Microsoft Sentinel

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following: reply to this thread with what was your favorite feature Javier presented? Oh, and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

MITRE ATT&CK Coverage
Morning from the UK! I am trying to better understand how Defender / Sentinel protect against the MITRE ATT&CK framework. I am particularly interested in mapping to the tactics / techniques that tools such as Bloodhound and PingCastle highlight for Active Directory / Azure Active Directory, but am struggling to see what is available in the product and what is still on the roadmap: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html In terms of what coverage exists within a tenant, I know there are improvements planned in the roadmap to the current MITRE coverage in Microsoft Sentinel, but is there any way that I could use a Graph query to get what is currently covered?

Unable to apply ASR rules for Windows servers (2012 R2, 2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into Microsoft Defender for Endpoint via the unified solution (I am not using MMA or AMA). All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managed through SCCM and I could deploy the Antimalware policy to all servers. Still, I am unable to deploy ASR rules to the onboarded servers; I have tried manually configuring the rules on the servers. Still, when I run the Get-MpPreference PowerShell command there are blank fields for the ASR components. Any solution for this? Note: These servers are not joined to AAD.

Monitoring copied files on external drive - USB
Hello guys, I struggle to find a way in Defender for EPP or other solutions to monitor when a user copies files to an external peripheral such as a hard drive or USB. Does someone have the procedure or documentation? NOTE: The Defender timeline can see when a user is plugging in a USB stick, but that's... Thanks!

KQL to get user reported emails?
Hi all, I'm looking for a KQL query to pull back email report submissions / user reported emails. Is this possible? MS pull this data into a 365 security report: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#user-reported-messages-report I'm looking to retrieve the same data. Thanks

Microsoft Azure and Microsoft 365 Security - my defense in depth strategy!
Dear Microsoft Azure and Microsoft 365 security friends,

Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking. These are the first sentences I always hear when it comes to IT (cloud) security. But the attacker is also interested in a small company, and that is to use their systems as a bot. It's not always about money and data. What about the reputation a company has to lose? It takes years to build a good reputation but only one event to damage it. What about the employees, the trust in the company? Do you want to put this at risk as a company? I don't think so!

Yes! Extended protection mechanisms always cost extra, I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security.

Let's start with my IT/cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here.

We start with Microsoft 365. As a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center. https://security.microsoft.com/threatpolicy The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center.

Multi-factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). Azure Active Directory helps you integrate this protection. https://portal.azure.com

If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help. Here you can set up data loss prevention policies, audits, eDiscovery and much more. https://compliance.microsoft.com/homepage

In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM). https://endpoint.microsoft.com/

Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect shadow IT, and control how your data travels. https://portal.cloudappsecurity.com/ The Cloud App Security Portal provides you with the best possible support. Here you can allow or sanction cloud apps, configure anti-ransomware policies, data loss prevention policies and much more.

Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud, with an interface to the Cloud App Security Portal. https://yourtenant.atp.azure.com/timeline

No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it for your needs. https://portal.azure.com

With Azure Identity Protection you have a tool that allows organizations to accomplish three key tasks:
1. Automate the detection and remediation of identity-based risks.
2. Investigate risks using data in the portal.
3. Export risk detection data to third-party utilities for further analysis.
https://portal.azure.com

Just-in-time access for administrators is also possible for virtual machines with Just-in-time VM Access. In Microsoft Defender for Cloud you can configure this feature (and much more).

Microsoft Sentinel helps you keep track of the health of your organization. A SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel.

There is still so much to show; I wasn't talking about Role Based Access Control (RBAC) now, or Network Security Groups (NSG), etc. I know some of you are thinking, hey, there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization.

Thank you for taking the time to read this article.

Kind regards, Tom Wechsler

MITRE ATT&CK Technique Coverage
Hi all, I have been mapping our capabilities to the ATT&CK framework to be able to display coverage and where hot spots may exist. I am having a very difficult time finding any reference to what techniques 365 Defender covers. Does anyone know of a way to get this list from the console? I can export the alerts that have fired, but I'm looking for a list of all that "could" fire, if that makes sense. Thanks

Avoiding duplicates in Sentinel when connecting M365 Defender
Hi, according to the documentation here: Microsoft 365 Defender integration with Microsoft Sentinel | Microsoft Learn. To avoid duplicates in incident creation, it's recommended to "turn off all Microsoft incident creation rules for Microsoft 365 Defender-integrated products". Does that mean the Analytics rules shown in the image? Am I correct in this assumption? With those disabled (and the M365 Defender connector enabled), I'll get the incidents coming from all products through M365 Defender and not miss anything without getting duplicates? Thank you in advance. Andrés.