Enhanced Azure Sentinel Alert remediation in the SOC Process Framework

  https://techcommunity.microsoft.com/t5/azure-sentinel/enhanced-azure-sentinel-alert-remediation-in-the-soc-process/ba-p/2452430

Published On (MM/dd/yyyy): 06/16/2021
Overview:

Microsoft’s Azure Sentinel now provides a Timeline view within the Incident in which alerts display remediation steps. The list of alerts with Microsoft-provided remediations will continue to grow. As the graphic below shows, each alert contains one or more remediation steps, which tell you what to do with the alert or Incident in question.

 

However, what if you want to have your own steps, or what if you have alerts without any remediation steps?

 

Now available to address this is the Get-SOCActions Playbook found in GitHub (Azure-Sentinel/Playbooks/Get-SOCActions at master · Azure/Azure-Sentinel (github.com)). This playbook uses a .csv file, uploaded to your Azure Sentinel instance as a Watchlist, containing the steps your organization wants an analyst to take to remediate the Incident they are triaging. More on this in a minute.

Below is an example of a provided Remediation from one of the Alerts:

 

Example Remediation Steps Provided by Microsoft

  1. Enforce the use of strong passwords and do not re-use
    them across multiple resources and services
  2. In case this is an Azure Virtual Machine, set up an NSG
    allow list of only expected IP addresses or ranges. (see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)
  3. In case this is an Azure Virtual Machine, lock down
    access to it using network JIT (see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time)

Picture1.png

Remediation steps were
added to the Timeline View recently in Azure Sentinel, as shown above

 

We highly encourage you to look at the SOC Process Framework blog, Playbook and the amazing Workbook. You may have already noticed the SocRA Watchlist that was called out in that article: it is a .csv file that Rin published, and it is the template you need to build your own steps (or just use the enhanced ones provided by Rin).

It’s this .csv file that creates the Watchlist that forms the basis of enhancing your SOC process for remediation; it’s used in both the Workbook and the Playbook. The .csv format was chosen because it is easy to edit (in Excel or Notepad etc.): you just need to amend the rows, or even add your own rows and columns, for new Alerts or steps you would like. There are columns called A1, A2 etc.; these are essentially Answer 1 (Step 1), Answer 2 (Step 2) etc.
Example of a new Alert that has been added.
Picture2.png

You can also add a DATE in the last column (recording when the line in the watchlist was updated).
Note that any URL link will appear in its own column in the [Incident Overview] workbook; we parse the string so the link can be part of a longer line of text in any of the columns headed A1 through A19 (you can add more answers if required, just insert more columns named A20, A21 etc. after column A19). Just remember to save your work as a .CSV.

 

How to install the Watchlist file

You must download the Watchlist file (then edit it as required); it’s called SOCAnalystActionsByAlert.csv (https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv).

Then, when you name the Watchlist, our suggestion is “SOC Recommended Actions”; make sure you set the ‘Alias’ to: SocRA

Important: SocRA is case sensitive; you need an uppercase S, R and A.

Picture3.png
You should now have entries in Log Analytics for the SocRA alias.
Picture4.png

The SocRA watchlist .csv file serves both the Incident Overview Workbook and the Get-SOCActions Playbook, should you want to push Recommended Actions to the Comments section of the Incident your Analyst is working on. You will want to keep this in mind when you edit the SocRA watchlist. The Get-SOCActions Playbook relies on the formatting of the SocRA watchlist, i.e. the A1 – A19, Alert and Date columns, when querying the watchlist for Actions. If the alert is not found, or has not been onboarded, the Playbook defaults to a set of questions pulled from the SOC Process Framework Workbook to help the analyst triage the alert and Incident.

Important – Should you decide to add more steps to the watchlist .csv file beyond A1-A19, you will need to edit the Playbook’s conditions to include the additional step(s) you added in the JSON response, the KQL query, and the variable HTML formatting, before the steps are committed to the Incident’s Comments section.
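The lookup the Get-SOCActions Playbook performs against the SocRA watchlist, and the URL handling the Incident Overview Workbook does on the A1–A19 columns, can be modelled offline. The following Python is an added example, not code from this post or from the Azure-Sentinel repository. It parses a constructed SocRA-style .csv (the column order Alert, A1..A19, Date is an assumption; the real file may differ), returns the watchlist steps for an onboarded alert or a set of placeholder triage questions for one that is not, pulls URLs out of step text into their own field, and flags answer columns beyond A19 that would require editing the playbook. The default questions are constructed placeholders, not the SOC Process Framework Workbook's own.

```python
import csv
import html
import io
import re

# Constructed sample in the SocRA watchlist layout the post describes:
# an Alert column, answer/step columns A1..A19 and a Date column.
# This column order is an assumption; only A1..A4 are filled here.
SAMPLE_SOCRA_CSV = (
    "Alert," + ",".join(f"A{i}" for i in range(1, 20)) + ",Date\n"
    '"Suspicious authentication activity",'
    '"Enforce the use of strong passwords and do not re-use them across services",'
    '"Set up an NSG allow list of expected IP ranges '
    '(see https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)",'
    '"Lock down access using network JIT '
    '(see https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time)",'
    '"Confirm with the account owner whether the sign-in was expected"'
    + "," * 16 + "2021-06-16\n"
)

# Placeholder triage questions standing in for the SOC Process Framework
# Workbook's defaults, which the post does not list (constructed).
DEFAULT_TRIAGE_QUESTIONS = [
    "Is the affected entity a known high-value asset?",
    "Has this alert fired for this entity before?",
    "Is there corroborating activity in related data sources?",
]

ANSWER_COLUMN_RE = re.compile(r"^A(\d+)$")
URL_RE = re.compile(r'https?://[^\s)"]+')
SUPPORTED_MAX_ANSWER = 19  # the playbook handles A1..A19 out of the box


def answer_columns(header):
    """Return the A<n> column names present in the header, in numeric order."""
    found = []
    for name in header:
        match = ANSWER_COLUMN_RE.match(name.strip())
        if match:
            found.append((int(match.group(1)), name.strip()))
    return [name for _, name in sorted(found)]


def unsupported_answer_columns(header):
    """Answer columns beyond A19: adding these means editing the playbook too."""
    return [c for c in answer_columns(header) if int(c[1:]) > SUPPORTED_MAX_ANSWER]


def load_socra(csv_text):
    """Parse the watchlist into {alert name: {"steps": [...], "date": ...}}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = {"Alert", "Date"} - set(header)
    if missing:
        raise ValueError(f"watchlist is missing required columns: {sorted(missing)}")
    columns = answer_columns(header)
    entries = {}
    for row in reader:
        steps = [row[c].strip() for c in columns if (row.get(c) or "").strip()]
        entries[row["Alert"].strip()] = {"steps": steps, "date": (row["Date"] or "").strip()}
    return entries


def split_links(step):
    """Pull any URL out of a step into its own field, as the workbook does."""
    urls = URL_RE.findall(step)
    text = URL_RE.sub("", step)
    text = re.sub(r"\s*\(\s*see\s*\)", "", text)  # drop an emptied "(see )"
    return " ".join(text.split()), urls


def recommended_actions(entries, alert_name, defaults=DEFAULT_TRIAGE_QUESTIONS):
    """Playbook-style lookup: watchlist steps if onboarded, else default questions."""
    entry = entries.get(alert_name)
    if entry is None or not entry["steps"]:
        return {"source": "default", "actions": list(defaults)}
    return {"source": "watchlist", "actions": list(entry["steps"])}


def format_comment(actions):
    """Render the actions as an escaped HTML list for the Incident comments."""
    items = "".join(f"<li>{html.escape(a)}</li>" for a in actions)
    return f"<ol>{items}</ol>"


if __name__ == "__main__":
    watchlist = load_socra(SAMPLE_SOCRA_CSV)
    result = recommended_actions(watchlist, "Suspicious authentication activity")
    for step in result["actions"]:
        print(split_links(step))
    print(format_comment(result["actions"]))
    print(recommended_actions(watchlist, "Not onboarded yet")["source"])
```

Running `unsupported_answer_columns` over the header of an edited file is a cheap pre-commit check: if it returns anything, the playbook's JSON response, KQL query and HTML formatting need the matching edits the note above describes before the new steps will reach the Incident comments.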

 

Incident Overview Workbook

To make investigation easier, we have integrated the above Watchlist with the default “Investigation Overview” Workbook you see; simply click the normal link from within the Incident blade:

Picture5.png

This will still open the Workbook as usual. Whilst I was making changes, I have also colour coded the alert status and severity fields (Red, Amber and Green), just to make them stand out a little, and Blue for new alerts.

Picture6.png

If an alert has NO remediations, nothing will be visible in the workbook. However, if the alert has a remediation and there is no Watchlist called SocRA, you will be able to expand the menu that appears:

Picture7.png

This will show the default or basic remediations that the alert has; in this example there are 3 remediation steps shown.

Picture8.png

If you have the SocRA watchlist installed, then you will see that data shown instead (as the Watchlist is the authoritative source, rather than the steps in the alert). In this example there is a 4th step (A4) shown, which is specific to the Watchlist and the specific alert called “Suspicious authentication activity”.
Picture9.png

 

Conclusion

In conclusion, these Workbooks, the Playbook, and Watchlist all work
together in concert to provide you with a customized solution to creating
remediation steps that are tailored to a specific line of business. As you
on-board custom analytics/detections that are pertinent to your business, you will
have actions you will want an analyst to take and this solution provides a
mechanism for delivering the right actions per analytic/use-case.

Thanks for reading!

We hope you found the details of this article interesting. Thanks to Clive Watson and Rin Ure for writing this article and creating the content for this solution.

And a special thanks to Sarah Young and Liat Lisha for helping us to deploy this solution.

Links

 

Content and link:

  • SOC Process Framework Wiki: SOC Process Framework · Azure/Azure-Sentinel Wiki (github.com)
  • Main SOC Process Framework Blog, author Rin Ure: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315
  • SOC Process Framework Workbook, author Rin Ure: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json
  • Incident Overview Workbook, amended by Clive Watson for remediation and watchlist integration: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/IncidentOverview.json
  • Watchlist, author Rin Ure: https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv

 



What’s New: Azure Sentinel Update Watchlist UI Enhancements

 URL: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476

Published On  06/16/2021
Overview:

This blog post is a collaboration between @Cristhofer Munoz and @JulianGonzalez

 

This installment is part
of a broader series to keep you up to date with the latest
features/enhancements in Azure Sentinel. The installments will be bite-sized to
enable you to easily digest the new content.

 

Introduction

 

Security operations (SecOps) teams need to be equipped with tools that empower them to efficiently detect, investigate, and respond to threats across the enterprise. Azure Sentinel watchlists empower organizations to shorten investigation cycles and enable rapid threat remediation by providing the ability to collect external data sources for correlation with security events. Additionally, correlations and analytics help SecOps stay apprised of bad actors and compromised entities across the environment. Incorporating external data and performing correlation across analytics allows security teams to get a better view of their entire infrastructure and take steps to reduce risk.

 

Due to the evolving and constantly changing cybersecurity landscape we live in, it is very challenging for SecOps to stay apprised of new indicators of compromise.

 

Azure Sentinel Watchlists provide the ability to quickly import IP addresses, file hashes, etc. from csv files into your Azure Sentinel workspace. You can then use the watchlist name/value pairs for joining and filtering in alert rules, threat hunting, workbooks, notebooks and general queries.

 

Due to the constant change, security analysts need the flexibility to update
watchlists to stay ahead. With that in mind,  we are super excited to
announce the Azure Sentinel Watchlist  enhancements that empower security
analysts to drive efficiency by enabling the ability to update or add items to
a watchlist using an intuitive user interface.

 

———————————————————————

For additional use case examples, please refer to these relevant blog posts:

 

Utilize Watchlists to Drive Efficiency During Azure Sentinel Investigations – Microsoft Tech Community

 

Playbooks & Watchlists Part 1: Inform the subscription owner

https://techcommunity.microsoft.com/t5/azure-sentinel/playbooks-amp-watchlists-part-1-inform-the-sub…

 

Playbooks & Watchlists Part 2: Automate incident response

https://techcommunity.microsoft.com/t5/azure-sentinel/playbooks-amp-watchlists-part-2-automate-incid…

 

Please refer to our public documentation for other additional details. 

———————————————————————

 

Watchlist Updating Functionality

 

The new watchlist UI encompasses the following functionality:

– Add new watchlist items or update existing watchlist items.

– Select and update multiple watchlist items at once via an Excel-like grid.

– Add/remove columns from the watchlist update UI view for better usability.

 

How to update a watchlist

From the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist

 

watchlist.jpg

 

 

 

Select a Watchlist, then select Edit Watchlist Items

 

 watchlist2.png

 

Select Add New, then update the watchlist parameters

 

Get started today!

 

We encourage you to try out the new Watchlist update UI enhancement to drive efficiency across your data correlation.

 

Choosing an Azure Ledger Technology

 Title:
Choosing an Azure Ledger Technology

URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/choosing-an-azure-ledger-technology/ba-p/2451024
Date Published
(MM/dd/YYYY): 06/17/2021

Overview:

At the annual Microsoft Build 2021 Developer Conference, we announced two new products that are based on blockchain technology. Azure Confidential Ledger, now in preview, offers a fully managed service for customers who need to store sensitive data with high integrity and confidentiality. Azure SQL Database ledger, also in preview, enables storage of sensitive relational data in a tamper-evident way.

 

In this blog post, we’ll introduce you to both of these new products as well
as help you understand when it makes sense to use them individually, together,
and even with an existing blockchain system.

 

Azure Confidential Ledger

Enterprises running sensitive workloads need a secure way to store their logs and important metadata while collaborating with other parties. The Confidential Consortium Framework (CCF) is a Microsoft-created open framework for building confidential permissioned blockchain services. By running a confidential blockchain network of nodes in secure enclaves, data remains append-only with immutability guarantees, and the data from the client goes straight to the ledger’s enclaves.

 

Building on the CCF framework, Azure Confidential Ledger (preview) provides the ability to store sensitive data records with integrity and confidentiality guarantees, all in a highly available and performant manner. Stored data remains immutable and tamper-proof in the append-only ledger, with the benefits of a fully managed solution that provides infrastructure and operations so customers can get started quickly. The service provides these assurances by harnessing the power of Confidential Computing’s secure enclaves when setting up the decentralized blockchain network. Microsoft’s access is limited to setting up and managing the network, and this specialized design means that only the customer has access to transaction data in the Confidential Ledger.

 

Asking yourself the following questions can help you decide if Azure
Confidential Ledger is right for you:

 

  1. Do you need to store unstructured data (i.e. files,
    digests) that must remain intact for recordkeeping purposes?
  2. Are you working with sensitive workflows where
    confidentiality must be maintained?
  3. Are you in need of a service that has high integrity
    and security with a minimalistic trusted computing base?
  4. Are you working with parties that need irrefutable
    evidence that tampering did not occur to the stored data?

If you said yes to one or more of these, Azure Confidential Ledger is right
for you. Customers have been using Azure Confidential Ledger in various
ways. Novaworks,
an e-parliamentary software solution, is using Azure Confidential Ledger to
securely log votes in a tamper-proof ledger for a high-fidelity voting process.

 

Azure SQL Database ledger

Azure SQL Database ledger (preview) is a tamper-evident solution for your databases that provides cryptographic proof of your database’s integrity. Using a blockchain data structure implemented as system tables in your database, the ledger feature ensures that any transaction which modifies relational data in your database can be tracked, and any potential tampering detected and easily remediated. Providing proof that your data has not been tampered with is as simple as running a stored procedure that compares the calculated cryptographic hashes in your database against a database digest, which is published automatically in a secure location, such as Azure Confidential Ledger.
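To make the "compare calculated hashes against a published digest" step concrete, here is an added Python example. It is not Microsoft's code and not the actual Azure SQL Database ledger hashing scheme, which is more elaborate; it is a simplified hash-chained ledger of blocks, a digest taken from its last block, and a verifier that recomputes the chain from the stored rows. It also shows why the digest has to be published somewhere the database administrator cannot write: a tamperer who rewrites every hash produces a self-consistent chain that only the externally held digest exposes. The transactions are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64  # previous-hash value for the first block


def canonical(rows):
    """Serialise rows deterministically so equal content yields equal hashes."""
    return json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()


def block_hash(block_id, prev_hash, rows):
    """Hash of one block: chained to its predecessor through prev_hash."""
    material = prev_hash.encode() + block_id.to_bytes(8, "big") + canonical(rows)
    return hashlib.sha256(material).hexdigest()


@dataclass
class Block:
    block_id: int
    rows: list
    prev_hash: str
    block_hash: str


class Ledger:
    """Simplified append-only ledger: each block commits to the one before it."""

    def __init__(self):
        self.blocks = []

    def append(self, rows):
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS_HASH
        block_id = len(self.blocks)
        digest = block_hash(block_id, prev, rows)
        self.blocks.append(Block(block_id, [dict(r) for r in rows], prev, digest))
        return digest

    def digest(self):
        """What gets published to a store the DB admin cannot write (e.g. a confidential ledger)."""
        last = self.blocks[-1]
        return {"block_id": last.block_id, "hash": last.block_hash}


def verify(ledger, published_digest):
    """Recompute every hash from the rows and compare with the published digest."""
    prev = GENESIS_HASH
    recomputed = {}
    for block in ledger.blocks:
        expected = block_hash(block.block_id, prev, block.rows)
        if block.prev_hash != prev or block.block_hash != expected:
            return False, f"block {block.block_id}: stored hash does not match its rows"
        recomputed[block.block_id] = expected
        prev = expected
    actual = recomputed.get(published_digest["block_id"])
    if actual is None:
        return False, "published digest refers to a block the ledger no longer holds"
    if actual != published_digest["hash"]:
        return False, "chain is self-consistent but differs from the published digest"
    return True, "ok"


def rechain(ledger):
    """Rewrite every hash in place: what a tamperer with full DB control could do."""
    prev = GENESIS_HASH
    for block in ledger.blocks:
        block.prev_hash = prev
        block.block_hash = block_hash(block.block_id, prev, block.rows)
        prev = block.block_hash


def demo():
    """Constructed transactions; returns the verification outcome at each stage."""
    ledger = Ledger()
    ledger.append([{"txn": 1, "account": "acct-A", "amount": 100}])
    ledger.append([{"txn": 2, "account": "acct-B", "amount": -40}])
    published = ledger.digest()                # taken while the data is known good
    clean = verify(ledger, published)[0]
    ledger.blocks[0].rows[0]["amount"] = 1000  # in-place edit of history
    edited = verify(ledger, published)[0]
    rechain(ledger)                            # cover the edit by recomputing hashes
    rechained = verify(ledger, published)[0]
    return {"clean": clean, "edited": edited, "rechained": rechained}


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'edited': False, 'rechained': False}
```

The first failure is what the in-database hashes catch on their own; the second is only caught because the digest was stored outside the database before the rewrite, which is the role the post assigns to the secure location such as Azure Confidential Ledger.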

 

Ledger is a feature of Azure SQL Database, meaning there is no additional
cost to add tamper-evidence capabilities.  You don’t have to migrate data
from your existing SQL databases to add tamper-evidence capabilities and no
changes are needed to your applications as ledger is an extension of existing
SQL table functionality. 

 

Asking yourself the following questions can help you decide if Azure SQL
Database ledger is right for you.

 

  1. Do you have business-critical data in Azure SQL
    Database where you must ensure data integrity is intact?
  2. Can 3rd parties who interact with your
    data accept a “trust, but verify” model rather than each party having a
    copy of the ledger?
  3. Do you need to prove to auditors or regulators that
    your data has not been tampered with?
  4. Do you have a need for queryability and strong data
    management capabilities, such as streaming data from a blockchain to an
    off-chain store while maintaining integrity from on-chain to off-chain?

If you can answer “yes” to any of these questions, then Azure SQL Database ledger is right for you. Customers like RTGS.global, who provide a global liquidity network for banks, are already using this capability to provide a ledger of transactions to regulators to prove that global banking transactions have not been tampered with. Read our blog to learn more.

 

Putting it all together

Trust is foundational in any business process that spans organizational
boundaries.  Microsoft goes beyond traditional blockchains, using the
building blocks of this technology as the underpinning for the distributed
ledger of Azure Confidential Ledger and the consolidated data store of Azure
SQL Database ledger.  These solutions empower our customers to apply the
power of blockchain to sensitive data, simplifying solution development,
reducing cost and providing a new level of digital trust to transactions.

 

Deciding which technology is best for your needs ultimately depends on the
level of trust between parties transacting with the data, and the type of data
being protected.  In addition to the points mentioned above, consider the
following when deciding whether Azure SQL Database ledger or Azure Confidential
Ledger is right for you.

ShubhraS_1-1623871091233.png

Learn more

  • Read the Azure Confidential Ledger announcement blog and documentation to learn more about how this new
    service is empowering our customers and securing their work.
  • Read the Azure SQL Database ledger documentation and whitepaper to
    learn more about how the ledger feature works and how to use it with your
    Azure SQL Database.



Updates to Attack Simulation Training

 Title:
Announcing Exciting Updates to Attack Simulation Training

URL: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-exciting-updates-to-attack-simulation-training/ba-p/2455961
Date Published  06/17/2021
Overview:

Simulation Automations

The modern enterprise, of any size, faces the challenge that the logistics involved in planning a phishing simulation exercise are often laborious and time-consuming. To help address this, we are pleased to announce some extra functionality in Attack Simulation Training that we feel will bring added benefits in this space by:

 

  • Helping move away from the traditional approach of
    running quarterly or annual simulations, to a more always on ‘educating’
    model, by scheduling simulations to launch at a higher frequency (being
    mindful of simulation and training fatigue of course).

 

  • Letting you schedule simulations up to a year in
    advance, so you decide the parameters of your simulations once in advance
    then you are good to go.

 

  • Introducing some randomization elements around send
    times and dates to help combat the crowdsource effect that can occur when
    running large simulation exercises.

 

You can access the new functionality by selecting the “Simulation
automations” tab within the main experience.

blog1.png

 

When you create a simulation automation, the experience walks you through a
wizard experience just like creating a manual simulation, with the addition of
a few new steps.

 

  • Payload selection – Here we allow you to manually select
    what payloads you would like to be in scope for the simulations, or
    alternatively you can opt to randomize, where we will take a random
    payload from the available library and use that.

 

  • Simulation schedule – Here, you get to decide if you
    would like a randomized schedule or a more predictable fixed schedule.
    What is the difference?

 

A randomized schedule lets you select a start date and end date, the days of the week you would like to be in scope for delivery, and after how many simulation launches you would like the automation to stop.

 

Once the automation is enabled, the simulations will be launched on random
days between the dates you have specified. You can also choose to randomize the
send times (to negate the water cooler effect of users receiving simulation
messages at the same time and chatting about it).

 

blog2.png

 

A fixed schedule allows you to run automations in a more controlled manner. We take the same approach – you specify a start date and end date – however this time you are prompted to enter the cadence, either weekly or monthly, and the parameters of how often you would like them to launch.

 

For example, you can schedule an automation to run once a week for a period
of 7 weeks starting every Monday, or you can also opt to end the simulations by
a particular date or after a specific number of occurrences that you define.

 

blog3.png

 

 

Government Cloud and Regional Availability Updates

 

Attack Simulation Training is now live in GCC:

Starting 15 June 2021, Attack Simulation Training will be generally
available in our Government Community Cloud. If your organization has Office
365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you
can use Attack Simulation Training in Microsoft 365 Defender to run realistic
attack scenarios in your organization as described here. Please note that the service is not yet available in
GCC-High or DoD environments and this is part of our future roadmap.

 

Attack Simulation Training is now live in new regions:

Starting 16 June 2021, Attack Simulation Training will be generally
available to tenants in Latin America, Brazil, and Switzerland that have
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. For any guidance
on running simulations, please start here. For frequently asked questions, please refer to our FAQ page.

 

We hope you find the enhancements useful as you continue your journey of
end-user education and behavior change. If you have any comments or feedback be
sure to let us know.

 



Join in the Azure Sentinel Hackathon 2021!

Title: Join in the Azure Sentinel Hackathon 2021!

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/join-in-the-azure-sentinel-hackathon-2021/ba-p/2466335
Published On: 06/21/2021
Overview:

 

Today, we are announcing the 2nd annual Hackathon for Azure Sentinel! This hackathon challenges security experts around the globe to build end-to-end cybersecurity solutions for Azure Sentinel that deliver enterprise value by collecting data, managing security, detecting, hunting, investigating, and responding to constantly evolving threats. We invite you to participate in this hackathon for a chance to solve this challenge and win a piece of the $19000 cash prize pool*. This online hackathon runs from June 21st to Oct 4th, 2021, and is open to individuals, teams, and organizations globally.

Azure Sentinel provides a platform for security analysts and threat hunters of various levels not only to leverage existing content like workbooks (dashboards), playbooks (workflow orchestrations), analytic rules (detections), hunting queries, etc., but also to build custom content and solutions. Furthermore, Azure Sentinel provides APIs for integrating different types of applications with Azure Sentinel data and insights. Here are a few examples of end-to-end solutions that unlock the potential of Azure Sentinel and drive enterprise value.

You can discover more examples by reviewing content and solutions in the Azure Sentinel GitHub repo and blogs. You can refer to last year’s Azure Sentinel Hackathon for ideas too!

 

Prizes

In addition to learning more about Azure Sentinel and delivering
cybersecurity value to enterprises, this hackathon offers the following awesome
prizes for top projects:

  • First Place (1) – $10,000 USD cash prize  
  • Second Place (1) – $4000 USD cash prize
  • Runners Up (2) – $1500 USD cash prize each 
  • Popular Choice (1) – $1000 USD cash prize
  • The first 10 eligible submissions also qualify to
    receive $100 each.

Note: Refer to the Hackathon official rules for details on project types that
qualify for each prize category

In addition, the four winning projects will be heavily promoted on Microsoft blogs and social media so that your creative projects are widely known to all. The criteria for judging consist of quality of the idea, value to enterprise and technical implementation. Refer to the Azure Sentinel Hackathon website for further details and get started.

 

Judging Panel

Judging commences immediately after the hackathon submission window closes
on October 4th, 2021. We’ll announce the winners on or before
October 27th, 2021. Our judging panel currently includes the
following influencers and experts in the cybersecurity community.

  • Ann Johnson – Corporate Vice President, Cybersecurity
    Solutions Group, Microsoft
  • Vasu Jakkal – Corporate Vice President, Microsoft
    Security, Compliance and Identity
  • John Lambert – Distinguished Engineer and General
    Manager, Microsoft Threat Intelligence Center
  • Nick Lippis – Co-Founder, Co-Chair ONUG
  • Andrii Bezverkhyi – CEO & founder of SOC Prime,
    inventor of Uncoder.IO

 

 Next Steps

Let the #AzureSecurityHackathon begin!

 

*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends October 4th, 2021 at 9:00 AM Pacific Time. Refer to the official rules for details.

 



Android users’ privacy at risk: bug in Qualcomm mobile chip

 

Qualcomm has confirmed the bug and fixed the issue and mobile players are notified, according to the researchers.

Researchers with Israeli cybersecurity firm Check Point have discovered a high-risk security vulnerability in the Qualcomm mobile chip responsible for cellular communication in nearly 40 per cent of the high-end phones offered by Google, Samsung, LG, Xiaomi and OnePlus.

If exploited, the vulnerability in Qualcomm mobile station modem (MSM) would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations, according to Check Point Research.

“During our investigation, we discovered a vulnerability in a modem data service that can be used to control the modem and dynamically patch it from the application processor,” they said in a blog post on Thursday.

According to Counterpoint Research, Qualcomm’s Mobile Station Modem is a system of chips that provides capabilities for things like voice, SMS, and high-definition recording, mostly on higher-end devices.

“This means an attacker could have used this vulnerability to inject malicious code into the modem from Android, giving them access to the device user’s call history and SMS, as well as the ability to listen to the device user’s conversations,” they added.

A hacker can also exploit the vulnerability to unlock the device’s SIM, thereby overcoming the limitations imposed by service providers on it.

“Mobile devices should always be updated to the latest version of the OS to protect against the exploitation of vulnerabilities. Only installing apps downloaded from official app stores reduces the probability of downloading and installing mobile malware,” the researchers advised.

In August 2020, Check Point Research found over 400 vulnerabilities on Qualcomm’s Snapdragon DSP (Digital Signal Processor) chip that threatened the usability of mobile phones.

The vulnerability could also have potentially allowed an attacker to unlock a mobile device’s SIM, according to the cyber security company.

Securing the Industrial Internet of Things—Cybersecurity for Distributed Energy Resources: Preliminary Draft of SP 1800-32 Available for Comment

 


NIST’s National Cybersecurity Center of Excellence (NCCoE) has posted for comment a Preliminary Draft of Special Publication (SP) 1800-32, Volumes A and B, on Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.

The use of small-scale distributed energy resources (DERs), such as wind and solar photovoltaics, is growing rapidly and transforming the power grid. In fact, a distribution utility may need to remotely communicate with thousands of DERs and other grid-edge devices, many of which it does not own. Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency.

In this practice guide, the NCCoE applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. The guide demonstrates an example solution for monitoring and detecting unusual behavior of connected industrial internet of things devices and building a comprehensive audit trail of trusted IIoT data flows.

By releasing Volumes A and B as a preliminary draft, we are sharing our progress made to date, using the feedback received to shape future drafts of the practice guide, and featuring technologies and practices that organizations can use to monitor, trust, and protect information exchanges between commercial- and utility-scale distributed energy resources (DERs).

The public comment period is open through May 24, 2021. See the publication details for a copy of the draft volumes and instructions for submitting comments.

NCCoE homepage: https://www.nccoe.nist.gov/

Publication detail: https://csrc.nist.gov/publications/detail/sp/1800-32/draft

Project homepage: https://www.nccoe.nist.gov/projects/use-cases/energy-sector/iiot


NIST Requests Comments for Updated Guide to Industrial Control Systems Security

 


Today NIST initiated an update for SP 800-82, Guide to Industrial Control Systems (ICS) Security, to incorporate lessons learned over the past several years, to provide alignment to relevant NIST guidance (e.g., NIST SP 800-37 Rev. 2, NIST SP 800-53 Rev. 5, NIST SP 800-53B, and the Cybersecurity Framework v1.1), to provide alignment to other relevant control system cybersecurity standards and recommended practices, and to address changes in the threat landscape.

NIST seeks input from SP 800-82 stakeholders to ensure that the future update will continue to deliver the guidance necessary to help organizations manage the cybersecurity risks associated with their control systems.

Specifically, NIST requests input on the following:

  • Expansion in scope of SP 800-82 from industrial control systems to control systems in general
  • Application of new
    cybersecurity capabilities in control system environments
  • Development of guidance
    specific to small and medium-sized control system owners and operators
  • Updates to control system
    threats, vulnerabilities, standards and recommended practices
  • Updates to the control
    system Overlay
  • Removal of material from
    the current document that is outdated, unneeded, or no longer
    applicable.

See the full call for comments for additional details.

All comments are due by May 28, 2021. Please
submit your comments by email to sp800-82rev3@nist.gov.
When providing comments, please be specific and include the rationale for
any proposed additions or deletions of material.

An Initial Public Draft of the update, which will be published as SP 800-82 Rev. 3, is scheduled for a late 2021/early 2022 release.

Call for Comments on SP 800-82: https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/draft

Other publication details:

  • SP 800-37 Rev. 2: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
  • SP 800-53 Rev. 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • SP 800-53B: https://csrc.nist.gov/publications/detail/sp/800-53b/final
  • NIST Cybersecurity Framework v1.1: https://csrc.nist.gov/publications/detail/white-paper/2018/04/16/cybersecurity-framework-v11/final


More Security Blogs from Microsoft

 

Title: Defending against cryptojacking with Microsoft Defender for Endpoint and Intel TDT
URL: https://www.microsoft.com/security/blog/2021/04/26/defending-against-cryptojacking-with-microsoft-defender-for-endpoint-and-intel-tdt/
Date Published (MM/dd/YYYY): 04/26/2021
Overview:

With cryptocurrency mining on the rise, Microsoft and Intel have partnered
to deliver threat detection technology to enable EDR capabilities in Microsoft
Defender for Endpoint.

—————————————————————-

Title:
Non-interactive logins: minimizing the blind spot

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932
Published On (MM/dd/yyyy): 04/25/2021
Overview:

Special thanks to   for
collaborating on this blog post with me! 

 

In this blog post, we will review the new Azure Sentinel data streams for
Azure Active Directory non-interactive, service principal, and managed identity
logins. We will also share the new security content we built and updated in the
product, which includes analytics rules for the detection part and workbooks to
assist our customers to deal with this blind spot.

 

The shift to the cloud and the rise of automation tasks and
service-to-service integration have contributed to a dramatic increase in the
use of managed applications, service principals, and managed identities.

These new security objects perform login activity that is not captured in
Azure Active Directory’s traditional sign-in logs.

The updated Azure Active Directory data connector now brings these important
sign-in events into Azure Sentinel.

What are non-interactive logins?

Non-interactive user sign-ins are sign-ins that were performed by a client
app or an OS component on behalf of a user. Like interactive user sign-ins,
these sign-ins are done on behalf of a user. Unlike interactive user sign-ins,
these sign-ins do not require the user to supply an authentication factor.
Instead, the device or client app uses a token or code to authenticate or
access a resource on behalf of the user. In general, the user will perceive
these sign-ins as happening in the background of their activity.

Some activity that is captured in these logs:

  • A client app uses an OAuth 2.0 refresh token to get an
    access token.
  • A client uses an OAuth 2.0 authorization code to get an
    access token and refresh token.
  • A user performs single sign-on (SSO) to a web or
    Windows app on an Azure AD joined PC.
  • A user signs in to a second Microsoft Office app while
    they have a session on a mobile device using FOCI (Family of Client IDs).

 

Why is it so important to monitor and detect activities in this area?

 

Some examples that highlight why it’s so important to collect these logs and
get visibility into them as part of your detections and hunting:

 

  1. SolarWinds campaign – As part of our learning on the SolarWinds
     campaign investigation, we used these logs in the hunting phase to check
     if the malicious actor used a sensitive app to gain “Data Access”.

 ————————————————————————-

Title:
Best practices for leveraging Microsoft 365 Defender API’s – Episode Two
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820
Published On (YYYY-dd-MM): 2021-26-04
Overview:

In the previous episode we provided recommendations about how to use the
Microsoft 365 Defender API and, specifically, how to optimize the Advanced
hunting query.

In this episode we will demonstrate use cases detailing how to access the API
data and use this information in other products.

One of the most common uses of the API is for visualization in Power BI. This
provides the capability to analyze, visualize, and share your data with others
quickly and easily.

If you are not familiar with Power BI, we suggest you visit the Microsoft
Power BI web site and download Power BI Desktop.

We already documented how to use Power BI to create custom reports using
Microsoft Defender for Endpoint APIs connection to Power BI – Windows
security | Microsoft Docs.

——————————————————————–

Title:
Best practices for leveraging Microsoft 365 Defender API’s – Episode Three
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2290463
Published On (YYYY-dd-MM): 2021-26-04
Overview:

In the previous episode, we described how you can easily use Power BI to
represent Microsoft 365 data in a visual format. In this episode, we will
explore another way you can interact with the Microsoft 365 Defender API. We
will describe how to automate data analysis and hunting using Jupyter
notebook.

Automate your hunting queries

While hunting and conducting investigations on a specific threat or IOC, you
may want to use multiple queries to obtain wider optics on the possible
threats or IOCs in your network. You may also want to leverage queries that
are used by other hunters and use them as a pivot point to perform deep
analysis and find anomalous behaviors. You can find a wide variety of
examples in our Git repository where various queries related to the same
campaign or attack technique are shared.

In scenarios such as this, it is sensible to leverage the power of automation
to run the queries rather than running individual queries one by one.
 

This is where Jupyter Notebook is particularly useful. The notebook takes a
JSON file of hunting queries as input and executes all the queries in
sequence. The results are saved in a .csv file that you can analyze and
share.
 

 ————————————————————————

Title:
March Ahead with Azure Purview: Access management in Azure Purview – Part 3
URL: https://techcommunity.microsoft.com/t5/azure-purview/march-ahead-with-azure-purview-access-management-in-azure/ba-p/2262722
Date Published (MM/dd/YYYY): 04/22/2021

Overview:

Hopefully, you have read my previous blog posts about Azure Purview access
management, Part 1 and Part 2, to find out about Azure Purview control plane
and data plane roles and tasks. In this post, I will cover the following
topic:

 

  • Overview of dashboards and roles required to extend
    your M365 Sensitivity Labels to Azure Purview.

 

By extending M365 Sensitivity Labels to Azure Purview you can
automatically assign labels to files and database columns in Azure Purview.

——————————————————————

We have a new Azure Purview blog for your consideration. Please remember that
Azure Purview is a unified data governance service, and security is one of
its pillars.

Title:
Azure Purview resource set pattern rules available in Public Preview
URL: https://techcommunity.microsoft.com/t5/azure-purview/azure-purview-resource-set-pattern-rules-available-in-public/ba-p/2275399
Date Published (MM/dd/YYYY): 04/21/2021

Overview:

At-scale data processing systems typically store a single table in a data
lake as multiple files. This concept is represented in Azure Purview by using
resource sets. A resource set is a single object in the data catalog that
represents a large number of assets in storage. To learn more, see the
resource set documentation.

 

When scanning a storage account, Azure Purview uses a
set of defined patterns to determine if a group of assets is a resource set. In
some cases, Azure Purview’s resource set grouping may not accurately reflect
your data estate. Resource set pattern rules allow you to customize or override
how Azure Purview detects which assets are grouped as resource sets and how
they are displayed within the catalog.

 

Pattern rules are currently supported in public preview
in the following source types:

  • Azure Data Lake Storage Gen2
  • Azure Blob Storage
  • Azure Files

To learn more on how to create resource set pattern rules, see our
step-by-step how-to documentation!

———————————————————————–

Title:
eDiscovery in Microsoft 365 One Stop Shop Resource Page
URL: https://techcommunity.microsoft.com/t5/security-compliance-identity/ediscovery-in-microsoft-365-one-stop-shop-resource-page/ba-p/2262529
Date Published (MM/dd/YYYY): 04/21/2021

Overview:

Welcome to the eDiscovery in Microsoft 365 One Stop Shop Resource Page!

 

We built this page to help you easily find all relevant content and
resources relating to the compliance solutions in Microsoft 365. Please
bookmark this page for future reference as we will update it on an ongoing
basis.

 

CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks

Original release date: April 26, 2021

A software supply chain attack—such as the recent SolarWinds Orion
attack—occurs when a cyber threat actor infiltrates a software vendor’s network
and employs malicious code to compromise the software before the vendor sends
it to their customers. The compromised software can then further compromise
customer data or systems.

To help software vendors and customers defend against these attacks, CISA
and the National Institute for Standards and Technology (NIST) have released
Defending Against Software Supply Chain Attacks. This new interagency
resource provides an overview of software supply chain risks and
recommendations. The publication also provides guidance on using NIST’s Cyber
Supply Chain Risk Management (C-SCRM) framework and the Secure Software
Development Framework (SSDF) to identify, assess, and mitigate risks.

CISA encourages users and administrators to review Defending Against
Software Supply Chain Attacks and implement its recommendations.