The case of the missing Azure Sentinel ingested data

Recently, I have seen my Azure Sentinel overview look like the above. I was puzzled as to why I had so many hours without any data being ingested. In short, it turned out that I had exceeded my storage tier capacity. Here’s where to look if you see something similar.

From the menu on the left of the Azure Sentinel workspace, scroll to the bottom and select Settings as shown. Then, from the pane that appears on the right, select Workspace settings at the top as shown.

This will take you to the Azure Log Analytics workspace that underpins Sentinel. From the menu on the left here, select Usage and estimated costs. Note on the right what is highlighted under the Free pricing tier I was using:

(The log data ingestion includes the 500 MB/VM/day data allowances from Azure Security Center.)

That is the limit for my current tier. Any data over that quota was not being ingested. No ingested data means nothing recorded in the Sentinel overview report.

If you select the Daily cap button at the top of the page, more information will appear from the right as shown.

The two important things to note are that the daily volume cap is 0.5 GB/day and that the limit is reset at 2am UTC (12pm Sydney time).

When I checked the Workspace Pricing tier details, shown above, there is indeed a daily cap of 512MB.

Then when I looked at the overview report in Sentinel, I saw that data did indeed begin to re-ingest at 12pm local time (2am UTC) as expected.

So the next question was, how much is it going to cost me to avoid this situation and ingest all my data? Looking at the Pay-as-you-go pricing tier, I see the estimated cost per month would only be AU$4.79. Easy choice. SELECT.

The important thing to remember with this ingested data is that you always get the initial 512MB per day free. Anything above that you won’t get any captured data unless you upgrade your pricing tier. But then you’ll only pay for the amount above the 512MB per day, which in my case was only about 34MB per day on average.

A good way to keep track of this sort of data, before it becomes an issue as it did for me, is to use the Workspace usage Report workbook which you can access from the Sentinel console as shown above.

Here you’ll see everything you need to keep on top of the total data you are ingesting and where it is coming from.

The reason I’m ingesting so much data is that I’m pulling security events from local devices. Most Microsoft cloud services include free ingestion, which is the place you should start. However, I had added a number of demo devices to my tenant which pushed me over the free 512MB limit. Most people should be able to stay well below this quota by default, at least to start with. However, if you ever need to upgrade, like I have, it’s still cheap for what it provides!
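
A query that tracks the same thing directly in the Log Analytics workspace, added here as an example and not taken from the original post: it totals ingestion from the standard `Usage` table per daily-cap window, aligned to the 2am UTC reset, and flags windows close to the 512MB cap. The 30-day lookback, the 80% warning threshold and the billable-only filter are assumptions.

```kusto
// Added example: ingestion per daily-cap window, checked against the 0.5 GB/day cap.
// Values marked "assumption" should be adjusted to your own workspace.
let capMB = 512.0;                                // daily cap quoted on this page
let warnPct = 80.0;                               // warning threshold (assumption)
let resetAnchor = datetime(2021-01-01 02:00:00);  // any date at the 02:00 UTC reset hour
let perType =
    Usage
    | where TimeGenerated > ago(30d)              // lookback period (assumption)
    | where IsBillable == true                    // assumption: only billable data counts toward the cap
    // Align each record to the cap window that starts at 02:00 UTC, not at midnight.
    | extend CapWindowStart = bin_at(TimeGenerated, 1d, resetAnchor)
    | summarize TypeMB = sum(Quantity) by CapWindowStart, DataType;  // Quantity is reported in MB
perType
// One row per cap window: the total, plus the data type that contributed the most.
| summarize TotalMB = sum(TypeMB), arg_max(TypeMB, DataType) by CapWindowStart
| project-rename TopTypeMB = TypeMB, TopDataType = DataType
| extend PctOfCap = round(100.0 * TotalMB / capMB, 1)
| extend Status = case(
    PctOfCap >= 100.0,   "at or over cap: expect a gap until the next reset",
    PctOfCap >= warnPct, "approaching cap",
    "ok")
| project CapWindowStart,
          TotalMB = round(TotalMB, 1),
          PctOfCap,
          Status,
          TopDataType,
          TopTypeMB = round(TopTypeMB, 1)
| order by CapWindowStart desc
```

Run it from the Logs blade of the workspace. On a capped tier the total will level off near the cap rather than run far past it, so windows sitting at roughly 100% are the ones that match the empty hours in the Sentinel overview.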

All the Defenders–Updated

A while back I wrote an article on All the Microsoft Defender products. It’s now time to update that since much has changed in that short time period.

Microsoft unfortunately has quite a few products under the ‘Defender’ banner that I see causing confusion out there. Most believe that ‘Defender’ is only an anti-virus solution, but that could not be further from the case. Hopefully, I can show you here how broad the ‘Defender’ brand is and give you a basic idea of what each ‘Defender’ product is.

To start off with, there are products that are considered ‘Windows Defender’ products, although I see the Windows and Microsoft brands intermingled regularly. Here is a list of specific ‘Windows Defender’ products, typically tied to Windows 10 devices, and typically, but not always, only available with Windows 10 Enterprise:

Windows Defender Application Control – WDAC was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients.

Windows Defender Firewall – By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

Windows Defender Exploit Guard – Automatically applies a number of exploit mitigation techniques to operating system processes and apps.

The four components of Windows Defender Exploit Guard are:

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats
  • Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen
  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders
  • Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Credential Guard – Uses virtualization-based security to isolate secrets so that only privileged system software can access them.

Windows Defender System Guard – Reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:

  • Protect and maintain the integrity of the system as it starts up

  • Validate that system integrity has truly been maintained through local and remote attestation

In contrast, here are the ‘Microsoft Defender’ products, many of which have been re-branded lately:

Microsoft 365 Defender – (overarching service which includes other Defender services) is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Defender for Office 365 – (previously Office 365 ATP) Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.

Microsoft Defender for Identity – (previously Azure ATP) Cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure Defender – (previously Azure Security Center) Provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more. It includes:

Microsoft Defender for Endpoint – (previously Defender ATP) an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats, especially on user devices like desktops, laptops and mobiles.

Microsoft Defender SmartScreen – Protects against phishing or malware websites and applications, and the downloading of potentially malicious files.

Microsoft Defender Antivirus – Brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your organization.

Microsoft Defender Application Guard – helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.

Microsoft Defender Security Center – is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.

Microsoft Defender Browser Protection – a non-Microsoft browser extension that helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

So, as you can see, there are quite a lot of ‘Defender’ products out there from Microsoft. How and when you get each of these varies greatly, as do their capabilities, since most will integrate together. That, however, is beyond the scope of this article but may be something I explore in upcoming articles.

For now, just be careful to investigate what is actually meant when it says ‘Defender’ in the Microsoft space!

Microsoft Secure Score should be your security benchmark

Security is tough. There are many different settings in many different places, I know. However, my suggestion is that you start with, and continue to use, Microsoft Secure Score as your security benchmark when it comes to the protection of your environment. Doing so will make things much easier and provide a simple starting point.

To start, visit:

https://securescore.office.com/

You’ll need to log in with a Microsoft 365 administration account to view the results.

You should then pretty much see your Secure Score, out of 100, front and centre as shown above. Think of this score as an aggregation of your entire Microsoft 365 environment.

To me, your Secure Score should be at least 80% and higher if possible. If it’s not, then you have some work to do.

If your Secure Score is less than 80% and you are not the person responsible for configuring your Microsoft 365 environment, then you need to open a dialogue with them about improving your score. If you are paying an external business to manage your Microsoft 365 environment, then you should ask them to show you what their own Secure Score is.

– If their Secure Score is LOWER than what yours is, then I would suggest it is time to find someone else who is actually serious about security.

– If their Secure Score is EQUAL to what yours is, ask them to show you a plan for how they plan to get your Secure Score to at least 80%. If they are unable to, again, think about whether you should be using them.

– If their Secure Score is HIGHER than yours is, ask them why that is so and how long will it take for your score to equal or exceed theirs.

A well configured tenant, to best practices, will normally come in with a Secure Score of 65% or so. To me, getting a tenant to 80% does require some work but it isn’t all that hard. Remember, good security means expending some effort. This means that if your Secure Score is well below the 65% mark, then you should be taking immediate action to improve it and implement things to best practices as soon as possible.

Now go back to your Secure Score console and select the Include menu in the top right as shown and select the Achievable score as shown. This now shows you what Secure Score you could achieve if you implemented everything you are currently paying for (i.e. licensed for). In essence, this shows you how much security stuff you are paying for that has not been enabled. If that is large, then add that item to your security To-Do list as well.

So in summary, in my opinion,

– Anything below a Secure Score of 30% means you are highly vulnerable I believe.

– Anything below a Secure Score of 50% indicates that best practices have not been fully applied.

– Around 67% is the Secure Score you should expect for a tenant configured to best practices and with all security features enabled.

– Around 80% is the Secure Score you should be aiming to get to as soon as possible, mindful of the fact that it will require additional configurations to get to this level.

– A Secure Score of 100% should be your ultimate goal over time. Perhaps a better approach is to always be looking to improve your score above the recommended 80% I indicated. This will require many fiddly and time consuming settings throughout your environment BUT remember, each time you complete one of these your environment will be more secure and that fact should also be reflected in your Microsoft Secure Score.

Azure Cloud Shell now available in Microsoft 365

If you take a close look at your Microsoft 365 admin center, as shown above, you might see a new icon in the top right. The Azure Cloud Shell is now available right from here.

If you select that, you’ll then see a PowerShell style window appear at the bottom of the page as shown above. Here you can run all your favourite scripts directly in a browser!

I’ve covered the Azure Cloud Shell in previous articles:

Azure Cloud Shell

Connecting to Exchange Online with Azure Cloud Shell

and you can read the Microsoft documentation here:

Overview of Azure Cloud Shell

The only limitation, it seems to me, is that you need an active Azure subscription tied to your Microsoft 365 environment because Azure Cloud Shell does need some storage to operate. But who doesn’t have an Azure subscription in their tenant these days, right?

Deploy Office 365 and Azure together

(Hint, this is another reason to ALWAYS sell an Azure subscription when you sell Microsoft 365 if you are a reseller).

Hopefully, Microsoft might allow some included storage in the future for those without an Azure subscription.

Having the ability to run PowerShell directly from the browser with Microsoft 365 is a super handy addition and hopefully the functionality will keep extending with this.

New options in Defender for Endpoint web filtering

A nice new option I just noticed in Defender for Endpoint web filtering. As shown above, you can now block users navigating to newly registered domains and parked domains that can be used for phishing attacks.

To set this, navigate to Settings, then under Rules select Web content filtering and create or adjust a policy to include all the Uncategorized options as shown above.

ANZAC Day 2021

Some events change us. Some events change our community. Some events change our nation and finally, some events change the world. We are perhaps living through one of those world changing events now. It won’t be the first and it won’t be the last such event, but it has pretty much impacted everything. Over one hundred years ago, you could contend, the First World War had a similar effect. It made us more aware of our place on the world stage and it brought terrible death and destruction. Perhaps most importantly, it changed our perception of what it means to be Australian.

During that war, some experienced that firsthand in far away countries, for reasons that were not easily understood. Some never returned from places they went so willingly but were completely unfamiliar with. In the end, they did what they thought was right. They did what they felt obligated to do. They did this for King and Country. It is therefore respectful for us to pause and remember that. To remember their sacrifice and remember those that never returned all those years ago.

In just about every town I’ve been through in Australia, there is some memorial to those that served in the Great War. They are the ones who gave birth to the ANZAC legend. That legacy continues today with the recognition and acknowledgement we provide all those that have served and are serving our country and our community. In the end, it comes down to real people, with real families who made such sacrifices and bear the burden. It is important for us not to overlook such sacrifices and to continue to celebrate this remarkable part of our heritage that plays such an important part in what we have become.

As many of these heroes did, let’s look to our ‘mates’ for support just as much as providing them support. We are all in this together and can achieve amazing results, as the ANZACs did all those years ago, if we follow their lead and simply try to help. Their courage and resolve was born from not wanting to ‘let their mates down’. So it should be for us. Like the deeds of the ANZACs all those years ago, it is through our deeds that our legacy will live on and be the foundation for future generations. Let us try and provide a foundation as good as what we have been given. That indeed, would be the best way to honour our ANZAC heroes.

Lest We Forget

If you want to learn more about the ANZAC battlefields in northern France, visit my web site – www.anzacsinfrance.com.