Cloud Detect

8 min. readlast update: 11.07.2024

The ThreatLocker Cloud Detect module allows you to create rules that alert and/or respond to specified events within your Office 365 environment. 

ThreatLocker Cloud Detect Prerequisites

Before policies can be created to monitor and respond to Office 365 activities and events, an Office 365 Connector must be configured. For more information on setting up the connector, please see Office 365 Connector | ThreatLocker Help Center (kb.help)

Cloud Detect can only alert on logs made available by Microsoft Entra, which vary based on license type.  Please ensure that unified audit logging is enabled in Entra for your organization.

ThreatLocker Cloud Detect Policies

ThreatLocker Cloud Detect now includes over 50 policies that are published to the Community that can be quickly applied to your organization, with more policies being published weekly. 

Cloud Detect Policies Currently Available on the Community

* Denotes an Entra P2/E5 license is required 

Account Lockout Threshold Met

Added Owner to Application

App Granted Microsoft Permissions

App Role Added

Azure Owner Removed from Application or Service Principal

Azure Service Principal Created

Azure Service Principal Removed

BitLocker Key Retrieval

Certificate-Based Authentication Enabled

Change to Authentication Method

End User Consent to Application

End User Consent to Application Blocked

Inbox Forwarding Rules Added to User's Account

Login to Disabled Account

Multifactor Authentication Disabled

Multifactor Authentication Interrupted

New Root Certificate Authority Added

Password Reset by User Account

PIM Alert Setting Changed to Disabled

PIM Approvals and Deny Elevation

PIM Settings Changed

Risk Detection: Account Credentials Leaked*

Risk Detection: Activity From Anonymous IP Address*

Risk Detection: Admin Confirmed User Compromised*

Risk Detection: Anomalous Token*

Risk Detection: Anomalous User Activity*

Risk Detection: Attacker in the Middle*

Risk Detection Atypical Travel*

Risk Detection: Entra Threat Intelligence*

Risk Detection: Impossible Travel*

Risk Detection: Login From Anonymized IP Address*

Risk Detection: Malicious IP Address*

Risk Detection: Mass Access to Sensitive Files*

Risk Detection: New Country*

Risk Detection: Password Spray*

Risk Detection: Possible Attempt to Access Primary Refresh Token (PRT)*

Risk Detection: Suspicious API Traffic*

Risk Detection: Suspicious Browser Activity*

Risk Detection: Suspicious Inbox Forwarding*

Risk Detection: Suspicious Inbox Manipulation Rules*

Risk Detection: Suspicious Sending Patterns*

Risk Detection: Token Issuer Anomaly*

Risk Detection: Unfamiliar Sign-In Properties*

Risk Detection: User is at Risk*

Risk Detection: User Reported Suspicious Activity*

Risk Detection: Verified Threat Actor IP*

Security Compliance Center: PST Export Alert Using Content Search

Security Compliance Center: PST Export Alert Using eDiscovery

Temporary Access Pass Added to an Account

Too Many Assigned Global Admins

User Added to Privileged Role(s)

User State Changed From Guest to Member

 

 


Navigating to ThreatLocker Detect

To navigate to the ThreatLocker Cloud Detect module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Detect', then select the 'Cloud' tab in the top right corner. 

Configuring the Cloud Response Playbook

For organizations utilizing Cyber Hero Managed Detection and Response, it is important to set up a playbook before implementing policies. Please see the 'Cyber Hero Managed Detection and Response' article for more information.

 

Adding a New Cloud Detect Policy

To add a new policy, navigate to the ThreatLocker Detect module, select 'Cloud' and then '+ New Policy'.

This will open the 'Create Cloud Detect Policy' side panel.

Policy Info 

  1. In the 'Policy Info' section, enter the policy name into the dedicated text field.
  2. Then, select your desired policy icon from the dropdown menu.
  3. A description can be added in the Description textbox.
  4. By default a newly created policy will be active, but can be toggled to inactive.

Source

In the 'Source' section, select the connector, log type and log subtype (where applicable) this policy will be monitoring from the dropdown list.

Please note: This list is dependent on active connectors set up in the Integrations page.

Available Log Type and Log Subtype options will change depending on the Connector selected.

Policy Conditions

First, decide if all conditions must be met before the policy action(s) will occur or if the policy action(s) will occur when any of the conditions are met.

