One silver lining that has come out of the SolarWinds (Solorigate) incident is the huge amount of new security blogs and content that Microsoft and other vendors have published. Even if your organization was not directly affected by the attack, you are probably having to answer questions about what you and your team are doing to protect your network from this sort of attack. These resources will prepare you to respond appropriately.

Microsoft Solorigate Resource Center

The Microsoft Solorigate Resource Center is an ever-expanding resource of information and investigation techniques. Take the time to review these links. If you are a Microsoft 365 or Azure Active Directory (AD) customer, review the Azure AD workbook to assess SolarWinds risk. You may need to first set up an Azure workspace and then route Azure AD logs to Azure Monitor logs to access the workbook. Here’s how:

1. Sign into the Azure Portal and select “Azure Active Directory”, then “Diagnostic settings”, then “Add diagnostic setting”. You can also select “Export Settings” from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.
2. In the “Diagnostic settings” menu, select the “Send to Log Analytics Workspace” check box, and then select “Configure”.
3. Select the log analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
4. Send the audit logs to the log analytics workspace by selecting the “AuditLogs” check box, or send sign-in logs to the workspace by selecting the “SignInLogs” check box. To export the sign-in data, you must have an Azure AD P1 or P2 license.
5. Choose to send the information to a log analytics workspace and select “Save” to save the setting.

You may need to wait a short time for the SignInLogs export to recognize that your subscription has a P1 license attached. Then sign into the Azure Portal and navigate to “Azure Active Directory”, then “Monitoring”, then “Workbooks”. Look for the sensitive operations report.

You may need to wait for data to be pulled into the workbook for analysis, but eventually you can review the following reports:

- Modified application and service principal credentials/authentication methods. This part of the report lists all new credentials added to apps and service principals, including the credential type, top actors, the number of credential modifications they performed, and a timeline of all credential changes.
- Modified federation settings. This includes changes performed to existing domain federation trusts and the addition of new domains and trusts.
- Azure AD STS refresh token modifications by service principals and applications other than DirectorySync. When reviewing the data in this section, the admin should check for new token validation periods with high values and investigate whether each was a legitimate change or an attempt by the attacker to gain persistence.
- New permissions granted to service principals. This section includes a breakdown of the AppOnly permission grants to existing service principals. Admins should investigate any instances of excessively high permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph and Azure AD Graph.
- Directory role and group membership updates for service principals. This section includes an overview of all changes made to service principal memberships and should be reviewed for any additions to high-privilege roles and groups.

CISA Sparrow.ps1

The US Cybersecurity and Infrastructure Security Agency (CISA) has released its free tool, Sparrow.ps1, for “detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment.” It helps to detect possibly compromised accounts and applications in an Azure and Microsoft 365 environment. The tool “will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise, list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.”

CISA also released a recap site listing emergency directives, alerts and guidance as well as third-party tools to identify weaknesses.

CrowdStrike Reporting Tool for Azure

The free CrowdStrike Reporting Tool (CRT) for Azure identifies and helps mitigate risks in Azure AD. CrowdStrike identified that attackers often attempt to go after a Microsoft 365 customer by going through the vendors that sell, provide, or manage Microsoft 365 subscriptions on behalf of clients. They stated that “CrowdStrike was contacted by the Microsoft Threat Intelligence Center on December 15, 2020. Specifically, they identified a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago. There was an attempt to read email, which failed as confirmed by Microsoft.”

To start your investigation, review which third-party vendors have access to your Microsoft 365 subscription. Review with those partners what rights and privileges they have with your account.

Next, review CrowdStrike’s suggestions and use its tool to review additional configurations. At a minimum, you should have several log files enabled and captured in a log storage process. The following logs should be enabled:

- Unified Audit Log
- Azure Activity Logs
- Azure Services Logs
- Azure NSG Flow Logs
- Azure AD Logs:
  - Azure AD Audit Logs
  - Azure AD Sign-In Logs
  - Azure AD Managed Identity Sign-In Logs (Preview)
  - Azure AD Non-Interactive User Sign-In Logs (Preview)
  - Azure AD Service Principal Sign-In Logs (Preview)
  - Azure AD Provisioning Logs
  - Azure AD Risky Sign-In events

As a preventative measure, enable multi-factor authentication (MFA) and ensure that it is fully enforced for all users. Then review the log files for any new or unknown MFA registrations, restrict service accounts from MFA registration, and monitor MFA use. To ensure that third-party tools and applications aren’t used by attackers to bypass MFA, set the MFA access policy to “Do not allow users to create app passwords to sign into non-browser apps”.

Then review and enforce Conditional Access policies. Set up geofencing or trusted locations. Also verify that the trusted locations you have set up are the locations you intended to trust and that no attacker has added an exclusion in this area.

Next, enforce modern authentication and block legacy authentication. Make sure that IMAP and POP are blocked and limited in use. Block “risky sign-ins” with medium or higher severity and monitor authentication requests from unknown identity providers. Monitor for credentials being added to service principals. Finally, enable self-service password reset (SSPR) notifications so that users are told when their passwords are changed.
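The workbook reports above and the closing advice to monitor service principal credential additions and unknown MFA registrations all reduce to the same triage: sort exported Azure AD audit records into the sensitive-operation classes and see who performed them. The script below is an added example (not from Microsoft, CISA or CrowdStrike) that does this over constructed records in a simplified export shape; the activity display names are what I expect to see in an Azure AD audit log export and should be verified against your own tenant's data before use.

```python
"""Triage exported Azure AD audit records into the Solorigate-relevant
sensitive-operation buckets. Added example; all records are constructed."""
import json
from collections import defaultdict

# Audit activity names grouped by the workbook report they feed.
# Assumed display names: confirm against a real export from your tenant.
WATCHLIST = {
    "Add service principal credentials": "sp_credentials",
    "Update application – Certificates and secrets management": "sp_credentials",
    "Set federation settings on domain": "federation",
    "Set domain authentication": "federation",
    "Update StsRefreshTokenValidFrom Timestamp": "refresh_token",
    "Add app role assignment to service principal": "app_permissions",
    "Add member to role": "role_membership",
    "User registered security info": "mfa_registration",
}
# Roles whose membership changes always warrant review (extend as needed).
HIGH_PRIV_ROLES = {"Global Administrator", "Privileged Role Administrator",
                   "Application Administrator"}

SAMPLE = json.dumps([  # constructed records, simplified export shape
    {"time": "2020-12-14T03:12:00Z", "activity": "Add service principal credentials",
     "actor": "svc-sync@contoso.example", "target": "Graph Mailer", "result": "success"},
    {"time": "2020-12-14T03:15:00Z", "activity": "Set federation settings on domain",
     "actor": "svc-sync@contoso.example", "target": "contoso.example", "result": "success"},
    {"time": "2020-12-14T03:20:00Z", "activity": "Add member to role",
     "actor": "svc-sync@contoso.example", "target": "Global Administrator", "result": "success"},
    {"time": "2020-12-14T09:00:00Z", "activity": "Update user",
     "actor": "helpdesk@contoso.example", "target": "jdoe@contoso.example", "result": "success"},
    {"time": "2020-12-14T09:05:00Z", "activity": "Add member to role",
     "actor": "admin@contoso.example", "target": "Reports Reader", "result": "success"},
])

def triage(raw):
    """Return (findings keyed by bucket, successful sensitive ops per actor)."""
    findings, per_actor = defaultdict(list), defaultdict(int)
    for r in json.loads(raw):
        bucket = WATCHLIST.get(r["activity"])
        if bucket is None or r["result"] != "success":
            continue  # not a watched operation, or it failed
        if bucket == "role_membership" and r["target"] not in HIGH_PRIV_ROLES:
            continue  # low-privilege role change: not a Solorigate indicator
        findings[bucket].append(r)
        per_actor[r["actor"]] += 1
    return dict(findings), dict(per_actor)

if __name__ == "__main__":
    found, actors = triage(SAMPLE)
    for bucket, rows in found.items():
        print(bucket, [(r["time"], r["actor"], r["target"]) for r in rows])
    print("top actors:", sorted(actors.items(), key=lambda kv: -kv[1]))
```

A single actor appearing across several buckets within a short window, as svc-sync does here, is the pattern the workbook's "top actors" view is meant to surface; the same function can be pointed at a real JSON export once the field names are mapped.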