Hello Everyone,

I want to create an Entra Dynamic Group that will that will look for the Department and the Description attribute.  I have sync’d the “description (group)” and “description (user)” Directory extensions via our AAD Connect but the rule builder still won’t pick up on it.

After sync’ing the attributes I go into Entra -> Groups -> Create New -> select Dynamic.  While building the rule I click the Get Custom Extension Properties button and enter the App ID of my Tenant Schema app.  After this I can see the “extension_<AppID>_description Property to select from.  

However when I put in a matching value the rule validator does not pick up on it.

Microsoft Entra Connect Sync: Directory extensions – Microsoft Entra ID | Microsoft Learn

Is there anything I am missing?

Ultimately I would like to simply create an EXO Dynamic Group that can filter on these, but I cannot find away. 

Thanks for any input.

​Hello Everyone, I want to create an Entra Dynamic Group that will that will look for the Department and the Description attribute.  I have sync’d the “description (group)” and “description (user)” Directory extensions via our AAD Connect but the rule builder still won’t pick up on it. After sync’ing the attributes I go into Entra -> Groups -> Create New -> select Dynamic.  While building the rule I click the Get Custom Extension Properties button and enter the App ID of my Tenant Schema app.  After this I can see the “extension_<AppID>_description Property to select from.   However when I put in a matching value the rule validator does not pick up on it. Microsoft Entra Connect Sync: Directory extensions – Microsoft Entra ID | Microsoft Learn Is there anything I am missing? Ultimately I would like to simply create an EXO Dynamic Group that can filter on these, but I cannot find away.  Thanks for any input.  Read More

​

This is a step-by-step guided walkthrough of how to use the custom Copilot for Security pack for Microsoft Data Security and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more. By focusing on the information and organizational context to reflect the real impact/value of investments and incidents in cyber. We are working to add this to our native toolset as well, we will update once ready.

Prerequisites

License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. You also need to be licensed for Microsoft Copilot for Security, more information here.
Consider setting up Azure AI Search to ingest policy documents, so that they can be part of the process.

Step-by-step guided walkthrough

In this guide we will provide high-level steps to get started using the new tooling. We will start by adding the custom plugin.

Go to securitycopilot.microsoft.com
Download the DataSecurityAnalyst.yml file from here.
Select the plugins icon down in the left corner.

Under Custom upload, select upload plugin.

Select the Copilot for Security plugin and upload the DataSecurityAnalyst.yml file.

Click Add
Under Custom you will now see the plug-in

 The custom package contains the following prompts

 Under DLP you will find this if you type /DLP

Under Sensitive you will find this if you type sensitive

Let us get started using this together with the Copilot for Security capabilities

Anomalies detection sample.
Access to sensitive information by compromised accounts.
Document accessed by possible compromised accounts.
CVE or proximity to ISP/IPTags.
Tune Exchange DLP policies sample.
Purview unlabelled operations.
Applications accessing sensitive content.
Hosts that are internet accessible accessing sensitive content
Exchange incident sample prompt book.
SharePoint sample prompt book.

Anomalies detection sample

The DLP anomaly is checking data from the past 30 days and inspect on a 30m interval for possible anomalies. Using a timeseries decomposition model.

The sensitivity content anomaly is using a slightly different model due to the amount of data. It is based on the diffpatterns function that compares week 3,4 with week 1,2.

Access to sensitive information by compromised accounts.

This example is checking the alerts reported against users with sensitive information that they have accessed.

Who has accessed a Sensitive e-mail and from where?

We allow for organizations to input message subject or message Id to identify who has opened a message. Note this only works for internal recipients.

You can also ask the plugin to list any emails classified as Sensitive being accessed from a specific network or affected of a specific CVE.

Document accessed by possible compromised accounts.

You can use the plugin to check if compromised accounts have been accessing a specific document.

CVE or proximity to ISP/IPTags

This is a sample where you can check how much sensitive information that is exposed to a CVE as an example. You can pivot this based on ISP as well.

