by Location" and select "Map" as visualization:

• The values for "Location Info using" and "Country/Region field" in the Map Settings must be configured at least:

• Result:

The workbook and therefore the map can now be filtered by the following values:

• TimeRange
• Apps
• Users
• Category (Sign-in Logs / Non interactive sign-in logs)

Related topics

• Azure AD activity logs (not Azure AD sign-in logs) can be used in Azure Monitor to use the data in Splunk or QRadar:
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics
• When access to Azure resources is important, the Azure Network Watcher can be used. Based on Azure Network Security Group, it is not only possible to see which accesses are taking place. Rules can also be created to control accesses or accesses can be blocked. Details:
• https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-network-security-hygiene-with-traffic-analytics/ba-p/2282377
• https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-ip-flow-verify-overview

The Traffic Analytics feature focuses on the following scenarios: https://docs.microsoft.com/en-us/azure/network-watcher/traffic-analytics

• Visualize network activity across your Azure subscriptions and identify hot spots.
• Identify security threats to, and secure your network, with information such as open-ports, applications attempting internet access, and virtual machines (VM) connecting to rogue networks.
• Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
• Pinpoint network misconfigurations leading to failed connections in your network.