Microsoft Security Saturday – 6/19/2021

**PSA – Basic Authentication and Exchange Online – June 2021 Update**
It’s been a few months since our last update on Basic Authentication in Exchange Online, but we’ve been busy getting ready for the next phase of the process: turning off Basic Authentication for tenants that don’t use it, and therefore, don’t need it enabled.

**Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign**
Microsoft 365 Defender researchers recently uncovered and disrupted a large-scale business email compromise (BEC) infrastructure hosted in multiple web services. Attackers used this cloud-based infrastructure to compromise mailboxes via phishing and add forwarding rules, enabling these attackers to get access to emails about financial transactions.

**New webinar series: Monthly threat insights**
We’re happy to announce a new monthly webinar series called “monthly threat insights”. On the third Wednesday of each month, the Microsoft Defender Threat Intelligence team will dive deep into a selected emerging threat as seen in the threat analytics library available in Microsoft 365 Defender.

**Announcing Microsoft Tunnel Gateway GA and Defender for Endpoint with Tunnel client functionality**
Also, as announced at Ignite, we’ve been working on combining the Microsoft Defender for Endpoint and Microsoft Tunnel apps into a single unified Microsoft Defender for Endpoint client. We’re excited to announce that this new version of Microsoft Defender for Endpoint is available today for Android for all our customers and is no longer in preview.

**New threat & vulnerability management APIs – create reports, automate, integrate**
We are excited to announce the general availability of a new set of APIs for Microsoft threat and vulnerability management that allow security administrators to drive efficiencies and customize their vulnerability management program.

**Azure Secure Score vs. Microsoft Secure Score**
The purpose of this article is to empower organizations to understand the difference between Secure Score in Azure Security Center and Microsoft Secure Score in Microsoft 365 Security center. This article also touches briefly on the Identity Secure Score in the Azure AD Portal and Microsoft Secure Score for Devices in the Microsoft 365 Security center, but going into details on these products is outside the scope of this article.

**Microsoft Defender Security Insights in Azure Sentinel**
Microsoft Secure Score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. Azure Sentinel is a SaaS Security Information and Event Management solution providing visibility and management of the threats in an environment. The following blog shows how you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.

**What’s new: Azure Sentinel Information Model DNS Schema and normalized content now public**
I’m excited to announce the second step in our normalization journey. Following our networking schema, we now extend our Azure Sentinel Information Model (ASIM) guidance and release our DNS schema. We expect to follow suit with additional schemas in the coming weeks.

**Enhanced Azure Sentinel Alert remediation in the SOC Process Framework**
Microsoft’s Azure Sentinel now provides a Timeline view within the Incident, where alerts display remediation steps. The list of alerts that have remediations provided by Microsoft will continue to grow.

**What’s New: Azure Sentinel Watchlist Support for ARM Templates!**
To add to the list of exciting announcements for Azure Sentinel, we are happy to announce that Watchlists now support ARM templates! Moving forward, users will be able to deploy Watchlists via ARM templates for quicker deployment scenarios as well as bulk deployments.

**Cloud App Security: Block TOR Browser (Anonymous IP)**
During the last few months, I had several customers requesting how to block sign-in from anonymous IP addresses. One example would be someone using TOR Browser. I started playing around with CAS and finally found a quick solution. Continue reading to find out more.

**Improve your threat detection and response with Microsoft and Wortell**
Wortell provides threat protection with Microsoft Defender and Microsoft Azure Sentinel to collect those individual alerts in a single dashboard. This allows them to get insights across the platform and discover the individual puzzle pieces of an attack before they become a threat.

**Azure Purview Integration Runtime**
Azure Purview is a unified Data Governance tool used to manage and govern your on-premises, multicloud, and SaaS data. For those of you who have used Azure Purview previously, you will know that to scan sources such as Azure data assets (Blobs, Azure Data Lake Service, etc.) you will need an authentication methodology leveraging either a Purview managed identity or perhaps a service principal.