Things from Me
Happy Friday everyone!
Welcome to the Latest Edition of Our Cybersecurity Newsletter!
In this issue, we delve into the evolving landscape of cybersecurity, exploring proactive strategies and innovative tools designed to keep your digital environment secure. From the importance of moving away from API keys to the foundations of proactive cybersecurity, we've got insights that will empower you to stay ahead of threats.
Highlights of This Issue:
API Keys: A Security Risk? Discover why it's time to transition away from API keys and embrace more secure authentication methods.
Proactive Cybersecurity: Learn about threat hunting and why a proactive stance is crucial in today's cyber threat environment.
Stay tuned for our expert interviews, tech community discussions, and the latest updates on Microsoft Sentinel, Defender for Cloud, and other cutting-edge security solutions.
…
One personal note, I mentioned a couple issues back about some upcoming new fiction books of mine. For those looking for some material for mental recess, both are now available for pre-order.
https://www.amazon.com/author/rodtrent
…
Talk soon.
-Rod
Things that are Related
Let's move away from API keys! - What's the problem with using API keys? API keys feel great to use, right? You get your key, you talk to the API, you're productive, happy days. From a developer standpoint it's surely a great experience: it's fast, it just works. There is a security downside though, or several…
The Foundations of Proactive Cybersecurity - Traditional reactive approaches often fall short against sophisticated threats. Malicious actors continuously refine their tactics, rendering signature-based detection methods increasingly ineffective. This predicament has given rise to a proactive security paradigm known as threat hunting, an indispensable strategy for fortifying organizational defenses.
Things to Watch/Listen To
Things in Techcommunity
MDE deployment with Intune and SCCM client - We want to deploy MDE with Intune. All devices have the SCCM client installed and configured. In this scenario, is enabling co-management a must?
Sentinel Solution Deployment via GitHub - Over the past couple years I have been working exclusively with LogRhythm and while I have deployed Sentinel a few times in the past, I have never attempted to do so using GitHub Actions. I seem to be relatively close to getting it deployed but have been struggling for the last couple days and have been unable to find (or overlooked) documentation to guide me in the right direction, so I thought I'd reach out to find out if anyone can help me out.
Defender for Cloud Things
Enable Microsoft Defender for SQL servers on machines at scale - You can now enable Microsoft Defender for SQL servers on machines at scale. This feature allows you to enable Microsoft Defender for SQL on multiple servers at once, saving time and effort. Learn how to enable Microsoft Defender for SQL servers on machines at scale.
Defender for Cloud Apps Things
Large scale export of Activity logs (Preview) - A new user experience dedicated to giving users the option to export from the “activity log” page up to six months back or up to 100K events. You can filter the results using the time range and various other filters, and even hide private activities. For more information, see Export activities six months back.
Copilot for Security Things
Copilot Collage: Using Copilot to Build Better Prompts for Copilot for Security - The search engine era defined how we search and research information. But it also inhibited our creativity and our ability to ask informed, fully formed questions. Instead of asking for exactly what we want, search engines forced us to work the way they do. We’d use as few search terms as possible - almost like archaic caveman, guttural phrases - and then have to manually filter through ads, unrelated content, and bad links in the search page results.
Microsoft Copilot for Security Now Covered by HIPAA Business Associate Agreement (BAA) - We are pleased to announce that Microsoft Copilot for Security is now listed and covered by a Business Associate Agreement (BAA), which is crucial for healthcare providers subject to Health Insurance Portability and Accountability Act (HIPAA) regulations. This ensures that all Protected Health Information (PHI) managed by Copilot for Security receives the highest levels of security and confidentiality. Healthcare providers can confidently integrate Copilot for Security into their operations, knowing it meets HIPAA's rigorous PHI protection requirements.
Microsoft Sentinel Things
Sentinel-Auxiliary-Logs-Tools - Everything you need to get started with Auxiliary logs in Sentinel. This template deploys almost everything you need to get started with Auxiliary logs in Sentinel using the AMA.
Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications - The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities; as an end user, you want to be notified when a new vulnerability is added. This blog describes four different solutions in Microsoft Sentinel to automate the notification process, leaving you with the important task of analyzing the new threat.
