A day with Copilot for Security

Given that Copilot for Security has just been released, I thought I’d spin it up in my tenant and see what it looks like.

To get the most from Copilot for Security you’ll first need to have an Azure subscription. You’ll get more out of the service if you also have Intune and Sentinel as well as aggregation of your logs, but an Azure subscription is all you need to get started.

image

The easiest way to commence the set up process is to visit:

https://securitycopilot.microsoft.com

where you’ll be greeted with the set up wizard shown above.

Prior to setting up Copilot for Security, as I mentioned, you need an Azure subscription and I’d also recommend setting up a dedicated Azure Resource Group to help monitor and manage costs.

It is important to understand what this will cost you in the default configuration. That is detailed on this page:

image

Yup, you read right: $2,880 per month is the minimum! That is $4 per hour for one Security Compute Unit (SCU), billed over a 720-hour (30-day) month. So, ensure you turn all this OFF once you have finished testing!

Once you complete all the listed fields you can continue.

image

You’ll need to wait a moment or two as the service is set up.

image

Since the Azure Resource Group into which I’m placing Copilot for Security is in Australia, my data will also be in Australia.

image

You’ll then be asked whether you wish to help Copilot improve as shown above. Make your choice and continue.

image

Next, you get the option to set up any permissions. As this is simply a test and I’ll be the only one using it I didn’t make any changes and just continued.

image

You should be all good to go as shown above.

image

If you now return to the initial starting point:

https://securitycopilot.microsoft.com

you should see the above, where you can input your query.

image

If you look in the Azure back end you will see a new item called Copilot inside your Azure portal, which looks like the above.

image

Selecting the resource displays the above.

image

You’ll also notice that you can’t adjust the Security Compute Units (SCU) below 1.

By clicking this button in the prompt

image

you’ll see all the plugins that can be configured in your environment

image

So, I went off and had a play to see what results it would give me.

image

I asked for some summaries.

image

and I had a look at some inbuilt playbooks.

image

I then dug around in the Usage monitoring, which you’ll find in the menu at the top left of the page.

image

In here I could change the number of Security Compute Units and delete them as well, which I did eventually after playing around a bit more.

Clearly, most smaller businesses are not going to justify running this full time. It is therefore VERY important to delete the SCU when you have finished playing around. After doing that and running Copilot for Security I was interested to see my bill, but as yet no amounts have appeared in my Azure portal. I’ll share these when they appear.

I still however believe this can be an effective security tool for SMB, PROVIDED you enable and disable it as required, kind of on demand. I’m playing with doing that for myself to better understand any limitations on that approach and I’ll report back.
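Because an SCU left running bills around the clock, the check you want is one that lists every Copilot for Security capacity in the subscription, puts a budget alert on the dedicated resource group recommended above, and deletes the capacity when you are done. The script below is an added example and is not from the original post or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.Billing modules, that the ARM resource type for the capacity is Microsoft.SecurityCopilot/capacities with a numberOfUnits property (assumed), and the subscription ID, resource group name and alert address are placeholders.

```powershell
# Added example (not from the original post): find, budget and tear down Copilot
# for Security capacity (SCUs) so a test tenant does not keep billing at $4/SCU/hour.
# Assumptions: Az.Accounts, Az.Resources, Az.Billing installed; resource type
# Microsoft.SecurityCopilot/capacities and property numberOfUnits (both assumed);
# subscription, resource group and email below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources, Az.Billing
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ResourceGroup  = 'rg-copilot-security-test',              # dedicated RG
    [string]$AlertEmail     = 'admin@contoso.example',                 # placeholder
    [switch]$Delete                                                    # remove capacity
)

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Enumerate every capacity in the subscription, not only the dedicated resource
#    group, in case someone provisioned one elsewhere during the set-up wizard.
$capacities = @(Get-AzResource -ResourceType 'Microsoft.SecurityCopilot/capacities' -ExpandProperties)

if ($capacities.Count -eq 0) {
    Write-Host 'No Copilot for Security capacity found: nothing is being billed.'
}
foreach ($c in $capacities) {
    $scu = [int]$c.Properties.numberOfUnits   # property name assumed
    # Single-quoted format string so "$" stays literal and {3:N0} formats the number.
    Write-Host ('{0} in {1}: {2} SCU(s), about US${3:N0}/month at $4/SCU/hour x 720h' -f `
        $c.Name, $c.ResourceGroupName, $scu, ($scu * 4 * 720))
}

# 2. Monthly budget on the dedicated resource group: the amount is one SCU-month,
#    with an email when spend reaches 50% of it (a forgotten SCU trips this in ~15 days).
$monthStart = (Get-Date -Day 1).Date
New-AzConsumptionBudget -Name 'copilot-security-budget' -Amount 2880 -Category Cost `
    -TimeGrain Monthly -StartDate $monthStart -ResourceGroupName $ResourceGroup `
    -ContactEmail $AlertEmail -NotificationKey 'half-scu-month' -NotificationEnabled `
    -NotificationThreshold 50 | Out-Null

# 3. Tear down: deleting the capacity resource is what stops the hourly charge.
if ($Delete) {
    foreach ($c in $capacities) {
        Remove-AzResource -ResourceId $c.ResourceId -Force
        Write-Host "Deleted $($c.Name); SCU billing stops from here."
    }
}
```

Run it without -Delete to see what is provisioned and what it costs, and with -Delete once testing is over. The same dedicated resource group and budget pattern applies to the Syntex PAYG services covered later on this page.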

I have more to share on my findings so far so stay tuned.

Time to enable more logging

Having logs enabled is a good thing because it allows you to track down information after the fact. This is especially handy when you are performing a security investigation. Here is some additional logging that I recommend you enable.

image

Start by navigating to:

https://entra.microsoft.com

You’ll need to login with an administrative account that has sufficient rights. Expand the menu on the left of the screen until you see Monitoring & health, as shown above.

image

Under this option you will find the menu item Diagnostic settings as shown above, which you select. This will display your diagnostic settings on the right. Here you can see that I am currently sending logs to a Log Analytics workspace, which is linked to Microsoft Sentinel for analysis. If you aren’t already sending your logs to a Log Analytics workspace you can set one up via the Add diagnostic setting hyperlink. I will assume here you already have something set up.

image

Select the Edit setting hyperlink in the Edit setting column on the right, as shown above.

image

Scroll down the categories of logs listed and ensure they are all selected so the logging data will be sent to Microsoft Sentinel via the Log Analytics workspace.

If you have already enabled this logging I suggest you go back in and check that all categories are selected as Microsoft has now added some additional items:

– EnrichedOffice365Auditlogs

– MicrosoftGraphActivityLogs

– RemoteNetworkHealthLogs

which I had to enable.

When you have completed your category selections press the Save button in the menu bar at the top of the window to update your preferences.

This now means that you’ll have even more data in your Sentinel environment to help keep you secure.
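Since Microsoft adds categories after a diagnostic setting has been created, the useful check is one that compares the categories the tenant can emit against the categories your setting actually forwards, so a newly added category does not silently go missing from Sentinel. The script below is an added example, not from the original post; it assumes the Az.Accounts module, that Entra ID diagnostic settings are reachable through the ARM provider path microsoft.aadiam at api-version 2017-04-01 (assumed), and that 'to-sentinel' is a placeholder for the name you gave your own setting.

```powershell
# Added example (not from the original post): report Entra ID log categories that
# exist in the tenant but are not enabled on the diagnostic setting feeding Sentinel.
# Assumptions: Az.Accounts installed; ARM paths under /providers/microsoft.aadiam
# and api-version 2017-04-01 (assumed); 'to-sentinel' is a placeholder setting name.
#Requires -Modules Az.Accounts

function Get-EntraDiagnosticGaps {
    param([Parameter(Mandatory)][string]$SettingName)

    $api = 'api-version=2017-04-01'   # assumed api-version

    # Every log category the tenant can currently emit (this list grows over time).
    $catResponse = Invoke-AzRestMethod -Method GET `
        -Path "/providers/microsoft.aadiam/diagnosticSettingsCategories?$api"
    $allCategories = @(($catResponse.Content | ConvertFrom-Json).value |
        Where-Object { $_.properties.categoryType -eq 'Logs' } |
        ForEach-Object { $_.name })

    # The diagnostic setting as it is configured right now.
    $setResponse = Invoke-AzRestMethod -Method GET `
        -Path "/providers/microsoft.aadiam/diagnosticSettings/$SettingName?$api"
    if ($setResponse.StatusCode -ne 200) {
        throw "Diagnostic setting '$SettingName' not found (HTTP $($setResponse.StatusCode))"
    }
    $setting = $setResponse.Content | ConvertFrom-Json
    $enabled = @($setting.properties.logs | Where-Object { $_.enabled } |
        ForEach-Object { $_.category })

    [pscustomobject]@{
        Setting      = $SettingName
        Workspace    = $setting.properties.workspaceId
        Enabled      = $enabled
        Missing      = @($allCategories | Where-Object { $_ -notin $enabled })
    }
}

Connect-AzAccount | Out-Null
$result = Get-EntraDiagnosticGaps -SettingName 'to-sentinel'
if ($result.Missing.Count -eq 0) {
    Write-Host "All $($result.Enabled.Count) Entra ID log categories are forwarded to $($result.Workspace)"
} else {
    # Typically the newly added categories, e.g. MicrosoftGraphActivityLogs, show up here.
    Write-Warning ('Not forwarded to Sentinel: ' + ($result.Missing -join ', '))
}
```

Schedule this alongside your other tenant health checks; a non-empty Missing list is the signal to go back into Edit setting and tick the new categories.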

blockMsolPowerShell blocks all users if set to true

One of the options in the Entra ID authorization policy, in the Default user permissions section, is the setting blockMsolPowerShell which, when you dig into it, means:

Specifies whether the user-based access to the legacy service endpoint used by MSOL PowerShell is blocked or not.

Screenshot 2024-03-12 210611

Using my script:

https://github.com/directorcia/Office365/blob/master/graph-idauthpolicy-get.ps1

you can see whether this is enabled, which it is as shown above.

Screenshot 2024-03-12 205633

With this setting blockMsolPowerShell set to True, all user access to the msolservice PowerShell commands is blocked as shown above. This applies to all users, ordinary and administrators (even Global Administrators, which is what I tested in the above screenshot). The user can connect to the service BUT they can’t run any msol commands as shown above.

Now given that the msolservice module will be deprecated on March 30, 2024 there shouldn’t be any issue blocking this for ALL users. However, you may want to make sure you test any Outlook add-ins or other third party apps you have in place that might have a dependency on the old msolservice module. The easiest way to achieve this is probably to simply enable the block and see if problems arise. If they do, just make sure you know how to revert the setting. I think this is going to be the fastest way to determine if and what dependencies you may have.

I would suggest that unless you have a dependency, MSOL PowerShell access should be blocked (blockMsolPowerShell set to True) to improve the security of your environment.
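The test-and-revert approach above needs both directions scripted before you start. The function below is an added example written for this page, separate from the author's graph-idauthpolicy-get.ps1 script linked above; it reads the current value, sets blockMsolPowerShell to whatever you ask for, and reads it back. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Identity.SignIns, version 2.x, where the authorization policy is a singleton so no policy ID is passed) and an account that can consent to the Policy.ReadWrite.Authorization scope.

```powershell
# Added example (not the author's script): read, set and read back blockMsolPowerShell
# on the Entra ID authorization policy via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK 2.x (Update-MgPolicyAuthorizationPolicy targets the
# singleton policy without an ID); scope Policy.ReadWrite.Authorization.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

function Set-MsolBlock {
    param(
        # $true blocks the legacy MSOL endpoint for everyone, including Global Admins;
        # $false is the revert path to keep handy while testing third-party dependencies.
        [Parameter(Mandatory)][bool]$Block
    )
    Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

    $before = (Get-MgPolicyAuthorizationPolicy).BlockMsolPowerShell
    Write-Host "blockMsolPowerShell before: $before"

    if ($before -ne $Block) {
        # Switch parameter with explicit boolean so the same call serves set and revert.
        Update-MgPolicyAuthorizationPolicy -BlockMsolPowerShell:$Block
    } else {
        Write-Host 'Already in the requested state; nothing changed.'
    }

    $after = (Get-MgPolicyAuthorizationPolicy).BlockMsolPowerShell
    Write-Host "blockMsolPowerShell after:  $after"
    if ($after -ne $Block) { throw 'Policy update did not take effect; check role and scope.' }
    return $after
}

# Block MSOL for the whole tenant, then test add-ins and integrations.
Set-MsolBlock -Block $true

# If something breaks, revert with:
# Set-MsolBlock -Block $false
```

Because the change is tenant-wide and applies to administrators too, run the block from a session that is already connected (the Graph connection is independent of the MSOL endpoint) so the revert does not depend on the thing you just blocked.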

Microsoft 365 Backup restore process

image

In a previous article:

Setting Microsoft 365 Backup policies

I determined that I liked the simplicity of setting up backups with Microsoft 365 Backup but the negative was a lack of reporting or alerting on the execution of these jobs.

I’m sorry to say that I also find the restoration process for Microsoft 365 lacking for a number of reasons.

1. The main reason is, at the moment, there is not really a granular restore option.

2. The restore option typically restores everything over the top of what is there already, effectively replacing it, or restores everything to a different location, after which you have to manually copy the data across.

3. Selecting which actual backup to restore from I also found cumbersome.

4. I found the restoration of Exchange Online mailboxes the trickiest when trying to restore a select amount of data. You have to filter what you are looking for via a few options. You kind of have to know what you want beforehand; you can’t just browse.

5. When the restore process actually runs you get no real indication of what it is actually doing, you simply have to wait for it to finish. My 1.28TB test SharePoint site took around 45 minutes to copy to a new location.

This may be me, but when I did a restore of a OneDrive for Business to another location, the destination into which it copied the data is blank!

image

I did this more than once and got the same result. I couldn’t find any new SharePoint sites in my environment or sub folders. As such I am still trying to find out where the data actually restored to, as it does say it is completed!

image

The good thing is the restore process is pretty straightforward. A wizard takes you through the process as shown above.

image

For example, if you want to restore a OneDrive for Business you select the item from a list.

image

You then need to select a time and date to restore from. This is somewhat cumbersome and would be much better if you could simply browse through the available backups. For now you need to select the date and time you want.

image

I’m not sure what “standard restore” means when you confirm the restore point as shown above.

image

When you select the destination you’ll see that it typically restores everything over the top or everything to another location, after which you need to manually copy what you need and delete the rest.

image

You confirm the restore.

image

and you select Done.

image

Then at the bottom of the page are the restore tasks as shown above.

image

Even with the restore in progress, you’ll see you don’t get any information on progress or completion time. You’ll also note that the Destination will be available on restore,

image

but it wasn’t again unfortunately.

I found the mailbox restore process quite cumbersome.

image

If you want to restore selected content as shown above, you need to select a time frame

image

and that time frame is 14 days maximum.

image

Then you need to add filters from the four options shown above.

image

Then you have to find any matches and, for me, most of the time I didn’t find any in my test environment, which was frustrating.

Remember, Microsoft 365 Backup is still in preview and will continue to improve and develop. However, as it stands now I don’t feel this is a viable alternative for people who do wish to restore their Microsoft 365 environment in a granular manner. I think as a disaster recovery tool, that is, back up everything and restore everything, over the top if needed, it would be fine.

Thus, in summary, for now, I think Microsoft 365 Backup could work as a disaster recovery service but for granular, item level restore – not so much. However, it is still very early days for this product, so keep your eye on what develops. I know I will.

Microsoft 365 Backup pricing

image

I recently detailed how to

Set up Microsoft 365 backup

I thought it was about time to take a look at the cost of Microsoft 365 Backup to see how it compares to other offerings.

The interesting thing is that billing is a little different from other third party solutions. Microsoft 365 Backup is billed on storage, not on users. This makes direct comparison hard, so let me just focus on how Microsoft 365 Backup is billed for now.

If you take a look at the Microsoft 365 Backup site you’ll see that at this point in time the service is billed at US$0.15 per GB per month. That is no matter what the data is, whether SharePoint, Exchange or OneDrive for Business. Data is data and the backup cost is per GB per month.

You’ll find this from Microsoft:

Pricing model for Microsoft 365 Backup (Preview)

in which you need to note:

image

there is also a Microsoft 365 Backup pricing spreadsheet here:

https://aka.ms/M365BackupCalculator

but the bottom line is to add up all your data storage and multiply by US$0.15, right? Not so quick. Per the documentation:

The size of protected content is equal to the cumulative size of the mailboxes being protected plus the size of the SharePoint sites and OneDrive accounts being protected (that is, the size of the live OneDrive accounts and SharePoint sites as displayed in the live sites’ usage reports) plus the size of any deleted/versioned content held for restore during the protection period.

Let’s say that I have 1,024GB (1TB) of total data I wanted backed up across SharePoint, Exchange and ODFB. That is relatively easy to determine via the usage reporting tools in Microsoft 365. Where it becomes more challenging is determining the deleted data capacity. What exactly is that?

After some digging, in essence, deleted data is data that has been purged from the service. For example, deleted data is data that was backed up in the SharePoint Online recycle bin that has now expired the standard retention period of 93 days and is no longer in SharePoint Online. Thus, deleted data, is largely, data that no longer resides in the service but has been backed up inside the service at some stage. Ok, but how will I know what that is? That’s a challenge. I can’t find an easy way of determining that. Maybe we’ll see that soon in Microsoft 365 Backup as I think we need to have it, otherwise knowing the costs becomes challenging.

For now, let’s say that the deleted data is exactly the same as my source data inside the services currently being backed up. Thus, if I have 1TB of live data to be backed up, let’s assume the total amount being sent to Microsoft 365 Backup is 2TB. Thus, the cost of this would be:

2,048 GB x US$0.15 = US$307.20 per month

If I assume say 30 users in that tenant of that size then I get roughly US$10 per month per user. I’m taking this as the high end benchmark for SMB in terms of tenant size. I’m just trying to get an average benchmark price with these numbers. That figure is around US$10 per user per month for Microsoft 365 Backup (with plenty of assumptions I admit, but you got to start somewhere)
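The live-data half of that estimate is available programmatically from the same usage reports mentioned above, so the calculation can be repeated for any tenant rather than worked by hand. The script below is an added example, not from the original post or from Microsoft; it pulls the mailbox, OneDrive and SharePoint storage reports through Microsoft Graph, applies the post's assumption that deleted/versioned data roughly equals live data (exposed as a factor you can change), and returns the monthly and per-user figures. It assumes the Microsoft.Graph.Authentication module with the Reports.Read.All permission, and that the report CSVs carry the columns 'Report Date' and 'Storage Used (Byte)' with one row per day (assumed column names).

```powershell
# Added example (not from the original post): estimate Microsoft 365 Backup cost from
# live storage in the Microsoft 365 usage reports (via Microsoft Graph), applying the
# post's assumption that deleted/versioned data is about equal to live data.
# Assumptions: Microsoft.Graph.Authentication with Reports.Read.All; report CSV columns
# 'Report Date' and 'Storage Used (Byte)', one row per day (assumed); rate from the post.
#Requires -Modules Microsoft.Graph.Authentication

function Get-LatestStorageBytes {
    # Download one storage report (7-day period) and return the newest day's byte count.
    param([Parameter(Mandatory)][string]$Report)
    $tmp = New-TemporaryFile
    try {
        Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/reports/$Report(period='D7')" `
            -OutputFilePath $tmp.FullName
        $latest = Import-Csv $tmp.FullName |
            Sort-Object { [datetime]$_.'Report Date' } -Descending |
            Select-Object -First 1
        return [double]$latest.'Storage Used (Byte)'
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

function Get-M365BackupEstimate {
    param(
        [double]$RatePerGb         = 0.15,  # US$ per GB per month (from the post)
        [double]$DeletedDataFactor = 1.0,   # deleted/versioned data as a fraction of live data
        [int]$Users                = 30     # for the per-user comparison with seat-priced products
    )
    Connect-MgGraph -Scopes 'Reports.Read.All' -NoWelcome

    # The three workloads Microsoft 365 Backup protects, each from its own usage report.
    $liveBytes = 0.0
    foreach ($report in 'getMailboxUsageStorage', 'getOneDriveUsageStorage', 'getSharePointSiteUsageStorage') {
        $liveBytes += Get-LatestStorageBytes -Report $report
    }

    $liveGb      = $liveBytes / 1GB
    $protectedGb = $liveGb * (1 + $DeletedDataFactor)   # live + assumed deleted/versioned
    $monthlyUsd  = $protectedGb * $RatePerGb

    [pscustomobject]@{
        LiveGB      = [math]::Round($liveGb, 1)
        ProtectedGB = [math]::Round($protectedGb, 1)
        MonthlyUSD  = [math]::Round($monthlyUsd, 2)
        PerUserUSD  = [math]::Round($monthlyUsd / $Users, 2)
    }
}

# With 1,024 GB live and the default factor this reproduces the post's 2,048 GB x 0.15
# = US$307.20 per month, or about US$10 per user for 30 users.
Get-M365BackupEstimate -Users 30
```

Once Microsoft exposes the actual deleted/versioned volume, replace the DeletedDataFactor assumption with that figure; until then, re-running the estimate each month shows how the live-data half of the bill is trending.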

I appreciate this is all very subjective, but upon first glimpse, looking at a few example tenants around the place and doing the same sort of calculations, I found that, at the very least, Microsoft 365 Backup seems to be comparable to the pricing of third party products on a purely economic basis, which I found interesting.

Of course, price isn’t the only measure of product value and the more live and deleted data you have as well as the longer you retain that data the more expensive it becomes with Microsoft 365 Backup. However, interestingly, Microsoft 365 Backup is pretty cost effective for smaller environments, that is, typically those in SMB. The challenge is that most competitive products are a flat fee per month per user (like a Microsoft 365 Business Premium license is), whereas Microsoft 365 Backup is a consumption based (Azure) fee (i.e. you pay for what you use). That leads to variable costs which many people don’t favour. But, remember with Microsoft 365 Backup your overall backup cost could be much lower as well. It all depends on what you use.

It is still early days for Microsoft 365 Backup and I remind you that it is still in preview at the moment. I found it interesting that Microsoft 365 Backup has taken a different approach to pricing that could work well in SMB. I’ll take a closer look at the feature set compared to third party services in an upcoming article and hopefully present a better picture of how you should be considering Microsoft 365 Backup.

For me, the fact that it generally seems to be price competitive in SMB environments is a plus (aka in the ballpark). Not definitive enough, I grant you, to replace what might be in place with other solutions from third parties, but still it is a good start in the comparison journey.

I’ll have more to share soon on what I’ve found and how I believe Microsoft 365 Backup can work in SMB.

Set up Microsoft 365 backup

image

The first step you’ll need to take is to:

Enable Microsoft Syntex PAYG

This is how the Microsoft 365 Backup service will be billed. That will be basically via Azure and you’ll only pay for what you need.

image

You’ll then have to go back into the Use content AI with Microsoft Syntex area again, which is where you established the billing. Here you need to select Manage Microsoft Syntex as shown above.

image

A dialog will appear from the right. In the list that appears, select Backup as shown above.

image

Select the Turn on button at the bottom of the page.

image

You should see a warning, as shown above, that Microsoft 365 Backup is about to be enabled. Select Save to continue.

image

There will now be a confirmation that the Microsoft 365 Backup service is Turned on (enabled) as shown above. You’ll also notice the Turn off button at the bottom of the page if you wish to return and disable Microsoft 365 Backup.

image

If you select the link Go to Microsoft 365 Backup you’ll be taken to the area to actually operate the service which looks like:

image

You’ll see that you can also navigate to this area via the Microsoft 365 admin center | Settings | Microsoft 365 Backup options on the menu on the left as shown above.

Stay tuned for upcoming posts on running Microsoft 365 Backup and the costs associated.

Enabling Microsoft Syntex PAYG

There are lots of great new features coming to Microsoft Syntex (or SharePoint Premium) and many of these can be used in a PAYG manner tied to an Azure subscription. This is much like the Power Platform PAYG configuration I have detailed previously.

Before you configure anything in Microsoft 365, you’ll need an Azure subscription to bill against that is in the same tenant as Microsoft 365. I would also suggest you create a new unique Resource Group which you can target for Syntex PAYG services. This will make it much easier to determine the costs of the Syntex services that you consume. I’m not going to cover how to add a resource group to Azure here, but make sure you have the subscription in place before proceeding.

image

To enable Syntex PAYG you need to login to the Microsoft 365 portal as an administrator and navigate to the Admin center as shown above. Select Setup from the menu on the left. On the right enter “use con” into the search box as shown in step two above. This will filter out all the other options except the one you want which is:

Use content AI with Microsoft Syntex

as shown in step 3 above. Select this.

image

You should see the screen shown above. If you have not yet configured the PAYG billing for Syntex the only option available will be the Set up billing option on the left, as shown, which you should select.

image

A dialog will appear from the right hand side with a number of options as shown above. Here you’ll need to select your Azure information from the drop down menus presented.

image

When you have completed all the fields (including the Resource Group which I suggest you create just for this purpose), select the I accept Microsoft pay-as-you-go billing terms of service. Finally, select the Save button at the bottom of the dialog.

image

The system will then display the above screen for a few minutes (be patient, it takes a little while to fully configure).

image

All going well, you should receive a confirmation of success at the top of the page as shown above. You can now close this dialog.

image

With the billing complete you should now be able to select the Manage Microsoft Syntex option on the right as shown above.

image

You should now see the current list of services that can be utilised with Syntex PAYG. More will be added over time, so don’t forget to check back regularly. To configure any of these simply select that service.

image

In this case, the Archive option was selected and you can see the Turn on button on the bottom of the dialog you would need to select to enable SharePoint Site archiving in your Microsoft 365 tenant. There are more configuration steps required to enable the service and all this really does is bill the service in a PAYG manner to your Azure subscription.

You can now close out of all these windows and leave everything turned off for now, ready for when you do want to start using those capabilities. There will be no costs until you actually start using these services (i.e. PAYG. Don’t use, don’t pay!)

It is really good that these advanced options are being made available in a PAYG manner, allowing greater access to such capabilities, without necessarily having to pay high monthly fees with a lock in contract. A very SMB friendly option in my opinion!

I look forward to seeing more services appear here for Syntex which I can start using, including eSignatures which is coming real soon. Stay tuned.

CIA Brief 231217

image

Investigating malicious OAuth applications using the Unified Audit Log –

https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/investigating-malicious-oauth-applications-using-the-unified/ba-p/4007172

Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server –

https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-perforations-critical-rce-vulnerability-discovered-in-perforce-helix-core-server/

Advancing Cybersecurity: The Latest enhancement in Phishing-Resistant Authentication –

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/advancing-cybersecurity-the-latest-enhancement-in-phishing/ba-p/2365681

Get started with Microsoft 365 for business –

https://www.youtube.com/watch?v=mWutD2Zb1Zk

Copilot for Microsoft 365 | Work On –

https://www.youtube.com/watch?v=0QEL9Y3Udvc

Satya Nadella 2023: Year of AI –

https://www.youtube.com/watch?v=Vu6Wq8lLUN0

Microsoft Cloud for Sovereignty now generally available, opening new pathways for government innovation –

https://blogs.microsoft.com/blog/2023/12/14/microsoft-cloud-for-sovereignty-now-generally-available-opening-new-pathways-for-government-innovation/

Introducing New Features of Microsoft Entra Permissions Management –

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-new-features-of-microsoft-entra-permissions/ba-p/2466925

Announcing updates to Copilot for Microsoft 365 availability –

https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/announcing-updates-to-copilot-for-microsoft-365-availability/ba-p/4007075

Microsoft Sentinel – SOAR through the SIEM, begin with the basics –

https://techcommunity.microsoft.com/t5/fasttrack-for-azure/microsoft-sentinel-soar-through-the-siem-begin-with-the-basics/ba-p/3990142

Disrupting the gateway services to cybercrime –

https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/

Protect your organizations against QR code phishing with Defender for Office 365 –

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041

Strengthening identity protection in the face of highly sophisticated attacks –

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/strengthening-identity-protection-in-the-face-of-highly/ba-p/4006009

Threat actors misuse OAuth applications to automate financially driven attacks –

https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

New Microsoft Incident Response team guide shares best practices for security teams and leaders –

https://www.microsoft.com/en-us/security/blog/2023/12/11/new-microsoft-incident-response-team-guide-shares-best-practices-for-security-teams-and-leaders/

Microsoft Defender XDR unified role-based access control (RBAC) model is now generally available –

https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/microsoft-defender-xdr-unified-role-based-access-control-rbac/ba-p/3993793

Staged rollout management for Graph connectors is generally available –

https://techcommunity.microsoft.com/t5/microsoft-search-blog/staged-rollout-management-for-graph-connectors-is-generally/ba-p/3998367

After hours

Minesweeper the movie –

https://www.youtube.com/watch?v=LHY8NKj3RKs

Editorial

If you found this valuable, then I’d appreciate a ‘like’. This helps me know that people enjoy what I have created. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

I’m running a session on Microsoft Copilot in a few weeks. Read more and sign up for free here – https://blog.ciaops.com/2023/12/04/ciaops-need-to-know-microsoft-365-webinar-december-5/

Also, I’m doing a summer camp deep dive into Microsoft 365 Secure Score. You can read more and sign up here – https://blog.ciaops.com/2023/12/11/ciaops-summer-school-is-open-for-enrolments/

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week.