Title: Join in the
Azure Sentinel Hackathon 2021!

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/join-in-the-azure-sentinel-hackathon-2021/ba-p/2466335
Published On: 06/21/2021
Overview:

 

Today, we are announcing the 2^nd
annual Hackathon for Azure Sentinel! This hackathon challenges
security experts around the globe to build end-to-end cybersecurity solutions
for Azure Sentinel that delivers enterprise value by collecting data, managing
security, detecting, hunting, investigating, and responding to constantly
evolving threats. We invite you to participate in this hackathon for a chance
to solve this challenge and win a piece of the $19000 cash prize pool*. This
online hackathon runs from June 21^st to Oct 4^th, 2021,
and is open to individuals, teams, and organizations globally.

Azure Sentinel provides
a platform for security analysts and threat hunters of various levels to not
only leverage existing content like workbooks (dashboard), playbooks (workflow
orchestrations), analytic rules (detections), hunting queries, etc. but also build custom content and solutions  as well.
Furthermore, Azure Sentinel also provides APIs
for integrating different types of applications to connect with Azure Sentinel
data and insights. Here are few examples of end-to-end solutions that
unlocks the potential of Azure Sentinel and drives enterprise value.

• Azure Sentinel Solutions blogpost provides examples of
  end-to-end solutions that deliver product and/or domain and/or industry
  vertical value.

• SOC Prime Sigma integration provides an example
  of API integration.
• Azure Sentinel2Go lab with pre-recorded data
  provides an example of a tool that enables easier onboarding to Azure
  Sentinel. 

 You can discover more examples by reviewing content and solutions in
the Azure
Sentinel GitHub repo and blogs. You can refer to the last year’s Azure Sentinel Hackathon for ideas too!

 

Prizes

In addition to learning more about Azure Sentinel and delivering
cybersecurity value to enterprises, this hackathon offers the following awesome
prizes for top projects:

• First Place (1) – $10,000 USD cash prize  
• Second Place (1) – $4000 USD cash prize
• Runners Up (2) – $1500 USD cash prize each 
• Popular Choice (1) – $1000 USD cash prize
• The first 10 eligible submissions also qualify to
  receive $100 each.

Note: Refer to the Hackathon official rules for details on project types that
qualify for each prize category

In addition, the four winning projects will be heavily promoted on Microsoft
blogs and social media so that your creative projects are widely known to all.
The criteria for judging consist of quality of the idea, value to enterprise
and technical implementation. Refer to the Azure
Sentinel Hackathon website for further details and get started.

 

Judging Panel

Judging commences immediately after the hackathon submission window closes
on October 4^th, 2021. We’ll announce the winners on or before
October 27^th, 2021. Our judging panel currently includes the
following influencers and experts in the cybersecurity community.

• Ann Johnson – Corporate Vice President, Cybersecurity
  Solutions Group, Microsoft
• Vasu Jakkal – Corporate Vice President, Microsoft
  Security, Compliance and Identity
• John Lambert – Distinguished Engineer and General
  Manager, Microsoft Threat Intelligence Center
• Nick Lippis – Co-Founder, Co-Chair ONUG
• Andrii Bezverkhyi – CEO & founder of SOC Prime,
  inventor of Uncoder.IO

 

 Next Steps

• Start by registering for this hackathon at the Azure
  Sentinel Hackathon website and invite your friends to join in the
  fun!
• Build your project by following the Get Started guidance. We have Azure credits for
  eligible participants to help you get started!
• Learn about Azure Sentinel and explore the Azure Sentinel GitHub for
  inspiration.

Let the #AzureSecurityHackathon begin!

 

*No purchase necessary.
Open only to new and existing Devpost users who are the age of majority in
their country. Game ends October 4^th, 2021 at 9:00 AM Pacific Time.
Refer to the official rules for details. 

 

 

Qualcomm has confirmed the bug and fixed the issue and mobile players are notified, according to the researchers.

 

 

 

Title:
Defending against cryptojacking with Microsoft Defender for Endpoint and Intel
TDT
URL: https://www.microsoft.com/security/blog/2021/04/26/defending-against-cryptojacking-with-microsoft-defender-for-endpoint-and-intel-tdt/
Date Published
(MM/dd/YYYY): 04/26/2021
Overview:

With cryptocurrency mining on the rise, Microsoft and Intel have partnered
to deliver threat detection technology to enable EDR capabilities in Microsoft
Defender for Endpoint.