New Auxiliary logs retention plan (Preview) - The new Auxiliary logs retention plan for Log Analytics tables allows you to ingest large quantities of high-volume logs with supplemental value for security at a much lower cost. Auxiliary logs are available with interactive retention for 30 days, in which you can run simple, single-table queries on them, such as to summarize and aggregate the data. Following that 30-day period, auxiliary log data goes to long-term retention, which you can define for up to 12 years, at ultra-low cost. This plan also allows you to run search jobs on the data in long-term retention, extracting only the records you want to a new table that you can treat like a regular Log Analytics table, with full query capabilities.
To learn more about Auxiliary logs and compare with Analytics logs, see Log retention plans in Microsoft Sentinel.
For more in-depth information about the different log management plans, see Table plans in the Azure Monitor Logs overview article from the Azure Monitor documentation.
Create summary rules in Microsoft Sentinel for large sets of data (Preview) - Microsoft Sentinel now provides the ability to create dynamic summaries using Azure Monitor summary rules, which aggregate large sets of data in the background for a smoother security operations experience across all log tiers.
Access summary rule results via Kusto Query Language (KQL) across detection, investigation, hunting, and reporting activities.
Run high performance Kusto Query Language (KQL) queries on summarized data.
Use summary rule results for longer in investigations, hunting, and compliance activities.
For more information, see Aggregate Microsoft Sentinel data with summary rules.
Defender XDR Things
BIG NOTE: To ensure a smooth experience while navigating the Microsoft Defender portal, configure your network firewall by adding the appropriate addresses to your allow list. For more information, see Network firewall configuration for Microsoft Defender XDR.
Using Defender XDR Portal to hunt for Kubernetes security issues - As we saw in the previous article, the binary drift alert gives you information about where the activity happened, such as the object namespace, image, cluster, etc. This might or might not be enough information for you to act on. Say you want to identify “how” this drift came to be; for example, did a user log on to the container and download the binary in question? To supplement the information provided by the alert, we can then use the Defender XDR portal (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal)
Microsoft Purview Things
eDiscovery launches a modern, intuitive user experience - The new eDiscovery experience is exclusively available in the Microsoft Purview portal. The new Microsoft Purview portal is a unified platform that streamlines data governance, data security, and data compliance across your entire data estate. It offers a more intuitive experience, allowing users to easily navigate and manage their compliance needs.
Defender Vulnerability Management
Enhancing vulnerability prioritization with asset context and EPSS - Now in Public Preview - We are excited to announce the addition of three crucial factors to our prioritization process in Microsoft Defender Vulnerability Management, aimed at improving accuracy and efficiency. These factors include:
Information about critical assets (defined in Microsoft Security Exposure Management)
Information about internet-facing devices
Exploit Prediction Scoring System (EPSS) score
Microsoft Entra Things
Mandatory Microsoft Entra multifactor authentication (MFA) - Microsoft Entra ID - At Microsoft, we're committed to providing our customers with the highest level of security. That's why, starting in 2024, we'll enforce mandatory multifactor authentication (MFA) for all Azure sign-in attempts. This topic covers which applications are affected and how to prepare for mandatory MFA.
Face Check is now generally available - Earlier this year we announced the public preview of Face Check with Microsoft Entra Verified ID – a privacy-respecting facial matching feature for high-assurance identity verifications and the first premium capability of Microsoft Entra Verified ID. Today I’m excited to announce that Face Check with Microsoft Entra Verified ID is generally available. It is offered both by itself and as part of the Microsoft Entra Suite, a complete identity solution that delivers Zero Trust access by combining network access, identity protection, governance, and identity verification capabilities.
Updates to Microsoft Copilot to bring enterprise data protection to more organizations - Next month, we are making several updates to the free Microsoft Copilot service for users with a Microsoft Entra account to enhance data security, privacy, and compliance and simplify the user experience. For users signed in with an Entra account, Microsoft Copilot will offer enterprise data protection (EDP) and redirect users to a new simplified, ad-free user interface designed for work and education.