The 'Condition' dropdown box contains prepopulated condition options, and will also accept free text, making it highly customizable. Click the green '+' icon to add more conditions. If you do not require any additional conditions, move on to the next section of the panel. 

To remove a condition, click the red '-' icon.

Occurrence thresholds can be configured in the bottom section of the 'Policy Conditions' segment. This section can be left blank if no occurrence threshold is needed.

  1. Enter a total number of occurrences.
  2. Enter a number to designate the period of time that the set conditions need to occur within in order to trigger this policy.
  3. Select minutes or hours. 

The example below designates that if the specified conditions occur 5 times within 30 minutes, this policy is met, and any set actions should be triggered.

Policy Actions

  • Call Rest API - Sends information to a Rest API
  • Call Webhook - Sends information to a Webhook
  • Create Alert - Sends an alert to the ThreatLocker Response Center
  • Create Ticket - Sends an alert to integrated PSA
  • Lockout Account—Locks out the target account to block access to the 365 environment. Once an account is locked out, it can be unlocked from the ThreatLocker Response Center > Remediation tab or from within 365. If an account is unlocked from within 365, it will remain in the ThreatLocker Response Center > Remediation tab until it is cleared from there, even though the account is unlocked.
  • Send Email - Sends an email to specified contacts

Expand the Action dropdown menu to select the desired response(s). 

Each action type will have different required fields. Once all fields are completed, click the green '+' icon to add an additional policy action. If you do not require any additional actions, move on to the next section of the panel. 

Please see 'Cyber Hero Managed Detection and Response' for instructions on how to submit policies for Cyber Hero Management approval.

Policy Expiration

Choose if this policy will always be on or set an expiration for this policy.

Create Policy & Deploy Policies

Once you have configured the policy as desired, select the blue 'Create' button.

The new policy will now appear on your policy list.

Cloud Detect policies will automatically be applied within a minute of being created and do not require clicking the 'Deploy Policies' button

Policies with an 'Alert' action will create an alert in the Response Center > Threats tab whenever their conditions are met.

Quickly lock down an account from the Threats tab by selecting the red locked user icon or clear all active alerts for an account by selecting the green slashed circle icon.

Once an account has been locked out, navigate to the 'Remediation' tab to unlock it.

Cloud Detect Alerts

From the Threats tab, click on an alert to open the sidebar, which will contain all alerts for the user account the selected alert pertains to.

  1. This is the name of the policy this alert came from. Click on the policy name to open the policy.
  2. The blue 'Monitored' label denotes that this policy is being monitored by the Cyber Hero MDR team.
  3. This is where the summary of the alert is displayed.
  4. Select View Log to open the details of the log received from the connector.
  5. The Date/Time the alert was created.
  6. The Actions that are specified on the policy that created this alert.
  7. This is the Severity level assigned in the 'Policy Actions' section of the policy.
  8. This is the Threat Level Impact in the 'Policy Actions' section of the policy.
  9. This is the number of times this policy has been matched for this user account.
  10. This is the number of Exclusions set for this policy. Select the blue '+' button to add additional Exclusions.

Exclusions

Exclusions can be set to exclude either a specific user account or all user accounts from selected policy conditions, which will prevent any policy actions from occurring when the specific user accounts and policy conditions are met.  Exclusions can be set permanently or can have an expiration date/time set. Once an exclusion expires, the set user account and conditions will once again be subject to policy actions. 

Exclusion Options:

  1. Select either this user account or the Entire Organization. This will exclude the selected from the policy based on the condition selected in the dropdown box #3 in the screenshot above.
  2. Select a date/time to expire the exclusion or leave it blank for a permanent exclusion.
  3. Select the condition that this exclusion will be set for, which means that when this condition is met by either the user account or any user account in the organization (based on which was selected in #1), this policy will not create an alert.
  4. Click the 'Add Exclusion' button to save this exclusion. 

The exclusion will now be listed in the 'Exclusions' tab on the Alert and Policy sidebars.

These exclusions can be deleted from either area by clicking the red garbage can buttons or from the alert by clicking the blue '-' button.

 

Known Limitation: Microsoft's own documentation states that although most logs are delivered within 30 minutes, in less common circumstances, it can take up to 2 hours for logs to be delivered.

For more information or assistance, please reach out to the Cyber Heroes, who are always available to help.

Was this article helpful?