Microsoft Security Saturday – 02/26/2022

The federal Zero Trust strategy and Microsoft’s deployment guidance for all
Zero Trust is now vitally relevant for every organization for two reasons. First, the shift to remote work and the accompanying cloud migration is here to stay. Gartner estimates that 47 percent of knowledge workers will work remotely in 2022.

Run Microsoft Sentinel playbooks from workbooks on-demand
Microsoft Sentinel now supports running playbooks on-demand from a workbook for incidents. With this feature, you can add an option to trigger a playbook within workbooks that have an incident context. The workbook only needs to supply the incident ARM Id and the Logic App workflow ARM Id.

Microsoft Defender for IoT – General Release Update
Following our December announcement of the recent version of Microsoft Defender for IoT, today we are excited to announce that our first General Availability (GA) release, version 22.1, is now available, with additional Public Preview features via the Azure portal to scale large environments and control the security components from a single pane of glass.

Reduce time to response with classification
Classifying an alert or incident means you tag it as representing true malicious activity or a false alarm as part of the initial triage process. This process lets your team know that a potential threat has been investigated and determined to be true or false. It’s also a feedback channel for Microsoft to learn about the quality of our detections and continuously improve them. With the new classification capabilities we introduce today, you can be more efficient in managing your incident and alert queues and reduce your overall mean time to resolution (MTTR).

What’s Next in Microsoft Sentinel?
As the volume of security data continues to grow exponentially across increasingly distributed digital estates, Microsoft is reinventing the economics of SIEM and delivering new ways to access and work with security data. We are making it easier than ever for your security analysts to access any data, over any timeframe, to provide the most comprehensive and innovative threat hunting solution in the market.

CloudKnox Permissions Management is now in Public Preview
Last July we announced the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). As an important move in our multicloud security vision, we have made tremendous progress integrating CloudKnox into our technology stack. Today, I’m excited to announce the public preview of CloudKnox Permissions Management, a unified CIEM solution that manages permissions of any identity across any cloud.

Extend the reach of Azure AD Identity Protection into workload identities
We are delighted to announce the public preview of Azure AD Identity Protection for workload identities! This work comes from working with our customers as we apply all we’ve learned from protecting user accounts to workload identities, especially in the context of current attacker behaviors. Purpose-built anomaly detection capabilities for workload identities work with user detections to help protect your entire estate!

Microsoft Security delivers new multicloud capabilities
Today, we’re announcing new advances to help customers strengthen visibility and control across multiple cloud providers, workloads, devices, and digital identities, all from a centralized management view. These new features and offerings are designed to secure the foundations of hybrid work and digital transformation.

Microsoft Defender for Key Vault – Deploy to Azure Synapse Analytics
We are excited to announce that Microsoft Defender for Key Vault has moved its back-end processing infrastructure to Azure Synapse Analytics.

New! Normalization is now built-in Microsoft Sentinel
Normalization is at the core of every SIEM, and Microsoft Sentinel is no exception. The Advanced Security Information Model (ASIM) is Microsoft Sentinel’s normalization engine. Until now, you had to deploy ASIM from Microsoft Sentinel’s GitHub. Starting today, ASIM is built into Microsoft Sentinel.

Run custom workflows in Azure AD entitlement management
Automating complex processes for managing user access is now even easier with the recent introduction of custom workflows in entitlement management using Azure Logic Apps, and today we’d like to walk through a couple of scenarios where you can use this new capability to customize the flow of on- and offboarding users to access packages.

Joint forces – MS Sentinel and the MITRE framework
Microsoft Sentinel’s bread-and-butter for defending organizations against threats is our analytics rules. Analytics rules search for specific events, or sets of events, across your organization’s data sources, alert you when certain event thresholds or conditions are reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes. You can use our rich set of out-of-the-box detections, tagged with the relevant MITRE techniques and tactics, or create your own.
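The two Sentinel items above (built-in ASIM normalization, and analytics rules tagged with MITRE tactics and techniques) fit together: a parser maps each vendor's raw log format onto one schema, and a rule written against that schema then runs unchanged over every source. The following Python is an added illustration of that pattern, not Microsoft's, ASIM's or any vendor's code. The field names borrow from the ASIM DNS schema (SrcIpAddr, DnsQuery, EventResult); the two raw log formats, the log lines, the `im_dns` unifying-parser name and the NXDOMAIN threshold rule are all constructed for the example.

```python
"""ASIM-style normalization feeding a MITRE-tagged threshold rule.

Added example, not Microsoft's code. Schema field names follow the ASIM DNS
schema; the vendor formats, sample lines and rule are constructed (assumed).
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the ASIM DNS schema that the rule below needs."""
    time_generated: str
    src_ip_addr: str
    dns_query: str
    event_result: str   # "Success" or "Failure", as ASIM normalizes results
    event_vendor: str


# --- Source-specific parsers (the role of ASIM source parsers) -------------
# Constructed sample: "vendor A" logs JSON, "vendor B" logs a syslog-like line.
_VENDOR_B_RE = re.compile(
    r"^(?P<ts>\S+) dns\[\d+\]: client (?P<ip>\S+) query (?P<name>\S+) rc=(?P<rc>\w+)$"
)


def parse_vendor_a(line: str) -> DnsEvent:
    rec = json.loads(line)
    return DnsEvent(
        time_generated=rec["ts"],
        src_ip_addr=rec["client"],
        dns_query=rec["qname"].rstrip(".").lower(),   # canonical form for both sources
        event_result="Success" if rec["rcode"] == 0 else "Failure",
        event_vendor="VendorA",
    )


def parse_vendor_b(line: str) -> DnsEvent:
    m = _VENDOR_B_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    return DnsEvent(
        time_generated=m["ts"],
        src_ip_addr=m["ip"],
        dns_query=m["name"].rstrip(".").lower(),
        event_result="Success" if m["rc"] == "NOERROR" else "Failure",
        event_vendor="VendorB",
    )


def im_dns(raw_lines: list[tuple[str, str]]) -> list[DnsEvent]:
    """Unifying parser (assumed name): route each raw line to its source parser
    so that a rule can query every DNS source through one schema."""
    parsers = {"a": parse_vendor_a, "b": parse_vendor_b}
    return [parsers[src](line) for src, line in raw_lines]


# --- Schema-level analytics rule, tagged the way Sentinel rules are ---------
RULE = {
    "name": "Many failed lookups of distinct names from one host",
    "tactics": ["CommandAndControl"],
    "techniques": ["T1568"],   # MITRE ATT&CK: Dynamic Resolution
    "threshold": 3,            # distinct failed names per source IP
}


def run_rule(events: list[DnsEvent], threshold: int = RULE["threshold"]) -> list[dict]:
    """Alert when a source IP has >= threshold failed lookups of distinct names."""
    failed: dict[str, set[str]] = {}
    for ev in events:
        if ev.event_result == "Failure":
            failed.setdefault(ev.src_ip_addr, set()).add(ev.dns_query)
    return [
        {
            "rule": RULE["name"],
            "tactics": RULE["tactics"],
            "techniques": RULE["techniques"],
            "src_ip_addr": ip,
            "failed_lookups": sorted(names),
        }
        for ip, names in sorted(failed.items())
        if len(names) >= threshold
    ]


# Constructed sample input: (source tag, raw line). 10.1.1.5 fails three
# lookups of random-looking names across both vendors; 10.1.1.9 is benign.
SAMPLE = [
    ("a", '{"ts":"2022-02-26T10:00:01Z","client":"10.1.1.5","qname":"kx7g2.example.","rcode":3}'),
    ("b", "2022-02-26T10:00:02Z dns[311]: client 10.1.1.5 query p0q9z.example. rc=NXDOMAIN"),
    ("a", '{"ts":"2022-02-26T10:00:03Z","client":"10.1.1.5","qname":"a8b1c.example.","rcode":3}'),
    ("b", "2022-02-26T10:00:04Z dns[311]: client 10.1.1.9 query www.example. rc=NOERROR"),
    ("a", '{"ts":"2022-02-26T10:00:05Z","client":"10.1.1.9","qname":"mail.example.","rcode":0}'),
]


def demo() -> list[dict]:
    """Normalize both sources, then run the one rule over the merged stream."""
    return run_rule(im_dns(SAMPLE))


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert, indent=2))
```

The point to notice is that `run_rule` never sees a vendor format: adding a third DNS source means writing one more parser, not touching the rule, and the tactic and technique tags ride along with every alert so the incident carries its ATT&CK context into triage.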

Automate your patching using Azure Arc and Azure Automation!
Patching can be a struggle for a lot of organizations. However, it is one of the most basic security tasks that defenders must ensure happens regularly. If you’re still manually patching your servers, you need to look into Azure Arc and Azure Automation to automate this.