How to set up Azure AD to spot risky users

CSO Online | July 24, 2019

You have several options for setting up alerts in Azure Active Directory to help spot risky user behavior.


I'm Susan Bradley for CSO Online. Today's topic is why you may want to look at the different levels of Azure Active Directory. There are several base levels: the free, the basic, the premium P1 and P2. Why would you want premium P? I'm going to give you one example of why you may want to look for a license for it. In the Azure best practices checklist there are many things you can do, but one of the things mentioned in that checklist is to set up a sign-in risk policy and a user risk policy.

What the user risk policy does is look at the activity of users and flag if a user is doing something risky. If they're using leaked credentials, it compares that by monitoring public and dark web sites, working with researchers, law enforcement and security teams. It looks in real time at information from anonymous IP addresses. So it checks to see if someone is using a Tor browser or an anonymous VPN. It looks to see if somebody is logging in in such a manner that just doesn't make sense. Like, for example, they've logged in from, say, the Pacific Coast, and an hour later they're logging in from the East Coast. Now, we don't have the fast airplanes anymore, so that's virtually impossible. It looks at sign-ins from unusual locations or anything that just isn't familiar to the system. And it flags you with a report.

To get started with this you have to go to the user marketplace and enable Azure Identity Protection. While there, check out the other modules that are up there too. You want to then go to the dashboard of the user identity protection. Already on this test account you can see it sees that my user does not have multi-factor authentication, and it's flagging it as risky activity. So now we want to set up a sign-in risk policy. Now, I've already set up a sample policy. I've selected a user. The condition I'm picking is sign-in risk. And I'm choosing high risk. Now, this takes a little bit of an explanation. High risk doesn't mean what you might think it means. High risk means that the events they're seeing mean that the identities are already being compromised, that there's a high risk that the person has already been taken over. If you choose low risk it means it's going to have potentially many more false positives. So you probably want to start out setting your policy with a high sign-in risk.

Now, going back to our versions of Azure AD. If you have the free and basic, you will get just limited reports. You have to purchase a P1 or P2 before you get the advanced reports. And for identity protection you need that P2. If you want privileged identity management you also need the P2. Now, you can mix and match. You can purchase just a P2 just for your global administrator accounts and then a P1 for the rest of the users in your domain. Once you've set up the report you can then click on the preview and see if there's anyone impacted. Now, in my sample case obviously there's no one impacted, but if you had someone doing risky activity or unusual sign-ins you'd have a listing there.

While you're in this identity section you also want to take a look at something called the Identity Secure Score, and it lets you know what additional things you can do. You want to get that score as high as you can and kind of balance it out between usability and security. In my case I'm only at a really low 27 and there are a lot more things I can do. So again, you'll want to take a look at that and look at the things that you can turn on in your organization. Until the next time, it's Susan Bradley. And I'd highly recommend that you sign up for the IDG Tech Talk. Go over there on YouTube and sign up for daily videos on topics. Until the next time, this is Susan Bradley.
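
The "Pacific Coast, then East Coast an hour later" signal described in the transcript, as an added example that is not part of the original video and is not Microsoft's detection code: a simplified impossible-travel check over constructed sign-in records. The 900 km/h speed limit, the 50 km jitter radius, and the user names and coordinates are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed
JITTER_KM = 50.0           # assumption: ignore moves within one metro area

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_place, to_place, implied_kmh) for consecutive
    sign-ins by one user that imply travel faster than max_kmh."""
    flagged, last = [], {}
    for s in sorted(signins, key=lambda r: r.when):
        prev, last[s.user] = last.get(s.user), s
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
        if km < JITTER_KM:
            continue
        # Floor the gap at one second so simultaneous sign-ins do not divide by zero.
        hours = max((s.when - prev.when).total_seconds(), 1.0) / 3600
        if km / hours > max_kmh:
            flagged.append((s.user, prev.place, s.place, round(km / hours)))
    return flagged

# Constructed sample records (hypothetical users, approximate city coordinates).
SAMPLE = [
    SignIn("alice", datetime(2019, 7, 24, 9, 0), 37.77, -122.42, "San Francisco"),
    SignIn("alice", datetime(2019, 7, 24, 10, 0), 40.71, -74.01, "New York"),
    SignIn("bob", datetime(2019, 7, 24, 9, 0), 47.61, -122.33, "Seattle"),
    SignIn("bob", datetime(2019, 7, 24, 17, 0), 42.36, -71.06, "Boston"),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print(hit)
```

Only the first user is flagged: a coast-to-coast move in one hour implies more than 4,000 km/h, while the same distance over eight hours is consistent with a flight.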