Monday, April 26, 2021

More Security Blogs from Microsoft


Title: Defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT
Date Published (MM/dd/YYYY): 04/26/2021

With cryptocurrency mining on the rise, Microsoft and Intel have partnered to deliver threat detection technology to enable EDR capabilities in Microsoft Defender for Endpoint.


Title: Non-interactive logins: minimizing the blind spot
Published On (MM/dd/yyyy): 04/25/2021

Special thanks to   for collaborating on this blog post with me! 


In this blog post, we will review the new Azure Sentinel data streams for Azure Active Directory non-interactive, service principal, and managed identity logins. We will also share the new security content we built and updated in the product, which includes analytics rules for the detection part and workbooks to assist our customers in dealing with this blind spot.


The shift to the cloud and the rise of automation tasks and service-to-service integration have contributed to a dramatic increase in the use of managed applications, service principals, and managed identities.

These new security objects perform login activity that is not captured in Azure Active Directory's traditional sign-in logs.

The updated Azure Active Directory data connector now brings these important sign-in events into Azure Sentinel.

What are non-interactive logins?

Non-interactive user sign-ins are sign-ins that were performed by a client app or an OS component on behalf of a user. Like interactive user sign-ins, these sign-ins are done on behalf of a user. Unlike interactive user sign-ins, these sign-ins do not require the user to supply an authentication factor. Instead, the device or client app uses a token or code to authenticate or access a resource on behalf of a user. In general, the user will perceive these sign-ins as happening in the background of the user's activity.

Some activity that is captured in these logs:

  • A client app uses an OAuth 2.0 refresh token to get an access token.
  • A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
  • A user performs single sign-on (SSO) to a web or Windows app on an Azure AD joined PC.
  • A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).


Why is it so important to monitor and detect activities in this area?


Some examples that highlight why it is so important to collect these logs and get visibility into them as part of your detections and hunting:


  1. SolarWinds campaign – As part of our learning on the SolarWinds campaign investigation, we used these logs in the hunting phase to check if the malicious actor used a sensitive app to gain “Data Access”.


Title: Best practices for leveraging Microsoft 365 Defender API's - Episode Two
Published On (YYYY-dd-MM): 2021-26-04

In the previous episode we provided recommendations about how to use the Microsoft 365 Defender API and, specifically, how to optimize the Advanced hunting query.

In this episode we will demonstrate use cases detailing how to access the API data and use this information in other products. 

One of the most common uses of the API is for visualization in Power BI. This provides the capability to analyze, visualize, and share your data with others quickly and easily.

If you are not familiar with Power BI, we suggest you visit the Microsoft Power BI web site and download Power BI Desktop.

We have already documented how to use Power BI to create custom reports in Microsoft Defender for Endpoint APIs connection to Power BI - Windows security | Microsoft Docs.


Title: Best practices for leveraging Microsoft 365 Defender API's - Episode Three
Published On (YYYY-dd-MM): 2021-26-04

In the previous episode, we described how you can easily use Power BI to represent Microsoft 365 data in a visual format. In this episode, we will explore another way you can interact with the Microsoft 365 Defender API. We will describe how to automate data analysis and hunting using Jupyter Notebook.

Automate your hunting queries

While hunting and conducting investigations on a specific threat or IOC, you may want to use multiple queries to obtain wider optics on the possible threats or IOCs in your network. You may also want to leverage queries that are used by other hunters and use them as a pivot point to perform deep analysis and find anomalous behaviors. You can find a wide variety of examples in our Git repository, where various queries related to the same campaign or attack technique are shared.

In scenarios such as this, it is sensible to leverage the power of automation to run the queries rather than running individual queries one by one.

This is where Jupyter Notebook is particularly useful. The notebook takes a JSON file with hunting queries as input and executes all the queries in sequence. The results are saved in a .csv file that you can analyze and share.


Title: March Ahead with Azure Purview: Access management in Azure Purview - Part 3
Date Published (MM/dd/YYYY): 04/22/2021

Hopefully, you have read my previous blog posts about Azure Purview access management, Part 1 and Part 2, to find out about Azure Purview control plane and data plane roles and tasks. In this post, I will cover the following topic:


  • Overview of dashboards and roles required to extend your M365 Sensitivity Labels to Azure Purview.


By extending M365 Sensitivity Labels to Azure Purview you can automatically assign labels to files and database columns in Azure Purview.


We have a new Azure Purview blog for your consideration. Please remember that Azure Purview is a unified data governance service, and security is one of its pillars.

Title: Azure Purview resource set pattern rules available in Public Preview
Date Published (MM/dd/YYYY): 04/21/2021

At-scale data processing systems typically store a single table in a data lake as multiple files. This concept is represented in Azure Purview by using resource sets. A resource set is a single object in the data catalog that represents a large number of assets in storage. To learn more, see the resource set documentation.


When scanning a storage account, Azure Purview uses a set of defined patterns to determine if a group of assets is a resource set. In some cases, Azure Purview's resource set grouping may not accurately reflect your data estate. Resource set pattern rules allow you to customize or override how Azure Purview detects which assets are grouped as resource sets and how they are displayed within the catalog.


Pattern rules are currently supported in public preview in the following source types:

  • Azure Data Lake Storage Gen2
  • Azure Blob Storage
  • Azure Files

To learn more on how to create resource set pattern rules, see our step-by-step how-to documentation!


Title: eDiscovery in Microsoft 365 One Stop Shop Resource Page
Date Published (MM/dd/YYYY): 04/21/2021


Welcome to the eDiscovery in Microsoft 365 One Stop Shop Resource Page!


We built this page to help you easily find all relevant content and resources relating to the compliance solutions in Microsoft 365. Please bookmark this page for future reference as we will update it on an ongoing basis.