this post was submitted on 22 Jul 2023
8 points (100.0% liked)

Sysadmin

7682 readers
193 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 1 year ago
MODERATORS
 

According to Microsoft, the compromised key was inactive and therefore any access token signed by this key must be considered suspicious.

Unfortunately, there is a lack of standardized practices when it comes to application-specific logging. Therefore, in most cases, application owners do not have detailed logs containing the raw access token or its signing key. As a result, identifying and investigating such events can prove exceedingly challenging for app owners.

top 1 comments
sorted by: hot top controversial new old
[–] xylogx@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Great article, thank you for sharing!

So if I understand, Wiz is saying some apps that use Azure AD might not have sufficient logging to identify the IOCs. But MS apps like Exchange Online and Teams do have sufficient logging?