Things from Me
Happy Friday, folks!
Thanks so much for welcoming this newsletter into your inbox weekly. And, for those who aren’t inbox readers and just read it on the web, welcome back to you, too!
If you find this newsletter interesting, share it with someone. Helping us grow this community through your sharing efforts could also net you new and lasting connections. It’s a great way to build friendships!
…
While I don’t have any new book news this week like I’ve had the past couple issues (my latest fiction book releases on August 2nd), I do have some news about a recent book I helped write, The Definitive Guide to KQL from Microsoft Press. I wanted to make you aware that my co-authors and I are guesting on the weekly security show that I host.
If you’re available to join live on Monday, it will be worth your while, as we will be giving away a couple of books during the show. Here are the details…
July 22, 2024 - Episode 219 - The Definitive Guide to KQL - 5PM EST - Join us this episode as we welcome the authors of The Definitive Guide to KQL from Microsoft Press, Mark Morowczynski, Matthew Zorich, and Rod Trent. Learn about the writing process. Hear how this book was put together, why it’s such an important release, and learn how this is not just a book, but a community collaboration. It takes a village. P.S. We'll be giving away 2 copies of the book to the live stream audience.
Just now hearing that I host a weekly show?? The long-running show is hugely popular. Each week my colleagues and I talk with Microsoft people, partners, MVPs, and industry leaders. The show streams live at 5pm on Mondays and is then available for replay directly after. You can find the podcast version of the show on all podcast networks.
The show stays booked for months out. Check out our schedule and earmark an episode to join our audience: https://www.microsoftsecurityinsights.com/p/show-schedule
…
That’s it from me.
Talk soon.
-Rod
Things to Attend
Learning Defender XDR group - This learning group will be using Ru Campbell and Viktor Hedberg’s Mastering Microsoft 365 Defender book as a framework for learning and exploring subject areas encompassing Defender XDR with the M365 Business Premium license. Over the course of six months, starting in August, we’ll be meeting every other week on Thursdays for 10 sessions to discuss chapter content, test configurations and deployments, and work in our lab tenant(s). The sessions will be recorded, and we may build some shared best practice guides and SOPs as an outgrowth of our work together. The instructors will facilitate the learning sessions and will provide supplemental resources to help us go deeper into the content. Each group is limited to about 15 participants.
Zero Trust in the Age of AI - Wednesday, July 31, 2024 10:00 AM–11:00 AM Pacific Time - Cybercriminals have embraced emerging technologies like AI as quickly as the rest of the world. In today’s rapidly evolving threat landscape, your Zero Trust strategy has become more essential than ever.
Things to Watch/Listen To
Things in Techcommunity
Defender advanced hunting, data-grant from Defender for Servers licensing. - When configuring Defender for Servers P2 in Defender for Cloud it states that you would be granted a 500 MB per day free ingestion to a log analytics workspace, such as in Sentinel. However, when looking into the supported data sources I do not find the advanced hunting data that would be my first go-to data source when setting up Sentinel, how come?
Things that are Related
AzMMARemoval.ps1 - This script cycles through Virtual Machines that have the MMA agent installed and, if a VM also has the AMA agent installed, removes MMA from it.
Copilot for Security Things
If you're able to attend when the AI Tour heads your way this fall, I want to personally invite you to join us. The Copilot for Security session will be lots of fun.
The session demo files are being built out here: https://aka.ms/CfSAITour
Keep up to date on all the Copilot for Security information (including updates on the AI Tour) by subscribing to THE PROMPT bi-weekly newsletter.
Microsoft Sentinel Things
Use Cases Mapper - Sentinel workbook & watchlists - This Sentinel workbook and the complementary resources (watchlists) are used to map common Use Cases to the MITRE ATT&CK framework, i.e. the tactics and techniques listed there. This gives you a quick overview of the analysis options available in Sentinel (e.g. Analytic Rules & Hunting Queries) according to these Use Cases.
Defender for Cloud Things
Microsoft Power BI and Microsoft Defender for Cloud - This article is the first in a series of correlated blogs that will explore scenarios and applicability in depth. As an introduction to the series, this article provides the foundation on how to start leveraging Power BI to report and dashboard MDC insights.
Defender for Endpoint Things
New: Microsoft Defender for Endpoint: Removing a recommendation to update Microsoft Secure Score - Microsoft is updating Microsoft Defender for Endpoint to better reflect security posture by removing the recommendation in SCID-2051. The rollout begins in mid-July 2024 and completes by mid-August 2024, requiring no admin action but suggesting user notification and documentation updates.
Defender XDR Things
Make OT security a core part of your SOC strategy with Microsoft Defender XDR - The convergence of Operational Technology (OT) and Information Technology (IT) has disrupted industries across the globe. However, today’s threat landscape, coupled with the developing force of AI, has introduced new security challenges—particularly in the realm of industrial processes and critical infrastructure. As a follow-up to our announcement at RSA in April, we take a closer look at how security teams can utilize Microsoft Defender XDR to protect OT environments from emerging threats and ensure their safety, productivity, and reliability.
Defender for Cloud Apps Things
The Files page in Microsoft Defender for Cloud Apps will be retired on September 1, 2024. Users should use the Policy Management page for creating, modifying, and exploring Information Protection policies and malware files. This change affects users currently utilizing the Files page.
Microsoft Purview Things
Microsoft reports 200% monthly growth for new data governance solution - The release comes amid surging demand for robust data governance tools, with Microsoft reporting a 200% month-over-month growth in adoption of Purview. This rapid uptake underscores the urgency many organizations face in securing and managing their data assets, particularly as they explore generative AI technologies.
Microsoft Purview integrates with ChatGPT Enterprise Compliance API to support compliance - Our goal is to deliver a comprehensive security platform that offers multi-cloud and multi-platform support. And extensibility plays a key part in our strategy to provide security for all leading generative AI applications. Today, we are excited to integrate some of our Microsoft Purview discovery and governance capabilities with OpenAI’s ChatGPT Enterprise Compliance API in private preview.
Microsoft Entra Things
Securing identity: Exploring application types and authentication flows - Building on the foundation laid out in part one, this blog post delves deeper into the world of application types and authentication flows. Our focus is on helping you navigate the complexities of securing applications through the proper implementation of authentication frameworks. Understanding these different types of authentication flows, how they work, and when to use them is essential for protecting user data and ensuring a seamless user experience.
Microsoft Entra Roles & Application Access - Application Administrator Role & Cloud Application Administrator Role - As Entra ID administrators, we are well aware of the risks associated with user accounts with the 'keys to the kingdom' when assigned the Global Administrator role or one of the other service administrator roles. However, it's equally important to remember that applications and the users delegated to manage these applications are also at risk, and we must remain vigilant to protect them.