—————————————————————-

Title:
Non-interactive logins: minimizing the blind spot
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/non-interactive-logins-minimizing-the-blind-spot/ba-p/2287932
Published On (MM/dd/yyyy): 04/25/2021
Overview:

Special thanks to   for
collaborating on this blog post with me! 

 

In this blog post, we will review the new Azure Sentinel data streams for
Azure Active Directory non-interactive, service principal, and managed identity
logins. We will also share the new security content we built and updated in the
product, which includes analytics rules for the detection part and workbooks to
assist our customers to deal with this blind spot.

 

The shift to the cloud and the rise of automation tasks and
service-to-service integration have contributed to a dramatic increase in the
use of managed applications, service principals, and managed identities.

These new security objects perform login activity which is not captured in
Azure Active Directory’s traditional sign-in logs.

The updated Azure Active Directory data connector now brings these important
sign-in events into Azure sentinel.

 What are
non-interactive logins?

Non-interactive user sign-ins are sign-ins that were performed by a client
app or an OS component on behalf of a user. Like interactive user sign-ins,
these sign-ins are done on behalf of a user. Unlike interactive user sign-ins,
these sign-ins do not require the user to supply an Authentication factor.
Instead, the device or client app uses a token or code to authenticate or
access a resource on behalf of a user. In general, the user will perceive these
sign-ins as happening in the background of the user’s activity. 

Some activity that is captured in these logs:

• A client app uses an OAuth 2.0 refresh token to get an
  access token.
• A client uses an OAuth 2.0 authorization code to get an
  access token and refresh token.
• A user performs single sign-on (SSO) to a web or
  Windows app on an Azure AD joined PC.
• A user signs in to a second Microsoft Office app while
  they have a session on a mobile device using FOCI (Family of Client IDs).

 

Why is it so
important to monitor and detect activities in this area?

 

Some examples that highlight why it’s so important to collect, and get
visibility into these logs as part of your detections and hunting:

 

1. SolarWinds
   campaign – As part of our learning on the SolarWinds
   campaign investigation, we used these logs in the hunting phase to check
   if the malicious actor used a sensitive app to gain “Data Access”.

 ————————————————————————-

Title:
Best practices for leveraging Microsoft 365 Defender API’s – Episode Two
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820
Published On (YYYY-dd-MM):2021-26-04
Overview:

In the previous episode we provided recommendations about how to use the Microsoft 365 Defender API
and, specifically, how
to optimize the Advanced hunting query.

In this
episode we will demonstrate use cases detailing how to access the API data and use this information in other products. 

One of the most common uses of the API is for visualization in PowerBI. This provides the capability to analyze, visualize, and share
your data with others quickly and easily.

If you are not familiar with PowerBi, we suggest you visit the Microsoft PowerBi web site, and download PowerBI desktop. 

We already documented how to use PowerBI to create custom
reports using  
Microsoft Defender for Endpoint APIs connection to Power BI –
Windows security | Microsoft Docs. 

——————————————————————–

Title:
Best practices for leveraging Microsoft 365 Defender API’s – Episode Three
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2290463
Published On (YYYY-dd-MM):2021-26-04
Overview:

In the previous episode, we
described how you
can easily use PowerBi to represent Microsoft 365
data in a visual format. In this episode, we will explore another way
you can interact with the Microsoft 365 Defender
API. We will describe how to automate
data analysis and hunting using Jupyter notebook.

 Automate your hunting queries 

While hunting and conducting investigations on a
specific threat or IOC, you may want to use multiple queries to obtain wider
optics on the possible threats or IOCs in your network. You
may also want to leverage queries that are used by
other hunters and use it as a pivot point to perform deep
analysis and find anomalous behaviors. You can find a
wide variety of examples in our Git repository where various queries related to
the same campaign or attack technique are shared.  

In scenarios such as this, it is sensible to
leverage the power of automation to run the queries rather than running
individual queries one-by-one.  

This is where Jupyter Notebook is
particularly useful. It takes in a JSON file with hunting queries as input and
executes all the queries in sequence. The results are saved in a
.csv file that you can analyze and share. 

