Searching Cisco ASA Logs using Grep

Get all Login/Logoff events (113039 = Login, 113019 = Disconnect/Logoff)

grep -E '113039|113019' asa_logs.csv

2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113039: Group User IP <78.78.78.78> AnyConnect parent session started.
2020-06-19T17:57:55,SENSOR01.asa5505.myorg.local,"%ASA-4-113019: Group = SSLVPN, Username = jsmith, IP = 78.78.78.78, Session disconnected. Session Type: SSL, Duration: 1h:35m:32s, Bytes xmt: 9406450, Bytes rcv: 5267050, Reason: User Requested"

2020-06-19T18:00:02,SENSOR01.asa5505.myorg.local,%ASA-6-113039: Group User IP <78.78.78.78> AnyConnect parent session started.
2020-06-19T18:00:31,SENSOR01.asa5505.myorg.local,"%ASA-4-113019: Group = SSLVPN, Username = jsmith, IP = 78.78.78.78, Session disconnected. Session Type: SSL, Duration: 0h:00m:29s, Bytes xmt: 178622, Bytes rcv: 180776, Reason: User Requested"

2020-06-22T13:40:26,SENSOR01.asa5505.myorg.local,%ASA-6-113039: Group User IP <78.78.78.78> AnyConnect parent session started.
2020-06-22T20:59:01,SENSOR01.asa5505.myorg.local,"%ASA-4-113019: Group = SSLVPN, Username = jsmith, IP = 78.78.78.78, Session disconnected. Session Type: SSL, Duration: 7h:18m:37s, Bytes xmt: 102232957, Bytes rcv: 30057099, Reason: User Requested"

Exclude all internal IP address ranges (RFC 1918 plus loopback). The braces, groups and alternation are extended-regex syntax, so grep needs -E; without it they are read as literal characters in a basic regex, nothing matches, and -v passes every line through. The dots are escaped so they match only a literal dot:
grep -vE '10(\.[0-9]{1,3}){3}|192\.168(\.[0-9]{1,3}){2}|172\.(1[6-9]|2[0-9]|3[01])(\.[0-9]{1,3}){2}|127\.0\.0\.1' asa_logs.csv

2020-06-25T21:38:35,SENSOR01.asa5505.myorg.local,%ASA-6-302016: Teardown UDP connection 133046757 for outside:192.168.129.8/49174(LOCAL\jsmith) to inside:192.168.123.6/53 duration 0:00:00 bytes 192 (jsmith)
2020-06-25T21:38:35,SENSOR01.asa5505.myorg.local,%ASA-6-302016: Teardown UDP connection 133046763 for outside:192.168.129.8/49174(LOCAL\jsmith) to inside:192.168.123.7/53 duration 0:00:00 bytes 192 (jsmith)
2020-06-25T21:38:49,SENSOR01.asa5505.myorg.local,%ASA-6-302015: Built inbound UDP connection 133046985 for outside:192.168.129.8/53383 (192.168.129.8/53383)(LOCAL\jsmith) to inside:192.168.123.6/53 (192.168.123.6/53) (jsmith)
2020-06-25T21:38:49,SENSOR01.asa5505.myorg.local,%ASA-6-302015: Built inbound UDP connection 133046986 for outside:192.168.129.8/53383 (192.168.129.8/53383)(LOCAL\jsmith) to inside:192.168.123.7/53 (192.168.123.7/53) (jsmith)
2020-06-25T21:38:50,SENSOR01.asa5505.myorg.local,%ASA-6-302016: Teardown UDP connection 133046985 for outside:192.168.129.8/53383(LOCAL\jsmith) to inside:192.168.123.6/53 duration 0:00:00 bytes 230 (jsmith)
2020-06-25T21:38:50,SENSOR01.asa5505.myorg.local,%ASA-6-302016: Teardown UDP connection 133046986 for outside:192.168.129.8/53383(LOCAL\jsmith) to inside:192.168.123.7/53 duration 0:00:00 bytes 230 (jsmith)


Exclude specific public IP addresses (append to the pipeline; -F takes the address literally and -w stops it from also matching longer addresses such as 8.4.6.110):
cat asa_logs.csv | grep -vwF '8.4.6.11'

2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113003: AAA group policy for user jsmith is being set to GroupPolicy1
2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113011: AAA retrieved user specific group policy (GroupPolicy1) for user = jsmith
2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = jsmith
2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113008: AAA transaction status ACCEPT : user = jsmith
2020-06-19T18:00:02,SENSOR01.asa5505.myorg.local,%ASA-6-113003: AAA group policy for user jsmith is being set to GroupPolicy1
2020-06-19T18:00:02,SENSOR01.asa5505.myorg.local,%ASA-6-113011: AAA retrieved user specific group policy (GroupPolicy1) for user = jsmith
2020-06-19T18:00:02,SENSOR01.asa5505.myorg.local,%ASA-6-113009: AAA retrieved default group policy (NOACCESS) for user = jsmith
2020-06-19T18:00:02,SENSOR01.asa5505.myorg.local,%ASA-6-113008: AAA transaction status ACCEPT : user = jsmith
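As an added example (not from the original post), a small POSIX shell script that packages the filters above into functions: it anchors the login/logoff match on the ASA message ID so a connection ID or byte count containing the same digits cannot match, uses one correct extended regex for the RFC 1918 and loopback ranges, and pulls the username, peer IP, duration and reason out of each 113019 disconnect line. The sample lines are constructed in the same CSV layout as the export above; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges used as stand-ins.

```shell
#!/bin/sh
# Constructed sample in the same CSV layout as the ASA export (timestamp,sensor,message).
SAMPLE_LOGS='2020-06-19T16:22:23,SENSOR01.asa5505.myorg.local,%ASA-6-113039: Group User IP <78.78.78.78> AnyConnect parent session started.
2020-06-19T17:57:55,SENSOR01.asa5505.myorg.local,"%ASA-4-113019: Group = SSLVPN, Username = jsmith, IP = 78.78.78.78, Session disconnected. Session Type: SSL, Duration: 1h:35m:32s, Bytes xmt: 9406450, Bytes rcv: 5267050, Reason: User Requested"
2020-06-25T21:38:35,SENSOR01.asa5505.myorg.local,%ASA-6-302016: Teardown UDP connection 133046757 for outside:192.168.129.8/49174(LOCAL\jsmith) to inside:192.168.123.6/53 duration 0:00:00 bytes 192 (jsmith)
2020-06-25T21:39:00,SENSOR01.asa5505.myorg.local,%ASA-6-302013: Built outbound TCP connection 133047001 for inside:10.1.2.3/51000 (10.1.2.3/51000) to outside:203.0.113.10/443 (203.0.113.10/443)
2020-06-25T21:39:05,SENSOR01.asa5505.myorg.local,%ASA-6-302013: Built outbound TCP connection 133047002 for inside:172.16.5.9/51001 (172.16.5.9/51001) to outside:198.51.100.7/443 (198.51.100.7/443)
2020-06-25T21:39:10,SENSOR01.asa5505.myorg.local,%ASA-6-302013: Built outbound TCP connection 133047003 for inside:127.0.0.1/51002 (127.0.0.1/51002) to outside:198.51.100.7/443 (198.51.100.7/443)
2020-06-25T21:39:15,SENSOR01.asa5505.myorg.local,%ASA-6-302013: Built outbound TCP connection 133047004 for inside:172.32.5.9/51003 (172.32.5.9/51003) to outside:198.51.100.7/443 (198.51.100.7/443)'

# 1. Session start (113039) and disconnect (113019) events. Anchoring on the
#    "%ASA-<severity>-<id>:" prefix keeps a connection ID or byte count that
#    happens to contain the same digits from matching.
session_events() { grep -E '%ASA-[0-9]-(113039|113019):'; }

# 2. RFC 1918 ranges plus loopback as ONE extended regex (-E). Dots are escaped
#    and the address is bounded by non-digits, so 198.51.100.7 does not trip the
#    10/8 branch and 172.32.x.x is not mistaken for 172.16/12.
INTERNAL_RE='(^|[^0-9])(10(\.[0-9]{1,3}){3}|192\.168(\.[0-9]{1,3}){2}|172\.(1[6-9]|2[0-9]|3[01])(\.[0-9]{1,3}){2}|127\.0\.0\.1)([^0-9]|$)'
exclude_internal() { grep -vE "$INTERNAL_RE"; }

# 3. One "timestamp|user|peer IP|duration|reason" record per 113019 line: the
#    fields worth reviewing (very short sessions, unexpected disconnect reasons).
session_summary() {
  grep -E '%ASA-[0-9]-113019:' |
  sed -E 's/^([^,]+),[^,]+,"?%ASA-[0-9]-113019: .*Username = ([^,]+), IP = ([^,]+),.*Duration: ([^,]+),.*Reason: ([^"]*)"?$/\1|\2|\3|\4|\5/'
}

# Usage with a real export:  . ./asa_filters.sh; session_summary < asa_logs.csv
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOGS" | session_summary
printf '%s\n' "$SAMPLE_LOGS" | exclude_internal | session_events
```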

Filed under: logs

Office 365 hardening tips & tricks

Links open directly to the relevant pages in Office 365

1. Enable MFA for Administrative Accounts.

2. Configure PIM (Privileged Identity Management) for Admin Accounts. (Microsoft Documentation; O365 License Requirements.)

3. Enable “Password Hash Sync” when using Azure AD Connect. (Microsoft Documentation.)

“Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one.”

To use password hash synchronization in your environment, you need to:

  • Install, or already be using, Azure AD Connect.
  • Configure directory synchronization between your on-premises
    Active Directory instance and your Azure Active Directory instance.
  • Enable password hash synchronization.

4. Implement and enforce a banned/bad password list.

You can specify lists of banned passwords to stop people from choosing weak ones. Consider using:

5. Ensure all applications and employees are using Modern Authentication.

Ever wonder why people can still authenticate to Office 365 even when you have two-factor authentication set up? This is why: legacy authentication protocols cannot enforce MFA. Audit which integrations, applications and authentication mechanisms are in use so you can narrow down where basic authentication is still occurring. See Microsoft’s documentation on the subject and/or this blog post. The screenshots below show how to look for user accounts signing in with outdated authentication mechanisms at https://portal.azure.com.

Screenshot: Searching Sign-Ins for Legacy Authentication Mechanisms.
Screenshot: Legacy Authentication Mechanisms.

A simple way to mitigate this is a Conditional Access policy that blocks legacy authentication altogether.
You can also enable Modern Authentication in the Office 365 Admin Center.

6. Enable User, Admin, and Mailbox Activity Logging.
See Microsoft’s Documentation on the subject.

7. Prepend “External” to the subject line of incoming e-mails from external senders.

Screenshot: adding an external message warning.

8. Restrict logins from unusual locations using Conditional Access.

Screenshot: adding locations to a Conditional Access policy.

9. Enable/purchase Microsoft ATP.
ATP does the following:

  • Scans e-mails before they reach your users’ inboxes, checking senders against known spam and reputation lists.
  • Scans attachments before they arrive in a user’s inbox.
  • Wraps URLs so that user clicks are monitored, and blocks some phishing pages and malware downloaders.
  • Lets Office 365 administrators track who clicked which links.
    • Another product that does this is Mimecast.

10. Purge e-mails using Threat Explorer (may require an E3 license).
This lets you retroactively remove e-mails that have already been delivered to users, for instance when a phishing e-mail has been sent across your organization.

Screenshot: looking for an e-mail using Threat Explorer.
Screenshot: actions available; click “Hard Delete” to delete e-mails already in a user’s inbox.

Filed under: Office 365