Latest Discussions
Azure ATP Webinar Recordings
Below are the links to the Azure ATP webinar recordings.

Time & Date | Topic | Link to the recording
July 15, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Detections part 2 of 2 | MP4, YouTube
June 24, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Unified SecOps Portal | MP4, YouTube
April 29, 8:00 AM PT / 11:00 AM ET / 15:00 UTC | Detections part 1 of 2 | MP4, YouTube

The slide decks can be found in the same folders as the MP4 files at https://aka.ms/SecurityCommunityFiles. You can sign up for forthcoming webinars at https://aka.ms/AATPWebinar.
Ryan Heffernan | Apr 10, 2019 | Microsoft | 17K Views | 26 likes | 15 Comments

Join Our Security Community
We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no barriers between you and the people that create them. That's why we need your participation in our security community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining webinars and calls, or attending in-person events.

Join Us
To join our community, click here, and then click the join button and the heart icons of the groups you are interested in, as pictured below.

Additional Security Groups
Here's a list of other security-related groups you may want to join.
- Azure
- Azure Security Center
- Azure Security and Identity
- Azure Sentinel
- Enterprise Mobility + Security
- Azure Advanced Threat Protection and ATA
- Azure Information Protection
- Microsoft Cloud App Security
- Internet of Things
- Azure Security Center for IoT
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find Us on LinkedIn
We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.

Webinars and Calls
Several of our product teams hold regular webinars or calls where they introduce the product, do a deep dive, preview forthcoming features, gather feedback, and answer questions.
Registration links are posted below:

Product | Next Webinar | Recordings of Past Webinars
Azure Security Center for IoT | 8/5/2019: Introduction | https://aka.ms/ASCIoTRecordings
Azure Advanced Threat Protection | TBD | https://aka.ms/AATPRecordings
Azure Sentinel | TBD | http://aka.ms/AzureSentinelRecordings
Azure Information Protection | TBD | https://aka.ms/AIPRecordings
Microsoft Cloud App Security | TBD | https://aka.ms/MCASRecordings
Security Intelligence Report | TBD | https://aka.ms/SIRRecordings

Customer Advisory Council (CAC)
We periodically select customers to be part of our Customer Advisory Council (CAC). We form a close relationship with these organizations, inviting them to exclusive, in-person events and giving them access to non-public roadmaps and information. CAC members give in-depth feedback on our products and consequently exert a great deal of influence on our plans, priorities, and designs. Part of our criteria for choosing CAC members is how active they are in this community. If you would like to be part of our CAC, join our community, participate heavily, and then reach out to me.

Submit Feature Requests
In addition to engaging us in the ways listed above, you can also submit and vote on feature requests at https://microsoftsecurity.uservoice.com. We hope to hear from you soon!
Ryan Heffernan | Jan 08, 2019 | Microsoft | 33K Views | 21 likes | 12 Comments

Enriched NTLM authentication data using Windows Event 8004
Have you previously experienced NTLM authentication activities that came from unknown devices, such as Workstation or MSTSC? Would you like to discover the actual server being accessed inside the network? This information is now available in Azure ATP!

Starting from Version 2.96, Azure ATP sensors parse Windows event 8004 for NTLM authentications. When NTLM auditing is enabled and Windows event 8004 is logged, Azure ATP sensors now automatically read the event and enrich your NTLM authentication activities display with the accessed server data.

New Resource Access over NTLM activity is now available, showing the source user, source device and the accessed resource: Joye Parsons (1) is accessing CLIENT2 from W10-000100 device over NTLM.

Enriched Failed log on activities providing the destination computer the user attempted, but failed to access: Joye Parsons (1) failing to log on to CLIENT2 from W10-000100 device over NTLM.

In a future release, this data will also be available directly in authentication-based Azure ATP security alerts such as Brute Force and Account Enumeration. Stay tuned for more updates. As always, your feedback and questions are welcome!
Tali Ash | Sep 24, 2019 | Former Employee | 66K Views | 7 likes | 10 Comments

Azure ATP Webinar Recordings
All the recordings of the past webinars have moved to a new location: https://aka.ms/SecurityWebinars
Valon_Kolica | Sep 16, 2019 | Former Employee | 5.4K Views | 6 likes | 6 Comments