Tune Exchange DLP policies sample.

If you want to tune your Exchange, Teams, SharePoint, Endpoint or OCR rules and policies you can ask Copilot for Security for suggestions.

Purview unlabelled operations

How many of the operations in your different departments are unlabelled?  Are any of the departments standing out?

In this context you can also use Copilot for Security to deliver recommendations and highlight what the benefit of sensitivity labels are bringing.

Applications accessing sensitive content.

What applications have been used to access sensitive content? The plugin supports asking for applications being used to access sensitive content. This can be a fairly long list of applications, you can add filters in the code to filter out common applications.

If you want to zoom into what type of content a specific application is accessing.

What type of network connectivity has been made from this application?

Or what if you get concerned about the process that has been used and want to validate the SHA256?

Hosts that are internet accessible accessing sensitive content

Another threat vector could be that some of your devices are accessible to the Internet and sensitive content is being processed. Check for processing of secrets and other sensitive information.

Promptbooks

Promptbooks are a valuable resource for accomplishing specific security-related tasks. Consider them as a way to practically implement your standard operating procedure (SOP) for certain incidents. By following the SOP, you can identify the various dimensions in an incident in a standardized way and summarize the outcome. For more information on prompt books please see this documentation.

Exchange incident sample prompt book

Note: The above detail is currently only available using Sentinel, we are working on Defender integration.

SharePoint sample prompt book

Posts part of this series

Cyber Security in a context that allows your organization to achieve more
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041
Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 
How to build the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-build-the-microsoft-purview-extended-report-experience/ba-p/4122028 

​Microsoft Tech Community – Latest Blogs –Read More 

Hello,

Our customer requested that to provide a solution for Azure DR. I am not sure how to accomplish this.

Anyone, please help.

Seaniro: 

Primary Site 

West Europe – Qatar Central

Secondery site 

West Europe to  North Europe  

and all are IAAS VM’s 

​Hello, Our customer requested that to provide a solution for Azure DR. I am not sure how to accomplish this.Anyone, please help. Seaniro: Primary Site West Europe – Qatar CentralSecondery site West Europe to  North Europe  and all are IAAS VM’s       Read More

​

Cloud computing has revolutionized the way businesses operate, with many organizations shifting their business-critical services and workloads to the cloud. This transition, and the massive growth of cloud environments, has led to a surge in security issues in need of addressing. Consequently, the need for contextual and differentiated security strategies is becoming a necessity. Organizations need solutions that allow them to detect, prioritize, and address security issues, based on their business-criticality and overall importance to the organization. Identifying an organization’s business-critical assets serves as the foundation to these solutions.

Microsoft is pleased to announce the release of a new set of critical cloud assets classification capability in the critical asset management and protection experience, as part of Microsoft Security Exposure Management solution, and Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud (MDC). This capability enables organizations to identify additional business-critical assets in the cloud, thereby allowing security administrators and the security operations center (SOC) teams to efficiently, accurately, and proactively prioritize to address various security issues affecting critical assets that may arise within their cloud environments.

Learn more how to get started with Critical Asset Management and Protection in Exposure Management and Microsoft Defender for Cloud: Critical Asset Protection with Microsoft Security Exposure Management, Critical assets protection (Preview) – Microsoft Defender for Cloud

Critical Asset Management experience in Microsoft Defender XDR

Criticality classification methodology

Over the past few months, we, at Microsoft, have conducted extensive research with several key objectives:

Understand and identify the factors that signify a cloud asset’s importance relative to others.
Analyze how the structure and design of a cloud environment can aid in detecting its most critical assets.
Accurately and comprehensively identify a broad spectrum of critical assets, including cloud identities and resources.

As a result, we are announcing the release of a new set of pre-defined classifications for critical cloud assets, encompassing a wide range of asset types, from cloud resources, to identities with privileged permissions on cloud resources. With this release, the total number of business-critical classifications has expanded to 49 for cloud identities and 8 for cloud resources, further empowering users to focus on what matters most in their cloud environments.

