New Microsoft Security Features & Highlights of the last 8 Weeks, ish!
A Dive into Recent Updates from the Microsoft Ecosystem! It's been a while!
Hello everyone! It's been a whirlwind couple of months for me both professionally, and in the world of Microsoft's evolving ecosystem. My time has been monopolized by a few intense clients, which explains the radio silence on my blog. I am happy to be back (For a while at least), and what better way to reconnect than with a roundup of the latest and greatest from Microsoft?
In the past two months, we've seen some exciting developments and releases in the Microsoft world that have caught my attention. (There’s nothing like seeing a new feature or update that would have saved you hours or enhanced a piece of work previously!)
Here’s a quick overview of what’s new, bits I’ve experimented with, and what I’m now very eager to dive into:
Microsoft Copilot for Security Ninja Training
How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training - It is super important to take the time to understand the architecture of how Copilot for Security works, from RBAC management to response architecture and effective promptbook engineering! A future blog post will cover specific items such as cost management, MSSP use of Security Copilot and real-world use cases! Check out my Security Copilot resources post.
Aside from the additional Ninja Training Module there is now a New Revamped Microsoft Certification Poster! - Always a great one to share and highlight the various learning paths towards becoming an expert!
Microsoft Copilot for Security Plugin Overviews
New documentation updates cover these plugins in detail. Once you have completed the Ninja training, the plugin detail is well worth understanding, based on the products you are utilizing!
macOS - Platform Single Sign-On
Platform SSO for macOS is available in public preview with Microsoft Entra ID.
See my Blog Post on Setting up Platform SSO for macOS - TBC
Data connectors for Syslog and CEF based on Azure Monitor Agent now generally available (GA)
Microsoft Sentinel has released two more data connectors based on the Azure Monitor Agent (AMA) to general availability. You can now use these connectors to deploy Data Collection Rules (DCRs) to Azure Monitor Agent-installed machines to collect Syslog messages, including those in Common Event Format (CEF).
Introducing a generic way to ingest DCR-based logs into Sentinel custom/basic table: https://lnkd.in/d7Tj3K3c
Filter & Split Firewall/CEF logs into multiple Sentinel tables (analytics/basic tier) to save in ingestion costs: https://lnkd.in/duRg3eMY
Sentinel TableCreator PowerShell tool in GitHub: https://lnkd.in/d85-6mdk
To learn more about the Syslog and CEF connectors, see Ingest Syslog and CEF logs with the Azure Monitor Agent.
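To make the DCR part concrete, here is a small Python example I have added to this post (it is my own, not Microsoft's code or part of the connector): it builds the JSON body of a Syslog or CEF data collection rule in the published Azure Monitor DCR layout and then checks the one thing that most often silently breaks collection, a dataFlow that names a stream or a destination the rule never declares. The workspace resource id, the "la-sentinel" destination name and the facility/level choices are assumed placeholders you would replace.

```python
"""Build and sanity-check an Azure Monitor Data Collection Rule (DCR) that tells
the Azure Monitor Agent to forward Syslog, or CEF-over-Syslog, to the Log
Analytics workspace behind Microsoft Sentinel.

Added example: the JSON layout follows the published DCR resource schema; the
workspace id, destination name and facilities are assumed placeholders."""
import json

# Constructed placeholder; replace with your workspace's ARM resource id.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights"
                "/workspaces/law-sentinel")

# Stream names used by the AMA connectors: plain Syslog lands in the Syslog
# table, CEF lands in CommonSecurityLog.
STREAMS = {"syslog": "Microsoft-Syslog", "cef": "Microsoft-CommonSecurityLog"}
# Syslog severities in DCR spelling, lowest to highest.
VALID_LEVELS = ["Debug", "Info", "Notice", "Warning", "Error",
                "Critical", "Alert", "Emergency"]


def build_dcr(location, facilities, min_level, kind="syslog", dest_name="la-sentinel"):
    """Return a DCR body collecting `facilities` at `min_level` and above."""
    if kind not in STREAMS:
        raise ValueError(f"unknown kind {kind!r}")
    if min_level not in VALID_LEVELS:
        raise ValueError(f"unknown log level {min_level!r}")
    levels = VALID_LEVELS[VALID_LEVELS.index(min_level):]
    stream = STREAMS[kind]
    return {
        "location": location,
        "kind": "Linux",
        "properties": {
            "dataSources": {"syslog": [{
                "name": f"{kind}DataSource",
                "streams": [stream],
                "facilityNames": list(facilities),
                "logLevels": levels,
            }]},
            "destinations": {"logAnalytics": [{
                "workspaceResourceId": WORKSPACE_ID,
                "name": dest_name,
            }]},
            # The dataFlow is what actually wires source stream to destination.
            "dataFlows": [{"streams": [stream], "destinations": [dest_name]}],
        },
    }


def check_dcr(dcr):
    """Return a list of problems. A dataFlow that references an undeclared stream
    or destination deploys without error but forwards nothing."""
    props = dcr["properties"]
    declared_streams = {s for ds in props["dataSources"].get("syslog", [])
                        for s in ds["streams"]}
    dest_names = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    problems = []
    flows = props.get("dataFlows", [])
    if not flows:
        problems.append("no dataFlows: nothing will be forwarded")
    for i, flow in enumerate(flows):
        for s in flow["streams"]:
            if s not in declared_streams:
                problems.append(f"dataFlow[{i}] uses undeclared stream {s}")
        for d in flow["destinations"]:
            if d not in dest_names:
                problems.append(f"dataFlow[{i}] targets unknown destination {d}")
    return problems


if __name__ == "__main__":
    cef_rule = build_dcr("uksouth", ["local4"], "Info", kind="cef")
    print(json.dumps(cef_rule, indent=2))
    print("problems:", check_dcr(cef_rule))
```

The generated body is the same shape the Sentinel connector page produces for you; if you prefer the CLI, save it to a file and pass it to `az monitor data-collection rule create --rule-file`, then associate the rule with your AMA forwarder machine.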
AWS Logs to Microsoft Sentinel via S3 Bucket
How to connect to AWS resources to ingest their logs into Microsoft Sentinel using the new S3 based connector! The new Microsoft Sentinel AWS S3 connector can ingest logs from a range of AWS services, such as Amazon Virtual Private Cloud (VPC), Amazon GuardDuty, AWS CloudTrail, and AWS CloudWatch.
The AWS service logs are collected in AWS S3 (Simple Storage Service) buckets, which act as secure repositories for storing various types of objects within the AWS Cloud.
Microsoft notes that administrators can choose to either use a PowerShell script or manually configure the AWS S3 connector.
SOC optimization
Security operations center (SOC) teams constantly seek ways to enhance processes and outcomes, tailored to their unique security challenges and evolving threat landscapes. Microsoft Sentinel’s new SOC Optimization experience and API, now in public preview, provides security teams with personalized, actionable recommendations, ensuring optimal investment and security coverage.
This new feature / tool leverages Microsoft’s advanced research to adapt daily, addressing gaps in data utilization and attack detection, available via Azure portal and a unified security operations platform.
SOC Optimization offers two key types of recommendations: data value optimizations, providing insights and actionable steps to improve data utilization and cost-efficiency; and threat-based optimizations, adding security controls to address specific threats using the MITRE ATT&CK framework.
Integrated seamlessly, these recommendations help SOC teams enhance security without manual effort. An API extends these capabilities, allowing automation and integration with existing systems to manage security operations efficiently across multiple workspaces and tenants.
This comprehensive approach helps maintain a balance between cost and security, ensuring defenses are robust and up-to-date against threats like Business Email Compromise and Human Operated Ransomware.
New SIEM migration experience
Big news for those managing security information and event management (SIEM) systems who are thinking about switching but dread the complexity and cost: this might be what you've been waiting for.
Microsoft's latest update targets those looking to migrate from Splunk to Microsoft Sentinel. Whether you use Splunk Enterprise or Splunk Cloud, this tool supports you. The migration tool is now generally available (GA) and focuses on transferring Splunk detections to Microsoft Sentinel as analytics rules. These are based on simple, single-table queries that use Splunk’s Common Information Model (CIM).
The migration tool isn't just about moving data from one place to another. It includes several features to enhance the process:
Built-in Editor: Before you finalize your migration, you can use the built-in editor to tweak the queries. This helps ensure that they perform as expected in their new environment.
Migration Success Levels: You can see how well each detection has been transferred. The tool categorizes detections into Fully Translated, Partially Translated, Not Translated, and Manually Translated states. This helps you understand what needs more attention.
Ready to make the switch? Here’s how to begin:
Prepare Your Data: First, ensure you have admin access to your Splunk system. Export all your alerts into a JSON file.
Set Up Microsoft Sentinel: Install and configure the necessary data connectors and parsers from Microsoft Sentinel’s content hub.
Upload and Configure: Upload your JSON file to Microsoft Sentinel and start configuring your rules based on the migration analysis.
Future Enhancements
Microsoft isn't stopping here. They plan to expand this tool’s capabilities, including better translation support, the ability to handle more complex queries, and more. This is just the start, and the aim is to make SIEM migrations as painless as possible.
General Availability - Microsoft Graph activity logs
Microsoft Graph activity logs are now generally available! Microsoft Graph activity logs give you visibility into HTTP requests made to the Microsoft Graph service in your tenant. With rapidly growing security threats and an increasing number of attacks, this log data source allows you to perform security analysis, threat hunting, and application activity monitoring in your tenant. For more information, see: Access Microsoft Graph activity logs.
This also now means you can hunt for Compromised or Malicious applications in your tenant! Compromised and malicious applications investigation
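Now that the table is GA, here is an added Python example (mine, not taken from Microsoft's investigation guide) of the kind of hunt you can run over records shaped like MicrosoftGraphActivityLogs: per application it counts mailboxes read, writes to application, service principal and consent objects, distinct source IPs, and denied calls. The rows, app labels and IPs are constructed, the column names mirror the Sentinel table, and the thresholds are assumed starting points you would tune to your own tenant.

```python
"""Heuristic hunt over records shaped like the MicrosoftGraphActivityLogs table.

Added example: rows are constructed, column names mirror the Sentinel table,
thresholds are assumed starting points rather than Microsoft guidance."""
import re
from collections import defaultdict

# Constructed sample rows (a subset of the table's columns). IPs are from the
# RFC 5737 documentation ranges; app ids and UPNs are made-up labels.
G = "https://graph.microsoft.com/v1.0"
SAMPLE_LOGS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "AppId": "app-hr-sync", "IPAddress": "203.0.113.10",
     "RequestMethod": "GET", "RequestUri": f"{G}/users?$select=id,mail", "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "AppId": "app-hr-sync", "IPAddress": "203.0.113.10",
     "RequestMethod": "GET", "RequestUri": f"{G}/groups", "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T02:11:00Z", "AppId": "app-suspect", "IPAddress": "198.51.100.7",
     "RequestMethod": "GET", "RequestUri": f"{G}/users/alice@contoso.example/messages?$top=50",
     "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T02:12:00Z", "AppId": "app-suspect", "IPAddress": "198.51.100.7",
     "RequestMethod": "GET", "RequestUri": f"{G}/users/bob@contoso.example/mailFolders/inbox/messages",
     "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T02:13:00Z", "AppId": "app-suspect", "IPAddress": "198.51.100.8",
     "RequestMethod": "GET", "RequestUri": f"{G}/users/carol@contoso.example/messages",
     "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T02:20:00Z", "AppId": "app-suspect", "IPAddress": "198.51.100.8",
     "RequestMethod": "POST", "RequestUri": f"{G}/servicePrincipals/sp-placeholder-id/appRoleAssignedTo",
     "ResponseStatusCode": 201},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "AppId": "app-probe", "IPAddress": "192.0.2.5",
     "RequestMethod": "GET", "RequestUri": f"{G}/security/alerts_v2", "ResponseStatusCode": 403},
    {"TimeGenerated": "2024-05-01T09:00:05Z", "AppId": "app-probe", "IPAddress": "192.0.2.5",
     "RequestMethod": "GET", "RequestUri": f"{G}/auditLogs/directoryAudits", "ResponseStatusCode": 403},
    {"TimeGenerated": "2024-05-01T09:00:10Z", "AppId": "app-probe", "IPAddress": "192.0.2.5",
     "RequestMethod": "GET", "RequestUri": f"{G}/users", "ResponseStatusCode": 403},
    {"TimeGenerated": "2024-05-01T09:00:15Z", "AppId": "app-probe", "IPAddress": "192.0.2.5",
     "RequestMethod": "GET", "RequestUri": f"{G}/me", "ResponseStatusCode": 200},
]

# Mailbox reads: capture whose mailbox was touched.
MAILBOX_RE = re.compile(r"/users/([^/?]+)/(messages|mailFolders)")
# Objects whose modification hands an attacker persistence in the tenant.
DIRECTORY_RE = re.compile(r"/(applications|servicePrincipals|oauth2PermissionGrants)(/|$|\?)")
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}


def hunt(logs, min_mailboxes=3, min_ips=2, min_denied=3):
    """Return {AppId: [finding, ...]} for applications that trip any heuristic."""
    stats = defaultdict(lambda: {"ips": set(), "mailboxes": set(),
                                 "dir_writes": 0, "denied": 0, "total": 0})
    for row in logs:
        s = stats[row["AppId"]]
        s["total"] += 1
        s["ips"].add(row["IPAddress"])
        uri = row["RequestUri"]
        m = MAILBOX_RE.search(uri)
        if m:
            s["mailboxes"].add(m.group(1).lower())
        if DIRECTORY_RE.search(uri) and row["RequestMethod"] in WRITE_METHODS:
            s["dir_writes"] += 1
        if row["ResponseStatusCode"] in (401, 403):
            s["denied"] += 1

    findings = {}
    for app, s in stats.items():
        notes = []
        if len(s["mailboxes"]) >= min_mailboxes:
            notes.append(f"read mail from {len(s['mailboxes'])} mailboxes")
        if s["dir_writes"]:
            notes.append(f"{s['dir_writes']} write(s) to application/servicePrincipal/consent objects")
        if len(s["ips"]) >= min_ips:
            notes.append(f"calls from {len(s['ips'])} distinct source IPs")
        # A run of 401/403s that dominates an app's traffic looks like permission probing.
        if s["denied"] >= min_denied and s["denied"] / s["total"] > 0.5:
            notes.append(f"{s['denied']} of {s['total']} calls denied (possible permission probing)")
        if notes:
            findings[app] = notes
    return findings


if __name__ == "__main__":
    for app, notes in hunt(SAMPLE_LOGS).items():
        print(app)
        for note in notes:
            print("  -", note)
```

In the workspace itself the same idea is a summarize by AppId over RequestUri, RequestMethod, ResponseStatusCode and IPAddress; the Python version just lets you prove the logic on known rows before you commit it to KQL, and it assumes the diagnostic setting routing Graph activity logs to your workspace is already in place.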
Microsoft Defender Threat Intelligence (MDTI) Ninja training update!
Microsoft Defender Threat Intelligence (MDTI) level 400 training - Updated April 24
Azure Arc site manager
Azure Arc site manager allows you to manage and monitor your on-premises environments as Azure Arc sites. Arc sites are scoped to an Azure resource group or subscription and enable you to track connectivity, alerts, and updates across your environment. The experience is tailored for on-premises scenarios where infrastructure is often managed within a common physical boundary, such as a store, restaurant, or factory.
Azure Arc Site Manager Now in Public Preview!
This tool is designed for those managing solutions on the adaptive cloud who need a clear view of their resources based on physical locations like stores and factories. With Site Manager, you can create Arc sites representing your on-premises environments and access centralized monitoring across your edge infrastructure.
Navigate to Site Manager within Azure Arc and begin creating sites on a resource group or subscription level. It currently supports Azure Stack HCI, Azure Arc-enabled servers & VMs, Kubernetes, and Azure IoT Operations assets.
Once your site is up, you’ll have access to aggregated connectivity, alerts, and updates. Access automatic connectivity status for supported resources, update status via Azure Update Manager, and alerts through Azure Monitor.
Coming Soon:
Ability to create sites on a subset of resources in multiple resource groups and/or subscriptions.
Support for more resource types, including Arc-enabled SQL servers, Arc-enabled VMware vSphere, and some cloud resources.
Expansion to security and health monitoring
Azure Arc Jumpstart
Azure Arc Jumpstart has been launched with detailed guides, automation and code samples: everything you need to get going with Azure Arc onboarding quickly!
Updated Defender XDR Graphic!
Professional Updates
On a personal note, the last eight weeks have been intense but rewarding. Working with large complex clients has not only kept me busy but also pushed boundaries and enhanced my skills. This period of intensity has been challenging but extremely fruitful, reaffirming my passion for what I do.
Looking Ahead
As we move forward, I plan to share more detailed blogs on each new feature and insight from the Microsoft ecosystem. I’m excited to dive deeper and bring you along on this journey of discovery and learning through the rest of 2024!
InfoSec 24, anyone?
Stay tuned for more updates and thank you for sticking around during my brief absence. Your support means a lot to me, and I look forward to engaging with anyone in the UK at InfoSec 2024 in London.
#MicrosoftSecurity
#MicrosoftLearn
#CyberSecurity
#MicrosoftSecurityCopilot
#Microsoft
#MSPartnerUK
#msftadvocate