One silver lining of the SolarWinds (Solorigate) incident is the large number of new security blogs and resources that Microsoft and other vendors have published. Even if your organization was not directly affected by the attack, you are probably having to answer questions about what you and your team are doing to protect your network from this kind of supply-chain compromise. These resources will prepare you to respond appropriately.
Microsoft Solorigate Resource Center
The Microsoft Solorigate Resource Center is an ever-expanding collection of information and investigation techniques. Take the time to review these links. If you are a Microsoft 365 or Azure Active Directory (AD) customer, review the Azure AD workbook to assess SolarWinds risk. Before you can use the workbook, you may first need to set up a Log Analytics workspace and then route the Azure AD logs into Azure Monitor logs. Here’s how:
1. Sign into the Azure Portal and select “Azure Active Directory”, then “Diagnostic settings”, then “Add diagnostic setting”. You can also select “Export Settings” from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.
2. In the “Diagnostic settings” menu, select the “Send to Log Analytics Workspace” check box, and then select “Configure”.
3. Select the Log Analytics workspace you want to send the logs to, or create a new workspace in the provided dialog box.
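For teams that prefer to script this rather than click through the portal, here is the same diagnostic setting expressed as the Azure Monitor REST payload and sent with the Azure CLI. This is an added example, not code from the original post or from Microsoft; it assumes the tenant-level Azure AD diagnostic-settings endpoint (providers/microsoft.aadiam/diagnosticSettings, api-version 2017-04-01-preview) and the standard Log Analytics workspace resource ID format, with placeholder values you must replace.

```shell
# Added example: create the Azure AD -> Log Analytics diagnostic setting from
# the shell instead of the portal. Assumptions: the microsoft.aadiam
# diagnosticSettings endpoint and api-version, and the workspace ID format.

# Build the request body: forward AuditLogs and SignInLogs (the categories the
# Solorigate workbook queries) to the workspace whose resource ID is $1.
aad_diag_body() {
  cat <<EOF
{
  "properties": {
    "workspaceId": "$1",
    "logs": [
      {"category": "AuditLogs",  "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}},
      {"category": "SignInLogs", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}}
    ]
  }
}
EOF
}

# Create or update the tenant-level setting named $1, pointing at workspace $2.
# az rest attaches the caller's bearer token for management.azure.com.
aad_diag_create() {
  az rest --method put \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$1?api-version=2017-04-01-preview" \
    --body "$(aad_diag_body "$2")"
}

# Offline check used before sending: how many log categories does a body enable?
aad_diag_category_count() {
  printf '%s\n' "$1" | grep -c '"category"'
}

# Usage (placeholders are constructed; replace with your own values):
# WORKSPACE="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>"
# aad_diag_create "solorigate-review" "$WORKSPACE"
```

After the setting is created, allow some minutes for the first events to land in the workspace before expecting the workbook to populate.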