In the following sections, we will briefly discuss some of these new classifications, both for cloud-based identities and cloud-based resources, their integration into our products, their objectives, and unique features.

Identities

In cloud environments, it is essential to distinguish between the various role-based access control (RBAC) services, such as Microsoft Entra ID and Azure RBAC. Each service has unique permissions and scopes, necessitating a tailored approach to business-criticality classification.
We will go through examples of new business-critical rules classifying identities with assigned roles both in Microsoft Entra and Azure RBAC:

Microsoft Entra

The Microsoft Entra service is an identity and access management solution in which administrators or non-administrators can be assigned a wide range of built-in or custom roles to allow management of Microsoft Entra resources.

Examples of new business-criticality rules classifying identities assigned with a specific Microsoft Entra built-in role:

Classification: “Exchange Administrator”
Default Criticality Level: “High”

‘Exchange Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Exchange Administrator built-in role.

Identities assigned this role have strong capabilities and control over the Exchange product, with access to sensitive information through the Exchange Admin Center, and more.

Classification: “Conditional Access Administrator”
Default Criticality Level: “High”

‘Conditional Access Administrator’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with the Microsoft Entra Conditional Access Administrator built-in role.
Identities assigned this role are deemed to be of high importance, as it grants the ability to manage Microsoft Entra Conditional Access settings.

Azure RBAC

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. The way you control access to resources using Azure RBAC is to assign Azure roles.

Example of a new criticality rule classifying identities assigned with specific Azure RBAC roles:

Classification: “Identities with Privileged Azure Role”
Default Criticality Level: “High”

‘Identities with Privileged Azure Role’ classification in Critical Asset Management in Microsoft Defender XDR

This rule applies to identities assigned with an Azure privileged built-in or custom role.
Assets criticality classification within the Azure RBAC system necessitates consideration of different parameters, such as the role assigned to the identity, the scope in which the role takes effect, and the contextual business-criticality that lies within this scope.

Thus, this rule classifies identities which have a privileged action-permission assigned over an Azure subscription scope, in which a critical asset resides, thereby utilizing contextual and differential security measures. This provides the customer with a cutting-edge criticality classification technique for both Azure built-in roles, and custom roles, in which the classification accurately adapts to dynamic changes inside the customer environment, ensuring a more accurate reflection of criticality.

List of pre-defined criticality classifications for identities in Microsoft Security Exposure Management

Cloud resources

A cloud environment is a complex network of interconnected and isolated assets, allowing a remarkable amount of environment structure possibilities, asset configurations, and resource-identity interconnections. This flexibility provides users with significant value, particularly when designing environments around business-critical assets and configuring them to meet specific requirements.

We will present three examples of the new predefined criticality classifications as part of our release, that will illustrate innovative approaches to identifying business-critical assets.

Azure Virtual Machines

Examples of new criticality rules classifying Azure Virtual Machines:

Classification: “Azure Virtual Machine with High Availability and Performance”
Default Criticality Level: “Low”

‘Azure Virtual Machine with High Availability and Performance’ classification in Critical Asset Management in Microsoft Defender XDR

Compute resources are the cornerstone of cloud environments, supporting production services, business-critical workloads, and more. These assets are created with a desired purpose, and upon creation, the user is presented with several types of configurations options, allowing the asset to meet its specific requirements and performance thresholds.

As a result, an Azure Virtual Machine configured with an availability set, indicates that the machine is designed to withstand faults and outages, while a machine equipped with a premium Azure storage, indicates that the machine should withstand heavy workloads requiring low-latency and high-performance. Machines equipped with both are often deemed to be business-critical.

Classification: “Azure Virtual Machine with a Critical User Signed In”
Default Criticality Level: “High”

‘Azure Virtual Machine with a Critical User Signed In’ classification in Critical Asset Management in Microsoft Defender XDR

Resource-user interconnections within a cloud environment enable the creation of efficient, well-maintained, and least privilege-based systems. These connections can be established to facilitate interaction between resources, enabling single sign-on (SSO) for associated identities and workstations, and more.