 ————————————————————————

Title:
March Ahead with Azure Purview: Access management in Azure Purview – Part 3
URL: https://techcommunity.microsoft.com/t5/azure-purview/march-ahead-with-azure-purview-access-management-in-azure/ba-p/2262722
Date Published
(MM/dd/YYYY): 04/22/2021
Overview:

Hopefully, you have read my previous blog posts about Azure Purview access
management Part 1 and Part 2 to find about Azure Purview control plane and data
plane roles and tasks. In this post, I will cover the following topic:

 

• Overview of dashboards and roles required to extend
  your M365 Sensitivity Labels to Azure Purview.

 

By extending M365 Sensitivity Labels to Azure Purview you can
automatically assign labels to files and database columns in Azure Purview.

——————————————————————

We have a new Azure Purview bog for your consideration. Please remember that
Azure Purview is a unified data governance service, and security is one of its
pillars.

Title:
Azure Purview resource set pattern rules available in Public Preview
URL: https://techcommunity.microsoft.com/t5/azure-purview/azure-purview-resource-set-pattern-rules-available-in-public/ba-p/2275399
Date Published (MM/dd/YYYY):
04/21/2021
Overview:

​At-scale data
processing systems typically store a single table in a data lake as multiple
files. This concept is represented in Azure Purview by using resource sets. A
resource set is a single object in the data catalog that represents a large
number of assets in storage. To learn more, see the resource set documentation.

 

When scanning a storage account, Azure Purview uses a
set of defined patterns to determine if a group of assets is a resource set. In
some cases, Azure Purview’s resource set grouping may not accurately reflect
your data estate. Resource set pattern rules allow you to customize or override
how Azure Purview detects which assets are grouped as resource sets and how
they are displayed within the catalog.

 

Pattern rules are currently supported in public preview
in the following source types:

• Azure Data Lake Storage Gen2
• Azure Blob Storage
• Azure Files

To learn more on how to create resource set pattern
rules, see our step-by-step
how-to documentation!

———————————————————————–

Title:
eDiscovery in Microsoft 365 One Stop Shop Resource Page
URL: https://techcommunity.microsoft.com/t5/security-compliance-identity/ediscovery-in-microsoft-365-one-stop-shop-resource-page/ba-p/2262529
Date Published
(MM/dd/YYYY): 04/21/2021
Overview:

Welcome to the eDiscovery in Microsoft 365 One Stop Shop Resource
Page!

 

We built this page to help you easily find all relevant content and
resources relating to the compliance solutions in Microsoft 365. Please
bookmark this page for future reference as we will update it on an ongoing
basis.

 

 Original
release date: April 26, 2021

A software supply chain attack—such as the recent SolarWinds Orion
attack—occurs when a cyber threat actor infiltrates a software vendor’s network
and employs malicious code to compromise the software before the vendor sends
it to their customers. The compromised software can then further compromise
customer data or systems.

To help software vendors and customers defend against these attacks, CISA
and the National Institute for Standards and Technology (NIST) have released Defending
Against Software Supply Chain Attacks. This new interagency
resource provides an overview of software supply chain risks and
recommendations. The publication also provides guidance on using NIST’s Cyber
Supply Chain Risk Management (C-SCRM) framework and the Secure Software
Development Framework (SSDF) to identify, assess, and mitigate risks.

CISA encourages users and administrators to review Defending
Against Software Supply Chain Attacks and implement its recommendations.

 

 Forescout Research Labs, partnering with JSOF Research, disclose NAME:WRECK, a set of nine vulnerabilities affecting four popular TCP/IP stacks (FreeBSD, Nucleus NET, IPnet and NetX). These vulnerabilities relate to Domain Name System (DNS) implementations, causing either Denial of Service (DoS) or Remote Code Execution (RCE), allowing attackers to take target devices offline or to take control over them.

The widespread use of these stacks and often external exposure of vulnerable DNS clients lead to a dramatically increased attack surface. This research is further indication that the community should fix DNS problems that we believe are more widespread than what we currently know.

