The ThreatLocker Cloud Detect module allows you to create rules that alert and/or respond to specified events within your Office 365 environment.
ThreatLocker Cloud Detect Prerequisites
Before policies can be created to monitor and respond to Office 365 activities and events, an Office 365 Connector must be configured. For more information on setting up the connector, please see the 'Office 365 Connector' article in the ThreatLocker Help Center.
Cloud Detect can only alert on logs that Microsoft Entra makes available, and which logs are available depends on the tenant's license type. A P1 license provides access to the Microsoft Graph API. To also access the Microsoft 365 API, a P2 license is required. Most of the policies listed under P2/E5 below correspond to Microsoft Entra ID Protection risk detections, which is what the higher license unlocks.
Coming Soon! ThreatLocker Cloud Detect Policies
ThreatLocker Cloud Detect will include over 115 policies published to the Community that can be quickly applied to your organization.
Community Cloud Detect Policies
Included with Entra P1/E3 License
Azure Active Directory Hybrid Health AD FS New Server
Azure Active Directory Hybrid Health AD FS Service Delete
User Added to an Administrator's Azure AD Role
Azure Application Deleted
Azure Application Gateway Modified or Deleted
Azure Application Security Group Modified or Deleted
Azure Application Credential Modified
Azure Container Registry Created or Deleted
Azure Device No Longer Managed or Compliant
Azure Device or Configuration Modified or Deleted
Azure DNS Zone Modified or Deleted
Azure Firewall Modified or Deleted
Azure Firewall Rule Collection Modified or Deleted
Azure Keyvault Key Modified or Deleted
Azure Key Vault Modified or Deleted
Azure Keyvault Secrets Modified or Deleted
Disabled MFA to Bypass Authentication Mechanisms
Azure Network Firewall Policy Modified or Deleted
Azure Firewall Rule Configuration Modified or Deleted
Azure Point-to-site VPN Modified or Deleted
Azure Network Security Configuration Modified or Deleted
Azure Virtual Network Device Modified or Deleted
Azure New CloudShell Created
Azure Owner Removed From Application or Service Principal
Azure Service Principal Created
Azure Service Principal Removed
Azure Subscription Permission Elevation Via ActivityLogs
Azure Suppression Rule Created
Azure Virtual Network Modified or Deleted
Azure VPN Connection Modified or Deleted
CA Policy Removed by Non Approved Actor
CA Policy Updated by Non Approved Actor
New CA Policy by Non-approved Actor
Account Created And Deleted Within A Close Time Frame
Bitlocker Key Retrieval
Certificate-Based Authentication Enabled
Changes to Device Registration Policy
Guest Users Invited To Tenant By Non Approved Inviters
New Root Certificate Authority Added
Users Added to Global or Device Admin Roles
Application AppID Uri Configuration Changes
Added Credentials to Existing Application
Delegated Permissions Granted For All Users
End User Consent
End User Consent Blocked
Added Owner To Application
App Granted Microsoft Permissions
App Granted Privileged Delegated Or App Permissions
App Role Added
Application URI Configuration Changes
Change to Authentication Method
Azure Domain Federation Settings Modified
User Added To Group With CA Policy Modification Access
User Removed From Group With CA Policy Modification Access
Guest User Invited By Non Approved Inviters
User State Changed From Guest To Member
PIM Approvals And Deny Elevation
PIM Alert Setting Changes To Disabled
Changes To PIM Settings
User Added To Privilege Role
Bulk Deletion Changes To Privileged Account Permissions
Privileged Account Creation
Azure Subscription Permission Elevation Via AuditLogs
Temporary Access Pass Added To An Account
Password Reset By User Account
Invalid PIM License
Roles Assigned Outside PIM
Roles Activated Too Frequently
Roles Are Not Being Used
Roles Activation Doesn't Require MFA
Too Many Global Admins
Account Lockout
Increased Failed Authentications Of Any Type
Measurable Increase Of Successful Authentications
Authentications To Important Apps Using Single Factor Authentication
Discovery Using AzureHound
Azure AD Only Single Factor Authentication Required
Sign-ins from Non-Compliant Devices
Potential MFA Bypass Using Legacy Client Authentication
Use of Legacy Authentication Protocols
Login to Disabled Account
Multifactor Authentication Denied
Multifactor Authentication Interrupted
Azure Unusual Authentication Interruption
Disabling Multi Factor Authentication
Activity from Suspicious IP Addresses
Activity Performed by Terminated User
Activity from Anonymous IP Addresses
Activity from Infrequent Country
Data Exfiltration to Unsanctioned Apps
Microsoft 365 - Impossible Travel Activity
Logon from a Risky IP Address
Microsoft 365 - Potential Ransomware Activity
PST Export Alert Using eDiscovery Alert
PST Export Alert Using New-ComplianceSearchAction
Suspicious Inbox Forwarding
Suspicious OAuth App File Download Activities
Microsoft 365 - Unusual Volume of File Deletion
Microsoft 365 - User Restricted from Sending Email
Included with Entra P2/E5 License
All of P1/E3 plus
Anomalous Token
Anomalous User Activity
Activity From Anonymous IP Address
Anonymous IP Address
Atypical Travel
Impossible Travel
Suspicious Inbox Forwarding Identity Protection
Suspicious Inbox Manipulation Rules
Azure AD Account Credential Leaked
Malicious IP Address Sign-In Failure Rate
Malicious IP Address Sign-In Suspicious
Sign-In From Malware Infected IP
New Country
Password Spray Activity
Primary Refresh Token Access Attempt
Suspicious Browser Activity
Azure AD Threat Intelligence
SAML Token Issuer Anomaly
Unfamiliar Sign-In Properties
Stale Accounts In A Privileged Role
Navigating to ThreatLocker Detect
To navigate to the ThreatLocker Cloud Detect module, expand the 'Modules' dropdown menu within the ThreatLocker Portal and select 'ThreatLocker Detect', then select the 'Cloud' tab in the top right corner.
Configuring the Cloud Response Playbook
For organizations utilizing Cyber Hero Managed Detection and Response, it is important to set up a playbook before implementing policies. Please see the 'Cyber Hero Managed Detection and Response' article for more information.
Adding a New Cloud Detect Policy
To add a new policy, navigate to the ThreatLocker Detect module, select 'Cloud' and then '+ New Policy'.
This will open the 'Create Cloud Detect Policy' side panel.
Policy Info
- In the 'Policy Info' section, enter the policy name into the dedicated text field.
- Then, select your desired policy icon from the dropdown menu.
- A description can be added in the Description textbox.
- By default, a newly created policy is active, but it can be toggled to inactive.
Source
In the 'Source' section, select from the dropdown lists the connector, log type and log subtype (where applicable) that this policy will monitor.
Please note: this list depends on the connectors that are active on the Integrations page, and the available Log Type and Log Subtype options change depending on the Connector selected.
Policy Conditions
First, decide whether all conditions must be met before the policy action(s) occur, or whether the action(s) occur as soon as any one of the conditions is met.
The 'Condition' dropdown box contains prepopulated condition options and also accepts free text, making it highly customizable. When entering free text, copy the field name and value exactly as they appear in a log received from the connector (the 'View Log' option on an alert shows the raw log) so that the condition actually matches. Click the green '+' icon to add more conditions. If you do not require any additional conditions, move on to the next section of the panel.
To remove a condition, click the red '-' icon.
Occurrence thresholds can be configured in the bottom section of the 'Policy Conditions' segment. This section can be left blank if no occurrence threshold is needed.
- Enter a total number of occurrences.
- Enter the length of the period within which that many occurrences must happen for the policy to trigger.
- Select minutes or hours.
The example below designates that if the specified conditions occur 5 times within 30 minutes, this policy is met, and any set actions should be triggered.
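The threshold semantics described above ("the conditions occur 5 times within 30 minutes") can be reproduced as a per-account sliding window. The following is an added example written for this article, not ThreatLocker code: the event fields (`user`, `time`, `operation`), the `Policy` structure and the sample events are constructed for illustration, and the real Cloud Detect log schema and condition names are not shown on this page.

```python
"""Occurrence-threshold evaluation over Office 365-style audit events (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    name: str
    conditions: dict                     # log field -> required value (constructed schema)
    match_all: bool = True               # True: every condition must hold; False: any one
    occurrences: int = 1                 # how many matching events are needed ...
    window: timedelta = timedelta(0)     # ... within this period (0 = no threshold)


def conditions_met(policy: Policy, event: dict) -> bool:
    """Apply the policy's 'all' or 'any' condition logic to a single event."""
    results = [event.get(field) == value for field, value in policy.conditions.items()]
    return all(results) if policy.match_all else any(results)


def evaluate(policy: Policy, events: list) -> list:
    """Return (user, time) for every event that makes the policy fire.

    Events are processed in time order and matches are counted per user account,
    so a burst from one account never trips the threshold for another.
    """
    history = defaultdict(deque)         # user -> timestamps of recent matches
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not conditions_met(policy, ev):
            continue
        if policy.occurrences <= 1 or policy.window <= timedelta(0):
            alerts.append((ev["user"], ev["time"]))   # no threshold: each match fires
            continue
        recent = history[ev["user"]]
        recent.append(ev["time"])
        while ev["time"] - recent[0] > policy.window:  # discard matches older than the window
            recent.popleft()
        if len(recent) >= policy.occurrences:
            alerts.append((ev["user"], ev["time"]))
            recent.clear()               # one alert per burst, then start counting again
    return alerts


# Constructed sample: a failed-authentication policy with a 5-in-30-minutes threshold.
FAILED_LOGIN_BURST = Policy(
    name="Increased Failed Authentications Of Any Type",
    conditions={"operation": "UserLoginFailed"},
    occurrences=5,
    window=timedelta(minutes=30),
)

_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def _ev(user, minutes, operation="UserLoginFailed"):
    return {"user": user, "time": _T0 + timedelta(minutes=minutes), "operation": operation}


SAMPLE_EVENTS = (
    [_ev("alice", m) for m in (0, 5, 10, 20, 25)]        # 5 failures in 25 min -> fires
    + [_ev("alice", 12, operation="UserLoggedIn")]        # a success does not count
    + [_ev("bob", m) for m in (0, 60, 120, 180, 240)]     # 5 failures spread over 4 h -> silent
    + [_ev("carol", m) for m in (0, 5, 10, 15)]           # only 4 inside the window -> silent
)

if __name__ == "__main__":
    for user, when in evaluate(FAILED_LOGIN_BURST, SAMPLE_EVENTS):
        print(f"{FAILED_LOGIN_BURST.name}: {user} at {when.isoformat()}")
```

Only alice produces an alert, on her fifth failure at 09:25; bob's five failures never fall inside a single 30-minute window, and carol stops one short of the threshold. Clearing the window after a hit is a design choice that yields one alert per burst rather than one per additional event.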
Policy Actions
- Call Rest API - Sends information to a Rest API
- Call Webhook - Sends information to a Webhook
- Create Alert - Sends an alert to the ThreatLocker Response Center
- Create Ticket - Sends an alert to the integrated PSA
- Lockout Account - Locks the target account out of the 365 environment. A locked-out account can be unlocked from the ThreatLocker Response Center > Remediation tab or from within 365. If it is unlocked from within 365, the account still remains listed in the Response Center > Remediation tab until it is cleared there, even though the account is already unlocked.
- Send Email - Sends an email to specified contacts
Expand the Action dropdown menu to select the desired response(s).
Each action type will have different required fields. Once all fields are completed, click the green '+' icon to add an additional policy action. If you do not require any additional actions, move on to the next section of the panel.
Please see 'Cyber Hero Managed Detection and Response' for instructions on how to submit policies for Cyber Hero Management approval.
Policy Expiration
Choose if this policy will always be on, or set an expiration for this policy.
Create Policy & Deploy Policies
Once you have configured the policy as desired, select the blue 'Create' button.
The new policy will now appear on your policy list.
Cloud Detect policies are applied automatically within a minute of being created and do not require clicking the 'Deploy Policies' button.
Policies with an 'Alert' action will create an alert in the Response Center > Threats tab whenever their conditions are met.
Quickly lock down an account from the Threats tab by selecting the red locked-user icon, or clear all active alerts for an account by selecting the green slashed-circle icon.
Once an account has been locked out, navigate to the 'Remediation' tab to unlock it.
Cloud Detect Alerts
From the Threats tab, click on an alert to open the sidebar, which contains all alerts for the user account the selected alert pertains to.
- This is the name of the policy this alert came from. Click on the policy name to open the policy.
- The blue 'Monitored' label denotes that this policy is being monitored by the Cyber Hero MDR team.
- This is where the summary of the alert is displayed.
- Select View Log to open the details of the log received from the connector.
- The Date/Time the alert was created.
- The Actions that are specified on the policy that created this alert.
- This is the Severity level assigned in the 'Policy Actions' section of the policy.
- This is the Threat Level Impact in the 'Policy Actions' section of the policy.
- This is the number of times this policy has been matched for this user account.
- This is the number of Exclusions set for this policy. Select the blue '+' button to add additional Exclusions.
Exclusions
Exclusions prevent policy actions from firing when a specific user account, or any account in the organization, meets a selected policy condition. An exclusion can be permanent or have an expiration date/time; once it expires, the excluded account and condition are once again subject to the policy's actions.
Exclusion Options:
- Select either this user account or the Entire Organization. The selection is excluded from the policy only for the condition chosen in dropdown box #3 in the screenshot above.
- Select a date/time for the exclusion to expire, or leave it blank for a permanent exclusion.
- Select the condition this exclusion applies to. When that condition is met by the selected user account (or by any user account in the organization, depending on the choice in #1), this policy will not create an alert.
- Click the 'Add Exclusion' button to save this exclusion.
The exclusion will now be listed in the 'Exclusions' tab on the Alert sidebar and the Policy sidebar.
These exclusions can be deleted from either location by clicking the red garbage-can icon, or from the alert by clicking the blue '-' button.
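The exclusion rules above (a specific account or the entire organization, scoped to one condition, optionally expiring) are small enough to model end to end. The following is an added example written for this article, not ThreatLocker code; the `Exclusion` structure, the `ORG_WIDE` sentinel, the policy and condition strings and the sample exclusions are all constructed for illustration.

```python
"""Exclusion evaluation for Cloud Detect-style alerts (added example, constructed schema)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ORG_WIDE = "*"   # constructed sentinel standing in for 'Entire Organization'


@dataclass(frozen=True)
class Exclusion:
    policy: str
    condition: str                         # the single condition this exclusion covers
    user: str = ORG_WIDE                   # one account, or ORG_WIDE for the whole tenant
    expires: Optional[datetime] = None     # None = permanent exclusion

    def active(self, at: datetime) -> bool:
        """An exclusion only counts until its expiry; afterwards alerts resume."""
        return self.expires is None or at < self.expires

    def covers(self, policy: str, condition: str, user: str, at: datetime) -> bool:
        return (self.policy == policy
                and self.condition == condition
                and self.user in (ORG_WIDE, user)
                and self.active(at))


def suppressed(exclusions, policy, condition, user, at) -> Optional[Exclusion]:
    """Return the exclusion that silences this match, or None if it should alert."""
    for ex in exclusions:
        if ex.covers(policy, condition, user, at):
            return ex
    return None


def prune_expired(exclusions, at):
    """Drop exclusions whose expiry has passed so stale entries do not accumulate."""
    return [ex for ex in exclusions if ex.active(at)]


# Constructed sample exclusions.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(days: float) -> datetime:
    return T0 + timedelta(days=days)


NONCOMPLIANT = ("Sign-ins from Non-Compliant Devices", "DeviceCompliance == NonCompliant")
INFREQUENT_COUNTRY = ("Activity from Infrequent Country", "Country == DE")

SAMPLE_EXCLUSIONS = [
    # alice is re-enrolling her laptop: exclude her, and only her, for one week
    Exclusion(*NONCOMPLIANT, user="alice", expires=at(7)),
    # whole company is at an offsite in Germany for three days
    Exclusion(*INFREQUENT_COUNTRY, expires=at(3)),
]

if __name__ == "__main__":
    checks = [
        ("alice, day 1, non-compliant device", (*NONCOMPLIANT, "alice", at(1))),
        ("alice, day 8, exclusion expired",    (*NONCOMPLIANT, "alice", at(8))),
        ("bob, day 1, not excluded",           (*NONCOMPLIANT, "bob", at(1))),
        ("bob, day 1, org-wide country rule",  (*INFREQUENT_COUNTRY, "bob", at(1))),
        ("bob, day 1, different country",      (INFREQUENT_COUNTRY[0], "Country == RU", "bob", at(1))),
    ]
    for label, args in checks:
        ex = suppressed(SAMPLE_EXCLUSIONS, *args)
        print(f"{label}: {'suppressed by ' + repr(ex) if ex else 'ALERT'}")
    print("still active on day 5:", prune_expired(SAMPLE_EXCLUSIONS, at(5)))
```

The two details worth noting are that an exclusion is scoped to one condition rather than the whole policy (a different condition on the same policy still alerts) and that expiry is evaluated at match time, so an expired exclusion silently stops suppressing without anyone needing to delete it.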
For more information or assistance, please reach out to the Cyber Heroes who are always available to help.