When a user with a high or very high criticality level has an active session in the resource, the resource can perform tasks within the user’s scoped permissions. However, if an attacker compromises the machine, they could assume the identity of the signed-in user and execute malicious operations.

Azure Key Vault

Example of a new criticality rule classifying Azure Key Vaults:

Classification: “Azure Key Vaults with Many Connected Identities”
Default Criticality Level: “High”

‘Azure Key Vaults with Many Connected Identities’ classification in Critical Asset Management in Microsoft Defender XDR

Through the complex environments of cloud computing, where different kinds of assets interact and perform different tasks, lies authentication and authorization, supported by the invaluable currency of secrets. Therefore, studying the structure of the environment and how the key management solutions inside it are built is essential to detect business-critical assets.

Azure Key Vault is an indispensable solution when it comes to key, secrets, and certificate management. It is widely used by both business-critical and non-critical processes inside environments, where it plays an integral role in the smoothness and robustness of these processes.

An Azure Key Vault whose role is critical within a business-critical workload, such as a production service, could be used by a high number of different identities compared to other key vaults in the organization, thus in case of disruption or compromise, could have adverse effects on the integrity of the service.

List of pre-defined criticality classifications for cloud resources in Exposure Management

Protecting the crown jewels of your cloud environment

The critical asset protection, identification, and management, lies in the heart of Exposure Management and Defender Cloud Security Posture Management (CSPM) products, enriching and enhancing the experience by providing the customer with an opportunity to create their own custom business-criticality classifications and use Microsoft’s predefined ones.

Protecting your cloud crown jewels is of utmost importance, thus staying on top of best practices is crucial, some of our best practice recommendations:

Thoroughly enabling protections in business-critical cloud environments.
Detecting, monitoring, and auditing critical assets inside the environments, by utilizing both pre-defined and custom classifications.
Prioritizing and executing the remediation and mitigation of active attack paths, security issues, and security incidents relating to existing critical assets.
Following the principle of least privilege by removing any permissions assigned to overprivileged identities, such identities could be identified inside the critical asset management experience in Microsoft Security Exposure Management.

Conclusion

In the rapidly growing and evolving world of cloud computing, the increasing volume of security issues underscores the need of contextual and differentiated security solutions to allow customers to effectively identify, prioritize, and address security issues, thereby the capability of identifying organizations’ critical assets is of utmost importance.

Not all assets are created equal, assets of importance could be in the form of a highly privileged user, an Azure Key Vault facilitating authentication to many identities, or a virtual machine created with high availability and performance requirements for production services.

Protecting customers’ most valuable assets is one of Microsoft’s top priorities. We are pleased to announce a new set of business-critical cloud asset classifications, as part of Microsoft Defender for Cloud and Microsoft Security Exposure Management solutions.

Learn more

Microsoft Security Exposure Management

Start with Exposure Management Documentation, Product website, blogs
Critical Asset Management documentation
Critical Asset Protection and how to get started in Microsoft Security Exposure Management blog post
List of Microsoft’s predefined criticality classifications: Link
Microsoft Security Exposure Management what’s new page

Microsoft Defender for Cloud

Microsoft Defender for Cloud (MDC) plans
Microsoft’s Cloud Security Posture Management (CSPM) documentation
Critical Asset Protection in Microsoft Defender for Cloud (MDC) documentation

​Microsoft Tech Community – Latest Blogs –Read More 

You don’t need us to tell you about the current Cyber Security threat landscape, if you are reading this blog post you already know. You are also aware that the absence of evidence for a breach is not the same as not being breached and that your cyber security posture is constantly being assessed by adversaries. This is not becoming easier with the boom of AI and related services that are leading to a boom in data processing in combination with new capabilities for threat actors. Or… could it?

