Defending against cryptojacking with Microsoft Defender for Endpoint and Intel
With cryptocurrency mining on the rise, Microsoft and Intel have partnered
to deliver threat detection technology to enable EDR capabilities in Microsoft
Defender for Endpoint.
Non-interactive logins: minimizing the blind spot
Published On (MM/dd/yyyy): 04/25/2021
Special thanks to
collaborating on this blog post with me!
In this blog post, we will review the new Azure Sentinel data streams for
Azure Active Directory non-interactive, service principal, and managed identity
logins. We will also share the new security content we built and updated in the
product, which includes analytics rules for detection and workbooks to help
our customers address this blind spot.
The shift to the cloud and the rise of automation tasks and
service-to-service integration have contributed to a dramatic increase in the
use of managed applications, service principals, and managed identities.
These new security objects perform login activity that is not captured in
Azure Active Directory's traditional sign-in logs.
The updated Azure Active Directory data connector now brings these important
sign-in events into Azure Sentinel.
Non-interactive user sign-ins are sign-ins that were performed by a client
app or an OS component on behalf of a user. Like interactive user sign-ins,
these sign-ins are done on behalf of a user. Unlike interactive user sign-ins,
these sign-ins do not require the user to supply an authentication factor.
Instead, the device or client app uses a token or code to authenticate or
access a resource on behalf of a user. In general, the user will perceive these
sign-ins as happening in the background of the user’s activity.
Some activity that is captured in these logs:
- A client app uses an OAuth 2.0 refresh token to get an
- A client uses an OAuth 2.0 authorization code to get an access token and refresh token.
- A user performs single sign-on (SSO) to a web or Windows app on an Azure AD joined PC.
- A user signs in to a second Microsoft Office app while they have a session on a mobile device using FOCI (Family of Client IDs).
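The blind spot described above is that a user's background sign-ins (refresh-token redemptions, SSO, FOCI) never ask the user for a factor, so a stolen token produces successful non-interactive sign-ins that look routine on their own. The following is an added example, not code from the original post, showing one way to triage such records once the new data streams are available: build a per-user baseline of source IPs from successful interactive sign-ins and flag successful non-interactive sign-ins from IPs that never appear in that baseline. The record shape (UserPrincipalName, AppDisplayName, IPAddress, ResultType, TimeGenerated, plus a Category key naming the source table) and all sample values are constructed for this example and are assumptions, not the connector's actual schema.

```python
"""Added example: compare Azure AD non-interactive sign-ins against the
interactive sign-in baseline of the same user.

Assumptions (not from the page): each record is a dict with
UserPrincipalName, AppDisplayName, IPAddress, ResultType, TimeGenerated and a
'Category' key naming the source table. ResultType "0" means success, as in
the Azure AD sign-in logs. All sample data below is constructed."""
from collections import defaultdict

INTERACTIVE = "SignInLogs"
NON_INTERACTIVE = "NonInteractiveUserSignInLogs"

# Constructed sample records (documentation ranges used for IP addresses).
SAMPLE_RECORDS = [
    {"Category": INTERACTIVE, "TimeGenerated": "2021-04-20T08:01:00Z",
     "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    # Refresh-token redemption from the same IP as the interactive session: expected.
    {"Category": NON_INTERACTIVE, "TimeGenerated": "2021-04-20T09:15:00Z",
     "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Microsoft Teams",
     "IPAddress": "203.0.113.10", "ResultType": "0"},
    # Successful token use from an IP alice has never signed in from interactively.
    {"Category": NON_INTERACTIVE, "TimeGenerated": "2021-04-20T21:40:00Z",
     "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "IPAddress": "198.51.100.7", "ResultType": "0"},
    # Failed attempt from that IP: not counted as a successful sign-in.
    {"Category": NON_INTERACTIVE, "TimeGenerated": "2021-04-20T21:41:00Z",
     "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "IPAddress": "198.51.100.7", "ResultType": "50173"},
    {"Category": INTERACTIVE, "TimeGenerated": "2021-04-20T07:30:00Z",
     "UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Azure Portal",
     "IPAddress": "192.0.2.44", "ResultType": "0"},
    {"Category": NON_INTERACTIVE, "TimeGenerated": "2021-04-20T07:31:00Z",
     "UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Azure Portal",
     "IPAddress": "192.0.2.44", "ResultType": "0"},
]


def interactive_ip_baseline(records):
    """Map each user to the set of IPs seen in successful interactive sign-ins."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["Category"] == INTERACTIVE and rec["ResultType"] == "0":
            baseline[rec["UserPrincipalName"]].add(rec["IPAddress"])
    return baseline


def unbaselined_noninteractive(records):
    """Return successful non-interactive sign-ins whose source IP never
    appeared in the user's interactive baseline. Failed sign-ins are skipped:
    the point is token use that actually succeeded."""
    baseline = interactive_ip_baseline(records)
    findings = []
    for rec in records:
        if rec["Category"] != NON_INTERACTIVE or rec["ResultType"] != "0":
            continue
        user = rec["UserPrincipalName"]
        if rec["IPAddress"] not in baseline.get(user, set()):
            findings.append({
                "UserPrincipalName": user,
                "IPAddress": rec["IPAddress"],
                "AppDisplayName": rec["AppDisplayName"],
                "TimeGenerated": rec["TimeGenerated"],
                "InteractiveIPs": sorted(baseline.get(user, set())),
            })
    return findings


def noninteractive_volume(records):
    """Per-user count of successful non-interactive vs interactive sign-ins,
    useful for spotting accounts that only ever appear in the background logs."""
    counts = defaultdict(lambda: {"interactive": 0, "non_interactive": 0})
    for rec in records:
        if rec["ResultType"] != "0":
            continue
        key = "interactive" if rec["Category"] == INTERACTIVE else "non_interactive"
        counts[rec["UserPrincipalName"]][key] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in unbaselined_noninteractive(SAMPLE_RECORDS):
        print(finding)
    print(noninteractive_volume(SAMPLE_RECORDS))
```

A real deployment would build the baseline over a longer window than the sample here and would treat a single unbaselined IP as a hunting lead rather than a verdict, since travel, VPN egress changes and mobile carriers all produce legitimate new source IPs.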
Why is it so important to monitor and detect activities in this area?
Some examples that highlight why it is so important to collect these logs and
get visibility into them as part of your detections and hunting:
campaign – As part of our learning on the SolarWinds
campaign investigation, we used these logs in the hunting phase to check
if the malicious actor used a sensitive app to gain “Data Access”.
Best practices for leveraging Microsoft 365 Defender API’s – Episode Two
Published On (YYYY-dd-MM): 2021-26-04
In the previous episode we provided recommendations about how to use the Microsoft 365 Defender API
and, specifically, how to optimize the Advanced hunting query. In this
episode we will demonstrate use cases detailing how to access the API data and use this information in other products.
One of the most common uses of the API is for visualization in Power BI. This provides the capability to analyze, visualize, and share
your data with others quickly and easily.
If you are not familiar with Power BI, we suggest you visit the Microsoft Power BI web site and download Power BI Desktop.
We already documented how to use Power BI to create custom
Microsoft Defender for Endpoint APIs connection to Power BI –
Windows security | Microsoft Docs.
Best practices for leveraging Microsoft 365 Defender API’s – Episode Three
Published On (YYYY-dd-MM): 2021-26-04
In the previous episode, we described how you can easily use Power BI to
represent Microsoft 365 data in a visual format. In this episode, we will
explore another way you can interact with the Microsoft 365 Defender API. We
will describe how to automate data analysis and hunting using Jupyter Notebook.
Automate your hunting queries
While hunting and conducting investigations on a specific threat or IOC, you
may want to use multiple queries to obtain wider optics on the possible threats
or IOCs in your network. You may also want to leverage queries written by other
hunters and use them as pivot points to perform deeper analysis and find
anomalous behaviors. You can find a wide variety of examples in our Git
repository, where various queries related to the same campaign or attack
technique are shared.
In scenarios like these, it is sensible to leverage the power of automation to
run the queries rather than running individual queries one by one.
This is where Jupyter Notebook is particularly useful. It takes in a JSON file
with hunting queries as input and executes all the queries in sequence. The
results are saved in a .csv file that you can analyze and share.
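To make the "JSON in, CSV out" loop concrete, here is an added example of the same pattern in plain Python; it is not the notebook from the original post or the repository's code. It assumes the public advanced hunting endpoint (POST https://api.security.microsoft.com/api/advancedhunting/run with a {"Query": ...} body, returning JSON with a "Results" list) and a bearer token supplied by the caller; the input file format (a list of {"name", "query"} objects), the fake transport used to run it offline, and every query and result row below are constructed for this example. The runner keeps going when one query fails and records the error instead, so one broken query does not lose the results of the others.

```python
"""Added example: run a list of hunting queries in sequence and collect every
result row into one CSV.

Assumptions (not from the page): the advanced hunting API URL and the
{"Query": ...} / {"Results": [...]} request and response shape; a caller-
supplied bearer token; and my own input format of {"name", "query"} objects.
Sample queries, responses and the fake transport are constructed."""
import csv
import io
import json
import urllib.request

API_URL = "https://api.security.microsoft.com/api/advancedhunting/run"


def http_run_query(query, token):
    """Real transport: POST one KQL query to the advanced hunting API.
    Not exercised offline; shown so the runner below has a concrete backend."""
    body = json.dumps({"Query": query}).encode("utf-8")
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def load_queries(text):
    """Parse the JSON input: a list of {"name": str, "query": str} objects."""
    queries = json.loads(text)
    for q in queries:
        if not isinstance(q.get("name"), str) or not isinstance(q.get("query"), str):
            raise ValueError("each entry needs string 'name' and 'query' fields")
    return queries


def run_all(queries, run_query):
    """Execute queries in order through run_query(query) -> response dict.
    Returns (rows, errors): rows are result dicts tagged with the query name;
    errors maps a failed query's name to the exception text."""
    rows, errors = [], {}
    for q in queries:
        try:
            response = run_query(q["query"])
        except Exception as exc:  # keep going; one bad query must not stop the batch
            errors[q["name"]] = str(exc)
            continue
        for result in response.get("Results", []):
            rows.append({"QueryName": q["name"], **result})
    return rows, errors


def rows_to_csv(rows):
    """Serialize rows to CSV text. Different queries return different columns,
    so the header is the union of all keys, QueryName first, blanks elsewhere."""
    columns = ["QueryName"]
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample input file and a fake transport keyed on query text.
SAMPLE_QUERIES_JSON = json.dumps([
    {"name": "encoded-powershell",
     "query": "DeviceProcessEvents | where FileName =~ 'powershell.exe' | take 2"},
    {"name": "remote-logons",
     "query": "DeviceLogonEvents | where LogonType == 'RemoteInteractive' | take 1"},
    {"name": "broken", "query": "NotATable | take 1"},
])
FAKE_RESPONSES = {
    "DeviceProcessEvents | where FileName =~ 'powershell.exe' | take 2": {"Results": [
        {"Timestamp": "2021-04-20T10:00:00Z", "DeviceName": "ws01", "FileName": "powershell.exe"},
        {"Timestamp": "2021-04-20T10:05:00Z", "DeviceName": "ws02", "FileName": "powershell.exe"},
    ]},
    "DeviceLogonEvents | where LogonType == 'RemoteInteractive' | take 1": {"Results": [
        {"Timestamp": "2021-04-20T11:00:00Z", "DeviceName": "srv02", "AccountName": "svc-backup"},
    ]},
}


def fake_run_query(query):
    """Offline stand-in for http_run_query; unknown queries fail like a bad table would."""
    if query not in FAKE_RESPONSES:
        raise RuntimeError("query failed: unknown table")
    return FAKE_RESPONSES[query]


if __name__ == "__main__":
    rows, errors = run_all(load_queries(SAMPLE_QUERIES_JSON), fake_run_query)
    print(rows_to_csv(rows))
    print("errors:", errors)
```

To run it against the live API, replace fake_run_query with a lambda such as `lambda q: http_run_query(q, token)` and write the returned CSV text to a file; the earlier episode's advice on keeping each query lean still applies, since every query in the batch counts against the same API quota.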
March Ahead with Azure Purview: Access management in Azure Purview – Part 3
Hopefully, you have read my previous blog posts about Azure Purview access
management Part 1 and Part 2 to find about Azure Purview control plane and data
plane roles and tasks. In this post, I will cover the following topic:
- Overview of dashboards and roles required to extend
your M365 Sensitivity Labels to Azure Purview.
By extending M365 Sensitivity Labels to Azure Purview you can
automatically assign labels to files and database columns in Azure Purview.
We have a new Azure Purview blog for your consideration. Please remember that
Azure Purview is a unified data governance service, and security is one of its
Azure Purview resource set pattern rules available in Public Preview
Date Published (MM/dd/YYYY):
processing systems typically store a single table in a data lake as multiple
files. This concept is represented in Azure Purview by using resource sets. A
resource set is a single object in the data catalog that represents a large
number of assets in storage. To learn more, see the resource set documentation.
When scanning a storage account, Azure Purview uses a
set of defined patterns to determine if a group of assets is a resource set. In
some cases, Azure Purview’s resource set grouping may not accurately reflect
your data estate. Resource set pattern rules allow you to customize or override
how Azure Purview detects which assets are grouped as resource sets and how
they are displayed within the catalog.
Pattern rules are currently supported in public preview
in the following source types:
- Azure Data Lake Storage Gen2
- Azure Blob Storage
- Azure Files
To learn more on how to create resource set pattern
rules, see our step-by-step
eDiscovery in Microsoft 365 One Stop Shop Resource Page
Welcome to the eDiscovery in Microsoft 365 One Stop Shop Resource
We built this page to help you easily find all relevant content and
resources relating to the compliance solutions in Microsoft 365. Please
bookmark this page for future reference as we will update it on an ongoing