Overview
After you have configured your response connector in the app, you can test the response actions by triggering a detection. The detection creates a finding from which you can see and use the available response actions. Follow the instructions below to complete a sample test, and read about the available actions in the "About the response actions taken" section further down.
Note: In accounts with more than one Microsoft tenant, if a finding comes from a Cloud Connector whose tenant has not yet been configured with a threat response connector, the response action appears but is disabled.
This action is available because the Cloud Connector the logs came through is configured for Threat Response:
This action is not available because the Cloud Connector the logs came through does not have a Threat Response connector configured:
Testing response actions in a Blumira finding
To trigger the "Microsoft 365: Creation of External forwarding/redirect rule in Exchange" detection and use response actions from the related finding, do the following:
- Log in to outlook.office.com.
- Navigate to Settings > Mail > Rules.
- Configure a forwarding rule that sends mail to an external domain.
Note: Rules that keep mail inside your organization (forwarding or redirecting to an address in one of your own domains) will not generate a finding.
- In Blumira, navigate to Reporting > Findings and locate the newly created finding.
- In the finding detail page, click Disable User & Revoke Session.
- In the Response Actions window, within the row of the user you want to lock out, click Disable User & Revoke Session.
- Click Yes, I’m sure to confirm the action.
- A success message appears if the action is completed successfully.
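The same test can be driven from PowerShell instead of the Outlook UI, which is useful when you want to repeat it or run it against a dedicated test mailbox. The script below is an added example, not Blumira's own code: it creates the external forwarding rule with the ExchangeOnlineManagement module (the same New-InboxRule operation the Outlook UI performs, so the Microsoft 365 audit log and the detection see the same event), checks that the rule really forwards outside the tenant's accepted domains, and removes it once you have exercised the finding. The mailbox, external address and rule name are placeholders you must replace.

```powershell
# Added example (not Blumira's code). Requires the ExchangeOnlineManagement module and an
# account that is allowed to manage inbox rules on the target mailbox.
param(
    [string]$Mailbox         = 'testuser@contoso.example',   # assumed test mailbox (replace)
    [string]$ExternalAddress = 'attacker@example.com',        # assumed external target (replace)
    [string]$RuleName        = 'Blumira response test - external forward'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns. A forward to any other domain is "external" and should produce
# the finding; a forward that stays within these domains will not.
$acceptedDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLowerInvariant() })

function Get-RuleTargetAddresses {
    # Inbox rule recipients render either as 'Name [SMTP:user@domain]' or as a bare
    # address; extract the SMTP address in both forms.
    param([object[]]$Recipients)
    foreach ($r in @($Recipients)) {
        if ($null -eq $r) { continue }
        $s = [string]$r
        if ($s -match 'SMTP:([^\]]+)') { $Matches[1].Trim().ToLowerInvariant() }
        elseif ($s -match '@')       { $s.Trim().ToLowerInvariant() }
    }
}

function Test-ExternalForwardingRule {
    # True when any forward/redirect target of the rule is outside the accepted domains.
    param([object]$Rule, [string[]]$InternalDomains)
    $recipients = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($t in @(Get-RuleTargetAddresses -Recipients $recipients)) {
        $domain = ($t -split '@')[-1]
        if ($InternalDomains -notcontains $domain) { return $true }
    }
    return $false
}

# 1. Create the rule (this is what Outlook's Settings > Mail > Rules does behind the scenes).
New-InboxRule -Mailbox $Mailbox -Name $RuleName -ForwardTo $ExternalAddress | Out-Null

# 2. Confirm the rule exists and really points outside the tenant before waiting for a finding.
$rule = Get-InboxRule -Mailbox $Mailbox -Identity $RuleName
if (Test-ExternalForwardingRule -Rule $rule -InternalDomains $acceptedDomains) {
    Write-Host "Rule '$RuleName' forwards externally; watch Reporting > Findings in Blumira."
} else {
    Write-Warning "Rule '$RuleName' only forwards internally and will not generate the finding."
}

# 3. Clean up after the test so the mailbox is not left leaking mail to the external address.
Read-Host 'Press Enter once the finding has appeared and you have tested the response actions'
Remove-InboxRule -Mailbox $Mailbox -Identity $RuleName -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
```

Test-ExternalForwardingRule is also a handy standalone check: run it over `Get-InboxRule -Mailbox <user>` for any mailbox to see whether existing rules already forward externally.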
About the response actions taken
Below, you can find details about the actions Blumira can perform, including the impacts, permissions, and other considerations.
Disable a user
- Effects: Sets the user's account to disabled (accountEnabled = false) in Azure AD, so the user cannot sign in to any Azure or Microsoft 365 resource until the account is re-enabled
- Considerations: Disabling blocks new sign-ins but does not by itself invalidate tokens the user already holds, which is why Blumira pairs it with revoking sessions; the account stays disabled until an administrator re-enables it
- Permissions needed: User.EnableDisableAccount.All, Directory.ReadWrite.All, User.ReadWrite.All
Revoke all active sessions for a user
- Effects: Terminates all active sessions for the user across all devices and applications by invalidating the user's refresh tokens and session cookies
- Considerations: The user will need to re-authenticate on all devices and applications; access tokens that were issued before the revocation remain valid until they expire (about one hour by default), so the revocation takes effect when a client next has to refresh
- Permissions needed: User.ReadWrite.All
Additional action Blumira performs
An additional action performed on your behalf is checking whether the user is a member of the Global Administrator or Directory Synchronization Accounts directory roles. Users in either role are excluded from the accounts that Blumira will disable, so that an automated response cannot lock out the tenant's administrators or break the account that Azure AD Connect uses to synchronize the directory.
Implications to consider in a hybrid Azure environment
When you disable a user and remove their sessions in a hybrid Azure environment (i.e., Azure AD and on-premises AD), consider these important implications:
- Authentication and access:
- Azure resources: Immediate termination of access to all Azure-based resources and applications.
- Office 365: Access blocked to email, SharePoint, Teams, and other Microsoft 365 services.
- On-premises resources: Delayed effect until AD sync occurs (typically within 30 minutes, depending on sync schedule).
- Active sessions: On-premises active sessions may continue until credential validation is required again.
- Synchronization:
- Azure AD Connect Sync: Changes propagate based on your sync cycle (typically every 30 minutes).
- Sync conflicts: For a synced user, the enabled/disabled state is sourced from on-premises AD. If the on-premises account is not also disabled, the next sync cycle writes its enabled state back to the cloud account and re-enables it.
- Attribute flow: More generally, changes made to synced attributes in Azure AD may be overwritten by on-premises AD during the next sync cycle, so make the change on-premises and let it flow to the cloud.
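To see what "Disable User & Revoke Session" does underneath, and to verify its effect after a test, the following added example (not Blumira's code) reproduces the action with the Microsoft Graph PowerShell SDK. It applies the guard rail described under "Additional action Blumira performs" (members of the Global Administrator and Directory Synchronization Accounts roles are refused) and the hybrid caveat from the list above (a user with onPremisesSyncEnabled is flagged, because the cloud-side disable will be reverted by the next sync unless the on-premises account is disabled too). The role names are matched by display name; the target UPN is a placeholder you must replace.

```powershell
# Added example (not Blumira's code). Requires the Microsoft.Graph modules.
param([string]$TargetUpn = 'testuser@contoso.example')   # assumed test account (replace)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# The permissions the page lists for the two actions, plus Directory.Read.All so the
# script can read role membership without the broader Directory.ReadWrite.All.
Connect-MgGraph -Scopes 'User.ReadWrite.All','User.EnableDisableAccount.All','Directory.Read.All' -NoWelcome

# Roles whose members must never be disabled by automation.
$ProtectedRoles = @('Global Administrator', 'Directory Synchronization Accounts')

function Get-ProtectedRoleMembership {
    # Returns the display names of protected roles the user holds. Get-MgDirectoryRole lists
    # only roles activated in the tenant, which is enough here: a role with members is active.
    param([string]$UserId)
    $roles = Get-MgDirectoryRole -All | Where-Object { $ProtectedRoles -contains $_.DisplayName }
    foreach ($role in $roles) {
        $memberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id)
        if ($memberIds -contains $UserId) { $role.DisplayName }
    }
}

function Invoke-DisableAndRevoke {
    param([string]$Upn)
    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,OnPremisesSamAccountName

    $protected = @(Get-ProtectedRoleMembership -UserId $user.Id)
    if ($protected.Count -gt 0) {
        Write-Warning "Refusing to disable $($user.UserPrincipalName): member of $($protected -join ', ')."
        return
    }

    if ($user.OnPremisesSyncEnabled) {
        # Hybrid caveat: accountEnabled for a synced user is sourced from on-premises AD, so a
        # cloud-only disable is overwritten on the next sync cycle (default 30 minutes).
        $msg = "{0} is synced from on-premises AD (sAMAccountName {1}). Also run " +
               "Disable-ADAccount -Identity {1} on-premises and then Start-ADSyncSyncCycle -PolicyType Delta " +
               "on the Azure AD Connect server, or this disable will be reverted by the next sync."
        Write-Warning ($msg -f $user.UserPrincipalName, $user.OnPremisesSamAccountName)
    }

    # Disable: blocks new sign-ins by setting accountEnabled = false.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # Revoke: invalidates refresh tokens and session cookies. Access tokens already issued stay
    # valid until they expire (about an hour by default), which is why both steps are needed.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # Verify the effect rather than trusting that the calls returned without error.
    $after = Get-MgUser -UserId $user.Id -Property AccountEnabled,SignInSessionsValidFromDateTime
    [pscustomobject]@{
        User                    = $user.UserPrincipalName
        AccountEnabled          = $after.AccountEnabled                  # expect False
        SignInSessionsValidFrom = $after.SignInSessionsValidFromDateTime # expect roughly now (UTC)
        SyncedFromOnPrem        = [bool]$user.OnPremisesSyncEnabled
    }
}

Invoke-DisableAndRevoke -Upn $TargetUpn
```

The verification step is the part worth keeping in your own runbooks: after Blumira's action succeeds, `Get-MgUser -UserId <upn> -Property AccountEnabled,SignInSessionsValidFromDateTime` should show AccountEnabled = False and a SignInSessionsValidFromDateTime that matches the time of the response, and for a synced user you should re-check AccountEnabled again after the next sync cycle to confirm it was not re-enabled.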