Thibault CHÂTIRON

Cybersecurity

MTP Advanced Hunting Cheat Sheet

The purpose of this cheat sheet is to cover commonly used threat hunting queries that can be used with Microsoft Threat Protection. Microsoft Threat Protection has a threat hunting capability called Advanced Hunting (AH). AH queries are written in Kusto Query Language (KQL), the same language used by Azure Data Explorer, Azure Monitor and Azure Sentinel. The cheat sheet consists of some of the most frequently …
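As an added example (not part of the cheat sheet), the following PowerShell script submits one typical hunting query to the advanced hunting API instead of pasting it into the portal, which is how a cheat-sheet query gets scheduled or scripted. The tenant, client ID and secret are placeholders; the token scope and the endpoint name are assumed to be the current advanced hunting API (app permission AdvancedHunting.Read.All). The query itself is plain KQL: Office applications spawning a script host or other living-off-the-land binary, a classic macro-based phishing execution chain.

```powershell
# Added example, not from the original cheat sheet.
# Assumptions: an Azure AD app registration with the AdvancedHunting.Read.All
# application permission, and the advanced hunting API endpoint below.
$TenantId     = "<tenant-id>"         # placeholder: tenant GUID
$ClientId     = "<app-client-id>"     # placeholder: app registration client ID
$ClientSecret = "<app-client-secret>" # placeholder: store this in a vault, not in scripts

# 1. Client-credentials token for the advanced hunting API
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://api.security.microsoft.com/.default"
    }

# 2. The hunting query, written in KQL exactly as it would be in the AH portal:
#    Office apps launching a script host / LOLBin in the last 7 days.
$Query = @"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc
| take 100
"@

# 3. Run the query; the API returns Schema, Stats and Results
$result = Invoke-RestMethod -Method Post `
    -Uri "https://api.security.microsoft.com/api/advancedhunting/run" `
    -Headers @{ Authorization = "Bearer $($tokenResp.access_token)" } `
    -ContentType "application/json" `
    -Body (@{ Query = $Query } | ConvertTo-Json)

# 4. Review the hits; any row here deserves a look at the full command line
$result.Results |
    Format-Table Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName -AutoSize
```

The `in~` operator is the case-insensitive match, which matters because process names in these tables are not normalised; the `take 100` at the end keeps a scheduled run from returning an unbounded result set.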

Microsoft Cloud App Security – Release 177

What’s new in MCAS?

New real-time malware detection (Preview, gradual rollout)

Microsoft has expanded its session controls to detect potential malware, using Microsoft Threat Intelligence, when files are uploaded or downloaded. The new detection is available out of the box and can be configured to automatically block files identified as potential malware. For more information, see Block malware …

Power BI and Information Protection integration [General Availability]

General availability of sensitivity labels in Power BI

Sensitivity labels provide a simple way to classify critical content in Power BI. They can be applied on datasets, reports, dashboards, and dataflows…

Source: https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-general-availability-of-microsoft-information/ba-p/1449183

Livestream for Azure Sentinel [General Availability]

What is Azure Sentinel Livestream?

Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results. Creating a livestream enables you to:
- test newly created queries as events occur,
- receive notifications from a session when a match is found,
- promote a livestream to a detection rule to generate …

Office 365 ATP recommended configuration analyzer version 1.8 released

New version 1.8.8 of ORCA (Office 365 Recommended Configuration Analyzer) is ready for download: https://powershellgallery.com/packages/ORCA/

Improvements:
- Optional additional outputs (not just HTML): JSON file and CosmosDB
- Support for running within Azure Automation (instructions coming soon) and probably other automated fashions
- Duplicate checks for anti-spam and anti-malware policies (like the ones for ATP policies …

Exchange Online PowerShell v2 [General Availability]

The V2 module is now available in the PowerShell Gallery. The new EXO V2 module contains all the existing Remote PowerShell cmdlets, as well as 9 new V2 cmdlets. The new module is entirely Modern Authentication based. If you start using this, you are getting off Basic Authentication for your admin tasks, and as you …
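An added example (not from the article) of what moving to the EXO V2 module looks like in practice: connect with modern authentication, then use `Get-EXOMailbox`, one of the new V2 cmdlets, together with the classic `Get-InboxRule` remote cmdlet to hunt for external mail forwarding, a common persistence technique after a mailbox compromise. The admin UPN is a placeholder, and the module is assumed to be installed from the PowerShell Gallery.

```powershell
# Added example, not from the original article.
# Assumes: Install-Module ExchangeOnlineManagement -Scope CurrentUser (once),
# and that admin@contoso.example is replaced by a real admin UPN.
Import-Module ExchangeOnlineManagement

# Interactive modern auth (MFA-capable). No Basic Authentication endpoint is used.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Accepted domains count as internal; any other domain is external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-External {
    param([string]$Recipient)
    # Inbox rule targets look like  "Name" [SMTP:user@domain]  or a bare address;
    # pull the first e-mail address out and compare its domain.
    if ($Recipient -match '([\w.+-]+@[\w.-]+\w)') {
        $domain = $Matches[1].Split('@')[1]
        return -not ($internalDomains -contains $domain)
    }
    return $false
}

# Get-EXOMailbox (new V2 cmdlet) pages through large tenants far faster than
# Get-Mailbox; request only the properties needed.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 1. Mailbox-level forwarding (set by an admin, or via a compromised admin account)
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Enabled inbox rules that forward or redirect to an external address
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) } |
        ForEach-Object {
            $rule     = $_
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                        Where-Object { $_ }
            $external = $targets | Where-Object { Test-External ([string]$_) }
            if ($external) {
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Rule     = $rule.Name
                    External = ($external -join ', ')
                }
            }
        }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the second loop on a schedule rather than once: attackers typically add the rule days after the initial credential theft, and the rule names are chosen to look harmless.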

New report available for Mailflow Status

Microsoft just released several new views for the Mailflow status report: https://protection.office.com/reportv2?id=MailFlowStatusReport&pivot=EventType

View 1 – By type

This view provides an overview of the main detection categories in the protection stack: out of the total number of messages, how many were filtered as malware, as phish, as spam, by edge, …

Sessions in Azure AD Conditional Access [General Availability]

Prerequisites

Authentication session management capabilities require an Azure AD Premium P1 subscription.

Integration

First, sign in to the Azure Portal. Next, navigate to Azure AD Conditional Access and open an existing policy or create a new one; the Session control is listed under Access controls.

Configure sign-in frequency

Sign-in frequency defines the time period …

Update: Issue with Azure AD Conditional Access and macOS

Following my previous article, published on the 1st of May, I’m happy to say that a fix is now known for this issue.

Reminder

After an end user updated his macOS version to 10.15.4, he experienced unexpected app access prompts or blocks for applications such as native Mail. The macOS device was enrolled …

Automatic classification with sensitivity labels in Microsoft 365 services [General Availability]

Prerequisites

This capability is included with the Microsoft 365 E5, E5 Compliance and E5 Information Protection & Governance SKUs, and with the Office 365 E5 SKU.

Activation

You can turn on this feature in the Microsoft 365 compliance center.

Integration

You can create an auto-labeling policy with custom rules to match your needs. A policy can …

Office 365 ATP recommended configuration analyzer version 1.7 released

New version 1.7.5 of ORCA (Office 365 Recommended Configuration Analyzer) is ready for download: https://powershellgallery.com/packages/ORCA/

Improvements:
- Check that a Safe Attachments policy exists for all domains
- Check that a Safe Links policy exists for all domains
- Check for duplicate anti-phishing policies
- Check whether the Safe Attachments unknown malware response is set to block
- Check ATP Phishing Mailbox Intelligence Protection …

Updates to Campaign Views

Microsoft is expanding the functionality of the Campaign Views feature beyond phish. You will now see malware campaigns as well. Microsoft is adding an interactive timeline, and developing a process for automated campaign write-ups. They are also working to surface Campaign Views in additional views, so that you can easily refer to them from wherever …

Prepare users for the update to the new My Apps and My Account experiences

Microsoft will be updating the current Azure AD Apps and Profile experiences on July 20th 2020. This means that on July 20th all users will be automatically switched over to the updated My Apps and My Account experiences. Please note that the updated My Apps and My Account offer the same functionality as the current …

Microsoft Threat Protection will automatically turn on for eligible license holders

Effective June 1, 2020, as soon as you have at least one of the following Microsoft security products, Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security or Azure ATP, you will be able to access the new unified Microsoft Threat Protection console, with cross-workload correlation, advanced hunting and automated self-healing. https://azure.microsoft.com/en-us/updates/mtp-auto-enabled/

Advanced eDiscovery tenant reports [Public Preview]

Microsoft has made the decision to make additional changes to the code before proceeding with the roll-out.

Microsoft has begun rolling out Advanced eDiscovery tenant reports in preview. The rollout will be completed by mid-February.

How does this affect your organization?

Admins and relevant roles will see tenant-level reports in Advanced eDiscovery. Advanced …

Shadow Protection – MDATP [Private Preview]

When Shadow Protection is enabled, Microsoft Defender ATP uses its behavioral blocking and containment capabilities to block malicious artifacts or behaviors observed by post-breach (EDR) protection. EDR in block mode, i.e. Shadow Protection, works behind the scenes to remediate malicious artifacts that are detected post-breach.

Prerequisites

Permissions: Global Administrator or Security Administrator role assigned in Azure …

New policy details blade for Conditional Access troubleshooting [Public Preview]

The new policy details blade displays which conditions and access controls were satisfied during sign-in. This granular information makes it easy to troubleshoot failures and re-configure policies if necessary. In this example, we can see that the report-only policy “Block access outside trusted locations” applied to Lisa Smith’s sign-in because she satisfied the user, application, …

Insights and reporting workbook [General Availability]

The insights and reporting workbook gives you a summary view of Azure AD Conditional Access in your tenant. With the capability to select an individual policy, you can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor. Using the dashboard, you can see …

Report-only mode for Azure AD Conditional Access [General Availability]

Report-only mode for Azure AD Conditional Access lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. New Azure AD Conditional Access policies will be created in report-only mode by default. This means …
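As an added example (not from either article), the following script ties the two Conditional Access posts together: it creates a policy through Microsoft Graph that carries the sign-in frequency and persistent browser session controls described in the Sessions article, but in report-only mode, so the sign-in logs show what it would have done before anyone is locked out. It assumes the Microsoft.Graph.Authentication module, an account holding the Policy.ReadWrite.ConditionalAccess permission, and a placeholder pilot group ID.

```powershell
# Added example, not from the original articles.
# Assumptions: Microsoft.Graph.Authentication module installed, and the pilot
# group object ID below replaced by a real one.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object ID

$policy = @{
    displayName = "Pilot: 12h sign-in frequency, no persistent browser (report-only)"
    # Report-only: evaluated and written to the sign-in report, never enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }   # persistentBrowser needs "All"
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Force re-authentication every 12 hours regardless of token lifetime.
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 12 }
        # Never keep the session across browser restarts.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"

"Created policy $($created.id) in state $($created.state)"

# Once the report-only results (sign-in logs, Report-only tab, or the Insights and
# reporting workbook) look right, switch the same policy to enforced:
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body @{ state = "enabled" } -ContentType "application/json"

# Inventory: policies still in report-only that need a decision
$all = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$all.value |
    Where-Object { $_.state -eq "enabledForReportingButNotEnforced" } |
    ForEach-Object { "{0}  {1}" -f $_.id, $_.displayName }
```

Scoping the pilot to a group rather than "All users" keeps the report-only data readable, and the final inventory loop is worth running periodically: a policy left in report-only for months is a control that exists on paper only.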

Sensitivity labels with protection in SharePoint and OneDrive [General Availability]

You can now apply sensitivity labels, with protection policies, not just in Office apps on Windows, Mac, iOS and Android but also in Office on the web. Users will see Sensitivity as an option on the ribbon in Office on the web, and the applied label name on the status bar. In addition, for …