Microsoft 365 Defender – Part 2

-

In this blog post, which is part 2 of a series (part 1 here), we will go a little more into some of the functionality in this product. Some of the more important features of new security products are the ones based on machine learning and AI. It is important to work on security skills, but when things happen so fast and on such a large scale, we can really use some help from the machines that are on our side. Microsoft Threat Intelligence analyzes 24 trillion signals daily and use machine learning and AI to react and respond to threats. 

 

Microsoft Threat Intelligence (aka.ms/mcra)


This means that we in many cases can expect response times way beyond what even the best security teams can achieve. 

Todays topic – Threat analytics

Today, as we continue our journey into the Microsoft 365 Defender product, we're going to talk about Threat analytics. This is an extremely useful feature which gives us insight into what's going on in the world, and if our environment is vulnerable to the ongoing threats. As Microsoft describes this: 

Threat analytics is our in-product threat intelligence solution from expert Microsoft security researchers, designed to assist security teams to be as efficient as possible while facing emerging threats, including:

  • Active threat actors and their campaigns
  • Popular and new attack techniques
  • Critical vulnerabilities
  • Common attack surfaces
  • Prevalent malware

This is an awesome one: 

Threat analytics pane


  1. Threat analytics can be reached by selecting the option on the left. This will take us into the portal, and present us with a view of the current threat landscape. 
  2. Latest threats shows us what new and dangerous in the world. 
  3. High impact threats will show the really dangerous stuff. We also have a "Highest exposure threats" which in my case is empty. Normally you would see some products here, but things are calm and peaceful in my demo tenant. 
  4. This is where it get's interesting. Below the mentioned columns we can see how this is impacting your environment. 
  5. Let's say that we have some devices that are vulnerable to one of the threats, we can see that, and look into which devices are impacted, and how we can fix it.  

Looking into one of the threats

 

  1. The list of options will allow us to read detailed analyst reports, see which (if any) assets are impacted, and more. 
  2. In my case there are no impacted assets, but if that is the case, you can view the impacted assets by selecting the View all impacted assets option. 
  3. Exposure level is Low in my case. That is a good thing. In the example above there are no Misconfigured og vulnerable devices (yay), but if you do, you go to View exposure and mitigation details. 

So, there you have it. A quick look at the Threat analytics pane. If you have the opportunity, go explore here, and see how things are in your tenant. I hope this has been useful and will have another post about Defender soon. If you look at the picture below, you will see many of the security features in Microsoft cloud. We will look at several of these in the coming weeks, but in the meantime I can recommend taking a look at Microsoft Cybersecurity Reference Architectures to gain more insight into this. 

 




Comments

Post a Comment

Popular posts from this blog

Do not Forward and the protection of attachments

-
Image
Maybe I am the only one who has misunderstood this, but if not, this may be useful for you. I've been wrong about this for a while, and since it is not a feature we have used, I didn't really look into it until today. I always thought that using Do not Forward in a label would make sure attachments where given the same DNF rights.  Unfortunately I was shown the error of my ways by one of my customers today, when I answered (with some confidence) that, yes: Attachments get the same protection. He then replied that he was able to do all kinds of things with the attachment, and I started to look into it more closely. Microsoft has many great articles about protecting information, and this article is no exception. I guess you just have to read it carefully. They say:  “When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be authenticated. Then, the recipients cannot forward it, print it, or copy from it . For example, in the Outlook cli
Read more

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label

-
Image
Do not Forward and Encrypt Only can be found in Outlook by default for all who uses Office 365 E3 or equivalent/higher. And as many know, they can also be used in a Sensitivity label. But what are the consequenses of using these, instead of creating our own encryption settings within the label? This is what we will be looking at today.  As many know, we can use these two in Outlook, as long as we have the proper license. They are well hidden away under Options, and can look a little like this:    EO and DNF in Outlook.  I've covered these in earlier blogposts , but lets just quickly go through them again here: " Encrypt/Encrypt-Only " option makes sure the email is encrypted and recipients must be authenticated, but then they have all usage rights except Save As, Export and Full Control (Basically means no restriction except that they cannot remove the protection). When the Do Not Forward option is applied to an email, the email is encrypted and recipients must be au
Read more