(844) 442-9462(844) 442-9462Free TrialFree TrialContact SalesContact SalesSign inSign in
Cygna Labs
<b>IPControl</b> Software
IPControl Software

Advanced DDI software for Linux or Windows

<b>Sapphire</b> Appliances
Sapphire Appliances

Secure, multi-platform DDI appliances

<b>DDI</b> Services
DDI Services

Tiered support and managed DDI services

<b>DDI</b> Security
DDI Security

DDI defense-in-depth protections

<b>DNSSEC</b> Appliances
DNSSEC Appliances

Automated DNS integrity and authentication

<b>IPAM</b> Auditor Appliance
IPAM Auditor Appliance

Rich DDI reporting, auditing, and forensics

<b>ImageControl</b> Software
ImageControl Software

Scalable DOCSIS firmware management

<b>Sapphire</b> Automation Appliances
Sapphire Automation Appliances

Drag-and-drop DDI API automation

<b>IPAM</b> Executive Failover Appliances
IPAM Executive Failover Appliances

DDI management resiliency

Products
IT Managers
IT Managers

Keep your network and business running

DevOps Engineers
DevOps Engineers

Insert DDI automation effortlessly

Security Professionals
Security Professionals

Add a DDI defense-in-depth layer

Business Professionals
Business Professionals

Maximize returns with comprehensive DDI

Cloud Architects
Cloud Architects

Consolidate cloud subnet, IP & DNS data

Solutions
Blog
Blog

Intriguing DDI and Compliance posts

Newsroom
Newsroom

Keep up with our blistering news feed

Webinars
Webinars

Educational technology webinars

Events
Events

Come see us at upcoming industry events

Partners
Partners

View our growing partner integrations

Success stories
Success stories

How real businesses accelerate their growth with us

Resources
About us
About us

Learn what makes us great

Leadership
Leadership

Meet our executive team

Careers
Careers

Come join our rapidly growing team

Company
Book a Demo
shield

Strengthen your organization’s cybersecurity posture with software solutions from Cygna Labs

  1. Home

  2. Blog

  3. Securing Teams and M365 with Cygna Auditor – Looking at Login data

Cloud Computing

Securing Teams and M365 with Cygna Auditor – Looking at Login data

Jeff Melnick

Jeff Melnick

Jul 06, 2023

Securing Teams and M365 with Cygna Auditor – Looking at Login data

Breaches in Teams and M365

The most important part of remediating a breach is realizing that you have one in the first place. The use of Teams and M365 has grown significantly over the past 6 years with Teams exploding from just 2 Million members in 2017, to over 270 million members as of 2022.

Every year membership has doubled or quadrupled, which leaves a large number of users (and undertrained and overworked Admins) open to attack from malicious actors. We can configure Azure Active Directory Auditing to alert and report on this information

Large numbers of Failed Logons

You can be proactive with preventing attempted breaches by blacklisting IP’s that are outside of your organization where you are receiving large numbers of attempted logons.

There isn’t necessarily a need to receive an alert for every event, we want to make sure that we reserve alerts for the most important events to avoid ‘alert fatigue’. For example, a scheduled daily or even a weekly report of all failed logons can help you determine if there is a potential problem without overwhelming you.

However, if you want to receive an alert for very large numbers of failed logons, you can configure our smart alerts to kick off if there are say, 20 or more failed logons within a minute, and then to suppress the alert for 15 minutes as in this example:

Enable Smart Alerts

I’ve actually seen misconfigured alerts crash out Exchange servers for an event that kicks off on a Friday night and floods your inbox or SIEM with millions of alerts so this is a convenient way to limit the volume of alerts you can potentially receive.

Successful Logons outside of expected locations

You can also alert on successful logons that take place from outside of your Organizations standard geographical regions. If they are determined to be legitimate logons, those locations can be excluded from the alerts moving forward

You can utilized the built in reports and alerts in Cygna Auditor as a place to start and then customize them to fit your needs, or go straight to the Auditing tab to customize your query. Using the Location filter and the is not one of condition, you can specify specific locations such as Miami or Philadelphia in the US. Alternatively using the Location, filter and the does not contain condition you can specify just the Country code or state. You can even use a combination of there as in this example, which is configured to ignore any logons from Canada or from the cities of Miami or Philadelphia in the US.

Successful Logons Outside of Expected Locations

In part 2, we’ll detail what to look for during an ongoing breach.