We are excited to provide you with a series of posts that will help you use the new technology to your advantage. This series will help small to large organizations to achieve more with the Microsoft Cloud Ecosystem Security.

No matter if you are a business leader or a technologist this will spark ideas that will help you achieve more. These abilities are fully customizable, and we are also adding new out-of-the-box features that can be used to replace these custom features. We will post updates as those become available.

The basis of this approach

How do you identify new security projects? How do you assess which security project you should fund? Are you uncertain if the program you funded has had the desired outcome? What cost is associated with a failed control? What is the positive financial impact of effective controls?

We think the answer to these questions is: By focusing on what the adversaries are after and the consequences of controls being bypassed. Much may change but the target is your crown jewels (across the dimensions of confidentiality, integrity and availability).

The benefit of this focus is that it is well aligned with the focus of the entire organization. Investments to be made can be clearly articulated in terms and values that are understood across the organization. From a technology perspective, it switches the focus to the adversaries’ goals (and how to prevent), which avoids a too-introspective view and approach to security. It also helps you to focus on the consequences of such a breach, the awareness of the consequences will guide you to implement the right type of mitigation based on the impact. Do not let technology get in the way of your decision-making. Allow a freer form of communication across the organization using the value the technology enables.

What are attackers after? Let’s ask Copilot for Security

Please go here to learn more about Copilot for security. 

Figure 1: Prompting Copilot about cyber attacks

Are you able to tell how far away threat actors have been from this type of data in your system? Wouldn’t it be nice if every time you have an incident you could validate proximity to sensitive information? Before we go deep into this let’s zoom out.

Is there a way to visualize the impact that cyber security has in a business context?

Yes, if your organization is using Microsoft 365 Purview configured to capture file access and you have enabled Microsoft Defender for Cloud Apps integration with Advanced Hunting (more in technical document). This example provides an overview of the data that you can use. Organizational context like department, data context like the data types being accessed, type of cyber security incidents including incident details can be viewed at a high level or at a detailed level. Pair this with your technology investments and you can provide the gains of attacks prevented as well as a view of incidents that penetrated further. With the contextual data you can associate a monetary cost to compromises as well as effective protection.

Figure 2: Cyber attack data

What about non-Microsoft systems, to see the types of cross-platform systems that can be visualized please see Connect apps to get visibility and control – Microsoft Defender for Cloud Apps | Microsoft Learn. We have not built visualizations for all these products but if you follow the existing patterns, you can do so for your key applications.

We have added the ability to use Microsoft Defender for Endpoint data to output connections to sensitive systems from compromised devices. You can also use Copilot for Security as part of this work, bring in other contextual data you have in documents and in other forms and let Copilot for Security make the connections.

Do not limit this to reporting

Start tagging your incidents with the organizational context in mind. When communicating Cyber Security incidents to stakeholders use contextual data not technical details. Reporting on near misses and actual incidents should bring the actual financial impact and a steer for new investments.

For example, if you have a phishing incident, don’t just report the affected user and the type of phish. Instead, tag the incident with the class of sensitive information that may have been disclosed if the user was compromised. Even if the attack was successfully prevented.

Phishing is one of the most common attacks be realistic (anticipating your reaction), this type of data will support your investments. And it also provides an important data point, what if this control is bypassed. What types of controls do I have in between the attacker and the crown jewels? Which departments are targets, is this a specific threat actor?

Time for another sample from Copilot for Security

Incidents like Anonymous IP are not especially alarming for most organizations. It may be used as supporting data.

Figure 3: Anonymous IP involving one user

But when looking at this same innocuous incident from Copilot for Security we can note that this incident would benefit from the right type of tagging. The fact that an Account Key has been found in the open is concern enough. This tagging can be suggested directly by Copilot for Security, or for highest value connect Copilot for Security with your security policy and tagging taxonomy.

