Hyperscale ML threat intelligence for early detection & disruption
In today's rapidly evolving cybersecurity landscape, the ability to swiftly identify and mitigate threats is more critical than ever. Attackers are increasingly well-resourced, enabling them to keep adding new components to their toolkits that keep their infrastructure fresh and hard to detect. Traditional labeling methods used to identify and block malicious infrastructure are struggling to keep up. At Microsoft, we recognize the pressing need for innovative solutions that not only keep pace with these threats but stay ahead of them. This past Ignite, we announced Threat Intelligence Tracking via Dynamic Networks (TITAN)—a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. By leveraging real-time ML-driven analytics, TITAN uncovers previously hidden threat actor infrastructure, enabling the disruption capabilities built into our unified security operations platform to detect and stop attacks significantly earlier in the attack chain (Figure 1). The power of machine-scale threat intelligence TITAN represents a new wave of innovation built on Microsoft threat intelligence capabilities, introducing a real-time, adaptive threat intelligence (TI) graph that integrates first and third-party telemetry from the unified security operations platform, Microsoft Defender for Threat Intelligence, Microsoft Defender for Experts, and customer feedback. This graph employs guilt-by-association techniques to propagate known TI labels to unknown neighboring entities (e.g., IP, file, email) at machine scale. By analyzing relationships between entities, TITAN can identify attacker infrastructure before they are leveraged in attacks, providing an invaluable window of opportunity to prevent harm. Figure 1. Architectural overview of TITAN, comprising four key steps: (1) constructing a graph using telemetry from 1 st and 3 rd party detectors in the Unified Security Operations Platform, (2) integrating known threat intelligence from across Microsoft, (3) applying reputation propagation algorithms to classify previously unknown entities as either benign or malicious, and (4) updating the reputation score for each entity in the graph. By leveraging guilt-by-association methods, TITAN can swiftly identify hidden threat actor infrastructure through cross-organizational associations with known malicious entities within the TI graph. Specifically, we employ a semi-supervised label propagation technique that iteratively assigns reputation scores to nodes based on their neighbors’ scores, refining the graph’s score distribution until convergence. These high-confidence entity reputation scores empower the unified security operations platform to implement proactive containment and remediation actions via attack disruption. A key advantage of our constantly evolving threat intelligence is that we can provide clear and explainable reputation scores for each entity by examining the neighboring entities that contribute to the overall score. Preventing attacks before they happen Consider a scenario where TITAN detects unusual activity from a seemingly benign IP address that has connections to known malicious domains. Traditional systems might not flag this IP until after malicious activity is confirmed. However, TITAN's guilt-by-association techniques elevate the reputation score of the IP address, immediately triggering detection and disruption rules that block the threat before any damage occurs. With an impressive average macro-F1 score of 0.89 and a precision-recall AUC of 0.94, TITAN identifies millions of high-risk entities each week, enabling a 6x increase in non-file threat intelligence. Since its deployment, TITAN has reduced the time to disrupt by a factor of 1.9x while maintaining 99% precision, as confirmed by customer feedback and thorough manual evaluation by security experts—ultimately saving customers from costly security breaches. Dynamic threat intelligence graph construction At the heart of TITAN is a dynamic, time-evolving threat intelligence graph that captures complex relationships between millions of interlinked entities, alerts, and incidents. By combining telemetry across both 1 st and 3 rd party sources in the unified security operations platform, TITAN is uniquely positioned for comprehensive view of the threat landscape, essential for early detection and disruption. Key features include: Real-time updates – In cybersecurity, speed is critical. TITAN operates in real-time, with graph creation and reputation propagation algorithms running every hour. This frequency ensures that security teams receive fresh and active threat intelligence, enabling swift and effective responses to emerging threats. The ability to act quickly can mean the difference between thwarting an attack and being breached. Infusing security domain knowledge via edge weights – Edges in the TI graph carry weights that signify the strength or relevance of the relationships between entities. We introduce edge weight decay functions that automatically reduce edge weights based on the time elapsed since the edge was formed. This ensures that newer and more relevant relationships have a greater impact on reputation assessments, aligning the dynamic graph with the real-time nature of security incidents. Pruning outdated nodes and edges – To maintain the relevance and efficiency of the TI graph, we implement pruning mechanisms that remove nodes and edges when their weights fall below certain thresholds. This approach keeps the graph focused on the most current and meaningful connections, ensuring optimal performance. Evolving cybersecurity defense with TI TITAN represents a monumental step forward in the mission to protect organizations from cyber threats. By infusing the power of AI with advanced threat intelligence, we are equipping security teams with the tools they need to stay ahead