Need to Know podcast–Episode 276

i speak with MVP and Digital Workplace expert Rebecca Jaskson. Rebecca is fascinated by what makes people and organisations tick. She specialises in the digital workplace, employee experience and change management. We do a  deep dive into the main collaboration tools that Microsoft provides such as SharePoint, with an especial focus on the value of the modern Intranet.

There is also a round up of the latest Microsoft Cloud news at the front of the episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


Rebecca Jason – Linkedin, Twitter, Blog, Instagram

Mirosoft Ignite

AI-based Privacy Management for Microsoft 365 [VIDEO]

3 ways to support frontline workers in a hybrid world

Introducing Android™ Apps on Windows 11 to Windows Insiders

Microsoft achieves a Leader placement in Forrester Wave for XDR

Windows 11 security: Protect it all with Windows 11 chip to cloud security

Sysinternals in the Windows store

Sysmon report in virus total

Providing feedback on user reported messages

Hopefully, you are aware that Microsoft 365 provides users the ability to report a suspected email. I have spoken about this here:

Improved security is a shared responsibility


What you may not be aware of is that these submissions can viewed and action in the Microsoft Security Center:

under the Submissions menu option as shown above.

You may also not be aware that there are further actions you can take in here:


You can provide feedback directly to the user about their submission using the Mark as an notify option as shown above.


Doing so will send the user an email, like that shown above, to provide feedback about that submission for the user. Doing provides important reinforcement of users remaining vigilant as well as helping them better identify threats.


 You’ll also find actions you can take on that message that will provide feedback directly to Microsoft, as shown above.


Even better, if you go into Policies & rules | Threat Policies | User submissions you are able to customise what is sent to the user, both before and after reporting as shown above.

For more information on these capabilities visit:

Admin review for reported messages

Getting users involved in security is important. Part of that is providing them feedback and recognition of their contribution, no matter how small. Using these capabilities for reported messages, you are able to do that quickly and easily.

Need to Know podcast–Episode 275

Join for an episode with MVP Rory Braybrook where we learn more about modern identities, especially Azure including B2B and B2C. Identity is so critical to everything we do in IT these days it is important to have a refresher to understand what’s what and how it can be used effectively. I’ll also bring you the latest news and updates from the Microsoft cloud world so listen in and share your feedback.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by

Take a listen and let us know what you think –

You can listen directly to this episode at:

Subscribe via iTunes at:

The podcast is also available on Stitcher at:

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.


Rory Braybrook – LinkedIn, Authory

Windows 11: A new era for the PC begins today

Welcome to the new Whiteboard

Mailbox storage limits

Microsoft Ignite

How cyberattacks are changing according to new Microsoft Digital Defense Report

Microsoft Digital Defense Report

Defending Windows Server 2012 R2 and 2016

Power Platform Community Monthly Webinar – November 2021


Join us for our monthly Power Platform webinar where we share the latest news and updates from the Microsoft Power Platform plus take a deeper dive into Power Virtual Agents.

You can register now via:

If you wish to join our community and be part of the regular discussion and participation on the Microsoft Power Platform you can join via:


(look for the Power Platform option here to join us).
We look forward to seeing you on the webinar.

Add TAXII threat intelligence feeds to Azure Sentinel


There a public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information around entities that represent threats such as compromised IP addresses, botnet domains and so on. Typically, these feeds will support the TAXII connector inside Azure Sentinel.

Select the Data connectors option from the Azure Sentinel menu on the left. Next search for TAXII. Finally, select Threat Intelligence as shown above, then the Open connector page in the lower right.


On the right hand side of the page, you see the Configuration area as shown above. Here you’ll require information on the following items:

– API root URL

– Collection ID

– Username

– Password

If you have a look at the bottom of this article:

Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

you’ll find the details for the free Anomali Limo threat feed, which is:

– API root URL =

– Collection ID = see list in article (i.e. 107, 135, 136, etc)

For the username and password of all these feeds use:



Complete the details for each Collection ID, like what is shown above. When you have completed each feed select the Add button.


The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.


The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.


Once the feed has started to import data select the Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment. This is detailed here:

Work with threat indicators in Azure Sentinel


This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.

Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:

Threat intelligence integration in Azure Sentinel

Having additional threat data provides more signal information for Sentinel when it examines your environment. If information from these threat indicators is detected in your environment, then alerts will be generated. For a small ingest and storage cost having these threat indicators flow into your Sentinel environment provided a huge amount of value and increase your security.

Intelligence not Information


I use the above diagram to help people understand where they should be investing human capital when it comes to security. I see too many people who are responsible for security focused at the Information (top and widest) level of the above diagram.

The Information level is a constant deluge of independent and uncorrelated signals. At this level I would suggest that probably 95% or more of these signals are benign or should be ignored. Thus, if you are investing precious human capital at this level, you are wasting 95% of that or more.

The Information level in today’s security environment is where the machine (aka software) provides the greatest return on investment. This is because the machine can constantly evaluate every signal that arrives, impartially, consistently and tirelessly. It also doesn’t care that 95% of the signals it evaluates has little or no value. It can also do this 24/7/365. It will continue to do this faster and faster with the passage of time.

The Policy level can takes these raw signals and produce results to better secure the organisation. For example, a Data Loss Prevention Policy (DLP) can evaluate the usage of a document and its contents, then determine whether to allow of block access. The machine can’t create the DLP policy but it can very effectively evaluate it and take action. The human adds value to the equation by creating the policy the machine implements.

The Condition level can further use policies, like Conditional Access (CA) based on multiple signals i.e. where a device is connecting from, what information it wants access to, who the user requesting and so on to then determine whether access should be granted. Once again, the machine doesn’t craft the policy but evaluates and enforces the policy constantly. Once again, the human adds value to the equation by creating the policy the machine evaluates all the combined signals against.

Hopefully, you can see my argument here, that the further down the triangle you go, the more effectively human capital is utilised. Conversely, the further up the triangle the more efficient it is for the machine. At the Events level, services like Microsoft Cloud App Security (MCAS) align signals into a format that is much easier for a human to digest and evaluate. Here the machine looks up signals such as IP locations and usages automatically to provide even more data for human assessment.

The machine can thus digest the raw information, then use techniques such as Artificial Intelligence (AI) and Machine Learning (ML) to refine the information and make it more relevant. That is add value. This allows the human to apply what they are best at, on the highest quality information, not the lowest. The precious human analysis effort is deployed where it has the most impact, in a pool of refined and relevant information that has been culled of low quality results.

I would suggest that the relevancy of signals at the Intelligence level, using tools like Azure Sentinel, is much greater than the mere 5% I suggested as a benchmark at the Information layer. But even if it was just 5%, the value of this 5% is infinitely higher because the total value of the signals at this level is much much greater than at lower levels and there are far fewer of them to examine. If the human has the same amount of time and cognitive load to invest at any level, doing so at the Intelligence level all them to spend far more time on each individual item. Anyone who knows will tell you, when it comes to a quality output, you need to invest time.

As with unread email items in an inbox, many people love to make themselves feel important by pointing to how many emails they are receiving. The number of emails your receive or have accumulated is totally irrelevant! What is the important is the VALUE of the information, NOT the quality. So it also is with security. Overwhelming yourself with signals from many different system doesn’t align with better security. If anything, it introduces greater fatigue, distraction and inconsistency, leading to much poorer security.

We live in a world that has more information coming at it daily than there has ever been in history. Tomorrow there will be even more and so on and so on. That growth is only going to accelerate. You cannot approach this modern environment with old approaches such as drowning yourself in low value signals. There are simply too many, and at some point nothing more gets processed due to overwhelm. The smart move is to use technology efficiently. Put it to work on the repetitive and mundane work that humans are not good at or like doing even less. Move down the levels until you have systems that give you intelligence rather than swamping you in a sea of information. After all, isn’t NOT doing this just a self imposed DDOS (distributed denial or service) attack?

CIAOPS Need to Know Microsoft 365 Webinar – October


Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at using eDiscovery and Content search in your environment.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

October Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – October 2021
Friday 29th of October 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

or purchase them individually at:

Also feel free at any stage to email me directly via with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.