Figure 4: Copilot prompting about compromised data types

Regularly use Copilot for Security to map out potential ways the attacker may have gone deeper using MITRE ATT&CK as an example. With that in mind what is the proximity to other sensitive content and systems? Use the Exposure management tools like Microsoft Secure Score to find areas you can improve. Armed with this knowledge you may find additional controls that should be set in place to limit the impact of one of the controls failing. Backing the investment decisions with data that matters to your business.

When you validate CVE’s or software vendors for possible supply chain attacks check the impact they may have on your sensitive content. It can validate your next actions and you may even find the type of attackers you weren’t aware of.

Figure 5: Copilot prompting about sensitive information

But don’t stop here use Microsoft Defender for Cloud Apps to define networks and ISP’s, see this for more information. This will allow you to capture this type of detail based on vulnerabilities or threat actors you know are coming from a specific network segment and the amount of sensitive information being processed at that location. Which will allow you to extend this business context to investments needed in that space.

Are there other areas where this can be used?

What if you need to move one department to another location or are divesting parts of your organization? What type of data is being processed by that department or location?

You can use Copilot for Security.

Figure 6: Copilot prompting about types of sensitive info

Or you can use the view from Power BI to start the conversation and filter on the types that are key to your operations.

Figure 7: PowerBI info about data types

Conclusion

The approach to placing what is most valuable in the center will help you prepare for new and future threats. As your data landscape changes you will be able to monitor and early on spot weaknesses that may lead to increased risk. In a way you can see this as training where you build your muscles around your data. Instead of meeting cyber incidents as a problem you are meeting them as an opportunity to grow.

What’s next

Please see the new blog posts and start building on your own adaptation of this approach. This is the starting point, and you will see us make many advancements to allow you to grow further.

Security for Copilot Data Security Analyst plugin https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-to-customize-and-optimize-copilot-for-security-with/ba-p/4120147 
Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 
How to build the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-build-the-microsoft-purview-extended-report-experience/ba-p/4122028 

​Microsoft Tech Community – Latest Blogs –Read More 

Hello,

one user receives emails from inside the Organisation marked as a Junk-Email. Not all and not every time.

I have no idea from what it depends. Nevertheless it should not happen inside my Organisation.

I cannot mark the whole domain as a safe (eg.: *@companyname.com) sender, because I get an error that is not possible to do inside the Organisation. Even if I mark only one email Address as a “safe” sometimes it goes to a Junk folder

In Exchange I also created a Email rule with SCL set to “0”. I red somewhere that in Exchange 2016 is possible to set “-1”. But in MS365 it seems that is not possible.

I have compared Email headers of a “normal” email and of a “junk” and they look fine.

The SPF also looks OK.

​Hello, one user receives emails from inside the Organisation marked as a Junk-Email. Not all and not every time.I have no idea from what it depends. Nevertheless it should not happen inside my Organisation.I cannot mark the whole domain as a safe (eg.: *@companyname.com) sender, because I get an error that is not possible to do inside the Organisation. Even if I mark only one email Address as a “safe” sometimes it goes to a Junk folderIn Exchange I also created a Email rule with SCL set to “0”. I red somewhere that in Exchange 2016 is possible to set “-1”. But in MS365 it seems that is not possible.I have compared Email headers of a “normal” email and of a “junk” and they look fine.The SPF also looks OK.  Read More

​

Hi,

I’m having an issue with devices automatically signing in to Sharepoint in the Edge browser.

I am looking for a way to prevent this, as there are confidential files on Sharepoint, so it should always ask for a password. The devices are enrolled in Intune. I have tried to disable implicit sign-in, but that does not do the trick. Can anybody point me in the right direction?

Thanks in advance.

​Hi, I’m having an issue with devices automatically signing in to Sharepoint in the Edge browser.I am looking for a way to prevent this, as there are confidential files on Sharepoint, so it should always ask for a password. The devices are enrolled in Intune. I have tried to disable implicit sign-in, but that does not do the trick. Can anybody point me in the right direction? Thanks in advance.   Read More

​