API for Defender for Identity Portal
There are several aspects of the Defender for Identity portal that I'd like to be able to monitor/configure. Is there an API for the Portal? For example, I'd like to run a report showing the sensor versions as reported in the Portal or set the user to receive the reports.
Solved | shocko | Feb 03, 2022 | Iron Contributor | 9.6K Views | 5 likes | 17 Comments

Ophir Polotsky | Feb 16, 2017 | Former Employee | 6.6K Views | 4 likes | 3 Comments

Licensing
I have several clients who have purchased thousands of EM+S licenses, but they did not purchase a license for every one of their employees, i.e., they did not purchase licenses for employees that seldom use a computer. What is the appropriate way to use and license ATA in this scenario?
Solved | Dean_Gross | Feb 08, 2017 | Silver Contributor | 18K Views | 4 likes | 7 Comments

Welcome to the ATA TechCommunity!!!
Hi,

My name is Michael Dubinsky and I lead the product and security research teams for Microsoft ATA. I'm super excited to start the TechCommunity for ATA. Working together with each and every one of our customers, partners and the entire community is what helps and drives us to build the future of security! We're here to answer questions, listen to your feedback (good & bad) and share existing news directly with you. I'm really looking forward to making this the home for ATA community!

Michael.
Michael Dubinsky | Feb 02, 2017 | Former Employee | 3.3K Views | 4 likes | 4 Comments

Upcoming Webinar Series: ITDR
Update: the recordings of the webinar series ITDR can be found here, please scroll down to "MICROSOFT DEFENDER XDR"

The Microsoft POC as a Service (POCaaS) Program is a unique service available to our customers to help evaluate and try out our security offerings, we deliver these on a regular basis to customers around the world. They provide a fully managed test environment where customers can get hands-on experience with some of our core security products. Namely, Microsoft Defender for Identity, Defender for Endpoint, Defender for Cloud Apps, Defender for Office 365, and Sentinel. In addition to the hands-on elements of the service, one of our subject matter experts delivers a deep dive workshop for the relevant service showcasing its end-to-end capability and providing full education on the product.

With this, we are thrilled to announce a new webinar series where we will take the workshop materials from each of our POCaaS programs, share best practices and provide education on each of the products we cover.

What to Expect
The webinar series will take the educational content from our POC offerings and condense into multipart 1-hour webinars. We will start with a four-part webinar series with Chris Ayres to guide you through ITDR, Identity Threat Detection and Response.

Session 1: ITDR Introduction and Prevention Capabilities | April 23, 09:00 AM PST
Hear Microsoft's Incident Detection and Response (ITDR) story and understand its critical role in today's dynamic threat landscape. Explore the significance of prevention and adaptive controls.

Session 2: Detection | April 24, 09:00 AM PST
Discuss the imperative need for robust detection capabilities against advanced identity attacks, whether identities reside on-premises, in hybrid environments, or in the cloud, and discover the comprehensive solutions Microsoft offers to safeguard your entire identity estate effectively.

Session 3: Investigation and Hunting | April 30, 09:00 AM PST
Learn to empower your SOC with deep visibility into identity entities, context, and telemetry and understand how this capability streamlines efficient investigation and incident triage.

Session 4: Response | May 1, 09:00 AM PST
Gain insights into native response capabilities seamlessly integrated into the SOC workflow. Learn how to leverage them to effectively respond to identity-related attacks and remediate issues within your environment. We will finish off with a short view on how you can best evaluate the products.

Save the Date
Reserve your spot for any session or the entire series on the Microsoft Security webinars page: Microsoft Sentinel & Defender XDR Security Public Webinars

Don't miss this opportunity to learn directly from our experts and have your questions addressed. We look forward to your participation!
2.1K Views | 4 likes | 2 Comments

Honeytoken alerts FP
Hi!

We do have a lot of "Honeytoken activity" since 23.11.2022 starting in the evening (MET timezone). Normally, in the past this kind of alert only appeared during planned penetration tests and the alert was accurate. But right now, we do have honeytoken activity from around 185 sources (clients) with sam-r queries so far, counting! It seems to be a bug and we will wait for the next releases from Defender for Identity, so far we couldn't find a cause which makes sense that this alert keeps being triggered... (meaning no signs of a real attack, no idea what update or other config changes could have started this behaviour)

Maybe someone else experiences the same right now, this is meant as an information...

BR
DefenderAdmin | Nov 30, 2022 | Brass Contributor | 34K Views | 4 likes | 31 Comments