Cloud App Security
6/26/2023

The visibility it provides is quite good. You get all the logs for investigation purposes. But there should be more clarity on what is happening with a file. Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user. It happens because an external user has access to it but, in reality, he doesn't access it. But you need to check whether anyone has accessed the file, and that takes some time. While giving the alert, if it could be more precise in terms of what happened with that file, why it is giving the alert, it would be more convenient for the investigation and save a lot of time. The alerting mechanism should be more precise when giving you an alert about what activity has been done with the file, whether it was shared or whether it was in a path where an external user had access to it. Also, Microsoft should provide more automation features.

They need to improve the attack surface reduction (ASR) rules. In the latest version, you can implement ASR rules, which are quite useful, but you have to enable those because if they're not enabled, they flag false positives. In the Defender portal, it logs a block for WMI processes and PowerShell. Apparently, it's because ASR rules are not configured. So, you generally have to enable them to exclude, for example, WMI queries or PowerShell, because they have a habit of blocking your security scanners. It's a bit weird that they have to be enabled to be configured, and it's not the other way around. Normally, you'd expect that when something is not configured, it doesn't enable itself, but for the purpose of this, apparently, Microsoft has told us to enable them. So, you've got to enable them because they keep flagging and blocking products even when they're not configured. It was just an oversight in the design department when they deployed an update to the feature, but I'll live with it.

I'd like to see them automate best-practice antivirus rules. If you search Microsoft best practice antivirus exclusions, there are virus scanning recommendations for antivirus computers running Windows or Windows Server. There is a whole list to exclude the most common things, which could be anything from NTFRS, check folders, temp.DB, or EDBs. There are a lot of things for group policy extensions, exclusions, etc. This is a list of best-practice antivirus rules, but they still have to be implemented manually. In Sophos, five or six years ago, if it was a SQL Server, they automatically included the rules to exclude certain folders or file extensions when doing on-demand scanning.

One challenge is integrating the cloud apps with third-party and on-premises systems. We have had some scenarios where some third-party systems were not compatible with them. Apart from that, it's quite easy to integrate.

Microsoft has also been able to bring all the security features to a particular portal, so you don't have to look around. But I've heard about some negative effects as a result, as the portal is now cumbersome. You have a whole lot of products there, and it makes the whole portal jumbled. It's not bad for me because I just have to go to that particular portal and check whatever I have to check.

It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email. I can't stay on the portal all day looking through alerts that have been triggered. So we create a flow whereby, if an alert is triggered, an email should be sent. Sometimes it takes two or three hours for that email to be sent. The response time, sometimes, can be very slow.