Cybersecurity Demystify

How to Onboard Windows Server to Azure Using Azure Arc

Managing on-premises Windows Servers efficiently while still benefiting from cloud infrastructure is a challenge for many organizations. With Azure Arc, Microsoft extends Azure services and management to on-premises, multi-cloud, and edge environments. In this post, we walk through onboarding a Windows Server to Azure with Azure Arc so you can centralize management, governance, and security of your infrastructure across hybrid environments.

What is Azure Arc?

Azure Arc is an Azure technology that extends Azure management to infrastructure outside Azure, letting you manage resources such as Windows Servers, Kubernetes clusters, and databases from the Azure portal. Whether your workloads run on-premises, in other clouds, or at the edge, Azure Arc projects them into Azure Resource Manager as resources, so Azure's governance (Azure Policy, role-based access control), security (Microsoft Defender for Cloud), and monitoring (Azure Monitor) capabilities apply to them.

Why Onboard Your Windows Server to Azure Using Azure Arc?

Before diving into the technical steps, here are some key reasons why onboarding your Windows Server to Azure Arc is beneficial:

Prerequisites for Onboarding a Windows Server to Azure Using Azure Arc

Before you begin, make sure you have the following prerequisites in place, as documented by Microsoft:

Step-by-Step Guide to Onboard Your Windows Server to Azure Using Azure Arc

1. Log in to the Azure portal, search for Azure Arc in the search bar, and select Azure Arc.
2. In the Azure Arc dashboard, click Azure Arc resources > Machines > + Add/Create, then click Add a machine. You can add a single server or multiple servers; this example adds a single server.
3. Under Add a single server, click Generate script. Select your Azure subscription, select a resource group or create a new one, then specify the region and the operating system. Click Download and run.

Download and Install the Azure Arc Agent

The Azure Connected Machine agent must be installed on the on-premises server; it is what connects the server to Azure. The generated script downloads the agent installer and then runs azcmagent connect with your subscription, resource group, region, and tenant so the machine is registered as an Azure Arc resource. You can either copy the script and run it on the server from an elevated Command Prompt, or download it and run it in PowerShell.

Treat the script with the same care as any other code you run as administrator: read it before running it, and keep in mind that the Add multiple servers variant authenticates with a service principal whose secret you place in the script, so that file is a credential and should be stored and deleted accordingly.

To use the Command Prompt, open it as an administrator, paste the command from the Azure portal, and run it; it downloads and installs the agent and registers the server with Azure Arc. For this example, download the script instead: click Download, right-click the downloaded .ps1 file, and choose Run with PowerShell. You will be prompted to sign in to Azure; the account needs permission to create the Arc machine resource in the resource group (the Azure Connected Machine Onboarding role is sufficient, and is preferable to a broader role for this task).

Allow about five minutes for the server to show up. Then return to the Azure portal, open Azure Arc, and click Machines in the left-hand pane; the on-premises server should be listed with a status of Connected.

Once your Windows Server is onboarded and integrated with Azure Arc, you can take advantage of several Azure hybrid capabilities, including:

Click the newly added machine and then Overview to see the services you can add to improve performance, security, and compliance.
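Once the portal shows the machine as Connected, the checks below, run on the server itself, confirm the agent's state and reduce what an Azure-side identity can do to the box through Arc (extensions run as Local System, so an attacker with rights on the Arc resource can run code on the server). This is an added example written for this post, not part of the original article or of Microsoft's onboarding script; the service and command names are the agent's own, while the two extension names in $AllowedExtensions are placeholders to replace with the extensions you actually deploy.

```powershell
# Added example (not from the original post): post-onboarding check and hardening of the
# Azure Connected Machine agent on Windows. Run in an elevated PowerShell session on the
# server after the portal script has finished.
# Assumption: the names in $AllowedExtensions are placeholders for what you really deploy.

$ErrorActionPreference = 'Stop'
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
if (-not (Test-Path $azcmagent)) { throw 'azcmagent.exe not found; the agent is not installed.' }

# 1. Agent services: himds (hybrid instance metadata), guest configuration, extension manager.
Get-Service -Name himds, GCArcService, ExtensionService -ErrorAction SilentlyContinue |
    Select-Object Name, Status

# 2. Connection state as the agent sees it (Connected/Disconnected, resource ID, tenant).
& $azcmagent show

# 3. Network prerequisites: reachability of the Azure endpoints the agent needs.
& $azcmagent check

# 4. Only allow the extensions you intend to deploy. The first call sets the list,
#    later calls append, so an existing allowlist is replaced rather than extended.
$AllowedExtensions = @(
    'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent',                  # placeholder
    'Microsoft.Azure.Security.Monitoring/AzureSecurityWindowsAgent'      # placeholder
)
& $azcmagent config set extensions.allowlist $AllowedExtensions[0]
foreach ($ext in ($AllowedExtensions | Select-Object -Skip 1)) {
    & $azcmagent config set extensions.allowlist $ext --add
}

# 5. Keep Arc-brokered inbound connections (SSH via Arc) off until explicitly needed.
& $azcmagent config set incomingconnections.enabled false

# 6. Record the resulting local configuration for the change ticket.
& $azcmagent config list
```

If `azcmagent show` reports Disconnected, or `azcmagent check` lists endpoints it cannot reach, fix that before layering Defender or Azure Monitor on top; an agent that cannot reach Azure will silently miss policy and extension updates.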
Conclusion Onboarding your Windows Server to Azure using Azure Arc provides a unified management experience for hybrid cloud environments. By following the steps outlined in this blog, you can now manage, secure, and monitor your on-premises Windows Server alongside your Azure resources, taking advantage of Azure’s governance, security, and cloud-native services. Whether for compliance, security, or operational efficiency, Azure Arc unlocks the full potential of your on-premises infrastructure.


How to Improve Your Microsoft 365 Security: Key Tips for Enhanced Protection

Key Tips for Improving Your Microsoft 365 Security

Microsoft 365 is a powerful suite of tools for productivity, collaboration, and communication. With its expansive feature set and widespread use, it is critical to ensure that sensitive data and resources are properly secured. Unauthorized access, data leaks, and malware are growing concerns for many businesses, which is why proactively hardening your Microsoft 365 tenant is essential. In this post, I cover several key ways to improve Microsoft 365 security: turning off user consent for applications, restricting non-admin users from creating tenants, restricting access to the Microsoft Entra admin center, and ensuring that SharePoint and OneDrive content is shared only with people in your organization.

1. Turn Off User Consent for Apps

In Microsoft 365, users can grant consent to third-party apps to access their data, including email, calendar events, and documents. This is convenient, but it is also the mechanism behind consent-phishing attacks, in which a user is tricked into approving a malicious app that then reads mail and files with the user's permissions, without the attacker ever needing the user's password. One of the most important security practices is therefore to turn off user consent so that unapproved apps cannot gain access to corporate resources.

How to Turn Off User Consent for Applications

Sign in to the Microsoft Entra admin center with administrator credentials.
Click Applications > Enterprise applications.
Under the Security section, click Consent and permissions.
Click User consent settings, and under User consent for applications select Do not allow user consent.
Click Save.

This blocks users from granting third-party apps access to their Microsoft 365 data; every app permission request must then be approved by an administrator. Consider also enabling the admin consent workflow (under Admin consent settings) so users have a sanctioned way to request an app instead of working around the block.

Why Is It Important to Turn Off User Consent for Applications?

Turning off user consent to third-party applications in Microsoft 365 helps prevent malicious apps or unintended permissions from being granted, thereby safeguarding organizational data. This is particularly crucial for organizations in highly regulated industries where data privacy is a top concern.

2. Restrict Non-Admin Users from Creating Microsoft Entra Tenants

Another security risk that organizations often overlook is the creation of new tenants by non-admin users. By default, any user can create a new Microsoft Entra tenant, and whoever creates a tenant becomes the Global Administrator of that tenant. Such a tenant sits entirely outside your governance and can be used to bypass security controls or to run shadow IT with a corporate identity. Restricting tenant creation to administrators adds a layer of control to your Microsoft 365 environment.

How to Restrict Tenant Creation

Sign in to the Microsoft Entra admin center with administrator credentials.
Click Users > User settings.
Set Restrict non-admin users from creating tenants to Yes. With Yes, only users holding the Global Administrator or Tenant Creator role can create tenants; with No, any user can, and that user becomes the Global Administrator of the new tenant.
Click Save.

Why Is It Important to Restrict Non-Admins from Creating Tenants?

This setting ensures that only trusted administrators can create new tenants, preventing unauthorized tenants from being created from your organization's Microsoft 365 environment. By enforcing this restriction, you help protect your organization from potential breaches or misuse.

3. Restrict Access to the Microsoft Entra Admin Center

The Microsoft Entra admin center (formerly Azure Active Directory) is where administrators configure access to corporate resources, manage users, and set security policies. If ordinary users can browse this portal, they can enumerate users, groups, applications, and settings that make social engineering and lateral movement easier.

How to Restrict Access to the Microsoft Entra Admin Center

Sign in to the Microsoft Entra admin center with administrator credentials.
Click Users > User settings.
Set Restrict access to Microsoft Entra admin center to Yes.
Click Save.

Two other settings on the same User settings page are worth reviewing. Depending on your organization's risk tolerance, you can decide whether users may connect their work or school account to LinkedIn; for this example, I allow it only for a group of users who need LinkedIn for their job duties, such as Human Resources. Disabling persistent browser sessions is also good practice, so for this example I set Show keep user signed in to No.

Why It's Important to Restrict Access to the Microsoft Entra Admin Center

Restricting access to the Microsoft Entra admin center reduces the risk of unauthorized modification of key security settings or casual browsing of directory information. Be aware of what this setting does not do: it blocks the portal only. Non-admin users can still read the same directory data through PowerShell, Microsoft Graph, or other clients, so this is a friction control, not a data-access control; what actually limits a user's power is the directory roles assigned to them.

4. Configure SharePoint Content to Only Be Shared with People in Your Organization

Sharing content externally can be useful, but it also exposes your organization to significant risk. Employees may accidentally share confidential documents with external users, or an attacker using a compromised account may use sharing links to exfiltrate data. To reduce this risk, configure your Microsoft 365 environment so that SharePoint content is shared only within your organization.

Sign in to the Microsoft 365 admin center with admin credentials and click SharePoint.
Click Policies > Sharing.
Set the organization-level Content can be shared with for SharePoint and OneDrive to meet your organization's needs. This is the ceiling for the whole tenant: Only people in your organization turns external sharing off entirely. For this example, I set it to New and existing guests, which keeps guest sharing possible but requires guests to sign in or provide a verification code.
Under File and folder links, set the default link type to Only people in your organization. This makes an internal-only link what users get when they click Share. With the ceiling set as above, a user can still deliberately choose a guest link, so if external sharing must be impossible rather than merely non-default, set the organization-level option to Only people in your organization as well.

Why Is It Important for Content to Only Be Shared with People in Your Organization?

Restricting SharePoint sharing to internal users helps prevent accidental or unauthorized data leaks, particularly of sensitive information. It keeps your files within the boundaries of your organization, reducing the risk of exposing confidential data to third parties.

5. Set View Permission by Default for SharePoint

A security best practice is to ensure that only those who absolutely need access to a file or document can view it, and that editing rights are granted deliberately rather than handed out with every link. By default, SharePoint should be configured to provide
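The portal settings above can also be audited, and set, from PowerShell, which is useful for checking several tenants or for catching drift after the fact. The script below is an added example, not part of the original post; it assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, that 'contoso' is replaced with your tenant name, and that the values in $Target are the baseline you actually want (the post's own choice of New and existing guests corresponds to ExternalUserSharingOnly). The admin center restriction from section 3 is not exposed through Microsoft Graph and stays a portal setting.

```powershell
# Added example (not from the original post): audit, and with -Fix enforce, the Entra and
# SharePoint settings covered above. Assumptions: Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell are installed; 'contoso' is your tenant name;
# $Target is the baseline you want (change SharingCapability if guests must stay allowed).
param([switch]$Fix)

$ErrorActionPreference = 'Stop'
$Target = @{
    SharingCapability      = 'Disabled'   # Only people in your organization
                                          # (ExternalUserSharingOnly = New and existing guests)
    DefaultSharingLinkType = 'Internal'   # File and folder links: only people in your organization
    DefaultLinkPermission  = 'View'       # section 5: view, not edit, by default
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.Authorization' -NoWelcome
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$findings = @()

# Sections 1 and 2 live on the tenant's authorization policy.
$perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
# User consent is enabled whenever a ManagePermissionGrantsForSelf.* policy is assigned;
# "Do not allow user consent" in the portal removes exactly those entries.
$selfConsent = @($perm.PermissionGrantPoliciesAssigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
if ($selfConsent.Count -gt 0)     { $findings += "User consent enabled via: $($selfConsent -join ', ')" }
if ($perm.AllowedToCreateTenants) { $findings += 'Non-admin users can create tenants' }

if ($Fix) {
    # Keep any group-owner consent policies; only the self-consent entries go.
    $keep = @($perm.PermissionGrantPoliciesAssigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        permissionGrantPoliciesAssigned = $keep
        allowedToCreateTenants          = $false
    }
}

# Sections 4 and 5: tenant-wide sharing ceiling, default link scope, default link permission.
$t = Get-SPOTenant
foreach ($k in $Target.Keys) {
    if ("$($t.$k)" -ne $Target[$k]) { $findings += "SharePoint $k is $($t.$k), expected $($Target[$k])" }
}
if ($Fix) {
    Set-SPOTenant -SharingCapability      $Target.SharingCapability `
                  -DefaultSharingLinkType $Target.DefaultSharingLinkType `
                  -DefaultLinkPermission  $Target.DefaultLinkPermission
}

if ($findings.Count -eq 0) { 'All checked settings match the baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without -Fix first and read the findings; the tenant-wide SharingCapability change in particular breaks every existing guest link the moment it is applied, so agree the baseline with the business before enforcing it.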


How to Configure Conditional Access to Require Multi-Factor Authentication (MFA) Before Joining Microsoft Entra ID

Configure Conditional Access to Require Multi-Factor Authentication (MFA) Before Joining Microsoft Entra ID

In today's security landscape, Multi-Factor Authentication (MFA) has become a crucial safeguard for sensitive data and systems. Microsoft Entra ID is a robust identity and access management platform that lets businesses keep tight control over user access. One capability of Entra ID is a Conditional Access policy that requires MFA before a user can register or join a device to the organization's Entra ID. This helps stop unauthorized access and ensures that only verified users can enroll devices that will then hold tokens for corporate resources. In this post, I walk through the step-by-step configuration of Conditional Access to require MFA before a user can register or join a device to your Microsoft Entra ID.

What is Microsoft Entra ID?

Before diving into the setup, let's briefly cover what Microsoft Entra ID is. Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's identity management service that helps organizations manage users, groups, devices, and access to applications securely. It provides features such as single sign-on (SSO), self-service password reset, and Conditional Access.

What is Conditional Access?

Conditional Access is a security feature in Microsoft Entra ID that enforces policies based on specific conditions. With Conditional Access, administrators define rules to block or allow access to resources based on factors like:

Conditional Access improves security by enforcing policies that require additional checks before granting access, reducing the attack surface for potential breaches.

Prerequisites

Before configuring Conditional Access, make sure you have the following:

Why Use Conditional Access to Require MFA Before Joining Entra ID?

Configuring Conditional Access to require MFA before a user can register or join a device is a critical security measure. It ensures that only authenticated, legitimate users can register devices and access organizational resources, adding protection against credential theft. In particular, it stops an attacker who holds only a stolen password from enrolling a device of their own: once a device is registered it can be used to satisfy device-based Conditional Access policies, so the registration step itself needs a strong check.

Steps to Configure Conditional Access for MFA Before Joining Microsoft Entra ID

1. Open the Microsoft Entra admin center. From the Azure portal, click Microsoft Entra ID in the left-hand pane or search for Microsoft Entra ID in the search box. From the Microsoft 365 admin center, click Show all, then Identity.
2. Conditional Access can be configured from the Entra admin center (Protection > Conditional Access in the left-hand menu) or from the Microsoft Intune admin center (Endpoint security > Conditional access).
3. Click Policies > + New policy to create a new Conditional Access policy.
4. Under Assignments, give the policy a descriptive name, such as MFA Before Joining Entra ID.
5. Click Users and select All users. Exclude at least one emergency-access (break-glass) account so that a misconfiguration or an MFA service outage cannot lock every administrator out.
6. Click Target resources, select User actions, and check Register or join devices.
7. Under Access controls, click Grant, select Grant access, and check Require multi-factor authentication.

This ensures that users must complete MFA before they can register or join a device to Entra ID. One caveat: Entra ID also has an older per-tenant toggle, Require Multifactor Authentication to register or join devices with Microsoft Entra, under Devices > Device settings. Microsoft recommends using the Conditional Access policy rather than that toggle, and not both, so leave the legacy setting at No once this policy is in place.

Set Conditions for MFA (Optional)

You can further refine when MFA is required. For example:

Enable and Test the Policy

After configuring the conditions and controls, review the policy and make sure it meets your organization's needs. Test before enforcing: in a production environment set the policy to Report-only so it is evaluated and logged without blocking anyone; otherwise select On. Click Create. Then test it by registering or joining a device with an ordinary user account; the MFA prompt should appear before the user can complete the process.

Monitor the Policy's Effectiveness

Once the policy is live, use the Sign-in logs in Entra ID to monitor how it is applied. Each sign-in has a Conditional Access tab that shows which policies were evaluated and their result, and in report-only mode a Report-only tab shows what the policy would have done. This lets you confirm that legitimate device registrations are being challenged for MFA and catch any that are unexpectedly blocked before you enforce.

Best Practices for Conditional Access Policies

Conclusion

Configuring Conditional Access to require MFA before joining Microsoft Entra ID adds a crucial layer of security for your organization. By requiring MFA up front, you ensure that only verified users can register devices in your Entra ID and reach the associated resources, reducing the risk of unauthorized access. With the steps outlined here, you can configure a policy tailored to your organization's needs that keeps the user experience smooth. If you want to learn more about how Conditional Access and MFA work together to protect your organization, check out our other resources on Microsoft Entra ID security features.
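The same policy can be created with Microsoft Graph PowerShell, which makes it repeatable across tenants and reviewable in source control. The script below is an added example, not part of the original post; it assumes the Microsoft.Graph module is installed and that $BreakGlassIds holds the object IDs of your emergency-access accounts (the GUID shown is a placeholder). The user action value urn:user:registerdevice is what the portal's Register or join devices option maps to in the Graph API.

```powershell
# Added example (not from the original post): create the Conditional Access policy above
# with Microsoft Graph PowerShell, starting in report-only mode, then read it back.
# Assumptions: Microsoft.Graph is installed; $BreakGlassIds are placeholders for the
# object IDs of your emergency-access accounts.

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$BreakGlassIds = @('00000000-0000-0000-0000-000000000000')   # placeholder

$policy = @{
    displayName   = 'MFA Before Joining Entra ID'
    # Report-only: evaluated and logged, not enforced, until the sign-in log looks right.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = $BreakGlassIds
        }
        applications = @{
            # Portal: Target resources > User actions > Register or join devices
            includeUserActions = @('urn:user:registerdevice')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read it back and confirm the scope is the device-registration user action only:
# a policy that accidentally also targets 'All cloud apps' would prompt on every sign-in.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name        = $check.DisplayName
    State       = $check.State
    UserActions = ($check.Conditions.Applications.IncludeUserActions -join ',')
    Apps        = ($check.Conditions.Applications.IncludeApplications -join ',')
    Grant       = ($check.GrantControls.BuiltInControls -join ',')
    Excluded    = ($check.Conditions.Users.ExcludeUsers -join ',')
}

# Once report-only results are clean, enforce:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The read-back step is deliberate: Conditional Access policies fail open or closed depending on small details (an empty exclusion list, the wrong user action), and printing the stored object is cheaper than discovering the mistake from a locked-out help desk.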


How to Block Sharing of Financial Information Using DLP Policies in Microsoft Purview

Block Sharing of Financial Information Using DLP Policies in Microsoft Purview

In today's digital landscape, protecting the confidentiality of financial information is critical. Credit card details, bank account numbers, transaction records, and similar data must be protected from unauthorized access and accidental sharing. Microsoft Purview Data Loss Prevention (DLP) policies can block the sharing of such information across Microsoft 365, supporting compliance obligations such as PCI DSS (Payment Card Industry Data Security Standard) and reducing the risk of a financial data breach. In this guide, I walk through creating and configuring DLP policies in Microsoft Purview to block the sharing of sensitive financial information across SharePoint, OneDrive, Teams, and Exchange.

What is Microsoft Purview DLP?

Data Loss Prevention (DLP) in Microsoft Purview is designed to help organizations detect, prevent, and manage the sharing of sensitive data. With DLP policies, organizations automatically enforce rules that protect sensitive information, including financial data, across Microsoft 365 services.

Key Benefits of Using DLP for Financial Information:

What are DLP Policies in Microsoft Purview?

DLP policies in Microsoft Purview let organizations identify, monitor, and protect sensitive data. With these policies in place, you can prevent the accidental sharing of confidential information such as personally identifiable information (PII), credit card details, or corporate secrets. They help ensure compliance with legal and regulatory requirements and improve internal data governance. Microsoft Purview offers two primary ways to create DLP policies:

Let's explore both methods in detail.

How to Create DLP Policies in Microsoft Purview Manually

Creating a DLP policy manually gives you full control over the types of sensitive information you want to protect, where that information lives, and how the policy reacts to violations.

1. Sign in to Microsoft Purview with your admin credentials. In the left-hand pane, click Solutions, then Data Loss Prevention.
2. Click Policies in the top menu and select Create policy.
3. Select Custom > Custom policy to build the policy from scratch, and click Next.
4. Enter a meaningful name and a description that states the purpose of the policy. The example policy prevents the sharing of credit card information via email, Teams, or SharePoint, so I name it Custom Financial Data Protection Policy. Click Next.
5. Choose the locations where the policy should apply, and click Next.
6. Choose Create or customize advanced DLP rules, and click Next.
7. Click + Create rule, then give the rule a meaningful name and description.
8. Under Conditions, click + Add condition, choose Content contains, and give the condition a name. Click + Add, select Sensitive info types, select the sensitive info type, and click Add. For this example, I select the custom sensitive info type created previously (see the companion post on creating a sensitive info type for financial data in Microsoft Purview).
9. Click + Add an action and select Restrict access or encrypt the content in Microsoft 365 locations. Choose what should happen when the conditions are met; for this example, I choose Block everyone. This action applies to the Exchange, SharePoint, OneDrive, and Teams locations; the Devices location has its own set of endpoint actions.
10. Turn user notifications on. Policy tips inform users at the moment of the violation and help educate them on the proper handling of sensitive information. Select who should be notified, based on your organization, and click Save.
11. Decide whether users may override the policy restriction, whether you want alerts when the conditions are met and how often, and who receives alerts and through what channel. Click Save. The rule is created and turned on. Click Next.
12. It is important to run the policy in simulation mode before turning it on in a production environment: simulation logs what the policy would have matched without blocking anyone, which is how you find false positives before they stop real work. This is my lab tenant, so I turn the policy on immediately; in production, select Run the policy in simulation mode. Turning a simulated policy on later is shown in the next example on this page (the HIPAA policy).
13. Review the policy and click Submit. The policy is created.

How to Create DLP Policies in Microsoft Purview Using Templates

If you want to save time, or you are unsure where to start, Microsoft Purview provides pre-built DLP templates for common data protection scenarios that can be applied in a few clicks.

1. Sign in to Microsoft Purview with your admin credentials. In the left-hand pane, click Data Loss Prevention.
2. Click Policies in the top menu and select Create policy.
3. Under Categories, choose based on the country where your business operates, the type of data you are protecting, and the regulation you must comply with. For this example, the company operates in the United States and I am protecting financial data in compliance with PCI DSS, so I select United States of America for the country, Financial under Categories, and PCI Data Security Standard (PCI DSS) under Regulations.
4. Rename the policy or leave the default name. Optionally assign admin units; I leave the default.
5. Choose the locations where the policy should apply. For this example, I choose Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices. You can apply the policy across all locations or specific ones, depending on your
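The manual policy above maps to two objects in Security & Compliance PowerShell: a policy (where it applies and whether it is simulated or enforced) and a rule (what it matches and what it does). The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module (which provides Connect-IPPSSession) is installed and that the custom sensitive info type from the companion post is named Financial Data, which is a placeholder. It starts in simulation mode, which is the safe default the post recommends for production, and leaves Devices out because endpoint DLP requires device onboarding the post does not cover.

```powershell
# Added example (not from the original post): the custom financial DLP policy created with
# Security & Compliance PowerShell, in simulation mode first.
# Assumptions: ExchangeOnlineManagement is installed; 'Financial Data' is a placeholder
# for the name of your custom sensitive info type.

$ErrorActionPreference = 'Stop'
Connect-IPPSSession

$PolicyName = 'Custom Financial Data Protection Policy'
$SitName    = 'Financial Data'   # placeholder: your custom SIT

# Policy: scope and mode. TestWithoutNotifications = simulation with no user-visible effect.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Block sharing of financial data (credit cards and custom financial SIT)' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Rule: match either the built-in checksummed Credit Card Number SIT or the custom keyword
# SIT (an array of hashtables is OR), then block everyone, as in the portal walkthrough.
New-DlpComplianceRule -Name 'Block financial data - everyone' -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1'; minConfidence = '85' },
        @{ Name = $SitName;             minCount = '1'; minConfidence = '85' }
    ) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains financial data and cannot be shared.' `
    -GenerateAlert SiteAdmin -ReportSeverityLevel High

# Show what was created; Mode should read TestWithoutNotifications until you enable it.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, Enabled
Get-DlpComplianceRule  -Policy   $PolicyName | Select-Object Name, BlockAccess, BlockAccessScope

# After reviewing simulation results in the portal:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

minConfidence 85 corresponds to the High confidence level chosen when the custom sensitive info type was created; if you pick a lower level there, lower it here as well or the rule will never fire on that SIT.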


How to Create a Sensitive Info Type for Financial Data in Microsoft Purview: A Step-by-Step Guide

Create a Sensitive Info Type for Financial Data in Microsoft Purview

In the age of digital transformation, managing and protecting sensitive financial data is more crucial than ever. Financial data covers banking, credit card, and transaction information, all of which is highly sensitive and must be protected against unauthorized access and breaches. Microsoft Purview identifies and classifies such data across your organization's environment. In this guide, we show how to create a custom Sensitive Info Type (SIT) for financial data in Microsoft Purview, so that you can build DLP and labeling policies on it, stay compliant with regulatory standards, and keep your financial information secure.

What is Microsoft Purview?

Microsoft Purview is a unified data governance solution that lets organizations manage, classify, protect, and govern their data across on-premises, hybrid, and cloud environments. It provides compliance and risk management capabilities, including classification of sensitive information such as financial data based on predefined or custom patterns. With Microsoft Purview, organizations can reduce the risks of handling sensitive financial information and enforce consistent compliance measures across the organization.

Why Create a Sensitive Info Type for Financial Data?

Financial data is a category of highly sensitive information. It includes personal financial records, credit card information, bank account numbers, and transaction details. With strict compliance requirements such as PCI DSS (Payment Card Industry Data Security Standard) and GDPR (General Data Protection Regulation), creating a Sensitive Info Type for financial data ensures that organizations:

By implementing a Sensitive Info Type designed for financial data, organizations automate the identification and classification of sensitive financial information, reducing the risk of data breaches and non-compliance.

Step-by-Step Guide to Creating a Sensitive Info Type for Financial Data

1. Log in to Microsoft Purview with your admin credentials. Click Solutions in the left-hand pane, then Data Loss Prevention.
2. Click Classifiers > Sensitive info types > + Create sensitive info type.
3. Name your Sensitive Info Type.
4. Click + Create pattern. Click + Add primary element and select Keyword list. You can select an existing keyword list; I create a new one for this example. Enter an ID for the keyword list, enter the keywords one per line (matching is not case sensitive), and click Done.
5. Check the box next to Anywhere in the document, click Create, then click Next.
6. For the recommended confidence level, choose High, and click Next.
7. Review the settings, click Create, then Done. The Sensitive Info Type for financial data is created.

A keyword-only SIT is quick to build but prone to both false positives and false negatives, because it matches words rather than the data itself: the phrase "routing number" in a help article matches, while an actual routing number with no such phrase nearby does not. For stronger detection, combine this SIT in the DLP rule with a built-in SIT that validates the data format (for example Credit Card Number, which checksums the digits), or add a regular expression as the primary element and keep the keywords as supporting evidence.

To use this SIT in a policy, see the companion post on creating a DLP policy.

Best Practices for Creating Sensitive Info Types for Financial Data

Conclusion

Creating a Sensitive Info Type for financial data in Microsoft Purview is a vital step toward ensuring the security and compliance of your organization's sensitive financial information.
By following the steps outlined in this guide, you can create an effective system for classifying and protecting financial data, ensuring that it remains secure and that your organization adheres to regulatory standards. With Microsoft Purview’s powerful data governance features, you can confidently protect your sensitive financial data and maintain compliance in an ever-evolving digital landscape.


How to Create a Sensitive Info Type for Medical Data in Microsoft Purview: A Step-by-Step Guide

Create a Sensitive Info Type for Medical Data in Microsoft Purview

In today's world, protecting sensitive data is more important than ever, especially in healthcare, where privacy is paramount. Microsoft Purview provides a powerful way to manage and safeguard sensitive information. In this post, I walk through creating a Sensitive Info Type for medical data in Microsoft Purview based on medical keywords, so you can meet regulatory requirements and keep patient data secure.

What is Microsoft Purview?

Microsoft Purview is a comprehensive data governance, compliance, and risk management solution that lets organizations classify, protect, and manage data across their environments. It identifies sensitive information, such as Personally Identifiable Information (PII) and regulated data, and gives you the tools to apply data protection policies accordingly. Creating a Sensitive Info Type (SIT) for medical data is one of the steps in helping healthcare organizations comply with privacy standards such as HIPAA (Health Insurance Portability and Accountability Act) or GDPR (General Data Protection Regulation).

Why Create a Sensitive Info Type for Medical Data?

Medical data includes sensitive personal information such as medical records, diagnoses, treatment information, and payment details. By creating a Sensitive Info Type specifically for medical data, you can:

Now, let's create a Sensitive Info Type for medical data in Microsoft Purview step by step.

1. Sign in to Microsoft Purview with your admin credentials. In the left-hand pane, click Solutions, then Data Loss Prevention.
2. Click Classifiers > Sensitive info types > + Create sensitive info type.
3. Give your Sensitive Info Type a descriptive name and a description so you can identify it later, and click Next.
4. Click + Create pattern. Click + Add primary element and choose Keyword list. You can choose an existing keyword list; I create a new one for this example. Enter an ID for the keyword list, enter the keywords one per line (matching is case insensitive), and click Done.
5. Check the box next to Anywhere in the document, click Create, then click Next.
6. Choose High for the recommended confidence level, and click Next.
7. Review the settings of your Sensitive Info Type, click Create, then Done. The Sensitive Info Type for medical data is created.

As with any keyword-only SIT, expect false positives: a wellness newsletter that mentions "diagnosis" and "prescription" will match just as a patient record does. Medical terms become protected health information only when they are tied to a person, so in the DLP rule combine this SIT with an identifier (for example the built-in U.S. Social Security Number SIT) or with the built-in ICD-9-CM and ICD-10-CM SITs, rather than blocking on the keywords alone.

To use this SIT in a DLP policy, see the companion post on blocking the sharing of medical information.

Best Practices for Creating Sensitive Info Types for Medical Data

Conclusion

Creating a Sensitive Info Type for medical data in Microsoft Purview is an essential step in protecting sensitive healthcare information. By following this guide, your organization has the tools to classify, protect, and monitor medical data effectively. Strong data governance practices not only help achieve compliance but also ensure that patient privacy is maintained at all times.
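The keyword-list SITs from this post and from the financial-data post above can be created from a rule-package XML file with Security & Compliance PowerShell, which is what the portal wizard generates behind the scenes and is easier to review and version than clicks. The script below is an added example covering both posts, not code from either; it assumes the ExchangeOnlineManagement module is installed, uses 'Contoso' as a placeholder publisher, generates fresh GUIDs, and uses short illustrative keyword lists rather than a recommended set. It finishes by testing the new SITs against a constructed sample sentence with Test-DataClassification.

```powershell
# Added example (not from the original posts): build one rule package holding two
# keyword-list SITs (financial and medical), upload it, and test it against sample text.
# Assumptions: ExchangeOnlineManagement is installed; 'Contoso' and the keyword lists
# are placeholders; recommendedConfidence 85 = the portal's High confidence level.

$ErrorActionPreference = 'Stop'
Connect-IPPSSession

$Sits = @(
    @{ Name = 'Financial Data'; Description = 'Custom financial keywords (placeholder list)'
       Keywords = @('bank account number', 'routing number', 'wire transfer', 'credit card statement') },
    @{ Name = 'Medical Data';   Description = 'Custom medical keywords (placeholder list)'
       Keywords = @('patient diagnosis', 'medical record number', 'treatment plan', 'prescription') }
)

# Rule-package skeleton. {3} entities, {4} keyword lists, {5} display strings.
$Template = @'
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="{0}">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="{1}"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>{2}</PublisherName>
        <Name>{2} custom keyword SITs</Name>
        <Description>Keyword-list sensitive info types for financial and medical data</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
{3}{4}    <LocalizedStrings>
{5}    </LocalizedStrings>
  </Rules>
</RulePackage>
'@

function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }

function New-KeywordRulePackageXml {
    param([Parameter(Mandatory)][hashtable[]]$Definitions, [string]$Publisher = 'Contoso')
    $entities = ''; $keywords = ''; $strings = ''
    foreach ($d in $Definitions) {
        $id   = [guid]::NewGuid()
        $kwId = 'Keyword_' + ($d.Name -replace '[^A-Za-z0-9]', '_')
        # Keyword list is the primary (IdMatch) element; matchStyle="word" = whole-word,
        # case-insensitive match. With a single element, patternsProximity has no effect,
        # which is the XML form of "Anywhere in the document".
        $entities += ('    <Entity id="{0}" patternsProximity="300" recommendedConfidence="85">' -f $id) + "`n" +
                     ('      <Pattern confidenceLevel="85"><IdMatch idRef="{0}"/></Pattern>' -f $kwId) + "`n" +
                     "    </Entity>`n"
        $terms = ($d.Keywords | ForEach-Object { '<Term>{0}</Term>' -f (Esc $_) }) -join ''
        $keywords += ('    <Keyword id="{0}"><Group matchStyle="word">{1}</Group></Keyword>' -f $kwId, $terms) + "`n"
        $strings  += ('      <Resource idRef="{0}">' -f $id) + "`n" +
                     ('        <Name default="true" langcode="en-us">{0}</Name>' -f (Esc $d.Name)) + "`n" +
                     ('        <Description default="true" langcode="en-us">{0}</Description>' -f (Esc $d.Description)) + "`n" +
                     "      </Resource>`n"
    }
    $Template -f [guid]::NewGuid(), [guid]::NewGuid(), (Esc $Publisher), $entities, $keywords, $strings
}

# Write without BOM, upload as bytes (the cmdlet takes the file contents, not a path).
$xml = New-KeywordRulePackageXml -Definitions $Sits
$tmp = Join-Path $env:TEMP 'custom-keyword-sits.xml'
[System.IO.File]::WriteAllText($tmp, $xml, [System.Text.UTF8Encoding]::new($false))
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($tmp))
Remove-Item $tmp

# Constructed sample: should hit both SITs. Re-run after a few minutes if the package
# has not propagated yet.
$sample = 'Attached is the patient diagnosis for MRN 1234 and the wire transfer confirmation.'
Test-DataClassification -ClassificationNames 'Financial Data', 'Medical Data' -TextToClassify $sample
```

Keep the generated XML in source control: the RulePack id is the identity of the package, so re-uploading with the same id and a bumped Version updates the SITs in place, while a new id creates a second, unrelated package.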


How to Block Sharing of Medical Information in Compliance with HIPAA Using DLP Policies in Microsoft Purview

Block Sharing of Medical Information Using DLP Policies in Microsoft Purview

In healthcare organizations, ensuring the privacy and security of medical information is crucial for HIPAA (Health Insurance Portability and Accountability Act) compliance. Microsoft Purview provides a robust way to enforce data protection policies that help organizations prevent the unauthorized sharing of sensitive health data. Here is a practical example of how to create a DLP (Data Loss Prevention) policy to stop the sharing of medical information and support HIPAA compliance.

Step-by-Step Guide to Creating a HIPAA-Compliant DLP Policy in Microsoft Purview

Log in to Microsoft Purview with your admin credentials. In the left-hand pane, click Solutions and click on Data Loss Prevention, as shown in the screenshot below. Click on Policies in the top menu and select Create Policy. For All countries and regions, select the United States of America. Click on Medical and health under Categories and select U.S. Health Insurance Act (HIPAA) Enhanced under Regulations. Click on the Next button to proceed.

You can rename the policy if you like or leave it as is. You can select the Admin units to assign the policy to based on your needs. I will leave it as default for this example. Click the Next button.

Select the locations where the policy should be applied. For this example, I will choose Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices. You can apply the policy across all locations or specific ones, depending on your needs. Click on the Next button.

You have the option to Review and customize default settings from the template or Create or customize advanced DLP rules. I will select Review and customize default settings from the template, as shown below. Click on the Next button. This policy will protect content that matches the conditions listed below:

- U.S. Social Security Number (SSN)
- Drug Enforcement Agency (DEA) Number
- U.S. Physical Addresses
- International Classification of Diseases (ICD-9-CM)
- International Classification of Diseases (ICD-10-CM)
- All Medical Terms And Conditions
- All Full Names
- Business – Healthcare
- Employee Insurance Files
- Health/Medical Forms

Click on edit to review them and make any necessary modifications. For example, you can edit the conditions to detect additional sensitive information or content with specific sensitivity or retention labels. I will leave it as default. Click on the Next button.

Decide what actions should be taken when content matches the policy conditions. Decide whether you want to receive incident reports by email and whether alerts should be raised. Use policy tip notifications to inform your users and help educate them on how to handle sensitive information properly. Click on the Next button.

Customize access and override settings. You can choose what you want users to be able to share, and you can decide whether to give users override permission. By default, users are blocked from sending email and Teams chats and channel messages that contain the type of information you are protecting. I will leave it as default. Click on the Save button.

It is important to run your policy in simulation mode to test it before turning it on in a production environment. Choose Run the policy in simulation mode. Click on the Next button. Review your policy and click on the Submit button. The policy was created successfully, as shown in the screenshot below.

How to Turn a Data Loss Prevention (DLP) Policy On in Microsoft Purview

To turn the policy on, click on the policy. For this example, I created a DLP policy named Block Sharing of Medical Information (HIPAA). Click on View Simulation and go through the matched items first: a template this broad (all medical terms plus all full names) can block legitimate clinical correspondence, and the simulation results are where you find that out before users do. Click on Turn the policy on, as shown below. Click on Confirm.

How to Configure a Custom DLP Policy in Microsoft Purview

Click Solutions and click on Data Loss Prevention, as shown below. Click on Policies in the top menu and select Create Policy.
For All countries and regions, select the United States of America. Click on Custom under Categories, and select Custom Policy under Regulations. Click on the Next button. Give your policy a descriptive name for easy identification later. You have the option to choose the Admin Unit to which the policy will be assigned. I will leave it as default. Click on the Next button.

Select locations to apply the policy. I want the policy to apply to Exchange email and SharePoint sites. Click on edit to include or exclude specific groups. To include specific groups, click on Specific groups, then under Included click on Included groups and select the group to include, for example All Users. To exclude groups, check the box next to Exclude Groups. Click on Excluded > Exclude groups, select the group you would like to exclude, for example the IT group, and click Done. I will leave it as default for this example. Click the Next button.

Select Create or customize advanced DLP rules. Click on Create rule. Give your policy rule a descriptive name. Under Conditions, click on + Add condition and select Content contains. Give it a descriptive name. Click on + Add and select Sensitive info types. For this example, I will select the Sensitive info type created previously. Click here to learn how to create a Sensitive info type. Select your sensitive info type.

Click on Add an action and select Restrict access or encrypt the content in Microsoft 365 locations. Choose what should happen when the conditions are met. For this example, I will choose Block everyone, as shown below. Turn user notifications on. Use notifications to inform your users and help educate them on the proper use of sensitive info. Select who will be notified based on your organization and click on the Save button. Decide if you want to receive alerts when conditions are met and how often.
Decide who the alert should go to and through what medium based on your organization's needs, and click on the Save button. The custom rule was created successfully and turned on. Click on the Next button. It is important to run the policy in
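The custom policy built above through the wizard can also be expressed with the Security & Compliance PowerShell cmdlets, which makes the scope, the blocking action and the simulation-to-enforcement step explicit and reviewable. The script below is an added example and is not the post's own code. It assumes the ExchangeOnlineManagement module is installed, that a custom SIT named "Medical Data Keywords" already exists in the tenant, and that the group address, mailbox addresses and policy name are placeholders.

```powershell
# Added example (not from the original post): the custom DLP policy as code.
# Assumptions: ExchangeOnlineManagement is installed, a SIT called "Medical Data Keywords"
# exists, and the group/mailbox addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'Block Sharing of Medical Information (Custom)'

# Scope: Exchange email and SharePoint sites, every sender except members of the IT group.
# Mode TestWithoutNotifications is the portal's "simulation mode"; nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks sharing of content that matches the custom medical SIT' `
    -ExchangeLocation All `
    -ExchangeSenderMemberOfException 'IT@contoso.com' `
    -SharePointLocation All `
    -Mode TestWithoutNotifications

# Rule: when the custom SIT is found at least once at high confidence, block everyone,
# show a policy tip to the author/last modifier, alert compliance and file an incident report.
New-DlpComplianceRule -Name 'Medical keywords - block everyone' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Medical Data Keywords'; minCount = '1'; minConfidence = '85' } `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains medical information and cannot be shared.' `
    -GenerateAlert 'compliance@contoso.com' `
    -GenerateIncidentReport 'compliance@contoso.com' `
    -IncidentReportContent Title, Detections, Severity, DocumentAuthor, Service `
    -ReportSeverityLevel High

# Review what was created, then leave the policy in simulation until the match data has been checked.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation, SharePointLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess, BlockAccessScope, ContentContainsSensitiveInformation

# Final step, run only after the simulation results look right:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Raising minCount from 1 to a small number is the usual first adjustment after simulation: a single keyword hit is enough to block a clinic's routine email, whereas two or three hits in one item is a much better signal that the content is actually a medical record.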



How to Forward logs from PfSense to Splunk Enterprise (SIEM)

How to Send pfSense Logs to Splunk Enterprise (Windows and Linux Server Setup)

pfSense is a popular open-source firewall and router solution that provides a valuable set of features for network monitoring and management. One of the most important aspects of any firewall is its ability to generate logs for tracking network traffic, security events, and system performance. These logs can be critical for troubleshooting, auditing, and security analysis. Splunk Enterprise, on the other hand, is a powerful tool for searching, monitoring, and analyzing machine-generated data via a web-based interface. By sending pfSense logs to Splunk, you can centralize log collection, analyze traffic patterns, and create useful reports and alerts for your network. In this post, I will walk you through the process of sending pfSense logs to Splunk Enterprise running on both Windows and Linux servers.

Why Send pfSense Logs to Splunk?

Before we start, let's briefly discuss why you might want to send your pfSense logs to Splunk:

Create Index and Input configuration files to receive pfSense logs on the Windows Splunk Enterprise Server

Step 1: Create an index configuration file

On your Windows Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local. You can copy and paste the path below into your File Explorer. Create a file named indexes.conf (note the plural: Splunk reads indexes.conf and ignores a file called index.conf, and File Explorer must not be hiding file extensions or you will end up with indexes.conf.txt). Open the newly created indexes.conf file, copy and paste the configuration below, then save.

Step 2: Create an input configuration file

On your Windows Splunk Server, navigate to C:\Program Files\Splunk\etc\system\local. You can copy and paste the path below into your File Explorer. Create a file named inputs.conf. Open the newly created inputs.conf file, copy and paste the configuration below, then save. Restart Splunk so that it loads the new index and the UDP listener. You should have something similar to the screenshot below.

Create Index and Input configuration files to receive pfSense logs on the Linux Splunk Enterprise Server

Change your working directory using the cd command.
You can copy the command below. Create the indexes.conf file. Copy and paste the data below, then save the file in nano with Ctrl + O and exit with Ctrl + X. Create the inputs.conf file. Copy and paste the data below, then save with Ctrl + O and exit with Ctrl + X. Restart Splunk afterwards so that the new index and listener are loaded.

Create a firewall rule

Log in to your pfSense web interface. Click on Firewall > Rules. Click on the green Add arrow to create a new firewall rule to allow traffic on port 7001. Select Pass for Action. Select the interface the rule applies to. For this example, I selected WAN. Select UDP for Protocol. Select (other) for Destination Port Range and enter 7001 for both From and To. Enter a meaningful description, as shown in the screenshot below. Click on the Save button and then click Apply Changes.

A caveat on this rule: pfSense does not filter traffic that the firewall generates itself, so its own syslog messages reach a Splunk server on the LAN without any pass rule. A pass rule on WAN for UDP 7001 instead admits datagrams arriving on the WAN interface that are addressed to that port, which is not what outbound syslog needs. If you keep it, restrict Destination to the Splunk server's address and place it on the interface that actually faces the Splunk server; when Splunk sits on the LAN, the rule can be left out entirely.

Enable Remote Logging on pfSense

Before pfSense can send logs to your Splunk server, you need to configure pfSense to forward its logs. Follow the steps below to enable remote logging. Click on Status > System Logs. Click on Settings. Scroll down to Remote Logging Options. Under Enable Remote Logging, check the box next to Send messages to remote syslog server. Select LAN for the Source Address. Select IPv4 for the IP Protocol. Enter your Splunk Enterprise IP address and the port number for the Remote log server. For this example, 192.168.11.112:7001. Click on the Save button to apply the changes. Syslog over UDP is neither encrypted nor authenticated, so keep this path on a trusted network segment and, on the Splunk side, accept datagrams on port 7001 only from the pfSense address.

Verify pfSense Logs in Splunk

Once pfSense is configured to forward logs and Splunk is set up to receive them, it is time to verify that everything is working as expected. Log in to your Splunk instance and click on Search & Reporting. Run a search to view the logs from pfSense, for example index="pfsense_log". Splunk has started receiving logs from pfSense, as shown below.

Click here to download TA-pfsense. Log in with your Splunk credentials and click on the Download button. By default, visibility is set to No. Click on Edit properties and set the visibility to Yes. Click on the Save button to save the changes, as shown in the screenshots below. Notice the app is now visible.
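The two Splunk configuration files, the restart and the first verification can be done from one PowerShell session on the Windows Splunk server, which also lets you prove the UDP listener works before you touch pfSense. The script below is an added example and is not the post's own configuration. It assumes Splunk Enterprise is installed under C:\Program Files\Splunk, that the index name pfsense_log and the sourcetype pfsense are the values you want (the same stanzas go into indexes.conf and inputs.conf on a Linux server), and that 192.168.11.1 is the pfSense LAN address; the syslog message it sends is constructed, not a real capture.

```powershell
# Added example (not from the original post). Assumptions: Splunk under
# C:\Program Files\Splunk, index pfsense_log, sourcetype pfsense, pfSense LAN IP 192.168.11.1.
$splunkHome = 'C:\Program Files\Splunk'
$localConf  = Join-Path $splunkHome 'etc\system\local'
New-Item -ItemType Directory -Path $localConf -Force | Out-Null

# indexes.conf (plural). Single-quoted here-string so $SPLUNK_DB is written literally.
@'
[pfsense_log]
homePath   = $SPLUNK_DB/pfsense_log/db
coldPath   = $SPLUNK_DB/pfsense_log/colddb
thawedPath = $SPLUNK_DB/pfsense_log/thaweddb
# roll firewall logs to frozen after 90 days on this lab instance
frozenTimePeriodInSecs = 7776000
'@ | Set-Content -Path (Join-Path $localConf 'indexes.conf') -Encoding ASCII

# inputs.conf: UDP listener on 7001. acceptFrom limits who may inject events into the
# index; 127.0.0.1 is included only so the local test below gets through.
@'
[udp://7001]
index = pfsense_log
sourcetype = pfsense
connection_host = ip
acceptFrom = 192.168.11.1, 127.0.0.1
'@ | Set-Content -Path (Join-Path $localConf 'inputs.conf') -Encoding ASCII

# Index and input stanzas are only read at startup.
& (Join-Path $splunkHome 'bin\splunk.exe') restart

function Send-TestSyslog {
    param([string]$Server = '127.0.0.1', [int]$Port = 7001)
    # Constructed message in the BSD syslog + pfSense filterlog CSV shape (not a real capture):
    # a blocked inbound TCP SYN from 203.0.113.25 to the Splunk host on port 22.
    $stamp = (Get-Date).ToString('MMM dd HH:mm:ss')
    $msg = "<134>$stamp pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.25,192.168.11.112,45312,22,0,S,1234567890,,65535,,mss"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($msg)
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
    return $msg
}

Start-Sleep -Seconds 30   # give splunkd time to come back up and bind the port
Send-TestSyslog
# Then search: index=pfsense_log sourcetype=pfsense
# Sending the same datagram from any host other than pfSense or localhost is silently
# dropped by acceptFrom, which is the behaviour you want on a shared network.
```

Once real pfSense traffic arrives, remove 127.0.0.1 from acceptFrom; the only source that should ever be allowed to write into the firewall index is the firewall.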



How to Integrate CrowdStrike Logs to Splunk: A Step-by-Step Guide

How to Send CrowdStrike Logs to Splunk: A Step-by-Step Guide

Integrating CrowdStrike Falcon logs with Splunk is an effective way to enhance your organization's security monitoring and incident response capabilities. By sending CrowdStrike logs to Splunk, you can leverage Splunk's data analytics and visualization features to gain valuable insights into your security posture. In this post, I will walk you through the process of sending CrowdStrike logs to Splunk for effective security event monitoring.

Why Send CrowdStrike Logs to Splunk?

Before diving into the process, it is important to understand the benefits of integrating CrowdStrike Falcon with Splunk:

Prerequisites

Before starting the integration process, ensure you meet the following prerequisites:

Set Up CrowdStrike API Access

To send CrowdStrike logs to Splunk, you need an API client that the Splunk add-on can use to pull events from the CrowdStrike API. Log into the CrowdStrike Falcon console. Navigate to Support and Resources > Resources and Tools > API Clients and Keys, as shown below. Click Create API Client to generate a new API client. Give your new API client a name and a meaningful description. Assign API scopes based on your needs. For this example, select Alerts, Hosts, and Event streams. The Event Streams add-on used later only needs Event streams with Read, so the least-privilege choice is to grant just that scope and add others only for add-ons or scripts that actually need them. Click the Create button. A new API client is created with a Client ID and Client Secret. Take note of both, as they are used to authenticate API requests. This is the only time the secret is shown, so store it in a password manager or secret store rather than a note or a chat message, and click Done.

Next, we are going to create a new index (optional). Log in to the Splunk instance using your administrator credentials. Go to Settings > Indexes. Click on the New Index button to create a new index. Give your new index a name, leave everything else as default, and click the Save button to save it.
Using the Splunk Add-on for CrowdStrike

Splunk offers a pre-built add-on for CrowdStrike, making it easier to integrate and send logs from CrowdStrike to Splunk. Click here to download the add-on. Log in with your Splunk.com credentials and click on the Download button. Log in to the Splunk instance using your administrator credentials. Go to Apps > Manage Apps. Click on Install app from file. Click on Choose File and select the downloaded add-on file. Click on the Upload button to upload it.

Click on Apps > CrowdStrike Falcon Event Streams. Click on Configuration > Proxy. This tab configures an outbound proxy for the add-on, not the add-on itself, and it is only needed when the Splunk server reaches the Internet through a proxy. In that case, check the box next to Enable, select http, enter the proxy host and port (8080 in this example), enter the proxy username and password if it requires authentication, and click the Save button. If Splunk has direct outbound access, leave the proxy disabled.

Click on the Account tab and click Add to add a new account. Give the account a name and enter the CrowdStrike API credentials (Client ID, Client Secret) so the add-on can pull data. Click the Add button. Click on the Inputs tab > Create New Input. Give the input a name, and select the index created earlier or a default index. Select the API credential and click on the Add button. The input was added successfully, as shown below. Click on the Reports tab > CrowdStrike Event Stream Data Indexed vs Event Time to view the logs. Now that your logs are flowing into Splunk, you can start creating dashboards, reports, and alerts based on the data.

Conclusion

Integrating CrowdStrike Falcon logs with Splunk provides you with powerful tools for proactive security monitoring and incident response. The Splunk add-on for CrowdStrike allows you to centralize your log data and leverage Splunk's advanced capabilities to detect, analyze, and respond to security threats more effectively. By following the steps outlined in this guide, you will be well on your way to enhancing your organization's security infrastructure and improving visibility into endpoint activity.
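When the add-on shows no data, the usual causes are a wrong cloud base URL, a client secret that was mistyped, or an API client missing the Event streams scope, and the add-on's own error messages rarely say which. The script below is an added example, not part of the post, that checks all three before the credentials are entered into Splunk: it exchanges the client credentials for a bearer token, calls the Event Streams discovery endpoint, and revokes the token afterwards. It assumes the tenant is on the US-1 cloud (other clouds use a different base URL, for example api.us-2.crowdstrike.com or api.eu-1.crowdstrike.com), that the credentials are supplied through the environment variables FALCON_CLIENT_ID and FALCON_CLIENT_SECRET, and that the appId string is an arbitrary consumer name of your choosing.

```powershell
# Added example (not from the original post). Assumptions: US-1 cloud base URL,
# credentials in FALCON_CLIENT_ID / FALCON_CLIENT_SECRET, appId is an arbitrary label.
function Test-FalconApiClient {
    param(
        [string]$BaseUrl      = 'https://api.crowdstrike.com',
        [string]$ClientId     = $env:FALCON_CLIENT_ID,
        [string]$ClientSecret = $env:FALCON_CLIENT_SECRET,
        [string]$AppId        = 'splunk-precheck'
    )
    if (-not $ClientId -or -not $ClientSecret) {
        throw 'Set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET before running this check.'
    }

    # 1. Client-credentials grant: a wrong base URL or secret fails here with 401/403.
    $token = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ client_id = $ClientId; client_secret = $ClientSecret }
    $bearer = @{ Authorization = "Bearer $($token.access_token)" }

    # 2. Event stream discovery: this is the call the add-on makes, and it only succeeds
    #    when the client holds Event streams: Read.
    try {
        $feed = Invoke-RestMethod -Method Get -Headers $bearer `
            -Uri "$BaseUrl/sensors/entities/datafeed/v2?appId=$AppId"
        $result = [pscustomobject]@{
            TokenOk = $true; EventStreamsOk = $true
            FeedUrl = $feed.resources[0].dataFeedURL; Error = $null
        }
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        $result = [pscustomobject]@{
            TokenOk = $true; EventStreamsOk = $false; FeedUrl = $null
            Error   = "HTTP $status from datafeed discovery (403 usually means the scope is missing)"
        }
    }

    # 3. Revoke the token so the check leaves nothing valid behind. The revoke endpoint
    #    authenticates the client with HTTP Basic (client_id:client_secret).
    $basic = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${ClientId}:${ClientSecret}"))
    Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/revoke" `
        -Headers @{ Authorization = "Basic $basic" } `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ token = $token.access_token } | Out-Null

    return $result
}

Test-FalconApiClient | Format-List
```

If TokenOk is true but EventStreamsOk is false, fix the scope on the API client in the Falcon console rather than widening it to everything; the add-on reads the stream and nothing else.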



How to Install CrowdStrike Agent on Windows: A Step-by-Step Guide

How to Install CrowdStrike Agent on Windows: A Step-by-Step Guide

In today's world of cybersecurity, protecting your sensitive data and devices from online threats is paramount. One of the leading tools in endpoint protection is CrowdStrike, a cloud-native platform that provides advanced security for businesses and individuals alike. If you are looking to install the CrowdStrike Falcon agent on a Windows machine, this guide will walk you through the process in a simple, step-by-step manner.

What is the CrowdStrike Falcon Agent?

CrowdStrike Falcon is a robust endpoint protection platform that leverages cloud-native technology to detect, prevent, and respond to cyber threats. The Falcon agent (also called the sensor) is installed on each endpoint, such as a Windows PC or server, and communicates with CrowdStrike's cloud platform for real-time threat intelligence and protection.

Prerequisites for Installing the CrowdStrike Falcon Agent on Windows

Before we begin the installation, ensure that you meet the following requirements:

Step-by-Step Guide: How to Install the CrowdStrike Falcon Agent on Windows

Step 1: Log in to Your CrowdStrike Account

Step 2: Download the Falcon Agent Installer

Click on Ready to install, as shown below.

Step 3: Run the Falcon Agent Installer

Locate the downloaded installer file in File Explorer, as shown in the screenshot below. Double-click to run it, or right-click on the installer and select Run as administrator to begin the installation process. The sensor installs a kernel driver and a Windows service, so it needs elevated permissions. If you are prompted with a User Account Control (UAC) notification, click Yes to allow the installer to make changes to your computer. Check the box next to I accept the Sensor Terms of Use and Privacy Notice. Paste your Customer ID (CID) from earlier and click the Install button to proceed. Wait for the installation to complete. The CrowdStrike Falcon sensor has been successfully installed. Click on the Close button to close the CrowdStrike Falcon Sensor Setup.
Verify the Installation

Once the installation is complete, the Falcon agent will automatically start running in the background. You can verify its installation by:

For this example, I installed the Falcon agent on Windows Server 2022. By default, Microsoft Defender Antivirus is enabled. On Windows client editions, Windows disables Defender Antivirus automatically when the Falcon sensor registers as the antivirus product in Windows Security Center, but on Windows Server this does not happen, so both engines stay active and scan the same files. To let Falcon protect the endpoint on a server, Defender must be put into passive mode or disabled. Use the PowerShell command below to disable Defender:

If that does not work, you can use the Group Policy Editor to disable Microsoft Defender Antivirus by following these steps: Press Win+R, type gpedit.msc, and press Enter to open the Local Group Policy Editor. Navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Double-click Turn off Microsoft Defender Antivirus in the right pane and choose the Enabled option. Click Apply to apply the changes, and click OK.

Conclusion

Installing the CrowdStrike Falcon agent on a Windows machine is a straightforward process that helps secure your endpoint against a wide range of cybersecurity threats. By following the steps above, you can ensure that your Windows system is protected with real-time monitoring and advanced threat detection.

FAQs About Installing CrowdStrike on Windows

1. How long does it take to install the CrowdStrike agent? It depends on system performance and internet connection speed, but the installation is fast and typically takes just a few minutes.

2. Can I install CrowdStrike Falcon on a Windows Server? Yes, CrowdStrike supports various versions of Windows Server. Ensure you download the appropriate agent.

3. Is it necessary to reboot the system after installation? In most cases, a reboot is not required, but it may help resolve certain issues and ensure all components are running properly.

4. Does the CrowdStrike Falcon agent slow down my system? CrowdStrike Falcon is designed to have minimal impact on system performance, with cloud-based detection ensuring that local resources are not overly taxed.
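The verification step above can be made concrete with a single PowerShell check that reports the sensor service, the sensor's kernel driver and Defender's running mode together, so that a server left with two active antivirus engines is caught immediately. The script below is an added example and is not the post's own code. It assumes the sensor registers the service name CSFalconService and the driver name csagent, and that Get-MpComputerStatus is available only while Defender Antivirus is still installed.

```powershell
# Added example (not from the original post). Assumptions: service CSFalconService and
# driver csagent are the names registered by the Falcon sensor.
function Test-FalconSensor {
    # Sensor user-mode service.
    $service = Get-Service -Name CSFalconService -ErrorAction SilentlyContinue

    # Sensor kernel driver; sc.exe prints a line like "STATE : 4  RUNNING".
    $stateLine = sc.exe query csagent | Select-String 'STATE'
    $driverState = if ($stateLine) {
        (($stateLine.Line -split ':\s*', 2)[1] -replace '^\d+\s*', '').Trim()
    } else { 'Not installed' }

    # Defender: next to Falcon you want "Passive Mode" or no Defender at all.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $defenderMode = $mp.AMRunningMode
        $realTime     = $mp.RealTimeProtectionEnabled
    } catch {
        $defenderMode = 'Not installed'
        $realTime     = $false
    }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    [pscustomobject]@{
        SensorServiceStatus = if ($service) { $service.Status.ToString() } else { 'Not installed' }
        DriverState         = $driverState
        DefenderRunningMode = $defenderMode
        DefenderRealTime    = $realTime
        IsWindowsServer     = $isServer
        # True when a server is running Falcon and an active (not passive) Defender side by side.
        TwoEnginesActive    = [bool]$service -and $isServer -and ($defenderMode -eq 'Normal')
    }
}

$check = Test-FalconSensor
$check | Format-List
if ($check.TwoEnginesActive) {
    Write-Warning 'Falcon and Defender are both active on this server. Set Defender to passive mode or remove the feature with: Uninstall-WindowsFeature -Name Windows-Defender'
}
```

A healthy result is SensorServiceStatus Running, DriverState RUNNING and DefenderRunningMode reading Passive Mode or Not installed. For unattended deployments the same installer accepts the documented silent form WindowsSensor.exe /install /quiet /norestart CID=<your CID>, after which this check is a sensible last step of the deployment script.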