of the attackers. This is only possible with a unified platform that consolidates threat intelligence across 1 st and 3 rd party workloads and products, organizations benefit not only from streamlining their security operations but also gain deeper insights into potential threats and vulnerabilities. TITAN is just one of the many examples of how powerful bringing together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. Integrating all of this data, advanced analysis, threat intel and automation enables an entirely new era of defense for security teams and we’re so energized by the potential. TITAN is just the start – look forward to new capabilities announced in the coming months. Learn More Check out our resources to learn more about our new approach to AI-driven threat intelligence, and our recent security announcements: See TITAN in action in the session delivered at Ignite Read the full paper on the TITAN architecture Read the Copilot for Security Guided Response paper & blog Read the unified security operations platform GA announcementIntroducing SOC Optimization Recommendations Based on Similar Organizations
One of the key challenges that security teams in modern SOCs regularly face is determining which new data sources to onboard and which detections to activate. This ongoing process takes time and requires constant evaluation of the organization’s assets and the value that the data brings to the SOC. "…determining which logs to ingest for better threat coverage is time-consuming and requires significant effort. I need to spend a long time identifying the appropriate logs..." Elie El Karkafi, Senior Solutions Architect, ampiO Solutions Today, we’re excited to announce the public preview of recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations.Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. We believe that applying insights learned from the actions of organizations with similar profiles can provide great value. Recommendations based on similar organizations use advanced machine learning to suggest which data to ingest, based on organizations with similar ingestion patterns. The recommendations also highlight the security value you can gain by adding the data. They list out-of-the-box rules that are provided by Microsoft research, which you can activate to enhance your coverage. Use the new recommendations to swiftly pinpoint the next recommended data source for ingestion and determine the appropriate detections to apply. This can significantly reduce the time and costs typically associated with research or consulting external experts to gain the insights you need. Recommendations based on similar organizations are now available in the SOC optimization page, in both the Azure portal and the unified security operations platform: - unified security operations platform Use cases Let’s take a tour of the unified security operations platform, stepping into the shoes of a small tech company that benefited from recommendations based on similar organizations during its private preview phase.In the following image, the new recommendation identifies that the AADNonInteractiveUserSignInLogs table is used by organizations similar to theirs: Selecting View details button on the recommendation card allowed them to explore how other organizations use the recommended table. This includes insights into the percentage of organizations using the table for detection and investigation purposes. By selecting See details hyperlink, the SOC engineer was able to explore how coverage could be improved with respect to the MITRE ATT&CK framework, using Microsoft’s out-of-the box rules: By selecting Go to Content hub, the SOC engineer was able to view all the essential data connectors needed to start ingesting the recommended tables. This page also includes a detailed list of out of the box, recommended analytics rules, which can provide immediate value and enhanced protection for your environment: Finally, by following the recommendation, which uses the security practices of similar organizations as a benchmark, the tech company quickly ingested the AADNonInteractiveUserSignInLogs table and activated several recommended analytics rules. Overall, this resulted in improved security coverage, corresponding to the company's specific characteristics and needs. Feedback from private preview: “I think this is a great addition. Like being able to identify tables not being used, it is useful to understand what tables other organizations are utilizing which could reveal things that so far haven't been considered or missed...” Chris Hoard, infinigate.cloud "In my view, those free recommendations are always welcomed and we can justify cost saving and empowering SOC analysts (that we know are more and more difficult to find)." Cyrus Irandoust, IBM “These recommendations will help us to take a look at the left out stuffs” Emmanuel Karunya, KPMG “Nice overview and insights! Love the interface too - nice and easy overview!” Michael Morten Sonne, Microsoft MVP Q&A: Q1: Why don’t I see these recommendations? A: Not all workspaces are eligible for recommendations based on similar organizations. Workspaces only receive these recommendations if the machine learning model identifies significant similarities between your organization and others, and discovers tables that they have but you don’t. If no such similarities are identified, no extra recommendations are provided. You’re more likely to see these recommendations if your SOC is still in its onboarding process, rather than a more mature SOC. Q2: What makes an organization similar to mine? A: Similarity is determined based on ingestion trends, as well as your organization's industry and vertical, when available in our databases. Q3: Is any of my PII being used to make recommendations to other customers? A: No. The recommendations are generated using machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata. Customer log content is never accessed or analyzed, and no customer data, content, or End User Identifiable Information (EUII) is exposed during the analysis process. Microsoft prioritizes customer privacy and ensures that all processes comply with the highest standards of data protection. Looking forward Microsoft continues to use artificial intelligence and machine learning to help our customers defend against evolving threats and provide enhanced protection against cyberattacks. This ongoing innovation is a key part of SOC optimization’s commitment to help you maximize your value from your SIEM & XDR. Learn More: SOC optimization documentation: SOC optimization overview ; Recommendation's logic Short overview and demo: SOC optimization Ninja show In depth webinar: Manage your data, costs and protections with SOC optimization SOC optimization API:Introducing SOC Optimization API | Microsoft Community Hub
Go agentless with Microsoft Sentinel for SAP
What a title during Agentic AI times 😂 Dear community, Bringing SAP workloads under the protection of your SIEM solution is a primary concern for many customers out there. The window for defenders is small “Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.” (SAP SE + Onapsis, Apr 6 2024) Having a turn-key solution as much as possible leads to better adoption of SAP security. Agent-based solutions running in Docker containers, Kubernetes, or other self-hosted environemnts are not for everyone. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Meet agentless ❌🤖 The new integration path leverages SAP Integration Suite to connect Microsoft Sentinel with your SAP systems. The Cloud integration capability of SAP Integration Suite speaks all relevant protocols, has connectivity into all the places where your SAP systems might live, is strategic for most SAP customers, and is fully SAP RISE compatible by design. Are you deployed on SAP Business Technology Platform yet? Simply upload our Sentinel for SAP integration package (see bottom box in below image) to your SAP Cloud Integration instance, configure it for your environment, and off you go. Best of all: The already existing SAP security content (detections, workbooks, and playbooks) in Microsoft Sentinel continues to function the same way as it does for the Docker-based collector agent variant. The integration marks your steppingstone to bring your SAP threat signals into the Unified Security Operations Platform – a combination of Defender XDR and Sentinel – that looks beyond SAP at your whole IT estate. Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4HANA on-premises. So, you are all good to go😎 You are already dockerized or agentless? Then proceed to this post to learn more about what to do once the SAP logs arrived in Sentinel. Final Words During the private preview we saw drastically reduced deployment times for SAP customers being less familiar with Docker, Kubernetes and Linux administration. Cherry on the cake: the network challenges don’t have to be tackled again. The colleagues running your SAP Cloud Connector went through that process a long time ago. SAP Basis rocks 🤘 Get started from here. Find more details on our blog on the SAP Community and latestMicrosoft Learn article. Cheers MartinMonthly news - December 2024
Microsoft Defender XDR Monthly news December 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel Ignite news: What's new in Microsoft Defender XDR? This blog summarizes Ignite news related to Defender XDR. Security Copilot: A game changer for modern SOC We have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. (Preview)Attack pathsin the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, seeattack paths in the attack story. (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, seeExport incident data to PDF. (GA) Thelast update timecolumn in theincident queue is now generally available. (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, seeInvestigate and respond to container threats in the Microsoft Defender portal. (GA) Thearg()operator inadvanced huntingin Microsoft Defender portal is now generally available. Users can now use thearg() operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. (Preview) TheCloudProcessEvents table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. (Preview) Migrating custom detection queries toContinuous (near real-time or NRT) frequencyis now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps inContinuous (NRT) frequency. Ninja Show Episodes: Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Microsoft Sentinel Microsoft Sentinel availability in Microsoft Defender portal! (Preview) Now Microsoft Sentinel is also available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see: Microsoft Sentinel in the Microsoft Defender portal Connect Microsoft Sentinel to the Microsoft Defender portal Upcoming Ninja Show Episode Dec 10, 9AM PT: Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT:Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Vulnerability Management Upcoming webinar Jan 14, 9AM PT: How to Get the Most Out of Microsoft Defender for Vulnerability Management Join us to learn about the Defender Vulnerability Management capabilities, business use cases and best practices to develop and implement posture & risk management in your organization. During this session, the engineering team will guide you through the recent released features and capabilities as well as product vision and roadmap. The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, seeWindows authenticated scan deprecation FAQs. We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, seeKnown issues with data collection. Microsoft Defender for Identity Seamless protection for your on-prem identities with Defender for Identity. This blog summarizes various exciting announcements made at Ignite that simplify