Security, Compliance, and Identity topics Tue, 26 Oct 2021 12:14:35 GMT SecurityandCompliance 2021-10-26T12:14:35Z New Blog Post | We’re Excited to Announce the Launch of Comms Hub! <P><SPAN><A href="#" target="_blank" rel="noopener">We’re Excited to Announce the Launch of Comms Hub! – Microsoft Security Response Center</A></SPAN></P> <P><SPAN>We are excited to announce the launch of Comms Hub in the Researcher Portal submission experience! With this launch, security researchers will be able to streamline communication with MSRC case SPMs (case managers), attach additional files, and track case and bug bounty status, all in the Researcher Portal.</SPAN></P> Mon, 25 Oct 2021 20:07:08 GMT AshleyMartin 2021-10-25T20:07:08Z New Blog Post | Microsoft Digital Defense Report shares new insights on nation-state attacks <P><A href="#" target="_blank" rel="noopener">Microsoft Digital Defense Report shares new insights on nation-state attacks - Microsoft Security Blog</A></P> <P><SPAN>Microsoft is proud to promote&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Cybersecurity Awareness Month</A><SPAN>&nbsp;as part of our ongoing commitment to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">security for all</A><SPAN>. Year-round, Microsoft tracks nation-state threat activities to help protect organizations and individuals from these advanced persistent actors. 
We’re constantly improving our capabilities to bring better detections, threat context, and actor knowledge to our customers so they can improve their own defenses. To learn more about how Microsoft responds to nation-state attacks and how to defend your organization, watch the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Decoding NOBELIUM docuseries</A><SPAN>. Hear directly from the frontline defenders who helped protect organizations against the most sophisticated attack in history.</SPAN></P> Mon, 25 Oct 2021 19:37:31 GMT AshleyMartin 2021-10-25T19:37:31Z New Blog Post | NOBELIUM targeting delegated administrative privileges to facilitate broader attacks <P><A href="#" target="_blank" rel="noopener">NOBELIUM targeting delegated administrative privileges to facilitate broader attacks - Microsoft Security Blog</A></P> <P><SPAN>The Microsoft Threat Intelligence Center (MSTIC) has&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">detected nation-state activity</A><SPAN>&nbsp;associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as “service providers” for the rest of this blog) that have been granted administrative or privileged access by other organizations. The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve. 
NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach. Microsoft has notified known victims of these activities through our nation-state notification process and worked with them and other industry partners to expand our investigation, resulting in new insights and disruption of the threat actor throughout the stages of this campaign.</SPAN></P> Mon, 25 Oct 2021 19:27:27 GMT AshleyMartin 2021-10-25T19:27:27Z New Blog Post | Govern multi-cloud sources with Azure Purview <P><A href="" target="_blank" rel="noopener">Govern multi-cloud sources with Azure Purview - Microsoft Tech Community</A></P> <P><SPAN>Do you store your organizational data in multiple clouds? Azure Purview offers a unified solution to discover and govern your organizational data residing across different clouds. You can now explore your data and discover sensitive data across your data estate, including both Azure storage services and Amazon S3 buckets, in one centralized place.</SPAN></P> Mon, 25 Oct 2021 19:21:58 GMT AshleyMartin 2021-10-25T19:21:58Z No verification e-mail when I add an alias to my account <P class="">Hi,</P><P>I am trying to set up a third-party e-mail alias on my Microsoft account. I am able to add it, but I do not get a security verification e-mail to verify my account or when I try to make it primary.</P><P class="">I can receive mails from Microsoft, no issues with the spam filter on that side. It simply does not send the verification e-mail. 
I have been trying for several days now, but I do not have a clue why this is broken.</P><P>Does anybody know what could be the issue? I see a lot of topics on the internet related to this problem, but not a clear fix for it.</P><P class="">Thanks</P> Sat, 23 Oct 2021 17:36:15 GMT Robbin Nollen 2021-10-23T17:36:15Z A bug in the sign-in with Security Key option for M365 <P>1. Register a pair of keys in M365.</P><P>2. On a PC you are presented with an option to sign in with a security key!</P><P>3. On a Mac you are presented with an option to sign in with a security key!</P><P>4. On ChromeOS you are not presented with that option.</P><P><SPAN>ChromeOS supports FIDO2 and it works on many other sites.&nbsp; It is only M365 that has this issue.&nbsp; As a Partner I reached out to Microsoft support, who said Microsoft has dropped all support for ChromeOS.&nbsp; I do not expect to run Word on a Chromebook, but I can run the web version of any of Microsoft's tools on a Chromebook.&nbsp; Why, then, can I not have the same level of security on my account that I could if I was accessing the site on a PC or Mac?</SPAN></P><P><SPAN>Microsoft should fix this bug if they really care about the security of their customers' accounts, no matter how they access the site.</SPAN></P> Fri, 22 Oct 2021 00:15:10 GMT TrustSDS_Dave 2021-10-22T00:15:10Z AnyTech 365 Intelliguard for Windows 10 <P>Newbie here.&nbsp; This is my first post, so I hope I'm in the right place.</P><P>Does anyone know anything about an IT management firm called AnyTech 365?&nbsp; They appear to have a suite of PC protection services and represent the Panda anti-virus suite, though they also have their own version.&nbsp; They also offer what they proclaim to be an AI-based protection service called IntelliGuard.</P><P>I am using Panda, and somehow they found out about issues which compromised my 
computer and offered their services to get my computer.&nbsp; I was desperate and (probably foolishly) paid several hundred dollars for a 3-year services contract and to get my computer working again.&nbsp; They called recently to see how things were going and to offer to replace Panda w/ their own version.</P><P>I couldn't find them listed on the Better Business Bureau though they appear to be a legit multi-national software/services company.&nbsp; I would appreciate any insights/experience anyone has with them.&nbsp; Thanks!</P> Thu, 21 Oct 2021 22:32:55 GMT DocSavage 2021-10-21T22:32:55Z New Blog Post | Defenders wanted—building the new cybersecurity professionals <P><SPAN><A href="#" target="_blank" rel="noopener">Defenders wanted—building the new cybersecurity professionals - Microsoft Security Blog</A></SPAN></P> <P><SPAN>As part of&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Cybersecurity Awareness Month</A><SPAN>, we published a special blog post earlier this week featuring real-world experiences shared by cybersecurity professionals: people with diverse backgrounds in law, academia, software development, and other seemingly unrelated fields. 
This topic is near and dear to my heart because I truly believe that diversity—</SPAN><WBR /><SPAN>people with diverse skills, backgrounds, cultures, and life experiences—</SPAN><WBR /><SPAN>is the key element for making the next generation of cybersecurity professionals even more effective.</SPAN></P> Thu, 21 Oct 2021 19:33:05 GMT AshleyMartin 2021-10-21T19:33:05Z New Blog Post | What’s New: Azure Security Benchmark Workbook (Preview) <P><A href="" target="_blank" rel="noopener">What’s New: Azure Security Benchmark Workbook (Preview)</A></P> <P><SPAN>The Azure Security Benchmark (ASB) Workbook provides a single pane of glass for gathering and managing data to address ASB control requirements. The power of this workbook lies in its ability to aggregate data from 25+ Microsoft security products and to apply these insights to the relevant controls in the ASB framework. 
Rather than separately interfacing with Azure Security Center, Azure Sentinel, Azure Resource Graph, Azure Active Directory, Microsoft Defender for Endpoint, and additional products to understand compliance posture, the Azure Security Benchmark Workbook centralizes the relevant data within the context of the ASB controls.</SPAN></P> Thu, 21 Oct 2021 19:30:26 GMT AshleyMartin 2021-10-21T19:30:26Z New Blog Post | Franken-phish: TodayZoo built from other phishing kits <P><A href="#" target="_blank" rel="noopener">Franken-phish: TodayZoo built from other phishing kits - Microsoft Security Blog</A></P> <P class="">A phishing kit built from pieces of code copied from other kits, some of which are available for sale through publicly accessible scam sellers while others are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent harvested credentials to a set of endpoints operated by the attackers.</P> <P>We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones. 
The copied code segments even retain the comment markers, dead links, and other holdovers from the previous kits.</P> Thu, 21 Oct 2021 19:27:19 GMT AshleyMartin 2021-10-21T19:27:19Z New Blog Post | Azure Defender for Servers Monitoring Dashboard <P><A href="" target="_blank" rel="noopener">Azure Defender for Servers Monitoring Dashboard - Microsoft Tech Community</A></P> <P>Azure Security Center uses the Log Analytics agent to scan operating systems for misconfigurations and to gather evidence of malicious behavior so that security alerts can be created. It shows the “<A title="Azure Security Center recommendations reference" href="#" target="_blank" rel="noopener noreferrer">Log Analytics agent should be installed on ...</A>” recommendation when a server does not have the agent installed, but there is no warning when an agent has <EM>stopped reporting</EM> to its Log Analytics workspace. In addition, you will see the “Azure Defender for Servers should be enabled” recommendation if you have not switched the plan on.</P> <P>From a CSPM (Cloud Security Posture Management) perspective it makes sense to show only the agent installation status, because agent health is an operations concern rather than environment hardening. SOC teams, however, have asked for a way to see at a glance which machines are “securely monitored”, meaning that all three of the following conditions hold:</P> <OL> <LI>the machine is protected by Azure Defender for Servers, which means that the plan has been enabled on the machine’s subscription</LI> <LI>the Log Analytics agent has been installed and is connected to a workspace which has Azure Defender 
for Servers enabled</LI> <LI>the agent is properly reporting</LI> </OL> Thu, 21 Oct 2021 19:22:20 GMT AshleyMartin 2021-10-21T19:22:20Z New Blog Post | How Microsoft is partnering with vendors to provide Zero Trust solutions <P><A href="#" target="_blank" rel="noopener">How Microsoft is partnering with vendors to provide Zero Trust solutions - Microsoft Security Blog</A></P> <P>As workplaces around the world embrace hybrid work,<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Zero Trust</A><SPAN>&nbsp;</SPAN>provides the guiding strategy that keeps companies secure. However, no two organizations are alike. The Zero Trust journey will look unique for every organization that implements it. This means we must work together to create solutions that support the varied workplaces that exist today.</P> <P>At Microsoft, our mission is to create an amazing Zero Trust platform that protects our customers no matter what solutions they use. We realize that our customers use products that work well for them, and so we strive to meet them where they are. 
Our solutions are from Microsoft, but not just for Microsoft.</P> Thu, 21 Oct 2021 19:19:14 GMT AshleyMartin 2021-10-21T19:19:14Z New Blog Post | New Microsoft Sysmon report in VirusTotal improves security <P><A href="#" target="_blank" rel="noopener">New Microsoft Sysmon report in VirusTotal improves security - Microsoft Security Blog</A></P> <P class="x-hidden-focus">Today, following the 25th anniversary of<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Microsoft Sysinternals</A>, we are announcing the general availability of a new Microsoft Sysmon report in&nbsp;<A href="#" target="_blank" rel="noopener">VirusTotal</A>.</P> <P class="x-hidden-focus">Whether you’re an IT professional or a developer, you’re probably already using Microsoft Sysinternals utilities to help you manage, troubleshoot, and diagnose your Windows systems and applications. The powerful logging capabilities of Sysinternals utilities have become indispensable for defenders as well, enabling security analytics and advanced detections. 
The System Monitor (Sysmon) utility, which records detailed information on the system’s activities in the Windows event log, is often used by security products to identify malicious activity.</P> Wed, 20 Oct 2021 20:41:30 GMT AshleyMartin 2021-10-20T20:41:30Z New Blog Post | Announcing Adaptive Policy Scopes for Microsoft 365 Records Management <P><A href="" target="_blank" rel="noopener">Announcing Adaptive Policy Scopes for Microsoft 365 Records Management</A></P> <P>Microsoft Information Governance helps organizations classify and govern data at scale. It retains data and manages records where users collaborate, without disrupting productivity. Microsoft Information Governance allows organizations to keep what they need and delete what they do not need.</P> <P><SPAN>We are excited to announce adaptive policy scopes, which add a new way to deploy retention in Microsoft 365. With this new feature, you can deploy retention policies and labels to groups of users, SharePoint sites and Microsoft 365 Groups (including Microsoft Teams) dynamically, using attributes and properties to determine inclusion in or exclusion from the policies.</SPAN></P> <P>Adaptive policy scopes also work within our Microsoft Records Management solution. 
Before we dive into the announcement, let us set some context by looking at how retention works today.</P> Wed, 20 Oct 2021 18:34:44 GMT AshleyMartin 2021-10-20T18:34:44Z New Blog Post | Govern your entire data estate with Azure Purview <P><A href="" target="_blank" rel="noopener">Govern your entire data estate with Azure Purview - Microsoft Tech Community</A></P> <P><SPAN>Azure Purview allows users to bring in metadata from various data sources. Purview supports Microsoft sources such as Azure Blob, ADLS Gen2, Power BI, on-prem SQL Server and Azure Synapse, along with non-Microsoft sources such as Oracle, Teradata, SAP S/4HANA, SAP ECC, Google BigQuery, Hive Metastore and Cassandra. It does not stop here—there are more on-premises, cloud, and SaaS sources coming soon.</SPAN></P> Wed, 20 Oct 2021 18:21:29 GMT AshleyMartin 2021-10-20T18:21:29Z Auto label (Sensitivity) all documents in a SharePoint library <P>The way I understand Auto-labeling policies in M365 Compliance is that you need to create a rule based on documents that either contain an Info Type or are shared.</P><P>I simply want to label all documents in a SharePoint library (no exceptions).</P><P>The below PowerShell command I tried from <A href="#" target="_self">this article</A> has been running in simulation mode for three days now with zero results:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WarrenGibbs_0-1634714634180.png" style="width: 999px;"><img src=";px=999" role="button" title="WarrenGibbs_0-1634714634180.png" alt="WarrenGibbs_0-1634714634180.png" /></span></P><P>Am I missing 
something?</P><P>Thanks</P> Wed, 20 Oct 2021 07:28:30 GMT WarrenGibbs 2021-10-20T07:28:30Z Upcoming Security, Compliance, and Identity Training and Certification webinars - join to learn more! <P>On October 20th and 21st, we have 3 Training Partner webinars focused on Cloud Security with Microsoft speakers! Sign up now!</P> <UL> <LI><STRONG>October 20th: 8AM PT / 11AM ET</STRONG>:&nbsp;Learning Tree International, in partnership with Microsoft, is launching a <EM>Women In Technology</EM> series starting with a Security, Compliance and Identity certifications webinar to help you navigate the four Microsoft SCI tracks and advance your security skills according to your current job role, or the job role you wish to achieve.&nbsp;For registration details, and all future Women In Tech events, visit the <A href="#" target="_blank">Learning Tree website</A>.</LI> <LI><STRONG>October 20th: 10AM PT / 1PM ET</STRONG>: United Training, in partnership with Microsoft Principal Cloud Architect Kailash Sawant, will be discussing the current state of cybersecurity in the cloud and what you can do to best prepare your cloud environment. <A href="#" target="_blank">Register here</A>.</LI> <LI><STRONG>October 21st: 9AM PT / 12PM ET</STRONG>: Global Knowledge is offering a webinar focused on Microsoft Security, Compliance, and Identity (SCI). 
You’ll learn more about the complete portfolio of associate training and certification for Microsoft Security and how it’s designed to meet industry and market needs with the roles, skills, and capabilities needed for the job, including specializations, hands-on experience, and practice requirements.&nbsp;<A href="#" target="_blank">Register now</A>.</LI> </UL> Tue, 19 Oct 2021 18:10:51 GMT debbieuttecht 2021-10-19T18:10:51Z New Blog Post | What’s New: Azure Sentinel Threat Intelligence Workbook <P><A href="" target="_blank" rel="noopener">What’s New: Azure Sentinel Threat Intelligence Workbook</A></P> <P><SPAN>Customers exploring threat intelligence indicators in their cloud workloads today face challenges understanding, aggregating, and acting on data across multiple sources. Threat intelligence is an advanced cybersecurity discipline requiring detailed knowledge of how to identify and respond to an attacker based on observation of indicators in the various stages of the attack cycle. Azure Sentinel is a cloud-native SIEM solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and threat intelligence sharing communities. Azure Sentinel supports open standards, bringing in feeds from Threat Intelligence Platforms (TIPs) over STIX and TAXII. 
Microsoft has released the next evolution of threat hunting capabilities in the Azure Sentinel Threat Intelligence Workbook.</SPAN></P> Tue, 19 Oct 2021 16:30:15 GMT JasonCohen1892 2021-10-19T16:30:15Z New Blog Post | MITRE ATT&CK technique coverage with Sysmon for Linux <P><A href="" target="_blank" rel="noopener">MITRE ATT&amp;CK technique coverage with Sysmon for Linux - Microsoft Tech Community</A></P> <P>In this blog, we will focus on the Ingress Tool Transfer technique (<A href="#" target="_blank" rel="nofollow noopener noreferrer">ID T1105</A>) and highlight a couple of the Sysmon events that can be used to see it. We regularly observe this technique being used against Linux systems and sensor networks, and while we have tools to alert on this activity, it is still a good idea to ensure you have visibility into the host so you can investigate attacks. To look at this technique, we will show how to enable collection of three useful events, what those events look like when they fire, and how they can help you understand what happened. 
Additionally, we will show what those events look like in Azure Sentinel.</P> Tue, 19 Oct 2021 16:26:43 GMT JasonCohen1892 2021-10-19T16:26:43Z New Blog Post | Expanding Microsoft 365 Privacy Management with API Ecosystem and Extensibility <P><A href="" target="_blank" rel="noopener">Expanding Microsoft 365 Privacy Management with API Ecosystem and Extensibility</A></P> <P>Data privacy regulations such as GDPR or the California Consumer Privacy Act (CCPA) grant consumers the right to know the specific pieces of data that organizations have collected about them. Research shows that 64% of companies handle subject requests manually, 25% have a partially automated process, and only 1% have automated their response. Microsoft’s Privacy Management solution helps organizations automate and manage subject requests at scale. Customers are looking to solve for data privacy needs across their entire data landscape, including Microsoft 365 data.</P> <P>To enable our customers to meet their data privacy requirements beyond Microsoft 365, we are building extensibility into our Privacy Management platform. 
Today we are excited to announce the general availability (GA) of the Privacy APIs as well as built-in integration with Power Automate workflows for the following key scenarios:</P> <UL> <LI><STRONG>Integrate subject rights requests</STRONG><SPAN>&nbsp;</SPAN>with in-house or partner-built privacy solutions</LI> <LI><STRONG>Automate privacy workflows</STRONG><SPAN>&nbsp;</SPAN>to create calendar reminders, search files with specific tags, and track subject requests in ServiceNow</LI> </UL> Tue, 19 Oct 2021 16:21:54 GMT JasonCohen1892 2021-10-19T16:21:54Z New Blog Post | Announcing general availability of Privacy Management for Microsoft 365 <P><A href="" target="_blank" rel="noopener">Announcing general availability of Privacy Management for Microsoft 365 - Microsoft Tech Community</A></P> <P>We have heard from our customers that managing the complexity of data privacy is challenging, and often a manual process. 
To help, we are excited to announce the general availability of Privacy Management for Microsoft 365, enabling customers to safeguard personal data and build a privacy-resilient workplace.</P> <P>Privacy Management for Microsoft 365 allows organizations to:</P> <UL> <LI>Identify critical privacy risks and conflicts</LI> <LI>Automate privacy operations and respond to subject rights requests</LI> <LI>Empower employees to make smart data handling decisions</LI> </UL> Tue, 19 Oct 2021 16:18:58 GMT JasonCohen1892 2021-10-19T16:18:58Z New Blog Post | Simplifying the complex: Introducing Privacy Management for Microsoft 365 <P><A href="#" target="_blank" rel="noopener">Simplifying the complex: Introducing Privacy Management for Microsoft 365 - Microsoft Security Blog</A></P> <P>With the latest regulation going into effect soon in China, most of the world’s population will soon have its personal data covered under modern privacy regulations. But how organizations manage their regulatory responsibilities with all those laws in mind is often manual, time-consuming, and expensive.</P> <P>Today, we are excited to announce that<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Privacy Management for<SPAN>&nbsp;</SPAN><SPAN class="brand">Microsoft 365</SPAN></A><SPAN>&nbsp;</SPAN>is generally available to help customers safeguard personal data and build a privacy-resilient workplace. 
With role-based access controls and data de-identified by default, Privacy Management for<SPAN>&nbsp;</SPAN><SPAN class="brand">Microsoft 365</SPAN><SPAN>&nbsp;</SPAN>gives organizations end-to-end visibility of privacy risks at scale in an automated way.</P> Tue, 19 Oct 2021 16:16:00 GMT JasonCohen1892 2021-10-19T16:16:00Z New Blog Post | Microsoft achieves a Leader placement in Forrester Wave for XDR <P><A href="#" target="_blank" rel="noopener">Microsoft achieves a Leader placement in Forrester Wave for XDR - Microsoft Security Blog</A></P> <P class="x-hidden-focus">We are excited to share that Microsoft has been named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR), Q4 2021, receiving one of the highest scores in the strategy category.<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><STRONG>Microsoft 365 Defender</STRONG></A><SPAN>&nbsp;</SPAN>was rated “differentiated” in seven criteria, including detection, investigation and response, and remediation.</P> <P>Forrester notes that “there is a deep divide in the XDR market between those far along the path and those just starting to deliver on the vision of XDR,” and that mature providers “combine the best elements of their portfolios, including industry-leading products, to simplify incident response and build targeted, high-efficacy detections.”</P> Mon, 18 Oct 2021 19:19:23 GMT JasonCohen1892 2021-10-18T19:19:23Z New Blog Post | New High Impact Scenarios and Awards for the Azure Bounty Program <P><A href="#" target="_blank" rel="noopener">New High Impact Scenarios and Awards for the Azure Bounty Program – Microsoft Security Response Center</A></P> <P><SPAN>Microsoft is excited to announce new&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Azure Bounty Program</A><SPAN>&nbsp;awards of up to $60,000 to encourage and reward vulnerability research focused on the highest potential impact to customer security. These increased awards are part of our ongoing investment in partnership with the security research community, and an important part of Microsoft’s holistic approach to defending against security threats.</SPAN></P> Mon, 18 Oct 2021 17:23:15 GMT JasonCohen1892 2021-10-18T17:23:15Z New Blog Post | Get career advice from 7 inspiring leaders in cybersecurity <P><A href="#" target="_blank" rel="noopener">Get career advice from 7 inspiring leaders in cybersecurity - Microsoft Security Blog</A></P> <P><SPAN>As part of&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Cybersecurity Awareness Month</A><SPAN>&nbsp;and this week’s theme on cybersecurity careers, we are focusing this blog on top experts in the industry who share insights on their careers in cybersecurity. In this post, we’ve asked seven cybersecurity leaders six questions about their career experiences to help you navigate and grow your career in the industry and foster new talent. 
Be sure to also check out our career guidance and </SPAN><A href="#" target="_blank" rel="noopener">educational resources</A><SPAN> to help you navigate your cybersecurity career.</SPAN></P> Mon, 18 Oct 2021 16:37:07 GMT JasonCohen1892 2021-10-18T16:37:07Z AAD Just in time/JIT for Local Administrator group on workstations <P>Sorry if this is the wrong forum; happy to move to the correct one if required.</P><P>Hi! I'm looking to remove all users from having Local Administrator (a hangover from an Azure join) on their workstations. Some users do still require/demand this and I have to be able to cater for this so that the business buys into the change.</P><P>My thoughts are to purchase AAD P2 licenses and just use Just In Time to grant access to an Azure group that will be within the workstation 'administrators' group. Is this something that anyone has had experience of/has read a blog about/a question that has already been asked and answered, please?</P> Mon, 18 Oct 2021 09:17:40 GMT Tim_Earp 2021-10-18T09:17:40Z Alert when Sensitivity Label is changed <P>We have successfully rolled out Unified Sensitivity Labels across our organization. All users and admins subscribe to M365 E3.</P><P>I would like to create an alert email which fires when a Sensitivity Label is replaced with a lower-order label on any document or email. Ideally the alert should be sent to designated admins as well as the end user who first created the document or email.</P><P>The Activity Explorer logs such events, but I am struggling to find a way to create an alert.</P><P>Power Automate has an <A href="#" target="_self">M365 Compliance connector</A> but does not offer the triggers I need.</P><P>Insider Risk Management 'appears' to offer what I want - but wanted to check if other options exist before upgrading subscriptions.</P><P>Thanks</P><P>Warren.</P> Sun, 17 Oct 2021 14:13:05 GMT 
WarrenGibbs 2021-10-17T14:13:05Z New Blog Post | Congratulations to the Top MSRC 2021 Q3 Security Researchers! <P><A href="#" target="_blank" rel="noopener">Congratulations to the Top MSRC 2021 Q3 Security Researchers! – Microsoft Security Response Center</A></P> <P>Congratulations to all the researchers recognized in this quarter’s <A href="#" target="_blank" rel="noopener noreferrer">MSRC Researcher Recognition Program</A> leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.</P> <P>The top three researchers of the 2021 Q3 Security Researcher Leaderboard are: <STRONG>BugHunter010 (840 points)</STRONG>, <STRONG>Callum Carney (828 points)</STRONG>, and <STRONG>Nir Ohfeld (525 points)</STRONG>!</P> Fri, 15 Oct 2021 15:42:54 GMT JasonCohen1892 2021-10-15T15:42:54Z New Blog Post | A Quick Guide on Using Sysmon for Linux in Azure Sentinel <P><A href="" target="_blank" rel="noopener">A Quick Guide on Using Sysmon for Linux in Azure Sentinel - Microsoft Tech Community</A></P> <P><SPAN>Today, Linux is one of the fastest growing platforms on Azure. Linux-based images form over 60% of Azure Marketplace images. 
With Azure's support of common Linux distributions growing every day, the sophistication of cyber-attacks targeting Linux continues to grow.</SPAN></P> <P><SPAN>As part of the <A href="" target="_blank" rel="noopener">Sysinternals 25th anniversary</A>, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that helps with providing details on process creations, network connections, file creations and deletions, among other things. Sysmon for Linux is based on eBPF (Extended Berkeley Packet Filter) technology targeted at in-kernel monitoring without making any changes to the kernel source code.</SPAN></P> <P><SPAN>By collecting the events it generates using Azure Sentinel and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.</SPAN></P> <P><SPAN>Sysmon for Linux can be used to analyze pre-compromise and post-compromise activity, and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections this helps detect the 
end-to-end attacker activity.</SPAN></P> <P><SPAN>In this blog post we will be taking a quick look at the different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel.</SPAN></P> Fri, 15 Oct 2021 15:38:38 GMT JasonCohen1892 2021-10-15T15:38:38Z New Blog Post | Automating the deployment of Sysmon for Linux & Azure Sentinel in a lab environment <P><A href="" target="_blank" rel="noopener">Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪 - Microsoft Tech Community</A></P> <P><SPAN>Today, we celebrate <A href="" target="_blank" rel="noopener">25 years of Sysinternals</A>, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing <STRONG>Sysmon for Linux</STRONG>, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and sending them to Syslog for easy consumption. Sysmon 
for Linux is built on a library also released today named <A href="#" target="_blank" rel="noopener noreferrer">sysinternalsEBPF</A>, which is built on </SPAN><A href="#" target="_blank" rel="noopener noreferrer">libbpf</A><SPAN> and includes a library of eBPF inline functions used as helpers.</SPAN></P> <P><SPAN>In this post, we will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured, to take it for a drive and explore it.</SPAN></P> Thu, 14 Oct 2021 19:16:16 GMT JasonCohen1892 2021-10-14T19:16:16Z New Blog Post | archTIS and Microsoft: Zero Trust information security for Microsoft Teams <P><A href="#" target="_blank" rel="noopener">archTIS and Microsoft: Zero Trust information security for Microsoft Teams - Microsoft Security Blog</A></P> <P><A href="#" target="_blank" rel="noopener">Microsoft Teams</A> has seen a surge in growth during the pandemic with over 115 million daily active users and growing. With it, the customer imperative for enabling safe and trustworthy online collaboration has also increased significantly. 
The speed and simplicity with which Teams business users create new teams and channels demands that IT and security groups have the advanced tools and controls they might need to ensure business-critical information is properly protected.</P> <P><A href="#" target="_blank" rel="noopener">archTIS’ NC Protect</A> has integrated with <A href="#" target="_blank" rel="noopener">Microsoft Information Protection</A> (MIP) to empower IT and business owners to easily create secure teams and channels and enable guest access, enforcing <A href="#" target="_blank" rel="noopener">Zero Trust</A> policies at the file, chat, and message level to prevent accidental sharing, misuse, and data loss.</P> Thu, 14 Oct 2021 16:18:59 GMT JasonCohen1892 2021-10-14T16:18:59Z New Blog Post | Introducing the Dynamics 365 and Power Platform Bug Bounty Program <P><A href="#" target="_blank" rel="noopener">Power Platform is Here! Introducing the Dynamics 365 and Power Platform Bug Bounty Program – Microsoft Security Response Center</A></P> <P>Microsoft is excited to announce the addition of <A href="#" target="_blank" rel="noopener noreferrer">Power Platform</A> to the newly rebranded <A href="#" target="_blank" rel="noopener noreferrer">Dynamics 365 and Power Platform Bounty Program</A>.</P> <P>Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities they may find in the new Power Platform scope to help protect customers. We offer awards up to $20,000 USD for eligible submissions. 
The following products are now eligible for bounty awards:</P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer">Power Apps</A></LI> <LI><A href="#" target="_blank" rel="noopener noreferrer">Power Automate</A></LI> <LI><A href="#" target="_blank" rel="noopener noreferrer">Power Virtual Agent</A></LI> <LI>Power Portals</LI> </UL> <P>To learn more about eligible scope and award amounts, please visit the <A href="#" target="_blank" rel="noopener noreferrer">Dynamics 365 and Power Platform Bounty Program</A> page.</P> Wed, 13 Oct 2021 17:08:21 GMT JasonCohen1892 2021-10-13T17:08:21Z New Blog Post | Automatically scale your catalog with elastic Data Map in Azure Purview <P><A href="" target="_blank" rel="noopener">Automatically scale your catalog with elastic Data Map in Azure Purview - Microsoft Tech Community</A></P> <P>Azure Purview continues to evolve for customers to help them govern constantly growing data estates with the new elastic Data Map. Customers can provision a Purview account with no upfront commitment for Data Map platform cost and continue to grow elastically based on consumption to fully govern their enterprise data present in analytics, software as a service (SaaS), and operational systems in hybrid, on-premises, and multi-cloud environments.</P> <P>Customers can provision the new Azure Purview account with a Data Map platform size of one capacity unit and elastically grow in increments of one capacity unit based on usage and request load. 
The elastic Data Map automatically scales the capacity units up and down within the elasticity window based on consumption.</P> Wed, 13 Oct 2021 17:04:52 GMT JasonCohen1892 2021-10-13T17:04:52Z New Blog Post | Azure Defender Alerts Workbook <P><A href="" target="_blank" rel="noopener">Azure Defender Alerts Workbook - Microsoft Tech Community</A></P> <P>Azure Defender is an evolution of the threat-detection technologies in Security Center protecting Azure, on-premises, and hybrid cloud environments. Security Alerts are the notifications that Security Center generates when it detects threats on your resources. Security Center prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Security Center also provides detailed steps to help you remediate attacks. Alert data is retained for 90 days. <A href="#" target="_blank" rel="noopener noreferrer">Here</A> is the list of resource types that Azure Defender secures. Make sure to visit <A href="#" target="_blank" rel="noopener noreferrer">this article</A> that lists the security alerts you might get from Azure Security Center and any Azure Defender plans you’ve enabled.</P> <P>Azure Security Center allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source. For example, with the Secure Score Over Time report, you can track your organization’s security posture. 
Read more about how workbooks provide a rich set of functionalities in our <A href="#" target="_blank" rel="noopener noreferrer">Azure Monitor documentation</A>, and to understand the workbooks gallery in Azure Security Center, make sure to <A href="#" target="_blank" rel="noopener noreferrer">review our documentation</A>.</P> <P>With this blog, we are introducing you to another great template that provides a representation of your active alerts in different pivots that will help you understand the overall threats on your environment and prioritize between them.</P> Wed, 13 Oct 2021 17:00:52 GMT JasonCohen1892 2021-10-13T17:00:52Z Questions on controlling SKIP UPN behavior on office apps such as Teams. <P><SPAN>Hi Community,</SPAN></P><P><SPAN>The customer has the below user flow/setup:</SPAN></P><OL><LI><SPAN>User signs in to a physical/virtual device which is domain joined to edu.lcl. Their edu.lcl identity is synced to an Azure AD tenant via AD Connect (</SPAN><SPAN></SPAN><SPAN>).</SPAN></LI><LI><SPAN>Office, Teams, OneDrive then try to SSO into apps using </SPAN><A href="" target="_blank" rel="noopener"><SPAN></SPAN></A></LI><LI><SPAN>The </SPAN><SPAN></SPAN><SPAN> account is not licensed for Office services; they need to use </SPAN><A href="" target="_blank" rel="noopener"><SPAN></SPAN></A><SPAN> – the customer has no control over the </SPAN><SPAN></SPAN><SPAN> tenant, it's there for licensing purposes.</SPAN></LI><LI><SPAN>We need a solution that allows the users to SSO into apps using </SPAN><A href="" target="_blank" rel="noopener"><SPAN></SPAN></A><SPAN> every time. 
If this is not possible, we need to mask/hide and stop login prompts to Office services for the </SPAN><SPAN></SPAN><SPAN> domain.</SPAN></LI></OL><P><SPAN>Example for OneDrive: on each login, how do we get it to remember the @</SPAN><SPAN></SPAN><SPAN> credentials?</SPAN></P><P>[screenshot: SBV_0-1634140183037.png]</P><P><SPAN>Teams is prepopulated as below (</SPAN><A href="" target="_blank" rel="noopener"><SPAN></SPAN></A><SPAN>)</SPAN></P><P>[screenshot: SBV_1-1634140183041.png]</P><P><SPAN>Note:</SPAN></P><P><SPAN>There are registry keys to control a lot of these settings, but it's unclear to the customer what the optimal setup is with dual identities set up in this way. 
The SkipUpnPrefill option mentioned </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>here</SPAN></A><SPAN> seems temperamental, for example.</SPAN></P><P><SPAN>Any guidance would be of great help!</SPAN></P> Wed, 13 Oct 2021 15:52:59 GMT SB V 2021-10-13T15:52:59Z Profanity Filter Emails - Matched Content <P>Hi There,</P><P>I am trying to create a Profanity Block Policy through the Compliance Centre (a policy to pick up bad language in emails and block it).</P><P>I have created a profanity dictionary under Sensitive Information types, and then created a DLP policy.</P><P>As part of the DLP, I would like to send an email to an administrator mailbox about which words in a blocked email matched the profanity dictionary.</P><P>Microsoft has the following variables for the notification emails:</P><P><STRONG>%%AppliedActions%%</STRONG>: The actions applied to the content.<BR /><STRONG>%%ContentURL%%</STRONG>: The URL of the document on the SharePoint site or OneDrive for Business site.<BR /><STRONG>%%MatchedConditions%%</STRONG>: The conditions that were matched by the content. Use this token to inform people of possible issues with the content.</P><P><A href="#" target="_blank" rel="noopener"></A></P><P>None of these variables return the actual matched word in the original email.</P><P>This makes it very difficult when sorting through false-positive emails. An administrator has no idea why a false positive got caught by the DLP policy.</P><P>Has anyone had any success with this? 
It's a nuisance for other DLP notification email types too (not just the profanity filter use case), as it makes it difficult to tell what specific Sensitive Information match actually caused the DLP to trigger.</P> Wed, 13 Oct 2021 06:19:41 GMT Ari_R420 2021-10-13T06:19:41Z AIP for MAC - Email Attachment (labelled) opens as 'Read Only' <P>Hi,</P><P>I have a Mac device and my organization has rolled out a policy which does only classification.</P><P>macOS - Big Sur 11.6</P><P>Office - Office for Mac 16.53</P><P>In the below scenarios I am facing issues.</P><P><U><STRONG>Scenario 1:</STRONG></U> Another user from the same domain is emailing a labelled doc. On opening the doc in email, it shows up as 'Read-only' without any label. The user needs to save a copy by clicking on ‘Duplicate’ and is prompted to select a label. If the same document is saved to the Desktop and then opened, the document is editable and the applied label is visible.</P><P><U><STRONG>Scenario 2:</STRONG></U> Unlabelled document mailed from an external domain. If the document is opened directly from mail, it shows up as a Read Only document without any label selected. The user needs to save a copy by clicking on ‘Duplicate’ and is prompted to select a label.</P><P>If the same document is saved to the Desktop and then opened, the document is still Read Only and the user is prompted to apply a label manually. The default label is not auto-applied.</P><P>Please assist on how to overcome this issue. 
Thanks in advance.</P> Wed, 13 Oct 2021 12:10:35 GMT Maverick1655 2021-10-13T12:10:35Z New Blog Post | Azure network security helps reduce cost and risk according to Forrester TEI study <P><A href="#" target="_blank" rel="noopener">Azure network security helps reduce cost and risk according to Forrester TEI study - Microsoft Security Blog</A></P> <P><SPAN>We are excited to share that Forrester Consulting has just conducted a commissioned <A href="#" target="_blank" rel="noopener">Total Economic Impact™ (TEI) study</A> on behalf of Microsoft, which involved interviewing existing customers who have deployed Azure network security. This study also provides organizations with a framework for evaluating the financial impact on their organizations.</SPAN></P> Tue, 12 Oct 2021 16:48:12 GMT JasonCohen1892 2021-10-12T16:48:12Z New Blog Post | How cyberattacks are changing according to new Microsoft Digital Defense Report <P><A href="#" target="_blank" rel="noopener">How cyberattacks are changing according to new Microsoft Digital Defense Report - Microsoft Security Blog</A></P> <P>In 2021, cybercrime has become more sophisticated, widespread, and relentless. 
Criminals have targeted critical infrastructure—healthcare,<SUP>1</SUP> information technology,<SUP>2</SUP> financial services,<SUP>3</SUP> energy sectors<SUP>4</SUP>—with headline-grabbing attacks that crippled businesses and harmed consumers. But there are positive trends—victims are coming forward, humanizing the toll of cyberattacks and prompting increased engagement from law enforcement. Governments are also passing new laws and allocating more resources as they recognize cybercrime as a threat to national security.</P> <P>Earlier this month, Microsoft published the <A href="#" target="_blank" rel="noopener">2021 Microsoft Digital Defense Report</A> (MDDR). Drawing upon over 24 trillion daily security signals across the Microsoft cloud, endpoints, and the intelligent edge, the 2021 MDDR expands upon last year’s <A href="#" target="_blank" rel="noopener">inaugural report</A> and contains input from more than 8,500 security experts spanning 77 countries—including insights on the evolving state of ransomware, malicious email, malware, and more.</P> Mon, 11 Oct 2021 17:18:40 GMT JasonCohen1892 2021-10-11T17:18:40Z New Blog Post | Scanning and labeling AWS S3 Buckets with Azure Purview <P><A href="" target="_blank" rel="noopener">Scanning and labeling AWS S3 Buckets with Azure Purview - Microsoft Tech Community</A></P> <P><SPAN>Azure Purview is a unified data governance tool that helps you manage and govern your on-prem, Azure, multi-cloud, and SaaS data. 
One of the “multi-cloud” features enables customers to scan data stored in their AWS S3 buckets, discovering sensitive information types.</SPAN><BR /><SPAN>This blog post shows how this scan may be configured in a few steps.</SPAN></P> Mon, 11 Oct 2021 16:49:15 GMT JasonCohen1892 2021-10-11T16:49:15Z New Blog Post | Analyzing Endpoints Forensics - Azure Sentinel Connector <P><A href="" target="_blank" rel="noopener">Analyzing Endpoints Forensics - Azure Sentinel Connector - Microsoft Tech Community</A></P> <P><SPAN>The field of endpoint forensics seeks to help investigators reconstruct what happened during an endpoint intrusion. Did an attacker break in because of a missing definition, signature, policy, setting or configuration, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. 
The Analyzing Endpoints Forensics - Azure Sentinel Connector can enable more powerful forensic analysis through techniques such as streaming a computer’s EPP (Endpoint Protection) health status, policies, settings, and configuration, in addition to vulnerable IoT assets, data events &amp; vulnerabilities.</SPAN></P> <P><SPAN>Device (IT/OT) health state and security configuration policies and settings (Microsoft Defender for Endpoint &amp; Azure Defender for IoT) are critical to SOC teams, helping them to address the following use cases:</SPAN></P> <UL> <LI>Identifying onboarded devices and their health status</LI> <LI>Activity and security posture for IT/OT assets</LI> <LI>Viewing the compliance status of the devices based on the security recommendations</LI> <LI>Identifying device vulnerabilities and hence providing a triage-matrix remediation framework</LI> </UL> Mon, 11 Oct 2021 16:46:10 GMT JasonCohen1892 2021-10-11T16:46:10Z New Blog Post | Announcing Attack Simulation Training Read APIs - Now in Beta! <P><A href="" target="_blank" rel="noopener">Announcing Attack Simulation Training Read APIs - Now in Beta! - Microsoft Tech Community</A></P> <P>Since the GA of <A href="#" target="_blank" rel="noopener noreferrer">Attack Simulation Training</A> earlier this year, one of the most common asks we have heard from our customers and the community has been around exposing APIs to access simulation and reporting information. 
We are pleased to announce the availability of the Attack Simulation Training Read APIs - currently in Beta!</P> <P>Attack Simulation Training APIs are onboarded to the Microsoft Graph, and this provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. The availability of these APIs lights up various business scenarios such as:</P> <UL> <LI>Monitor, track, and integrate Attack Simulation Training data with downstream reporting systems or tools.</LI> <LI>Integrate the data into existing compliance management or learning management systems to drive user awareness.</LI> <LI>Integrate Attack Simulation Training data with other existing systems for security analytics, etc.</LI> </UL> Mon, 11 Oct 2021 16:43:28 GMT JasonCohen1892 2021-10-11T16:43:28Z New Blog Post | Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors <P><A href="#" target="_blank" rel="noopener">Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors - Microsoft Security Blog</A></P> <P><SPAN>DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 </SPAN><SPAN class="brand">Office 365</SPAN><SPAN> tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with a business presence in the Middle East. Fewer than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve its techniques to refine its attacks. 
MSTIC noted that </SPAN><SPAN class="brand">Office 365</SPAN><SPAN> accounts with multifactor authentication (MFA) enabled are resilient against password sprays.</SPAN></P> Mon, 11 Oct 2021 16:39:47 GMT JasonCohen1892 2021-10-11T16:39:47Z Can't enable "Authentication without password" <P>Friends, I apologize in advance if I chose the wrong topic or the wrong place at all. This is the only place where I found an opportunity to ask real people and possibly company representatives.<BR />And so, I cannot enable "Account without password" in the security settings of my account. I have Microsoft Authenticator installed on my phone (Xiaomi MI9T). It receives notifications when you log into your account on the company's services; everything is in order. But when I try to enable "Account without password" I get an error. Unfortunately, I can't even change the language of the page; the button at the bottom left does not work (should it?).<BR />I can only use machine translation; this is what comes out:</P><P><FONT color="#FF0000">Request was not sent</FONT><BR /><FONT color="#FF0000">Failed to send notification to phone now. 
Try again.</FONT></P><P>Please help as much as you can.</P><P>[screenshot: Mystic8b_0-1633962383068.png]</P> Mon, 11 Oct 2021 14:34:21 GMT Mystic8b 2021-10-11T14:34:21Z MDO Attack Simulation - Hybrid/On-Prem <P>Good day community,</P><P>Do the Attack Simulation capabilities extend to on-prem/hybrid Exchange environments as well, or only to accounts that have been migrated fully to Exchange Online?</P><P>TIA</P> Fri, 08 Oct 2021 11:02:41 GMT SebastiaanR 2021-10-08T11:02:41Z Webinar Announcement | Microsoft 365 Defender: l33tSpeak: Advanced Hunting in Microsoft 365 Defender <P><STRONG><SPAN>Microsoft 365 Defender Webinar | l33tSpeak: Advanced Hunting in Microsoft 365 Defender</SPAN></STRONG></P> <P>In this episode we will cover the latest improvements to advanced hunting, how to import an external data source into your query, and how to use partitioning to segment large query results into smaller result sets to avoid hitting API limits.</P> <P>Monday, October 11, 2021 at 08:00 PT / 11:00 ET / 16:00 GMT</P> <P>Register Here: <A href="#" target="_blank" rel="noopener noreferrer"></A></P> Thu, 07 Oct 2021 18:48:08 GMT AshleyMartin 2021-10-07T18:48:08Z Secure Windows endpoints with on-premise architecture <P>Hello guys,</P><P>I'm currently writing a thesis related to Microsoft Security and I'm struggling with all the products offered by Microsoft to find some of them that can be used exclusively in an on-premise 
environment.</P><P>&nbsp;</P><P>Those products should guarantee the security of Windows endpoints.</P><P>&nbsp;</P><P>For the moment, this is what I have:</P><P>&nbsp;</P><UL><LI>Active Directory with Group Policies</LI><LI>Virtual Desktop Infrastructure (VDI)</LI></UL><P>&nbsp;</P><P>Can you help me figure this out?</P><P>&nbsp;</P><P>Thank you in advance!</P> Thu, 07 Oct 2021 15:18:19 GMT Jacket28 2021-10-07T15:18:19Z Apply sensitivity label to all documents in a SharePoint <P>Hi,</P><P>&nbsp;</P><P>Currently we have a client that wants to start implementing Information Protection labels.</P><P>(Licenses = M365 E3 + M365 E5 Security)<BR /><BR />What they would like is to apply labels based on which SharePoint the document is in. So let's say they have a SharePoint called 'Management'. What we would like is for all documents created in or moved to this SharePoint to have the label called 'Management' applied.</P><P>&nbsp;</P><P>Currently I only see the possibility of applying it with Cloud App Security. I tried applying a label to the SharePoint directly, but this does not seem to automatically apply it to the documents within it.<BR /><BR />Am I missing something? Are there any other options?<BR /><BR />Thanks!</P> Thu, 07 Oct 2021 08:00:23 GMT SamTeerlinck 2021-10-07T08:00:23Z GDPR/tenant migration for US company with UK subsidiary <P>Hello, we are a US company and have multiple companies in Europe (France, Germany, UK).</P><P>&nbsp;</P><P>Each company has its own tenancy, but we want to migrate the UK company's tenancy to the US Office 365 tenancy. I want to know if it is possible to migrate to the US tenancy and still comply with GDPR. If so, how can we do it? I learned that OneDrive, SharePoint and Exchange records should be located in their respective region to be GDPR compliant. 
The reason why we wanted to move their tenancy is to bring all IT under one umbrella, as we have many corporate applications with Office 365 SSO to be used by all sister companies.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 07 Oct 2021 04:27:48 GMT STO365user 2021-10-07T04:27:48Z New Blog Post | Microsoft’s 5 guiding principles for decentralized identities <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ofc17_Lian_003-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="Ofc17_Lian_003-900x360.jpg" alt="Ofc17_Lian_003-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">Microsoft’s 5 guiding principles for decentralized identities - Microsoft Security Blog</A></P> <P>Three years ago, as part of Microsoft’s mission to empower people and organizations to achieve more, we announced that we were incubating a<SPAN>&nbsp;</SPAN><A href="" target="_blank" rel="noopener">new set of decentralized identity technologies</A><SPAN>&nbsp;</SPAN>based on a simple vision:</P> <P><EM>Each of us needs a digital identity we own, one which securely and privately stores all elements of our digital identity. This self-owned identity must be easy to use and give us complete control over how our identity data is accessed and used.</EM></P> <P class="">During this incubation, customers and partners all around the world have helped us understand their challenges and the shortcomings of their existing identity systems. 
We’ve learned a ton through a set of successful proof of concepts partnering with Keio University,<SUP>1</SUP><SPAN>&nbsp;</SPAN>The National Health Service (UK),<SUP>2</SUP><SPAN>&nbsp;</SPAN>and the Government of Flanders.<SUP><A href="#" target="_blank" rel="noopener">3</A></SUP><SPAN>&nbsp;</SPAN>We’ve worked with our partners in the Decentralized Identity Foundation (DIF) and the open standards community to develop standards and demonstrate interoperability.</P> Wed, 06 Oct 2021 20:41:30 GMT AshleyMartin 2021-10-06T20:41:30Z New Blog Post | Get started with Azure Purview in less than 5 minutes <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1633552190932.png" style="width: 693px;"><img src="" width="693" height="442" role="button" title="AshleyMartin_0-1633552190932.png" alt="AshleyMartin_0-1633552190932.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Get started with Azure Purview in less than 5 minutes (</A></P> <P><SPAN>Getting started with Azure Purview for data governance is quick and easy. First, if you don't already have an Azure account, get instant access and&nbsp;$200&nbsp;of credit to try Azure Purview by signing up for a free account.</SPAN></P> <P>&nbsp;</P> Wed, 06 Oct 2021 20:31:08 GMT AshleyMartin 2021-10-06T20:31:08Z Missing alerting policy for when RBAC permissions are changed in M365 Compliance portal. <P>Currently when Exchange Online role groups (RBAC) permissions are changed an alert is generated using the built-in M365 alert policy. However there is no equivalent for when RBAC permissions are changed for the Compliance portal.</P><P>&nbsp;</P><P><STRONG>EDIT:</STRONG> The M365 audit logs actually do show these changes where the Activity is "<FONT face="inherit">Set-RoleGroup" and the workload is tagged as "SecurityComplianceCenter". This seems to be new as 2 weeks ago this activity was not shown. It seems work is being done behind the scenes to make this more visible. 
However, when will we also see an alert policy for this? It would be nice if this could also be picked up by Azure Sentinel. It would lead to a complete lockdown of permissions, to avoid a privilege escalation attack going unnoticed on the </FONT>Compliance<FONT face="inherit">&nbsp;portal RBAC system.</FONT></P> Tue, 05 Oct 2021 20:43:32 GMT brlgen 2021-10-05T20:43:32Z Lowering the price of Cyber Insurance <P>As a continuation of the previous <A href="" target="_blank" rel="noopener">article</A>, which touches upon using the MS security stack to defend against ransomware, here are some thoughts around ways to get good deals on cyber security insurance using the Microsoft security stack. This article is specifically meant as a general guideline in an attempt to get good insurance rates for protection against damages and liabilities caused by ransomware attacks.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyber Insurance.jpg" style="width: 999px;"><img src=";px=999" role="button" title="Cyber Insurance.jpg" alt="Cyber Insurance.jpg" /></span></P><P>&nbsp;</P><P>As a rule of thumb, cyber insurance cost will vary from organization to organization and depend on factors like the business's annual revenue, number of systems, cyber hygiene, the industry the business operates in and the type of data it processes. In addition, if a business has been attacked before, it will most probably cost more compared to a business that has no history of attack or breach.</P><P>&nbsp;</P><P>If a security incident (caused by a ransomware attack) falls within the insurance policy, the insurance company is dependent on performing a thorough investigation to find out what actually happened. If you don't have the tools, competence and resources to show proof of what happened, you are totally dependent on what 3rd-party analysts find out, and after the fact. 
By the time the analysts from the 3rd party scramble the resources and start investigations, the attackers may already have deleted logs, manipulated registry information and hidden their tracks.</P><P>&nbsp;</P><UL><LI><STRONG>Data Reconstruction and Re-installing Systems:</STRONG></LI></UL><P class="lia-indent-padding-left-30px">Cyber insurance mostly covers the cost of data reconstruction. However, the possibility to reconstruct data depends on many factors, like whether the freed-up space has been overwritten or not. For example the <A href="#" target="_blank" rel="noopener">N3tw0rm ransomware</A> uses an unusual way to deprive the victim machine of free space, by filling it with temporary files containing all zeros. This is an attempt to deny the possibility of data reconstruction.&nbsp; Cyber insurance usually also covers the cost of reinstalling the systems and getting your company back up to speed, but you must be aware of the maximum downtime your company can tolerate. Arguably, in the best-case scenario where you can tolerate the downtime with minimal costs, your company may get bad publicity. However, if the <A href="#" target="_blank" rel="noopener"><STRONG>MTD</STRONG></A> has long gone by the time 3rd-party consultants can allocate resources, begin the process, recreate the data and re-install and connect the systems, the losses may already have become extremely high.</P><P>&nbsp;</P><P class="lia-indent-padding-left-30px">Think from the perspective of an insurance company, which needs to step in and pay for the financial loss: they will tend to increase the insurance premiums if your company is unprepared for such an attack, or generally has bad cyber hygiene combined with ad-hoc routines. 
This is because when ransomware hits companies, most operations normally come to a complete halt, making it slightly different from usual security incidents.&nbsp;</P><P>&nbsp;</P><P>It is common practice that insurance companies partner with third-party specialist companies for data reconstruction, gathering forensic information, reinstalling systems, finding out what exactly happened and whether data was stolen. Since the third-party companies most probably are not already working with your organization, it may take some time for them to assign resources and start their work. Although most insurance companies pay for these services, <STRONG>it must be understood that not all the tangible and intangible loss can be covered by the insurance companies.</STRONG></P><P>&nbsp;</P><P>To get good deals on insurance premiums, companies must be able to convince cyber insurance companies that they live by the principles of due diligence and due care. This would mean that they have effective monitoring and vulnerability management systems in place, have good policies and procedures to maintain IT hygiene, have robust system-patching routines, and have an overview of the flow of critical data and the protections around it.</P><P>&nbsp;</P><P>Using <A href="#" target="_blank" rel="noopener">Microsoft Azure Security Center</A> we can not only perform security benchmarking, but also get near-real-time vulnerability assessment. We get information about where the vulnerability is found, and instructions on how to harden those systems and services. It strengthens the security posture and provides advanced threat protection across hybrid workloads and in multi-cloud environments. Using Azure Defender, we can use ML-based <A href="#" target="_blank" rel="noopener">Adaptive Application Control</A> (AAC) to only allow whitelisted applications to run. 
This <A href="" target="_blank" rel="noopener">article</A> shows how<A href="" target="_blank" rel="noopener"> AAC maps to the MITRE ATT&amp;CK Framework</A>.</P><P>&nbsp;</P><UL><LI><STRONG>Importance of Robust Backup&nbsp;</STRONG></LI></UL><P class="lia-indent-padding-left-30px">The best preventive measure against being affected by a successful ransomware attack is having a robust backup solution. If an organization is missing a backup solution which can be relied on when push comes to shove, the cost of the insurance will tend to be high. This is because once data is encrypted with very strong encryption algorithms, decryption may be almost impossible. Your best hope is to have a robust backup solution in place.</P><P class="lia-indent-padding-left-30px">&nbsp;</P><P class="lia-indent-padding-left-30px">With the <A href="#" target="_blank" rel="noopener">Azure Backup</A> solution, you can back up not only cloud workloads but also on-premises files, folders, systems, and even entire Windows and Linux virtual machines. You can also back up Azure managed disks, file shares, SQL databases etc. In the setup offered by Azure Backup, an attacker has no direct access to the backup storage or its contents. Even if the environment is already compromised, the existing backups cannot be touched or deleted. With built-in monitoring and alerting capabilities and an added layer of security where a PIN code is required to modify backups, Azure Backup is one of the most robust solutions on the market.</P><P>&nbsp;</P><UL><LI><STRONG>Legal Proceedings</STRONG></LI></UL><P class="lia-indent-padding-left-30px">Cyber insurance usually also covers the cost of legal proceedings in case of third-party claims or data breaches. 
But before indulging in such activities, the insurance company needs to find out if the data has actually been breached.</P><P class="lia-indent-padding-left-30px">&nbsp;</P><P class="lia-indent-padding-left-30px">Consider the example of a typical ransomware attack coming via an email message containing a link to a malicious downloadable file. When the user clicks on the link, malware gets downloaded onto the system and initiates a C&amp;C (command-and-control) connection with the attacker. The attacker, now having an initial foothold, tries to move laterally and manages to get hold of sensitive corporate data.</P><P class="lia-indent-padding-left-30px">&nbsp;</P><OL><LI><STRONG>If the threat actor gets insight into your company's financial records, they know how much you are worth.</STRONG></LI><LI><STRONG>If the attacker also gets insight into the company's cyber insurance policy, they know that the company has the means to pay.</STRONG></LI><LI><STRONG>If the attacker manages to exfiltrate data, you may be subjected to double extortion.</STRONG></LI></OL><P class="lia-indent-padding-left-30px">&nbsp;</P><P class="lia-indent-padding-left-30px">They will adjust their demands accordingly. It is therefore important to have an overview of critical and sensitive information, as well as where it resides and how it flows. Now, if the attacker also successfully exfiltrates the data, you may unfortunately be double-extorted.</P><P>&nbsp;</P><UL><LI><STRONG>How Microsoft Security Can help:</STRONG></LI></UL><P class="lia-indent-padding-left-30px">With the Microsoft Security stack we can get forensic evidence exported to <A href="#" target="_blank" rel="noopener">Azure Log Analytics</A> before attackers can delete logs in an attempt to hide their tracks. 
Considering the example, all the events, logs, alerts and entities involved, along with the complete timeline from email security (using <A href="#" target="_blank" rel="noopener">Defender for Office 365</A>), the client machines (using <A href="#" target="_blank" rel="noopener">Windows Defender</A>), the cloud and on-prem servers (using <A href="#" target="_blank" rel="noopener">Defender for Endpoint</A>), identity information (using <A href="#" target="_blank" rel="noopener">Defender for Identity</A> and Azure Identity Protection), and cloud app security (using <A href="#" target="_blank" rel="noopener">MCAS</A>), can be exported to <A href="#" target="_blank" rel="noopener">Log Analytics</A>. In addition, all of these security tools come pre-integrated with Azure <A href="#" target="_blank" rel="noopener">Sentinel</A>, which correlates the information and shows us the complete forensic picture in a single pane of glass.</P><P class="lia-indent-padding-left-30px">&nbsp;</P><P class="lia-indent-padding-left-30px">We can tag the data based on criticality and sensitivity and deploy <A href="#" target="_blank" rel="noopener">DLP</A> policies on endpoints, in the cloud, on email, in MS Teams etc. 
This gives us control of the data flow and will help us protect sensitive information, which in turn helps lower cyber insurance premiums.</P><P class="lia-indent-padding-left-30px">&nbsp;</P><P>&nbsp;</P> Tue, 05 Oct 2021 20:43:22 GMT salkhan 2021-10-05T20:43:22Z New Blog Post | Windows 11 offers chip to cloud protection to meet new security challenges <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled-900x360.png" style="width: 900px;"><img src=";px=999" role="button" title="Untitled-900x360.png" alt="Untitled-900x360.png" /></span></P> <P><A href="#" target="_blank">Windows 11 offers chip to cloud protection to meet the new security challenges of hybrid work - Microsoft Security Blog</A></P> <P><SPAN>The expansion of both remote and hybrid workplaces brings new opportunities to organizations. But the expansion of&nbsp;access, increased number of endpoints, and desire for employees to work from anywhere on any device&nbsp;has&nbsp;also introduced new threats and risks.&nbsp;In 2020, Microsoft protected customers from 30 billion email threats, 6 billion threats to endpoint devices, and processed more than 30 billion authentications. Yet most employees still struggle to avoid clicking phishing links in email, spoofed websites, and more. 
The National Institute of Standards and Technology (NIST) shows a more than five-fold increase in hardware attacks over three years, and Microsoft’s initial&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Security Signals report</A><SPAN>&nbsp;found that more than 80 percent of Vice Presidents and above admitted to experiencing a hardware attack in the last two years.</SPAN></P> Tue, 05 Oct 2021 18:36:44 GMT AshleyMartin 2021-10-05T18:36:44Z New Blog Post | Practical tips on how to use application security testing and testing standards <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SEC20_Security_029-1-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="SEC20_Security_029-1-900x360.jpg" alt="SEC20_Security_029-1-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">Practical tips on how to use application security testing and testing standards - Microsoft Security Blog</A></P> <P>The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager&nbsp;<A href="#" target="_blank" rel="noopener">Natalia Godyla</A>&nbsp;talks with&nbsp;<A href="#" target="_blank" rel="noopener">Daniel Cuthbert</A>, Global Head of Security Research at Banco Santander. Daniel discusses how to use application security testing and testing standards to improve security.</P> Tue, 05 Oct 2021 18:28:27 GMT AshleyMartin 2021-10-05T18:28:27Z How can we manage resources in other clouds such as AWS, Google, etc. using Azure features? 
<P>Currently we have some capabilities such as:</P><P>&nbsp;</P><P>Enterprise applications</P><P>App Registration</P><P>Conditional Access policies</P><P>Azure Arc</P><P>Apart from these, what are the other ways of managing resources in other clouds or on-prem, etc.?</P> Tue, 05 Oct 2021 09:39:48 GMT Amin7RDR 2021-10-05T09:39:48Z New Blog Post | Attack Simulation Training: Service Availability in New Regions <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1633375468848.png" style="width: 699px;"><img src="" width="699" height="241" role="button" title="AshleyMartin_0-1633375468848.png" alt="AshleyMartin_0-1633375468848.png" /></span></P> <P><SPAN><A href="" target="_blank" rel="noopener">Attack Simulation Training: Service Availability in New Regions - Microsoft Tech Community</A></SPAN></P> <P><SPAN>Attack Simulation Training is an intelligent phishing risk-reduction tool that measures behavior change and automates the design and deployment of an integrated security awareness training program across an organization. It became generally available at the start of the year and is now available in additional regions. 
As we continue to expand the regional availability of Attack Simulation Training, it is currently available in NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, KOR, BRA, LAM, and CHE.&nbsp;</SPAN></P> Mon, 04 Oct 2021 19:25:18 GMT AshleyMartin 2021-10-04T19:25:18Z New Blog Post | #BeCyberSmart: When we learn together, we’re more secure together <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSFT_Security_NSCAM_Image_Mail-3-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="MSFT_Security_NSCAM_Image_Mail-3-900x360.jpg" alt="MSFT_Security_NSCAM_Image_Mail-3-900x360.jpg" /></span></P> <P><A href="#" target="_blank">#BeCyberSmart: When we learn together, we’re more secure together | Microsoft Security Blog</A></P> <P><SPAN>2021 has been a watershed year in cybersecurity. The pandemic continued to bring new challenges as attackers took advantage of overstretched security teams to unleash new human-operated ransomware</SPAN><SUP>1</SUP><SPAN>, malware, and nation-state attacks like those against Colonial Pipeline</SPAN><SUP>2</SUP><SPAN>&nbsp;and JBS Food</SPAN><SUP>3</SUP><SPAN>. With the move toward hybrid and remote work, security professionals have found themselves with more endpoints to manage and secure. Meanwhile, threat actors are exploiting gaps anywhere they can. 
Practicing basic cyber hygiene—</SPAN><WBR /><SPAN>applying security patches and updating software and apps—</SPAN><WBR /><SPAN>is a simple way to empower your organization.</SPAN></P> Mon, 04 Oct 2021 19:21:16 GMT AshleyMartin 2021-10-04T19:21:16Z New Blog Post | Become a Microsoft 365 Advanced eDiscovery NINJA <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1633373942441.png" style="width: 697px;"><img src="" width="697" height="358" role="button" title="AshleyMartin_0-1633373942441.png" alt="AshleyMartin_0-1633373942441.png" /></span></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Become a Microsoft 365 Advanced eDiscovery NINJA - Microsoft Tech Community</A></P> <P>In this blog post, we share the top resources for eDiscovery users to become masters of the Advanced eDiscovery solution in Microsoft 365! After each level, we offer you a&nbsp;<STRONG>knowledge check&nbsp;</STRONG>based on the training material you have just completed. The goal of the knowledge checks is to help ensure understanding of the key concepts that were covered.&nbsp;</P> <P>&nbsp;</P> <P>The training sessions are split into eight different sections in order to better align with the<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="nofollow noopener noreferrer">Electronic Discovery Reference Model</A>:</P> <UL> <LI>Overview</LI> <LI>Getting Started</LI> <LI>Identification</LI> <LI>Preservation</LI> <LI>Collection &amp; Processing</LI> <LI>Review &amp; Analysis</LI> <LI>Production</LI> <LI>Advanced</LI> </UL> Mon, 04 Oct 2021 18:59:55 GMT AshleyMartin 2021-10-04T18:59:55Z Can we have two levels of review in Azure Access Review? <P>Hi,</P><P>&nbsp;</P><P>We are looking for some additional functionality in Azure Access Review.</P><P>Currently we can assign multiple reviewers; however, we want a flow where we can have two levels of review. 
The first reviewer approves the group membership, app, role or resource role; then it should go to the second reviewer for approval.</P><P>&nbsp;</P><P>Is there any way of achieving it through Azure Functions or Power Automate? We are working on options with the Graph API, but currently we can create, delete and manage it. Is there any way to achieve some customization?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Oct 2021 08:16:43 GMT Amin7RDR 2021-10-04T08:16:43Z Core case creation <P>Hi, I'm trying to create a case whereby I want all email from an external domain. I can't seem to enter this into the&nbsp;<SPAN>Participants area... it only allows selecting an internal user account.</SPAN></P><P>&nbsp;</P><P><SPAN>The documentation says this... but I can't enter that anywhere</SPAN></P><P><SPAN></SPAN></P><P>&nbsp;</P><P><SPAN>Any ideas?</SPAN></P> Sun, 03 Oct 2021 22:28:30 GMT Chris van der Wal 2021-10-03T22:28:30Z Insider Risk Management - FileSyncDownloadedFull <P>Just getting a handle on Microsoft 365 Compliance's Insider Risk Management, and we're getting a lot of notifications about collecting files downloaded from SharePoint; however, most of these are just OneDrive syncing with their company device, the operation being&nbsp;<SPAN>FileSyncDownloadedFull. Is there any way to hide alerts on this particular operation? We have Endpoint in place so users cannot sync to OneDrive unless they are on a company device, so this alert is not necessary.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Help appreciated. </SPAN></P><P>&nbsp;</P><P><SPAN>Thanks.</SPAN></P> Sun, 03 Oct 2021 19:26:53 GMT Mondas 2021-10-03T19:26:53Z Recover <P>Hi everyone. My name is Emmanuel Yves. I want to know how to recover my mailbox from 2006, because I was hacked in 2008. I had to recreate it in 2017 with the same name and the same domain, but it is new and contains new messages. 
Please help me solve this problem.</P> Fri, 01 Oct 2021 20:08:53 GMT kytanachou 2021-10-01T20:08:53Z How to: Enabling MFA for Active Directory Domain Admins with Passwordless Authentication <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="349"> <P><STRONG>Administer on-premises Active Directory </STRONG></P> <P><STRONG>Using Azure Passwordless Authentication </STRONG></P> <P><STRONG>removing Domain Admins passwords</STRONG></P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Hello Guys,</P> <P>&nbsp;</P> <P>I am here just to demonstrate that today it is technically possible (Proof of Concept) to:</P> <P>&nbsp;</P> <OL> <LI>Configure a modern MFA solution to access an on-prem Windows 10 PC</LI> <LI>Use that solution to protect privileged accounts' passwords</LI> <LI>Eradicate from the domain the presence of passwords for those privileged accounts (make it impossible to use a password to log on to the domain, to prevent some kinds of password attacks)</LI> <LI>Have the ability to use multiple PAWs (privileged access workstations) with the same MFA credential</LI> <LI>Have only one identity with one strong credential</LI> <LI>Use the same credential on-prem and in the cloud (if needed)</LI> <LI>Connect to a Domain Controller through RDP from the PAW using SSO (Single Sign-On)</LI> <LI>Obtain the above with some simplicity and cost control</LI> </OL> <P>&nbsp;</P> <P>I am not here to discuss whether this document in any part adheres to all principles and best practices of a secure administration environment; I just want to show a feature as a proof of concept. It’s up to you to integrate this work into your security posture and evaluate the impacts.</P> <P>No direct or indirect guarantee is given, and this cannot be considered official documentation. 
The content is provided “As Is”.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Let's look more deeply at the above points:</P> <P>&nbsp;</P> <UL> <LI>Many customers asked me, after they had used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain/on-prem resources? The solution exists today: the use of a security key (FIDO2): <A href="#" target="_blank" rel="noopener">Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs</A>. Please have a look also at <A href="#" target="_blank" rel="noopener">Plan a passwordless authentication deployment with Azure AD | Microsoft Docs</A>.</LI> <LI>I wanted to demonstrate that this solution can also protect the Domain Admins group, to protect high-privileged accounts (an important notice about this is present in this document: <A href="#" target="_blank" rel="noopener">FAQs for hybrid FIDO2 security key deployment - Azure Active Directory | Microsoft Docs</A> – “FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?”).</LI> <LI>After having substituted the password with one MFA credential (private key + primary factor) (more information here: <A href="#" target="_blank" rel="noopener">Azure Active Directory passwordless sign-in | Microsoft Docs</A>), we can configure a way to make the password not necessary for domain administration, very long and complex, and disabled: <A href="#" target="_blank" rel="noopener">Passwordless Strategy - Microsoft 365 Security | Microsoft Docs</A></LI> <LI><SPAN>With other MFA tools (e.g. Windows Hello for Business), if we want to use different PAWs (secured workstations from which the Administrator connects with privileged accounts: </SPAN><A href="#" target="_blank" rel="noopener">Why are privileged access devices important | Microsoft Docs</A><SPAN>) we need to configure and enroll the solution machine per machine (create different private keys, one for each Windows desktop). 
With the solution described below, the enrollment happens only once (there is only one private key per identity; it is portable and only present inside the USB FIDO key) and it is potentially usable on all secure desktops/PAWs in the domain.</SPAN></LI> <LI><SPAN>The dream is to have one identity and one strong credential: this credential (the private key installed in the physical FIDO key) is protected by a second factor (what you know (PIN) or what you are (biometric)); it is portable and usable to consume services and applications on-premises and in the cloud.</SPAN></LI> <LI><SPAN>To connect using RDP to another/third system after this kind of strong authentication is performed on the physical PC, a password is needed (but we really want to eradicate the use of a password)… So we can use a Windows 10 / Windows Server 2016 and later feature (Remote Credential Guard: </SPAN><A href="#" target="_blank" rel="noopener">Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) - Microsoft 365 Security | Microsoft Docs</A>)<SPAN> to remove this limitation.</SPAN></LI> <LI><SPAN>If you have a certain hybrid infrastructure already in place (</SPAN><A href="#" target="_blank" rel="noopener">What is hybrid identity with Azure Active Directory? | Microsoft Docs</A>, <A href="#" target="_blank" rel="noopener">Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs</A>, etc.)<SPAN>, the activation of this solution is simple and there are no significant added costs (a FIDO key costs around 20 / 30 euros).</SPAN></LI> <LI><SPAN>The solution is based on 3 important features: Azure AD/FIDO keys, Remote Credential Guard and, primarily, the Active Directory SCRIL feature [&nbsp;<A href="#" target="_blank"></A>&nbsp;:</SPAN> <P><STRONG>"...SCRIL setting for a user on Active Directory Users and Computers.</STRONG></P> <P>When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. 
Additionally, domain controllers hosting the user account do not allow the user to sign in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or earlier domain functional level do not expire. The users are effectively passwordless because:</P> <UL> <LI>they do not know their password.</LI> <LI>their password is 128 random bits of data and is likely to include non-typable characters.</LI> <LI>the user is not asked to change their password</LI> <LI>domain controllers do not allow passwords for interactive authentication ...]</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>Chapter 1 – Enable Passwordless authentication and create your key</P> <TABLE> <TBODY> <TR> <TD width="283"> <P><STRONG>Enable the use of FIDO keys for Passwordless authentication. </STRONG>In Azure AD \ Security \ Authentication methods, enable the use of a security key for a specific group and set the key settings in accordance with the HW provider of the key (in my case Force Attestation and Key Restriction set to off).</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_0-1633112987876.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_0-1633112987876.png" alt="Dabona_0-1633112987876.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P><STRONG>Confirm Hybrid Device Join.</STRONG> Confirm your Windows 10 2004+ PCs are Hybrid Device Joined.</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_1-1633112987899.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_1-1633112987899.png" alt="Dabona_1-1633112987899.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P><STRONG>Confirm users and all involved groups are hybrid. </STRONG>Confirm all involved users or groups are 
correctly replicated by AD Connect, have Azure Active Directory properly configured, and that login in the cloud works correctly.</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_2-1633112987909.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_2-1633112987909.png" alt="Dabona_2-1633112987909.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Implement <STRONG>Kerberos Server</STRONG> to foster on-prem SSO (Single Sign On) for on-prem resources; follow this guidance:</P> </TD> <TD width="358"> <P><A href="#" target="_blank" rel="noopener">Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs</A></P> </TD> </TR> <TR> <TD width="283"> <P><STRONG>Enroll the key</STRONG>. Please don’t use Incognito web mode (sign out already connected users and use “<STRONG>switch to a different account</STRONG>”).</P> <P>If errors come up during enrollment, check whether any user is already signed into the browser (in the new Edge use “Browse as Guest”, which is different from “Incognito Mode”).</P> <P>Log in with the user you want to provide the USB key to and reach the My Account page.</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_3-1633112987916.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_3-1633112987916.png" alt="Dabona_3-1633112987916.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_4-1633112987928.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_4-1633112987928.png" alt="Dabona_4-1633112987928.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>In the My Account page open Security Info and initialize the USB key.</P> </TD> <TD width="358"> 
<P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_5-1633112987935.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_5-1633112987935.png" alt="Dabona_5-1633112987935.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>If not done before, enable MFA authentication by using a phone (SMS) or the Authenticator app (in this case the user had not already been provisioned for MFA, so the system automatically makes you enroll the Authenticator app on your phone).</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_6-1633112987941.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_6-1633112987941.png" alt="Dabona_6-1633112987941.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_7-1633112987945.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_7-1633112987945.png" alt="Dabona_7-1633112987945.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_8-1633112987948.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_8-1633112987948.png" alt="Dabona_8-1633112987948.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_9-1633112987951.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_9-1633112987951.png" alt="Dabona_9-1633112987951.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now, because you have an MFA tool, you can create/enroll a security key: add method / USB key. The browser challenges you to insert a key 
to inject your identity into it.</P> <P>Create a new PIN!</P> <P>Confirm by touching the key.</P> <P>Name the key.</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_10-1633112987955.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_10-1633112987955.png" alt="Dabona_10-1633112987955.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_11-1633112987981.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_11-1633112987981.png" alt="Dabona_11-1633112987981.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_12-1633112987988.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_12-1633112987988.png" alt="Dabona_12-1633112987988.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_13-1633112987991.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_13-1633112987991.png" alt="Dabona_13-1633112987991.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Done: the security key is enrolled with your identity.</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_14-1633112987993.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_14-1633112987993.png" alt="Dabona_14-1633112987993.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_15-1633112987996.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_15-1633112987996.png" alt="Dabona_15-1633112987996.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P><STRONG>Perform an Office 365 Passwordless Authentication</STRONG></P> <P>Verify you are able to sign in to O365 using the key without the use of a password. 
Please use Microsoft Edge; if already logged in, click the top right corner and choose “Browse as a guest”.</P> </TD> <TD width="358"> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_16-1633112988019.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_16-1633112988019.png" alt="Dabona_16-1633112988019.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Please remember to click “Sign in options” to trigger key authentication:</P> <P>&nbsp;</P> </TD> <TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_17-1633112988051.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_17-1633112988051.png" alt="Dabona_17-1633112988051.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_18-1633112988057.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_18-1633112988057.png" alt="Dabona_18-1633112988057.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_19-1633112988059.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_19-1633112988059.png" alt="Dabona_19-1633112988059.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_20-1633112988065.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_20-1633112988065.png" alt="Dabona_20-1633112988065.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_21-1633112988068.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_21-1633112988068.png" alt="Dabona_21-1633112988068.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Well done: you are logged in to the cloud passwordless!</P> </TD> 
<TD width="358"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_22-1633112988085.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_22-1633112988085.png" alt="Dabona_22-1633112988085.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Chapter 2 – Enable on prem multifactor login</P> <TABLE> <TBODY> <TR> <TD width="283"> <P><STRONG>Deploy a GPO (Group Policy Object)</STRONG> to enable FIDO2 on-prem login with Windows 10 2004+. In your on-prem environment we can enable the use of the USB key credential provider (Windows has multiple credential providers: password, USB key, smartcard, etc.). Enable and link this setting to your Windows 10 2004+ machines. Restart the involved machines.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_23-1633112988095.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_23-1633112988095.png" alt="Dabona_23-1633112988095.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now you will see a new icon to log in to the PC. Clicking on sign-in options you can use this new credential provider, FIDO security key. 
Insert the USB key, type the PIN…</P> <P>&nbsp;</P> <P>On some FIDO keys you can avoid the PIN with biometrics (fingerprint).</P> <P>&nbsp;</P> <P>You can use the same identity/credential on all the PCs with the FIDO credential provider enabled.</P> <P>&nbsp;</P> <P>Remember that currently for on-prem sign-on only one user per key is available (you can’t have multiple identities on the same USB key).</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_24-1633112988133.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_24-1633112988133.png" alt="Dabona_24-1633112988133.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_25-1633112988180.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_25-1633112988180.png" alt="Dabona_25-1633112988180.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_26-1633112988199.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_26-1633112988199.png" alt="Dabona_26-1633112988199.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_27-1633112988213.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_27-1633112988213.png" alt="Dabona_27-1633112988213.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_28-1633112988223.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_28-1633112988223.png" alt="Dabona_28-1633112988223.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_29-1633112988239.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_29-1633112988239.png" alt="Dabona_29-1633112988239.png" 
/></span> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Please note that this kind of authentication is recognized by the Azure/O365 cloud as an MFA claim already satisfied, so when you open your preferred application the connection is in SSO (you don’t have to re-authenticate or perform another strong auth).</P> <P>&nbsp;</P> <P>Please note that with the same key you can log in to the cloud applications using MFA from external computers without any modifications (like kiosks, BYOD computers, etc.).</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_30-1633112988249.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_30-1633112988249.png" alt="Dabona_30-1633112988249.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Please note that you have access to all on-prem services because the Kerberos server we installed above enables obtaining Kerberos tickets for on-prem AD service consumption.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_31-1633112988251.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_31-1633112988251.png" alt="Dabona_31-1633112988251.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Chapter 3 – Use FIDO keys to protect privileged users (Domain Admins) and de-materialize their password.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="283"> <P>Now we are going to enable a FIDO key for the Domain Admin, or configure FIDO keys to work with privileged users. The default security policy doesn't grant Azure AD permission to sign high-privilege accounts on to on-premises resources.</P> <P>&nbsp;</P> <P>To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos computer object (e.g. 
CN=AzureADKerberos,OU=Domain Controllers,&lt;domain-DN&gt;).</P> <P>&nbsp;</P> <P>Remove all the privileged groups you want to use with FIDO keys. Consider that one user might be a member of different groups, so remove all the groups the wanted user is a member of. I removed all groups with the exception of Domain Controllers.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_32-1633113197899.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_32-1633113197899.png" alt="Dabona_32-1633113197899.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_33-1633113197914.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_33-1633113197914.png" alt="Dabona_33-1633113197914.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_34-1633113197932.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_34-1633113197932.png" alt="Dabona_34-1633113197932.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_35-1633113197937.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_35-1633113197937.png" alt="Dabona_35-1633113197937.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Make the test user a member of the Domain Admins group.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_36-1633113197940.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_36-1633113197940.png" alt="Dabona_36-1633113197940.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Wait for the AD Connect sync time (normally at least 30 min).</P> </TD> <TD width="359"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now enroll the FIDO USB key for the privileged account following Chapter 1 of this guide.</P> 
</TD> <TD width="359"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now test the login with the Domain Admin using the FIDO key and check the possibility to be authenticated to on-prem services (e.g. file shares, MMC - ADUC consoles, etc.). Try a high-privilege operation like creating a new user.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_37-1633113197949.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_37-1633113197949.png" alt="Dabona_37-1633113197949.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_38-1633113197964.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_38-1633113197964.png" alt="Dabona_38-1633113197964.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now that we have an alternative way to sign in on prem and in the cloud (instead of a password) we can work on password eradication. Obviously, every application we want to use must not use passwords (it must work in SSO with AD or Azure AD). 
This is not a problem for privileged accounts because these should not have any application access but only access to administrative consoles.</P> </TD> <TD width="359"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>We will enable the SCRIL policy (Smart Card is required for interactive logon) for the privileged user:</P> <P>Smart Card is required for interactive logon = the user password is reset and made random and complex, unknown by humanity, and the use of the password for interactive login is disabled.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_39-1633113197966.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_39-1633113197966.png" alt="Dabona_39-1633113197966.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Test that you can’t log in with a password anymore.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_40-1633113197976.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_40-1633113197976.png" alt="Dabona_40-1633113197976.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_41-1633113198009.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_41-1633113198009.png" alt="Dabona_41-1633113198009.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>To complete and strengthen the password eradication we want to prevent the use of the password also for network authentications using the NTLM protocol, so we are going to make the user a member of the “Protected Users” group:</P> <P><A href="#" target="_blank" rel="noopener">Protected Users Security Group | Microsoft Docs</A>. This is because if a bad guy resets that user’s password, he/she might use the NTLM protocol to log on using the password, bypassing interactive logon. 
Protected Users disables the NTLM protocol entirely, which is not needed for common AD administration.</P> <P>&nbsp;</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_42-1633113198010.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_42-1633113198010.png" alt="Dabona_42-1633113198010.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>If you don’t want to disable the NTLM protocol and you have Domain Functional Level 2016, you can also enable NTLM rolling to make the NTLM password hash cycle on every login and improve the password eradication.</P> </TD> <TD width="359"> <P><A href="#" target="_blank" rel="noopener">What's new in Credential Protection | Microsoft Docs</A> (Rolling public key only user's NTLM secrets)</P> </TD> </TR> <TR> <TD width="283"> <P>Probably you want to use that user to log in to privileged systems with Remote Desktop. By default, Remote Desktop Protocol requests the use of passwords… Here we don’t have a password to type because the password is unknown by humanity… so… how to?</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_43-1633113198016.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_43-1633113198016.png" alt="Dabona_43-1633113198016.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>The simplest way to solve the above problem is to use the Remote Credential Guard feature if you meet the requirements (Windows 10, version 1607 or Windows Server 2016 
or above).</P> </TD> <TD width="359"> <P><A href="#" target="_blank" rel="noopener">What's new in Credential Protection | Microsoft Docs</A></P> </TD> </TR> <TR> <TD width="283"> <P>To enable it on the server we want to connect to, just add this registry key using the example command:</P> </TD> <TD width="359"> <P>reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD</P> </TD> </TR> <TR> <TD width="283"> <P>From the client where we used the FIDO login, just run RDP with the parameter /RemoteGuard.</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_44-1633113198017.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_44-1633113198017.png" alt="Dabona_44-1633113198017.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now also the RDP remote authentication works well without passwords!!!</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_45-1633113198019.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_45-1633113198019.png" alt="Dabona_45-1633113198019.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_46-1633113198081.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_46-1633113198081.png" alt="Dabona_46-1633113198081.png" /></span> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Now we have signed in to a Domain Controller using an MFA key and it is no longer possible to use a password for domain administration.</P> </TD> <TD width="359"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="283"> <P>Update 1: using a temporary access password it might be possible to never assign even an initial password to a Domain Admin, nor need phone authentication.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Configure a Temporary Access Pass in Azure AD to register 
Passwordless authentication methods | Microsoft Docs</A></P> <P>&nbsp;</P> <P>As detailed above, create a Domain Admin on prem, immediately enable SCRIL and Protected Users, wait for the AD Connect sync time, and create a temporary password for that admin user (the temporary password can only be used to enable an MFA credential without using a phone and without the risk of someone else accessing applications during the configuration phase).</P> <P>&nbsp;</P> <P>We recommend keeping Azure Global Admin and Active Directory Domain Admin identities separate, so don't make synced Domain Admins members of the Azure Global Admins role.</P> <P>&nbsp;</P> </TD> <TD width="359"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_47-1633113198089.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_47-1633113198089.png" alt="Dabona_47-1633113198089.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_48-1633113198092.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_48-1633113198092.png" alt="Dabona_48-1633113198092.png" /></span> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_49-1633113198096.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_49-1633113198096.png" alt="Dabona_49-1633113198096.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dabona_50-1633113198098.png" style="width: 400px;"><img src=";px=400" role="button" title="Dabona_50-1633113198098.png" alt="Dabona_50-1633113198098.png" /></span> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Thu, 07 Oct 2021 07:56:12 GMT Dabona 2021-10-07T07:56:12Z HELP! 
Former IRM setup keeps a complete document library on lock (SharePoint Online) <P>A customer of ours is working in SharePoint Online with a document library.</P><P>This library was once protected with Information Rights Management.</P><P>&nbsp;</P><P>The settings were disabled years ago and even the policies were removed later on.</P><P>&nbsp;</P><P>A while back some users discovered that all older files are still protected with IRM and they are unable to open any of these older documents. New documents are working normally.</P><P>&nbsp;</P><P>Is there any way to unprotect these documents in bulk?</P><P>We already started a support case without a solution; I have a Partner Manager reaching out within Microsoft but haven't had any luck on cracking those documents.</P><P>&nbsp;</P><P>We also tested creating a similar situation on a new site collection by enabling IRM on a library. We copied some of these protected files and some new files into it, and disabled IRM. All regular files are unprotected but the previously protected files are still locked.</P><P>&nbsp;</P><P>Anyone any suggestions?</P> Fri, 01 Oct 2021 13:26:36 GMT Randy Nieraeth 2021-10-01T13:26:36Z New Blog Post | Microsoft Cloud App Security (MCAS) Ninja Training | September 2021 <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sarah_Young_0-1629780482350.png" style="width: 710px;"><img src="" width="710" height="552" role="button" title="Sarah_Young_0-1629780482350.png" alt="Sarah_Young_0-1629780482350.png" /></span></SPAN></P> <P><SPAN><A href="" target="_blank" rel="noopener">Microsoft Cloud App Security (MCAS) Ninja Training | September 2021 - Microsoft Tech Community</A></SPAN></P> <P><SPAN>Have you been wanting to secure your cloud resources? Do you have agreements with non-Microsoft cloud applications? Do you want to share your cloud security knowledge and experience with others? 
Wait no longer, the Microsoft Cloud App Security (MCAS) Ninja training is here!</SPAN></P> <P>&nbsp;</P> <P><SPAN>MCAS has hundreds of amazing videos available&nbsp;and it can sometimes be overwhelming to determine where to start and how to progress through the different levels. We've gone through all these and created this repository of training materials -&nbsp;</SPAN>all in one central location!&nbsp; Please let us know what you think in the comments.</P> Thu, 30 Sep 2021 19:12:54 GMT AshleyMartin 2021-09-30T19:12:54Z New Blog Post | 3 key resources to accelerate your passwordless journey <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SUR22_Go3_Contextual_611_RGB-900x360.png" style="width: 900px;"><img src=";px=999" role="button" title="SUR22_Go3_Contextual_611_RGB-900x360.png" alt="SUR22_Go3_Contextual_611_RGB-900x360.png" /></span></P> <P><A href="#" target="_blank" rel="noopener">3 key resources to accelerate your passwordless journey | Microsoft Security Blog</A></P> <P><SPAN>Every organization today faces password-related challenges—</SPAN><WBR /><SPAN>phishing campaigns, productivity loss, and password management costs to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phish-able and vulnerable to attacks, such as password spray and credential stuffing. People don’t like them either—</SPAN><WBR /><A href="#" target="_blank" rel="noopener">a third of people surveyed</A><SPAN>&nbsp;say they’d rather abandon a website than reset their password. “I don’t have any more passwords left in me,” is becoming an all-too-common feeling. It’s time to look at password alternatives that are both highly secure and convenient. 
Here are a few key resources that can help you as you plan for and&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">deploy passwordless</A><SPAN>&nbsp;for your organization.</SPAN></P> Thu, 30 Sep 2021 19:01:02 GMT AshleyMartin 2021-09-30T19:01:02Z New Blog Post | The Azure Sentinel Anomalies Simulator <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1633027591188.png" style="width: 708px;"><img src="" width="708" height="370" role="button" title="AshleyMartin_0-1633027591188.png" alt="AshleyMartin_0-1633027591188.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure Sentinel Anomalies Simulator (</A></P> <P><SPAN>We are pleased to announce the “Unusual Mass Downgrade AIP Label” anomaly simulator, the first in a series of simulators for Azure Sentinel Anomalies. This simulator will populate the table in Azure Sentinel monitored by the relevant anomaly rule with simulated data. This simulated data will trigger an anomaly. You can review the anomaly by querying the Anomalies table for the anomaly rule’s name. These simulators will enable users to validate that an anomaly rule works in their Sentinel workspace.</SPAN></P> Thu, 30 Sep 2021 18:48:46 GMT AshleyMartin 2021-09-30T18:48:46Z Defending Against Ransomware With Microsoft Security <P>Even if your organization has good backups, and has been affected by ransomware to a limited scope, it may take from a few days to weeks to fully recover from the attack. Most of the preparations for protecting against a successful ransomware attack happen&nbsp;<STRONG>before getting infected</STRONG>. Doing a threat analysis to identify possible threat actors who could potentially target your systems would be a nice start. But it is not possible to identify all threat actors. 
It is therefore important to analyze the steps, the kill chain and attack vectors, and proceed with possible defenses on the <STRONG>strategic, tactical and operational level</STRONG>.</P><P>&nbsp;</P><P><EM>Typical Ransomware Activities Flow</EM></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ransomare.jpg" style="width: 999px;"><img src=";px=999" role="button" title="Ransomare.jpg" alt="Ransomare.jpg" /></span></P><P>An important factor in defending against any malware, and especially against ransomware, is to monitor all the domains (identities, emails, endpoints, applications etc.), both on-premises and in the cloud. A malicious OAuth application can trick the user into logging on to their cloud apps and encrypt, exfiltrate or destroy the data in the cloud.</P><P>&nbsp;</P><P>Ransomware incidents are occurring more often than before, and this trend seems to be continuing. A few reasons contributing to this are:</P><P>&nbsp;</P><OL><LI>Digitalization and cloud adoption, which in turn has increased the attack surface.</LI><LI>Identity has become the central perimeter.</LI><LI>Lack of end-user training and awareness.</LI><LI>MFA can be bypassed if legacy protocols are enabled.</LI><LI>The ease of deploying ransomware, where no coding or technical knowledge is required. Attackers can rent ransomware as a service.</LI><LI>Anonymous payment channels (cryptocurrencies).</LI><LI>Dependency on legacy systems, unpatched / vulnerable systems, insider threats etc.</LI><LI>Weak cyber security architecture and/or management focus.</LI></OL><P>&nbsp;</P><P><STRONG>Target Assets:</STRONG></P><P>The easiest, cheapest and hence the most common attack method is through social engineering. Emails bypass all the traditional security choke points at perimeters like firewalls. If crafted well enough, even the most security-aware users may fall victim to such attacks. 
Similarly, compromised identities, open vulnerabilities and misconfigurations can be exploited to deliver ransomware. Allowing identities to authenticate via legacy protocols can bypass MFA. While users (being the weakest link and first line of defense) are targeted the most, system hardening is equally important so that attackers do not find an open way in via exploiting vulnerabilities. Encryption is the last layer of defense, and if the attack is successful, secure backup is our safest bet.</P><P>&nbsp;</P><P><STRONG>The Importance of Having a Ransomware Policy:</STRONG></P><P>But before going deeper into attack vectors, a very important (and often missing) part of preparation is having an enterprise-wide policy for ransomware, <STRONG>before ransomware hits</STRONG>. It is important to decide as a policy whether we are willing to pay the ransom or not. If we decide to pay as a last resort, we must be aware of the following:</P><P>&nbsp;</P><OL><LI>The decryption key we get after paying may actually not work.</LI><LI>The attackers' businesses depend on these payments.</LI><LI>They may ask for more money (after we have paid for the decryption key) for not leaking our sensitive data on the internet, a phenomenon called double extortion.</LI></OL><P>If we plan not to pay the ransom, we must ensure a rock-solid backup strategy, a way to ensure business continuity and the ability to recover from the disaster. <A href="#" target="_blank" rel="noopener">Azure backups</A>&nbsp;can be considered, which cover both on-premises and cloud workloads. It also provides MFA capability for sensitive operations, in addition to policy management, access control, monitoring and reporting. A contact point in case a crisis happens should already be communicated in advance. It should be understood that once ransomware is deployed, it will be more than a usual incident response process. 
There has to be a way to communicate with employees when email and other communication systems are infected or rendered useless; it should ideally be out-of-band. Cyber insurance (if we have it), legal counsel and public relations will most probably need to be involved as well.</P><P>&nbsp;</P><P><STRONG>Time Between Infection and Detection:</STRONG></P><P>It can take some time (a few days) between the initial foothold and the deployment of ransomware. During this time attackers look for interesting data, try to move laterally and otherwise stay dormant. Ransomware has become an industry, where threat actors deploy ransomware to make money. Just like normal companies, they need to show an increase in yearly profits, and their hope is that victims pay. To increase the chances that victims will pay, the attackers look for the most valued data and the most critical systems, exfiltrate the data, delete or deny access to backup data, remove volume shadow copies, delete restore points etc., before encrypting the data and leaving the note for end users. However, deleting or rendering executables useless, or encrypting DLL files and other files critical for running the system (such as files in the Windows directory), defeats the purpose of deploying ransomware, because the user would be left with no choice other than to rebuild the system from scratch.</P><P>&nbsp;</P><P><STRONG>Common IOCs that EDR looks for:</STRONG></P><P>To understand common Indicators of Compromise, we need to understand how typical ransomware works. If the ransomware needs to connect to a C&amp;C server to download an encryption key, its chances of failing increase, because the communication can be blocked before it reaches the C&amp;C server. 
So it is more common for ransomware to carry or generate the encryption key locally on the system (typically a per-victim key protected with an attacker-controlled public key embedded in the binary), so that no C&amp;C connection is needed before encryption starts.</P><P>&nbsp;</P><P>To ensure that antivirus, anti-malware and other security solutions do not stop it in its tracks, ransomware tries to stop these services first. As mentioned earlier, ransomware does not encrypt or otherwise destroy entire systems. It encrypts files that typically contain important data, like Microsoft Office documents, PDF files, databases, zip files etc. While this is the typical behavior, it can change based on the attacker's choice of files to encrypt.</P><P>&nbsp;</P><P>Some ransomware also creates temporary files with garbage content to fill up the available space.&nbsp; To prevent system recovery, ransomware will typically delete volume shadow copies. This can be done using tools like "wmic", "vssadmin" or PowerShell, or by resizing the amount of space allotted to shadow copy storage so that existing copies are discarded. Ransomware also deletes system restore points for similar purposes. During the process of infection, we typically see one process starting another, such as a Word document with an embedded macro spawning a PowerShell process.</P><P>&nbsp;</P><P><STRONG>The Bigger Picture - Using Microsoft XDR:</STRONG></P><P>It is crucial to monitor all the domains (identities, email, endpoints, applications etc.) for IOCs. This not only ensures that security professionals receive signals from all these domains; it is equally important to be able to correlate all this information at machine speed. The power of Microsoft's XDR lies in its pre-integrated architecture, where security professionals do not need to scramble resources and manually check each system for detailed analysis. All the alerts can be aggregated in a single view by <A href="#" target="_blank" rel="noopener">Azure Sentinel</A>. <A href="#" target="_blank" rel="noopener">Azure Security Center</A> can help you harden PaaS workloads, machines, data services, and apps. 
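The shadow-copy deletion, security-service tampering and Office-to-PowerShell process chains described in the IOC paragraphs above are the observable side of the pre-encryption phase. The Python below is an added example, not code from the original post or from any Microsoft product: it runs those checks over a handful of constructed process-creation events. The event shape (parent image, child image, command line) and the sample command lines are assumptions for illustration, not real telemetry.

```python
"""Flag pre-encryption ransomware behaviour in process-creation telemetry.

Added example, not from the original post. Events are a constructed,
simplified stand-in for EDR process-creation records (parent image,
child image, command line); the sample data below is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    parent: str   # image name of the creating process
    image: str    # image name of the created process
    cmdline: str  # full command line of the created process


# Constructed sample events (not real telemetry). Indexes 0, 7 and 8 are benign.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("explorer.exe", "WINWORD.EXE", r"WINWORD.EXE /n C:\Users\a\invoice.docx"),
    ProcEvent("WINWORD.EXE", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("cmd.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("cmd.exe", "wmic.exe", "wmic.exe shadowcopy delete"),
    ProcEvent("cmd.exe", "powershell.exe",
              'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcEvent("cmd.exe", "vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcEvent("cmd.exe", "net.exe", "net stop WinDefend"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile Get-Service"),
]

# Ways of destroying recovery data named in the post (vssadmin, wmic,
# PowerShell, shrinking shadow storage) plus backup-catalog deletion.
RECOVERY_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Stopping security or backup services before encryption.
SERVICE_TAMPER = re.compile(
    r"\b(sc(\.exe)?\s+stop|net(\.exe)?\s+stop|Stop-Service)\s+.*(defend|sense|backup|sql|vss)", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)


def classify(ev: ProcEvent) -> List[str]:
    """Return the IOC tags that apply to one event (empty list if nothing tripped)."""
    tags: List[str] = []
    if any(p.search(ev.cmdline) for p in RECOVERY_DESTRUCTION):
        tags.append("recovery_data_destruction")
    if SERVICE_TAMPER.search(ev.cmdline):
        tags.append("security_service_tampering")
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        tags.append("office_spawned_script_host")
    if ev.image.lower() in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.cmdline):
        tags.append("encoded_powershell")
    return tags


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that tripped at least one check."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits


def escalate(events: List[ProcEvent]) -> bool:
    """True when two or more distinct behaviours appear on the same host.
    A single vssadmin call may be an administrator; the combination rarely is."""
    seen = {t for tags in triage(events).values() for t in tags}
    return len(seen) >= 2


if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev.parent} -> {ev.image}: {', '.join(tags)}")
    print("escalate:", escalate(SAMPLE_EVENTS))
```

The per-event tags are deliberately kept separate from the escalation decision: each check on its own has a benign explanation (backup administrators resize shadow storage, helpdesk staff run `net stop`), so the host-level combination is what should raise the incident priority, which is the correlation point the XDR section below makes.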
An advanced machine-learning-based feature that ASC provides is called <A href="" target="_blank" rel="noopener">Adaptive Application Controls</A>. How this maps to the MITRE ATT&amp;CK framework can be found <A href="" target="_blank" rel="noopener">here</A>. The different building blocks of Microsoft XDR are as follows:</P><P>&nbsp;</P><UL><LI>Defender for Identity &amp; Azure Identity Protection</LI><LI>Defender for Endpoint</LI><LI>Cloud Apps Security (MCAS)</LI><LI>Email Security (Defender for O365)</LI><LI>Data Loss Prevention</LI><LI>SQL</LI><LI>Servers&nbsp;</LI><LI>Containers</LI><LI>Network</LI><LI>IoT</LI><LI>Azure App Service</LI></UL><P><STRONG>Importance of Backup Strategy:</STRONG></P><P>Regular and effective backups are a critical best practice. We need to perform backups regularly and test restores to ensure that the backup service is working as expected. Using Azure Backup as the storage service has multiple benefits: backups are kept apart from the primary network, which protects them against ransomware that reaches the production systems.&nbsp;</P> Thu, 30 Sep 2021 17:31:47 GMT salkhan 2021-09-30T17:31:47Z What is the maximum number of sensitive Information types which can be applied to a rule? 
<P>Is there a maximum number of sensitive information types that can be applied to a single DLP rule?</P> Thu, 30 Sep 2021 00:52:48 GMT Redman_red 2021-09-30T00:52:48Z New Blog Post | Querying WHOIS/RDAP with Azure Sentinel and Azure Functions <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632948598939.png" style="width: 716px;"><img src="" width="716" height="365" role="button" title="AshleyMartin_0-1632948598939.png" alt="AshleyMartin_0-1632948598939.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions - Microsoft Tech Community</A></P> <P><SPAN>With the amazing increase in domains and top-level domains (TLDs) on the Internet, it's difficult to know just where our users are going. Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users. Recently I was talking with a customer about Azure Sentinel and they had a question about if and how they could raise an alert when a user received an email from a newly registered domain (by their definition this was any domain that had been registered in the last thirty days).&nbsp; While we don't have a built-in feature for this in Sentinel, it is possible to extend Sentinel to include this type of functionality. 
This blog post is about one way that such an extension could be created.&nbsp;</SPAN></P> Wed, 29 Sep 2021 20:54:26 GMT AshleyMartin 2021-09-29T20:54:26Z New Blog Post | Monitoring Azure Sentinel Analytical Rules – Push Health Notifications <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632948085475.png" style="width: 730px;"><img src="" width="730" height="205" role="button" title="AshleyMartin_0-1632948085475.png" alt="AshleyMartin_0-1632948085475.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Monitoring Azure Sentinel Analytical Rules – Push Health Notifications - Microsoft Tech Community</A></P> <P>Azure Sentinel Analytical rules help Security Teams discover threats and anomalous behaviors to ensure full security coverage for your environment</P> <P>&nbsp;</P> <P>After connecting our data sources to Azure Sentinel, first we enable Analytical rules. Each data source comes with built-in, out-of-the-box templates to create threat detection rules.</P> <P>&nbsp;</P> <P>Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for SOC to triage and investigate, and respond to threats with automated tracking and remediation processes<SPAN>.</SPAN></P> <P>&nbsp;</P> Wed, 29 Sep 2021 20:44:36 GMT AshleyMartin 2021-09-29T20:44:36Z New Blog Post | Defend against zero-day exploits with Microsoft Defender Application Guard <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SUR22_LaptopStudio_Contextual_128_RGB-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="SUR22_LaptopStudio_Contextual_128_RGB-900x360.jpg" alt="SUR22_LaptopStudio_Contextual_128_RGB-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">Defend against zero-day exploits with Microsoft Defender Application Guard | Microsoft Security Blog</A></P> 
<P>Zero-day security vulnerabilities—<WBR />known to hackers, but unknown to software creators, security researchers, and the public—<WBR />are like gold to attackers. With zero-days, or even zero-hours, developers have no time to patch the code, giving hackers enough access and time to explore and map internal networks, exfiltrate valuable data, and find other attack vectors.</P> <P>Zero-days have become a great profit engine for hackers due to the peril they pose to the public, organizations, and government. These vulnerabilities are often sold on the dark web for thousands of dollars, fueling nation-state and ransomware attacks and making the cybercrime business even more appealing and profitable to attackers.</P> Wed, 29 Sep 2021 18:25:59 GMT AshleyMartin 2021-09-29T18:25:59Z New Blog Post | How nation-state attackers like NOBELIUM are changing cybersecurity <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SEC20_Security_035-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="SEC20_Security_035-900x360.jpg" alt="SEC20_Security_035-900x360.jpg" /></span></P> <P><SPAN><A href="#" target="_blank" rel="noopener">How nation-state attackers like NOBELIUM are changing cybersecurity | Microsoft Security Blog</A></SPAN></P> <P><SPAN>In many ways, the NOBELIUM nation-state cyberattack realized the deepest fears of United States cybersecurity experts, according to&nbsp;</SPAN><SPAN class="brand">Microsoft 365</SPAN><SPAN>&nbsp;Security Corporate Vice President Rob Lefferts. It was a supply chain attack. It was methodically planned and executed. And it impacted multiple world-class companies with strong security teams. Perhaps, your company was one of them—</SPAN><WBR /><SPAN>or perhaps you know someone who works at a company that was affected. 
As we begin Cybersecurity Awareness Month in October, the far-reaching nature of such attacks is ever-present on our minds, which is one reason why more than 3,500 Microsoft security experts actively defend and protect organizations from cyberattacks every day.</SPAN></P> Wed, 29 Sep 2021 18:21:11 GMT AshleyMartin 2021-09-29T18:21:11Z eDiscovery Content Search - Query <P>I am currently working on a project whereby we're looking at removing ~5,000 deprecated users but will need to retain their data for compliance purposes. Therefore, we have set up retention policies and labels to ensure data remains stored for our required timelines.&nbsp;</P><P>&nbsp;</P><P>To support our retention work, we're implementing an eDiscovery reference model and I need some clarification on the following, please:&nbsp;</P><P>&nbsp;</P><UL><LI><A href="#" target="_blank"></A>&nbsp;suggests that data is stored in users' EXOL mailboxes for live data, which makes sense.&nbsp;&nbsp;</LI><LI>Yet&nbsp;<A href="#" target="_blank"></A>&nbsp;explains that<UL><LI><P>For SharePoint and OneDrive sites: The copy is retained in the<SPAN>&nbsp;</SPAN><STRONG>Preservation Hold</STRONG><SPAN>&nbsp;</SPAN>library.</P></LI><LI><P>For Exchange mailboxes: The copy is retained in the<SPAN>&nbsp;</SPAN><STRONG>Recoverable Items</STRONG><SPAN>&nbsp;</SPAN>folder.</P></LI><LI><P>For Teams and Yammer messages: The copy is retained in a hidden folder named<SPAN>&nbsp;</SPAN><STRONG>SubstrateHolds</STRONG><SPAN>&nbsp;</SPAN>as a subfolder in the Exchange<SPAN>&nbsp;</SPAN><STRONG>Recoverable Items</STRONG><SPAN>&nbsp;</SPAN>folder.</P></LI></UL></LI></UL><P>So, does eDiscovery also look in the listed data retention storage libraries and folders for information that might be retained for compliance purposes/litigation requirements? 
Logically this would make sense but I cannot find it documented anywhere.&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>Thomas.&nbsp;</P> Wed, 29 Sep 2021 08:44:50 GMT BeagleMarauder 2021-09-29T08:44:50Z New Blog Post | A simpler, more integrated approach to data governance <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SUR22_Go3_Contextual_888_RGB-900x360.png" style="width: 900px;"><img src=";px=999" role="button" title="SUR22_Go3_Contextual_888_RGB-900x360.png" alt="SUR22_Go3_Contextual_888_RGB-900x360.png" /></span></P> <P><A href="#" target="_blank" rel="noopener">A simpler, more integrated approach to data governance | Microsoft Security Blog</A></P> <P class="x-hidden-focus">It’s no secret that the volume of data created by organizations and people multiplies daily. And, in the digital—<WBR />and hybrid work—<WBR />world we live in, that data is spread across more tools, platforms, devices, and clouds than ever before, creating regulatory challenges and security risks.</P> <P>Organizations must understand what data they have and where it lives, how it is used, and critically, how it’s all governed.&nbsp;How an organization stores its data and how long it is kept is not just a regulatory compliance issue, but also a security issue.</P> <P class="x-hidden-focus">Today, I’m excited to share the general availability of<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Microsoft Azure Purview</A>, giving organizations that holistic understanding of their data that is so critically important. 
Azure Purview addresses the need for full visibility across all the places where your data lives, making it easier to manage, glean insights, and govern.</P> Tue, 28 Sep 2021 17:21:08 GMT AshleyMartin 2021-09-28T17:21:08Z New Blog Post | FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig2-FoggyWeb-NOBELIUM.png" style="width: 975px;"><img src=";px=999" role="button" title="Fig2-FoggyWeb-NOBELIUM.png" alt="Fig2-FoggyWeb-NOBELIUM.png" /></span></P> <P><A href="#" target="_blank" rel="noopener">FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor | Microsoft Security Blog</A></P> <P><SPAN>Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the&nbsp;</SPAN><A href="#" target="_blank">SUNBURST backdoor, TEARDROP malware, and related components</A><SPAN>. As we stated before, we suspect that NOBELIUM can draw from significant operational resources often showcased in their campaigns, including custom-built malware and tools. In March 2021, we profiled NOBELIUM’s&nbsp;</SPAN><A href="#" target="_blank">GoldMax, GoldFinder, and Sibot malware</A><SPAN>, which it uses for layered persistence. We then followed that up with another post in May, when we analyzed the actor’s early-stage toolset comprising&nbsp;</SPAN><A href="#" target="_blank">EnvyScout, BoomBox, NativeZone, and VaporRage</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>This blog is another in-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as&nbsp;<STRONG>FoggyWeb</STRONG>. As mentioned in previous blogs, NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (<A href="#" target="_blank">AD FS</A>) servers. 
Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted&nbsp;<A href="#" target="_blank">token-signing certificate</A>, and&nbsp;<A href="#" target="_blank">token-decryption certificate</A>, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.</SPAN></P> Tue, 28 Sep 2021 17:13:47 GMT AshleyMartin 2021-09-28T17:13:47Z New Blog Post | Azure Sentinel Threat Intelligence in Public and Azure Government Cloud <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632846077617.jpeg" style="width: 718px;"><img src="" width="718" height="352" role="button" title="AshleyMartin_0-1632846077617.jpeg" alt="AshleyMartin_0-1632846077617.jpeg" /></span></P> <P><A href="" target="_blank" rel="noopener">General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government&nbsp;cloud - Microsoft Tech Community</A></P> <P><SPAN data-contrast="auto">In today’s era of growing cyber-attacks, Cyber Threat Intelligence (CTI) is a key factor to help Security Operations Center (SOC) analyst&nbsp;triage and respond to incidents. 
Azure Sentinel is a cloud native SIEM solution that allows&nbsp;customers&nbsp;to import threat intelligence data from various&nbsp;places such as paid threat feeds, open-source feeds,&nbsp;and from various threat intelligence sharing communities like ISACs.&nbsp;Today we are announcing the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">General availability&nbsp;(GA)</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;of&nbsp;<STRONG>Azure Sentinel&nbsp;</STRONG></SPAN><STRONG><SPAN data-contrast="auto">Threat Intelligence&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">in Public cloud and&nbsp;<SPAN class="TextRun SCXW174353307 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW174353307 BCX0">Azure Government cloud</SPAN></SPAN>&nbsp;within 30 days from today.&nbsp;</SPAN></P> <P>&nbsp;</P> Tue, 28 Sep 2021 16:28:35 GMT AshleyMartin 2021-09-28T16:28:35Z Feature request - Azure Information Protection - read .pfiles from iOS and protect .mp3 files <P>I hope this message will reach the Microsoft product development team that handles feature requests for Azure Information Protection. I have a use case where a famous artist wants to share .mp3 files with Azure Information Protection configured on the file. He wants to prevent forwarding of this file (e.g. on WhatsApp). 
I would say these are two separate requests, since .mp3 files aren’t supported file types (yet?), and the iOS app can’t handle the use of .pfile extensions.<BR /><BR />Can someone give me some feedback on whether this feature will be implemented in the (near) future?</P> Tue, 28 Sep 2021 10:11:31 GMT BilalelHadd 2021-09-28T10:11:31Z Powering the Modern Workplace with Microsoft + Zscaler <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="zscaler-modern-workplace-webinar-social-card-1200x628-1 (1) (1).png" style="width: 999px;"><img src=";px=999" role="button" title="zscaler-modern-workplace-webinar-social-card-1200x628-1 (1) (1).png" alt="zscaler-modern-workplace-webinar-social-card-1200x628-1 (1) (1).png" /></span></STRONG></P> <P>&nbsp;</P> <P>Join <STRONG>Mandana Javaheri</STRONG>, Global Senior Director, Cybersecurity Strategist with Microsoft, along with <STRONG>Steve House</STRONG>, SVP of Product Management with Zscaler, as they discuss helping your people and teams thrive, protecting sensitive data, and propelling the business forward. 
We will take a deep dive into the integrations between Microsoft and Zscaler.&nbsp;</P> <P>&nbsp;</P> <DIV><STRONG>Webinar Dates:</STRONG></DIV> <UL> <LI><STRONG>Americas:</STRONG><SPAN>&nbsp;</SPAN>Wednesday, October 27, 2021 | 11:00 AM PT | 2:00 PM ET</LI> <LI><STRONG>EMEA:<SPAN>&nbsp;</SPAN></STRONG>Thursday, October 28, 2021 | 10:00 AM BST | 11:00 AM CEST</LI> <LI><STRONG>APAC:</STRONG><SPAN>&nbsp;</SPAN>Thursday, October 28, 2021 | 9:30 AM IST | 3:00 PM AEDT</LI> </UL> <P>For more information and to register for the webinar, please click <A href="#" target="_self">here</A>.&nbsp;</P> Mon, 27 Sep 2021 22:37:35 GMT Kacy_Johnson 2021-09-27T22:37:35Z New Blog Post | AI security risk assessment using Counterfit <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSC19_paddingtonOffice_001-900x360 (1).jpg" style="width: 900px;"><img src=";px=999" role="button" title="MSC19_paddingtonOffice_001-900x360 (1).jpg" alt="MSC19_paddingtonOffice_001-900x360 (1).jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">AI security risk assessment using Counterfit | Microsoft Security Blog</A></P> <P>Today,<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">we are releasing Counterfit</A>, an automation tool for security testing AI systems as an open-source project. Counterfit helps organizations conduct AI security risk assessments to ensure that the algorithms used in their businesses are robust, reliable, and trustworthy.</P> <P class="">AI systems are increasingly used in critical areas such as healthcare, finance, and defense. Consumers must have confidence that the AI systems powering these important domains are secure from adversarial manipulation. 
For instance, one of the recommendations from Gartner’s<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Top 5 Priorities for Managing AI Risk Within Gartner’s MOST Framework</A><SPAN>&nbsp;</SPAN>published in Jan 2021<SUP>1</SUP>&nbsp;is that organizations “Adopt specific AI security measures against adversarial attacks to ensure resistance and resilience,” noting that “By 2024, organizations that implement dedicated AI risk management controls will successfully avoid negative AI outcomes twice as often as those that do not.”</P> Mon, 27 Sep 2021 19:08:44 GMT AshleyMartin 2021-09-27T19:08:44Z New Blog Post | A guide to combatting human-operated ransomware: Part 2 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CLO20b_Sylvie_office_night_001-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="CLO20b_Sylvie_office_night_001-900x360.jpg" alt="CLO20b_Sylvie_office_night_001-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog</A></P> <P><SPAN>In&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">part one</A><SPAN>&nbsp;of this blog series, we described the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. We also explained how Microsoft’s Detection and Response Team (DART) leverages Microsoft solutions to help combat this threat. 
In this post, we will tackle the risks of human-operated ransomware and detail DART’s security recommendations for tactical containment actions and post-incident activities in the event of an attack.</SPAN></P> Mon, 27 Sep 2021 18:01:51 GMT AshleyMartin 2021-09-27T18:01:51Z New Blog Post | The Attack Simulation Training landing page is now customizable <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632763398991.png" style="width: 722px;"><img src="" width="722" height="894" role="button" title="AshleyMartin_0-1632763398991.png" alt="AshleyMartin_0-1632763398991.png" /></span></P> <P><A href="" target="_blank" rel="noopener">The Attack Simulation Training landing page is now customizable - Microsoft Tech Community</A></P> <P>Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates design and deployment of an integrated security awareness training program across an organization. The landing page, where targeted users are notified that they fell prey to a phishing simulation, is a key learning moment.</P> <P>&nbsp;</P> <P>The previous landing page offered a generic header and body, with limited customization capabilities. We’re pleased to announce the availability of a new landing page experience that allows customers to easily tailor the landing page to suit the requirements of their enterprise and include their own branding<SPAN>.</SPAN></P> <P>&nbsp;</P> Mon, 27 Sep 2021 17:26:49 GMT AshleyMartin 2021-09-27T17:26:49Z DLP policy matches report <P>Hello Guys,</P><P>&nbsp;</P><P>We recently set up 3 DLP policies in test mode with 1 rule each . However we observed as below</P><P>&nbsp;</P><P>1. The number of matches changes each time we refresh the report . Also the number vary a lot , sometimes it increases by 200 and sometimes decreases too. What could be the cause for same</P><P>&nbsp;</P><P>2. 
The report shows a particular file matching multiple rules. As per my understanding, in case of multiple matches a file will match only one rule/policy, based on the priority set.</P><P>&nbsp;</P><P>3. When I filter the DLP policy matches report by a specific rule/policy, I still see rules appearing other than the one I have filtered on.</P><P>&nbsp;</P><P>Have you also observed the same, and what is the logic behind it?&nbsp;</P> Mon, 27 Sep 2021 11:37:00 GMT Mansi_Dathena 2021-09-27T11:37:00Z MCAS or 365 Security <P>Hey all,</P><P>&nbsp;</P><P>I'm relatively new to the industry and have been tasked with championing some of our E5 platforms.</P><P>We have both MCAS and MS 365 Security, which I'm going to call MDE... My questions are:</P><P>1. Which one should I be using to manage alerts?</P><P>&nbsp; &nbsp; a. Why can't I manage alert policies in MDE when I can in MCAS?&nbsp;</P><P>2. What are the differences between the two?</P><P>3. Should we even be using both of them?</P> Fri, 24 Sep 2021 15:56:25 GMT SDB8519 2021-09-24T15:56:25Z A Label in information protection not work correct <P>Dear All,</P><P>&nbsp;I have a problem with my label. I defined a label named "Personal" and configured it with "Let user assign permission". Last month it worked normally, but now when I label a document with "Personal", it opens a different window (I have attached a screenshot to this discussion). Can anyone help me solve it?</P><P>More information:</P><P>&nbsp;1. I am using an EMS E5 license</P><P>&nbsp;2. My Office is 2019 and Office 365 Apps for Business</P><P>Thank you very much!<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Untitled.png" style="width: 617px;"><img src=";px=999" role="button" title="Untitled.png" alt="Untitled.png" /></span></P> Fri, 24 Sep 2021 02:48:00 GMT Thang_Le 2021-09-24T02:48:00Z An example of how you can use a custom Sensitive Info Type in the Microsoft 365 compliance center! 
<P>&nbsp;</P> <P>Dear Microsoft 365 Security and Compliance Friends,</P> <P>&nbsp;</P> <P>Collaboration in today's world, with a wide variety of Microsoft cloud services, is here to stay. As in all situations, there are pros and cons. For this reason, in this article I will show you how to work with Sensitive Info Types. But I won't use the "general" classic with the credit card numbers, but a real situation with a customer.</P> <P>Here's the scenario I encountered with a customer. Technical manuals are created by engineers, including PowerShell blocks that are used for various configurations. These documents are a precious asset for the company/organization. These documents cannot simply "leave" the company or be shared. This is where "our" Sensitive Info Type comes into play. But how exactly does a Sensitive Info Type work? I will show you in a moment in the Microsoft 365 compliance center (and yes, with the example of credit card numbers ;-).&nbsp;After that, we create our own Sensitive Info Type.</P> <P>&nbsp;</P> <P>We start by navigating to the Microsoft 365 compliance center. <A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P><STRONG>In the menu click on "Data classification" and navigate to "Sensitive info types". To the right you will see the search box; enter "cred". The Sensitive Info Type "Credit Card Number" then appears.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen1.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen1.JPG" alt="_Sen1.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Click on "Credit Card Number". A new card will open. 
Click on "Test".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen2.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen2.JPG" alt="_Sen2.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Select "Upload file", I have prepared a text file with a fake credit card number.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen3.JPG" style="width: 600px;"><img src=";px=999" role="button" title="_Sen3.JPG" alt="_Sen3.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Now click on "Test".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen4.JPG" style="width: 520px;"><img src=";px=999" role="button" title="_Sen4.JPG" alt="_Sen4.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>We see there is a match. This is how a Sensitive Info Type works (for example, in a policy). Click Finish.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen5.JPG" style="width: 544px;"><img src=";px=999" role="button" title="_Sen5.JPG" alt="_Sen5.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Now we create our own Sensitive Info Type. We go back to Sensitive Info Type, delete keyword in the search box and click on "Create sensitive info type". 
</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen6.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen6.JPG" alt="_Sen6.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Assign a name and description.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen7.JPG" style="width: 950px;"><img src=";px=999" role="button" title="_Sen7.JPG" alt="_Sen7.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Click on "Create pattern".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen8.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen8.JPG" alt="_Sen8.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Confidence level: High confidence.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen9.JPG" style="width: 558px;"><img src=";px=999" role="button" title="_Sen9.JPG" alt="_Sen9.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Click "Add primary element" and select "Regular expression".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen10.JPG" style="width: 465px;"><img src=";px=999" role="button" title="_Sen10.JPG" alt="_Sen10.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>At "ID" you assign a name, at "Regular expression" you enter the following example, and then click on "Done".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen11.JPG" style="width: 561px;"><img src=";px=999" role="button" title="_Sen11.JPG" alt="_Sen11.JPG" /></span></P> <P>(RegEx:&nbsp;New-[a-zA-Z]+|Remove-[a-zA-Z]+|Get-[a-zA-Z]+|Add-[a-zA-Z]+|Set-[a-zA-Z]+)</P> <P>&nbsp;</P> <P><STRONG>Click on "Supporting elements" and select "Regular expression" again.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen12.JPG" style="width: 561px;"><img src=";px=999" 
role="button" title="_Sen12.JPG" alt="_Sen12.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Enter a name at "ID", enter the following example as the regular expression, and click "Done".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen13.JPG" style="width: 566px;"><img src=";px=999" role="button" title="_Sen13.JPG" alt="_Sen13.JPG" /></span></P> <P>(RegEx: \s-[a-zA-Z]+\s)</P> <P>&nbsp;</P> <P><STRONG>We will create a second "pattern". Click on "Create pattern".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen14.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen14.JPG" alt="_Sen14.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>This time with a "Confidence level" of Medium. Click "Add primary element" again.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen15.JPG" style="width: 544px;"><img src=";px=999" role="button" title="_Sen15.JPG" alt="_Sen15.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>At "ID" you assign a name, at "Regular expression" you enter the same primary regular expression as before, and then click on "Done".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen11.JPG" style="width: 561px;"><img src=";px=999" role="button" title="_Sen11.JPG" alt="_Sen11.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Now we have two patterns; we click on "Next".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen16.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen16.JPG" alt="_Sen16.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Now we can determine the recommended confidence level.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen17.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen17.JPG" alt="_Sen17.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>We get the summary 
and click on "Create".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen18.JPG" style="width: 536px;"><img src=";px=999" role="button" title="_Sen18.JPG" alt="_Sen18.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Perfect, click on "Done".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen19.JPG" style="width: 915px;"><img src=";px=999" role="button" title="_Sen19.JPG" alt="_Sen19.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Back to the "Sensitive Info Type", we navigate to the search field again and enter "power". Now our new Sensitive Info Type appears. Click on the Sensitive Info Type.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen20.JPG" style="width: 999px;"><img src=";px=999" role="button" title="_Sen20.JPG" alt="_Sen20.JPG" /></span></P> <P>&nbsp;</P> <P><STRONG>Click on "Test".</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen21.JPG" style="width: 507px;"><img src=";px=999" role="button" title="_Sen21.JPG" alt="_Sen21.JPG" /></span></P> <P><STRONG>Now you need to upload a file again. I have prepared a Word document which is a guide for deploying a VM in Azure using PowerShell. 
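</STRONG></P> <P>Before relying on the portal's "Test" dialog alone, it helps to exercise the two regular expressions offline and see how the two patterns interact. The following Python script is an added example for this walkthrough, not code from the original post and not Microsoft's implementation of Sensitive Info Types: it reproduces the primary and supporting expressions exactly as entered above and scores each cmdlet match as High when a supporting element (a parameter such as " -Name ") sits within a proximity window of it, and as Medium otherwise. The 300-character window is an assumption modelled on the portal's default character proximity, and the sample documents are constructed for the example, not the author's Word file.</P>

```python
import re

# The two regular expressions exactly as entered in the article's patterns.
PRIMARY_RE = re.compile(
    r"New-[a-zA-Z]+|Remove-[a-zA-Z]+|Get-[a-zA-Z]+|Add-[a-zA-Z]+|Set-[a-zA-Z]+"
)
SUPPORTING_RE = re.compile(r"\s-[a-zA-Z]+\s")

# Assumption: the compliance portal's default character proximity is 300; a
# supporting element only counts when it lies within this many characters of
# the primary match. This is a model of the portal's behaviour, not its code.
PROXIMITY = 300


def evaluate(text, proximity=PROXIMITY):
    """Score every primary match against the article's two patterns.

    Returns one dict per cmdlet match with the strongest pattern it satisfies:
    "High" when a supporting match (a parameter such as " -Name ") lies within
    `proximity` characters of it, otherwise "Medium" (the second pattern has no
    supporting element, so the cmdlet alone is enough for it).
    """
    supporting = [m.span() for m in SUPPORTING_RE.finditer(text)]
    hits = []
    for m in PRIMARY_RE.finditer(text):
        start, end = m.span()
        lo, hi = max(0, start - proximity), end + proximity
        supported = any(lo <= s and e <= hi for s, e in supporting)
        hits.append({"cmdlet": m.group(0), "confidence": "High" if supported else "Medium"})
    return hits


def overall_confidence(text, proximity=PROXIMITY):
    """Highest confidence reached by any match, or None if nothing matched."""
    levels = {h["confidence"] for h in evaluate(text, proximity)}
    if "High" in levels:
        return "High"
    if "Medium" in levels:
        return "Medium"
    return None


# Constructed sample inputs (not the author's Word document).
VM_GUIDE = (
    "Deploy a VM in Azure with PowerShell\n"
    "New-AzResourceGroup -Name rg-demo -Location westeurope\n"
    "New-AzVM -ResourceGroupName rg-demo -Name vm01 -Image Win2019Datacenter\n"
    "Get-AzVM -ResourceGroupName rg-demo\n"
)
# A document that only mentions a cmdlet in prose, with no parameters nearby.
PROSE_ONLY = "Run Get-Help in a console if you are unsure which cmdlet to use."
# A parameter at the very end of the text: no trailing whitespace, so the
# supporting expression cannot match and only the Medium pattern fires.
TRAILING_PARAM = "Get-AzVM -Name"
# A document with nothing the Sensitive Info Type should care about.
NO_MATCH = "Quarterly budget review: travel, training, and hardware refresh."

if __name__ == "__main__":
    samples = (("VM_GUIDE", VM_GUIDE), ("PROSE_ONLY", PROSE_ONLY),
               ("TRAILING_PARAM", TRAILING_PARAM), ("NO_MATCH", NO_MATCH))
    for label, doc in samples:
        print(f"{label}: {overall_confidence(doc)} {evaluate(doc)}")
```

<P>Two things the script makes visible before you upload anything: the supporting expression needs whitespace on both sides, so a parameter that ends the document without a trailing newline is missed, and the primary expression fires on prose that merely mentions a cmdlet name, which is exactly the case the Medium-confidence pattern exists to catch. Lowering the proximity argument shows how quickly a High match degrades to Medium when parameters are not close to the cmdlet.</P> <P><STRONG>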
After that, click "Test" again.</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen22.JPG" style="width: 560px;"><img src=";px=999" role="button" title="_Sen22.JPG" alt="_Sen22.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="_Sen23.JPG" style="width: 558px;"><img src=";px=999" role="button" title="_Sen23.JPG" alt="_Sen23.JPG" /></span></P> <P>&nbsp;</P> <P>Jackpot!&nbsp;<SPAN style="font-family: inherit;">The test reports a match, so our Sensitive Info Type detects this content and can be used in a policy with confidence.</SPAN></P> <P>&nbsp;</P> <P>Sure, this wasn't super exciting, but I still wanted to share this information with you.</P> <P>&nbsp;</P> <P>I hope this article was helpful for you. Thank you for taking the time to read it.</P> <P>&nbsp;</P> <P>Best regards, Tom Wechsler</P> Thu, 23 Sep 2021 12:28:44 GMT TomWechsler 2021-09-23T12:28:44Z New Blog Post | Microsoft Defender for Identity - new exclusion settings now in Public Preview <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632341650813.png" style="width: 711px;"><img src="" width="711" height="526" role="button" title="AshleyMartin_0-1632341650813.png" alt="AshleyMartin_0-1632341650813.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Microsoft Defender for Identity - new exclusion settings now in Public Preview - Microsoft Tech Community</A></P> <P><SPAN>As part of ongoing efforts to make all experiences and features from Microsoft Defender for Identity available in Microsoft 365 Defender, the product group took the opportunity to not just lift and shift the exclusion configuration page, but to revamp the experience and make some new functionality available for security teams. 
This announcement confirms that these features are now available in public preview and will be made generally available soon.</SPAN></P> <P>&nbsp;</P> Wed, 22 Sep 2021 20:15:23 GMT AshleyMartin 2021-09-22T20:15:23Z New Blog Post | Azure Sentinel To-Go! A Linux Lab with AUOMS - Learn About the OMI Vulnerability <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632334732117.png" style="width: 700px;"><img src="" width="700" height="436" role="button" title="AshleyMartin_0-1632334732117.png" alt="AshleyMartin_0-1632334732117.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure Sentinel To-Go! A Linux Lab with AUOMS Set Up to Learn About the OMI Vulnerability - Microsoft Tech Community</A></P> <P><SPAN>Last week, on September 14th, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities (<A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38645</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38649</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38648</A>) and one unauthenticated Remote Code Execution (RCE) vulnerability (<A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38647</A>).</SPAN></P> <P><SPAN data-contrast="none">These vulnerabilities affect the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener 
noreferrer"><SPAN data-contrast="none">Open Management Infrastructure (OMI)</SPAN></A><SPAN data-contrast="none">,&nbsp;an open-source project&nbsp;to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI&nbsp;Common Information Model Object Manager (CIMOM)&nbsp;is also designed to be portable and highly modular. It is written in C and the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer"><SPAN data-contrast="none">code is available in GitHub</SPAN></A><SPAN data-contrast="none">.</SPAN></P> <P>&nbsp;</P> Wed, 22 Sep 2021 18:20:57 GMT AshleyMartin 2021-09-22T18:20:57Z New Blog Post | Azure Defender PoC Series - Azure Defender for Servers <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632247370230.jpeg" style="width: 682px;"><img src="" width="682" height="412" role="button" title="AshleyMartin_0-1632247370230.jpeg" alt="AshleyMartin_0-1632247370230.jpeg" /></span></P> <P>&nbsp;</P> <P><A href="" target="_blank" rel="noopener">Azure Defender PoC Series - Azure Defender for Servers - Microsoft Tech Community</A></P> <P>This article is part of our Azure Defender PoC Series which provides you with guidelines on how to perform a successful proof of concept for a specific Azure Defender plan. 
For a more holistic approach where you need to validate Azure Security Center and Azure Defender, please read&nbsp;<A href="" target="_blank" rel="noopener">How to Effectively Perform an Azure Security Center PoC</A>.</P> <P>&nbsp;</P> <P>Azure Defender is the Cloud Workload Protection Platform (CWPP) built into Azure Security Center, which provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener noreferrer">Azure Defender for Servers</A><SPAN>&nbsp;</SPAN>adds threat detection and advanced defenses for your Windows and Linux machines.</P> Tue, 21 Sep 2021 18:08:55 GMT AshleyMartin 2021-09-21T18:08:55Z New Blog Post | Catching the big fish: Analyzing a large-scale phishing-as-a-service operation <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig7_BPL_Docusign-1024x652.png" style="width: 999px;"><img src=";px=999" role="button" title="Fig7_BPL_Docusign-1024x652.png" alt="Fig7_BPL_Docusign-1024x652.png" /></span></P> <P><A href="#" target="_blank" rel="noopener">Catching the big fish: Analyzing a large-scale phishing-as-a-service operation | Microsoft Security Blog</A></P> <P class="">In researching phishing attacks, we came across a campaign that used a rather high volume of newly created and unique subdomains—<WBR />over 300,000 in a single run. This investigation led us down a rabbit hole as we unearthed one of the operations that enabled the campaign: a large-scale phishing-as-a-service operation called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a relatively low cost.</P> <P>With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. 
BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.</P> Tue, 21 Sep 2021 17:55:45 GMT AshleyMartin 2021-09-21T17:55:45Z New Blog Post | Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632246318485.png" style="width: 698px;"><img src="" width="698" height="480" role="button" title="AshleyMartin_0-1632246318485.png" alt="AshleyMartin_0-1632246318485.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List - Microsoft Tech Community</A></P> <P>Through<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Part 1</A><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Part 2</A><SPAN>&nbsp;</SPAN>of this Azure Sentinel Notebook Ninja series, we’ve discussed the concepts and activities to best become acclimated with Jupyter notebooks for Azure Sentinel. 
The next step in our process is understanding the value of having ready-made notebooks available for use as part of the solution.</P> <P>&nbsp;</P> <P>When a customer stands up Azure Sentinel for the first time, there are a number of additional pieces of ready-to-use collateral that are provided<SPAN>&nbsp;</SPAN><EM>out-of-the-box</EM><SPAN>&nbsp;</SPAN>including Analytics Rules, Hunting queries, Connectors, Solutions, Workbooks – and – you guessed it –<SPAN>&nbsp;</SPAN><STRONG>Notebooks</STRONG>.</P> <P>&nbsp;</P> Tue, 21 Sep 2021 17:50:39 GMT AshleyMartin 2021-09-21T17:50:39Z New Blog Post | 3 trends shaping identity as the center of modern security <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSC21_Getty_office_1041512966-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="MSC21_Getty_office_1041512966-900x360.jpg" alt="MSC21_Getty_office_1041512966-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">3 trends shaping identity as the center of modern security | Microsoft Security Blog</A></P> <P>I recently returned from Kenya, where I visited our Microsoft Nairobi development center. Like many of you, I’ve mostly worked from home for the past year and more, so it was refreshing to meet members of our global team and inspiring to feel their passion for our mission: delivering<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">identity solutions</A><SPAN>&nbsp;</SPAN>that secure access to everything for everyone.</P> <P class="x-hidden-focus">This mission has never been more important, given that identity has become the focal point of our digital society. Identity enabled us to rapidly shift to remote models when the pandemic first hit, and identity will help sustain the trend toward more permanent remote and hybrid models moving forward. But other emerging trends will also have a major impact on our digital society. 
Our team at Microsoft, as well as the identity community at large, is working hard to make sure you have the tools and technologies you need to navigate them safely and securely.</P> Tue, 21 Sep 2021 17:41:24 GMT AshleyMartin 2021-09-21T17:41:24Z New Blog Post | Microsoft Continues to Enhance DLP Customer Value with New Capabilities <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JasonCohen1892_0-1632167764758.png" style="width: 999px;"><img src=";px=999" role="button" title="JasonCohen1892_0-1632167764758.png" alt="JasonCohen1892_0-1632167764758.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Microsoft Unified DLP update September 2021</A></P> <P>Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer, or use.</P> <P>&nbsp;</P> <P>In the past few months, Microsoft has introduced a wide range of new capabilities in General Availability and Public Preview that are designed to provide new ways of protecting data across a wider breadth of use cases and workloads and provide greater visibility into how sensitive content is used, stored and shared. 
These include:</P> <UL> <LI>Customizable DLP policy violation justifications</LI> <LI>Protect sensitive data when it is shared across Bluetooth</LI> <LI>Protect sensitive data when it is shared across Remote Desktop Protocol (RDP) sessions</LI> <LI>Automatically quarantine sensitive files when they’re accessed by an unallowed app</LI> <LI>Displaying of cloud DLP policy events from Exchange, SharePoint-OneDrive, and Teams in Activity explorer</LI> <LI>Displaying of sensitivity label activity from Office native (Word, Excel, PowerPoint, Outlook) in Activity explorer</LI> <LI>Displaying of sensitive information, sensitivity label, and retention label detection events for files and documents from OneDrive in Activity Explorer</LI> </UL> Mon, 20 Sep 2021 19:56:52 GMT JasonCohen1892 2021-09-20T19:56:52Z New Blog Post | A guide to combatting human-operated ransomware: Part 1 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CLO20b_Sabien_office_007-900x360.jpg" style="width: 900px;"><img src=";px=999" role="button" title="CLO20b_Sabien_office_007-900x360.jpg" alt="CLO20b_Sabien_office_007-900x360.jpg" /></span></P> <P><A href="#" target="_blank" rel="noopener">A guide to combatting human-operated ransomware: Part 1 | Microsoft Security Blog</A></P> <P><SPAN>Microsoft’s Detection and Response Team (DART) has helped customers of all sizes, across many industries and regions, investigate and remediate human-operated ransomware for over five years. This blog aims to explain the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. 
We will also discuss how DART leverages Microsoft solutions such as&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A><SPAN>,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity</A><SPAN>, and&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">Microsoft Cloud App Security</A><SPAN>&nbsp;(MCAS) within customer environments while collaborating with cross-functional threat intelligence teams across Microsoft who similarly track human-operated ransomware activities and behaviors.</SPAN></P> Mon, 20 Sep 2021 18:35:21 GMT AshleyMartin 2021-09-20T18:35:21Z New Blog Post | Unusual MIRAI variant looks for mining infrastructure <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632161284642.png" style="width: 693px;"><img src="" width="693" height="381" role="button" title="AshleyMartin_0-1632161284642.png" alt="AshleyMartin_0-1632161284642.png" /></span></P> <P>&nbsp;</P> <P><A href="" target="_blank" rel="noopener">Unusual MIRAI variant looks for mining infrastructure - Microsoft Tech Community</A></P> <P>At Microsoft, the data from attacks that we see against our cloud services informs our security research and investments. Microsoft uses this data, and other sources, to track emerging threats as well as to improve the detection coverage of our security offerings. The results of this benefit customers through products such as Azure Defender and Azure Sentinel.</P> <P>&nbsp;</P> <P data-unlink="true">Microsoft works with a range of partners including academia to develop new ways of analyzing and exploring big data sets. 
We’ve even<SPAN>&nbsp;</SPAN><A href="" target="_self">released large dumps of this kind of data</A><SPAN>&nbsp;</SPAN>in the past to help other security researchers not affiliated with Microsoft.&nbsp;This year Microsoft has worked with MSc student Philip Thiede, supervised by Francesco Sanna Passino and Nick Heard at Imperial College, where they have been developing innovative clustering approaches to explore this data for Philip's MSc thesis.</P> Mon, 20 Sep 2021 18:29:33 GMT AshleyMartin 2021-09-20T18:29:33Z New Blog Post | Microsoft Continues to Enhance DLP Customer Value with New Capabilities <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632158972124.png" style="width: 711px;"><img src="" width="711" height="400" role="button" title="AshleyMartin_0-1632158972124.png" alt="AshleyMartin_0-1632158972124.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Microsoft Unified DLP update September 2021</A></P> <P>Microsoft’s unified Data Loss Prevention solution provides a simple and unified approach to protecting sensitive information from risky or inappropriate sharing, transfer, or use.</P> <P>&nbsp;</P> <P>In the past few months, Microsoft has introduced a wide range of new capabilities in General Availability and Public Preview that are designed to provide new ways of protecting data across a wider breadth of use cases and workloads and provide greater visibility into how sensitive content is used, stored and shared. 
These include:</P> <UL> <LI>Customizable DLP policy violation justifications</LI> <LI>Protect sensitive data when it is shared across Bluetooth</LI> <LI>Protect sensitive data when it is shared across Remote Desktop Protocol (RDP) sessions</LI> <LI>Automatically quarantine sensitive files when they’re accessed by an unallowed app</LI> <LI>Displaying of cloud DLP policy events from Exchange, SharePoint-OneDrive, and Teams in Activity explorer</LI> <LI>Displaying of sensitivity label activity from Office native (Word, Excel, PowerPoint, Outlook) in Activity explorer</LI> <LI>Displaying of sensitive information, sensitivity label, and retention label detection events for files and documents from OneDrive in Activity Explorer</LI> </UL> <P>&nbsp;</P> Mon, 20 Sep 2021 17:33:21 GMT AshleyMartin 2021-09-20T17:33:21Z New Blog Post | Enhanced Malicious OAuth Activity Detection Capabilities in App Governance <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="App Governance Screen.png" style="width: 999px;"><img src=";px=999" role="button" title="App Governance Screen.png" alt="App Governance Screen.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Announcing Enhanced Malicious OAuth Activity Detection Capabilities in App Governance - Microsoft Tech Community</A></P> <P>With the increase in popularity of global cloud platforms, the number of cloud applications developed by Service Providers, Independent Service Vendors (ISVs), and Citizen developers have been on a steep incline. 
This growth has, in turn, attracted malicious actors seeking to exploit the platform and its users to gain access to valuable data and resources resulting in an uptick of security incidents involving apps, both in terms of frequency and impact.</P> <P>&nbsp;</P> <P>These incidents span a wide range, including malicious apps engaging in<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">OAuth consent phishing</A>, as well as apps in good standing that are vulnerable to being exploited by bad actors. With hundreds to thousands of apps in an organization capable of accessing data, administrators find it even more challenging to audit the apps running in their environment and to ensure they are protected from malicious or non-compliant apps.</P> Mon, 20 Sep 2021 17:27:19 GMT AshleyMartin 2021-09-20T17:27:19Z New Blog Post | Hunting for OMI Vulnerability Exploitation with Azure Sentinel <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632158001259.png" style="width: 719px;"><img src="" width="719" height="302" role="button" title="AshleyMartin_0-1632158001259.png" alt="AshleyMartin_0-1632158001259.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community</A></P> <P><SPAN>Following the September 14</SPAN><SUP>th</SUP><SPAN>, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (</SPAN><A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38645</A><SPAN>,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38649</A><SPAN>,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38648</A><SPAN>) and one unauthenticated Remote Code Execution (RCE) vulnerability (</SPAN><A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38647</A><SPAN>) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat 
Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the&nbsp;</SPAN><A href="#" target="_self" rel="noopener noreferrer">MSRC guidance</A><SPAN>&nbsp;to block ports that you aren't using and to ensure the OMI service is patched is a great first step. In this blog, we share what we know about current attacks in the wild, the agents and software involved, indicators for defenders to look for on host machines, and new detections in Azure Sentinel.</SPAN></P> Mon, 20 Sep 2021 17:16:08 GMT AshleyMartin 2021-09-20T17:16:08Z New Blog Post | ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extension <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1632157489239.gif" style="width: 705px;"><img src="" width="705" height="476" role="button" title="AshleyMartin_0-1632157489239.gif" alt="AshleyMartin_0-1632157489239.gif" /></span></P> <P><A href="" target="_blank" rel="noopener">Using ASC to find&nbsp;machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community</A></P> <P>Two weeks ago,&nbsp;Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.</P> <P>&nbsp;</P> <P>OMI is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. 
The remote code execution vulnerability,&nbsp;CVE-2021-38647,&nbsp;only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management.&nbsp;&nbsp;</P> <P>&nbsp;</P> Mon, 20 Sep 2021 17:07:23 GMT AshleyMartin 2021-09-20T17:07:23Z