This research uncovered vulnerabilities on very popular stacks:

1. Nucleus NET is part of the Nucleus RTOS. The Nucleus RTOS website mentions that more than 3 billion devices use this real-time operating system, such as ultrasound machines, storage systems, critical systems for avionics and others. The most common device types running Nucleus RTOS include building automation, operational technology and VoIP.

2. FreeBSD is widely known to be used for high-performance servers in millions of IT networks and is also the basis for other well-known open-source projects, such as firewalls and several commercial network appliances. The most common device types on Device Cloud running FreeBSD include computers, printers and networking equipment.

3. NetX is usually run by the ThreadX RTOS. Typical applications include medical devices, systems-on-a-chip and several printer models. ThreadX was known to have 6.2 billion deployments in 2017, with mobile phones (probably in baseband processors), consumer electronics and business automation being the most common product categories. The most common device types running ThreadX include printers, smart clocks and energy and power equipment in Industrial Control Systems.

Organizations in the Healthcare and Government sectors are in the top three most affected for all three stacks. If we conservatively assume that 1% of the more than 10 billion deployments discussed above are vulnerable, we can estimate that at least 100 million devices are impacted by NAME:WRECK.

The details of these vulnerabilities are described in our technical report and will be presented at Black Hat Asia 2021.

Helping the community to fix DNS vulnerabilities

Disclosing these vulnerabilities to vendors provides much-needed information and education on the impacted products and continues the dialogue in the research community:

1. We urge developers of TCP/IP stacks that have yet to be analyzed to take the anti-patterns available in our technical report, check their code for the presence of bugs and fix them. To help with this process, we are releasing open-source code developed for the Joern static analysis tool. This code formalizes the anti-patterns we identified, allowing researchers and developers to automatically analyze other stacks for similar vulnerabilities.

2. We invite researchers, developers and vendors to reach out to us if they are interested in a set of small proof-of-concept crashing network packets for the identified anti-patterns. These packets can be used to automatically test intrusion detection rules.

3. We realized that many vulnerabilities exist because RFC documents are either unclear, ambiguous or too complex. To help prevent such issues from reappearing in the future, we have submitted to the IETF an informational RFC draft where we list the anti-patterns we identified and how to avoid them while implementing a DNS client or server.

Recommended Mitigation

Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks. FreeBSD, Nucleus NET and NetX have been recently patched, and device vendors using this software should provide their own updates to customers.

However, patching devices is not always possible, and the required effort changes drastically depending upon whether the device is a standard IT server or an IoT device.

Given the challenges of patching, we also recommend the following mitigation strategy:

1. Discover and inventory devices running the vulnerable stacks. Forescout Research Labs has released an open-source script that uses active fingerprinting to detect devices running the affected stacks. The script is updated constantly with new signatures to follow the latest development of our research. Forescout customers using eyeSight can also automatically identify devices using FreeBSD, Nucleus RTOS, ThreadX or VxWorks.

2. Enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices. Restrict external communication paths, and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.

3. Monitor progressive patches released by affected device vendors and devise a remediation plan for your vulnerable asset inventory, balancing business risk and business continuity requirements.

4. Configure devices to rely on internal DNS servers as much as possible and closely monitor external DNS traffic since exploitation requires a malicious DNS server to reply with malicious packets.

5. Monitor all network traffic for malicious packets that try to exploit known vulnerabilities or possible 0-days affecting DNS, mDNS and DHCP clients. Anomalous and malformed traffic should be blocked, or its presence should be at least alerted to network operators. To exploit NAME:WRECK vulnerabilities, an attacker should adopt a similar procedure for any TCP/IP stack. This means that the same detection technique used to identify exploitation of NAME:WRECK will also work to detect exploitation on other TCP/IP stacks and products that we could not yet analyze. In addition, Forescout eyeInspect customers that enabled the threat detection SD script delivered as part of AMNESIA:33 can detect exploitation of NAME:WRECK.

For more information, visit our NAME:WRECK resources page

 

Microsoft has released security updates: Exchange Server 2013,  Exchange Server 2016,  Exchange Server 2019

Vulnerabilities addressed in the April 2021 security updates were responsibly reported to Microsoft by a security partner. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.

For additional information, please see the Microsoft Security Response Center (MSRC) blog. More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).

Forr details go here

Released: April 2021 Exchange Server Security Updates – Microsoft Tech Community