how customers deploy and manage their identity threat landscape: One platform, one agent:Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP Easily manage your sensors via API:Automate deployment, configuration and monitoring of sensors in your environment Integrate Privileged Access Management solutions:Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea Ninja Show episode: Microsoft Defender for Identity for Entra Connect In this episode, product experts Lior Shapira and Ayala Ziv explain how Microsoft Defender for Identity sensor for Entra Connect servers enables comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, providing critical insights into potential security threats. Tune in to explore the latest detections and posture recommendations for Entra Connect by learning the importance of protecting hybrid identities and exploring real-world scenarios. Microsoft Security Exposure Management Announcing the General Availability of Microsoft Security Exposure Management! We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. We made enhancements to the Attack path Hybrid attack paths: On-Prem to Cloud DACL-based path analysis to learn more about those, please visit our documentation. External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Learn more on our docs. Discovery sources available in the inventory and attack surface map The Device Inventory and Attack Surface Map now display the data sources for each discovered asset. This feature provides an overview of which tools or products reported each asset, including Microsoft and external connectors like Tenable or ServiceNow CMDB. Learn more on our docs. Microsoft Security Exposure Management is now supported in Microsoft Defender XDR Unified role-based access control (RBAC). Access control to Microsoft Security Exposure Management can now be managed using Microsoft Defender XDR Unified Role-Based Access Control (RBAC) permissions model with dedicated and granular permissions. Learn more on our docs. OT security initiative The new Operational Technology (OT) security initiative equips practitioners with a powerful tool to identify, monitor, and mitigate risks across the OT environment, ensuring both operational reliability and safety. This initiative aims to identify devices across physical sites, assess their associated risks, and provide faster, more effective protection for OT systems. For more information, see,Review security initiatives Content versioning notifications The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs. For more information on exposure insights, seeOverview - Exposure insights Exposure history for metrics User can investigate metric changes by reviewing the asset exposure change details. From the initiative'sHistorytab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time. For more information, see,Reviewing initiative history SaaS security initiative The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture. For more information, see,SaaS security initiative Microsoft Defender for Cloud Apps Secure your SaaS landscape with the latest Defender for Cloud Apps innovations. This blog summarizes the following innovations in Defender for Cloud Apps announced at Ignite to help address these challenges: SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls. Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively. Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience. (Preview) Defender for Cloud Apps support for Graph API Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on theDiscovered appspage, such as applying filters to view specific data. The API supportsGETcapabilities only. For more information, see: Work with discovered apps via Graph API Microsoft Graph API reference for Microsoft Defender for Cloud Apps SaaS Security initiative in Exposure Management Microsoft Security Exposure Managementoffers a focused, metric-driven way of tracking exposure in specific security areas using securityinitiatives. The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations. This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD For more information, seeSaaS security initiative. Internal Session Controls application notice The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. Please ensure there is no CA policy restricting access to this application. For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate. For more information, seeSample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps. (Preview) Visibility into app origin Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. For more information, seedetailed insights into OAuth apps. (Preview) Permissions filter and export capabilities Defender for Cloud Apps users who use app governance can utilize the newPermissionsfilter and export capabilities to quickly identify apps with specific permissions to access Microsoft 365. For more information, seefilters on app governance. (Preview) Visibility into privilege level for popular Microsoft first-party APIs Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. For more information, seeOAuth app permission related details on app governance. (Preview) Granular data usage insights into EWS API access Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API. For more information, seeOAuth app data usage insights on app governance. Microsoft Defender for Endpoint Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights. Intune ending support for Android device administrator on devices with GMS in December 2024. Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access toGoogle Mobile Services(GMS), beginning December 31, 2024. For devices with access to GMS After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. Intune and Defender for Endpoint technical support will no longer support these devices. For more information, seeTech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024.
