Azure Sentinel Archives - Microsoft Industry Blogs - United Kingdom
http://approjects.co.za/?big=en-gb/industry/blog/tag/azure-sentinel/
Feed generated Fri, 26 Jan 2024 14:09:43 +0000

Safeguarding your business with AI-powered security solutions
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2024/01/26/safeguarding-your-business-with-ai-powered-security-solutions/
Fri, 26 Jan 2024 13:48:56 +0000

Discover how the powerful “Self-Learning AI” solution from Darktrace absorbs what happens across your digital estate, then uses the evolving blueprint to identify anomalies and optimise security.

The post Safeguarding your business with AI-powered security solutions appeared first on Microsoft Industry Blogs - United Kingdom.

Cybersecurity is one of the top challenges of our digital age. It’s not uncommon to read reports on security incidents spanning all types of industries in all parts of the globe. And while security measures are constantly evolving, so too are attack techniques, exposing organisations to serious and costly compromise.

In this second of our four-blog series, we’ll see how prevention is truly the best defence. And as organisations continue to transition to the cloud, independent software vendors have been instrumental in building innovative cyber security solutions that appeal to customers in the fast-paced world of digital transformation.  

Darktrace, one of TIME magazine’s “Most Influential Companies” in 2021, is one such vendor. Currently protecting nearly 8,900 organisations around the world, including Royal Caribbean, City of Las Vegas, and McLaren, Darktrace works with companies of all sizes and in all verticals – from enterprises and governments to small and medium businesses.

Darktrace AI is designed to work with your security team across the entire attack lifecycle, providing clear analysis and context in ordinary language to drive understanding and efficiency. The solution integrates seamlessly with Microsoft Azure Sentinel and hosts its email service on Azure. Read on to discover how Darktrace’s AI-powered security products, available on the Microsoft marketplace, can help protect your organisation, building even greater confidence that your business, data and staff are safe.

On a mission to mitigate cyber-disruption  

As a global leader in cyber security AI, Darktrace is on a mission to tackle and minimise cyber-disruption. Breakthrough innovations in their Cambridge-based Cyber AI Research Centre have resulted in over 160 patents filed and research published to contribute to the cybersecurity community. That’s great news for stretched security teams, who are struggling with increasingly complex digital systems and an escalating threat landscape – from fending off ransomware attacks and data leaks, through to phishing and supply chain attacks.  

In fact, Darktrace research found that traditional email security tools, which rely on knowledge of past threats, take an average of 13 days from the launch of an attack to detection of it. (Source: Major Upgrade to Darktrace/Email™ Product Defends Organizations Against Evolving Cyber Threat Landscape.)

Darktrace has tackled the challenges of traditional cyber security efforts by turning the entire approach on its head. 

Responding to threats by knowing you

Rather than study attacks, Darktrace’s technology continuously learns and updates its knowledge of your business. Its distinction lies in the algorithms and data it uses, and how the two interact. Instead of training an AI on historical attacks – an approach that requires constant updating and maintenance – Darktrace takes their “Self-Learning AI” to your data. It’s plugged into your enterprise and learns in real time from everything that happens in your digital world – including email, cloud environments, manufacturing and operational systems, and physical locations.  

From this, the AI builds up a sense of “normal” for your organisation. This allows it to identify unusual patterns that indicate a cyber-threat – and then take targeted action to contain emerging attacks. It then applies that understanding to optimise your unique state of cybersecurity.

In effect, Darktrace is fuelling a continuous end-to-end security capability that can spot and respond to novel in-progress threats within seconds.  

In reality, that translates to increased threat detection accuracy and time savings – freeing you up to focus on what matters most: running your business. 

Bespoke solutions that build confidence 

According to Dan Fein, Director of Product at Darktrace, “Cyber-criminals will do whatever it takes. Daily, we see attackers impersonate CEOs or compromise vendors’ accounts to send out targeted, topical emails that look legitimate. Our security products align perfectly with Microsoft’s, allowing us to build even greater confidence among our mutual customers that their business, data and staff are protected.” 

What could that mean for your business? With Darktrace, you’ll be equipped to:  

  • Detect and respond to cyber-attacks, including unknown and highly targeted attacks that evade traditional tools trained on historical attack data.   
  • Stop phishing attacks with increasing accuracy, based on an understanding of “normal” user behaviour and communications.   
  • Defend against threats across the entire digital enterprise – from cloud and email systems to networks, endpoints, and Operational Technology – with the same underlying AI technology.  
  • Reduce triage and investigation time by automating tedious, repetitive tasks.   

Businesses are already seeing the benefits, with Darktrace customers reporting significant improvements in threat detection accuracy and time savings. One real estate enterprise reported a 95.83% reduction in time to identify potential threats. Another healthcare organisation reported a 90% reduction in triage time.  

Driving cognitive AI with Microsoft Security Copilot 

Helping to take cutting-edge cybersecurity to new levels, Darktrace is taking part in Microsoft’s Security Copilot Partner Private Preview.  

Security Copilot is Microsoft’s next-generation AI-powered security product that enables security professionals to respond to threats quickly, process signals at machine speed, and assess risk exposure in minutes. It combines an advanced large language model (LLM) with a security-specific model that’s informed by Microsoft’s unique global threat intelligence and more than 65 trillion daily signals. 

Selected for their proven experience with Microsoft security technologies and their close relationship with Microsoft, Darktrace will give feedback on Security Copilot product development, helping to refine new scenarios and drive future product releases. 

Get added benefits of buying through the marketplace 

Trust, simplicity and efficiency all count for a lot. Buying from the Microsoft marketplace means all solutions are certified and optimised to run on Azure. You’re able to use private offers to get exactly what you need, including customised terms and conditions, negotiated pricing, prototypes for proof of concept, and tailor-made solutions. 

Better still, you can transact in a single, accessible place, reducing procurement complexity, saving time and simplifying billing. Eligible purchases can be applied to your organisation’s Azure cloud commitment, with 100% of the purchase value counting against it on your Azure Marketplace invoice.

All while enjoying the peace of mind that comes from buying and running solutions on a trusted cloud with industry-leading security.  

Start protecting the Darktrace way today  

See what Darktrace discovers in your environment. Visit the Microsoft marketplace to buy Darktrace/Email or Darktrace/Detect now, or contact our team at ISVUK@Microsoft.com.

Other blogs in this series

Blog 1: Driving your AI transformation with the Microsoft marketplace 

Blog 3: Optimising business operations through AI-powered solutions 

Blog 4: Deliver transformational employee experiences through AI-empowering solutions

About the author

James Chadwick, Senior Director, UK ISV Ecosystem, Microsoft

James joined Microsoft 15 years ago and has held leadership positions across the Consumer, Enterprise and Partner teams at Microsoft. James is currently the ISV Ecosystem Lead and has a passion for people and technology coming together to drive customer success. He has been at the forefront of cloud and digital transformation for the last 10 years, launching new business models and driving transformation through the Microsoft Partner ecosystem, contributing to new revenue streams and significantly accelerated growth for Microsoft and its partners.

What is a ‘security culture’? Best practices for implementing your security strategy
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2023/03/28/what-is-a-security-culture-best-practices-for-implementing-your-security-strategy/
Tue, 28 Mar 2023 10:21:37 +0000

Over 100 million attacks against remote management devices were observed in May 2022. Today, a Zero Trust security approach is crucial in a world of remote work.

In a world of remote work and cloud-based digital infrastructure, it is understood that security strategy needs to take a more agile and proactive approach centred around identity verification. Microsoft partners and customers have confirmed that the incremental, ongoing development of an organisation-wide security culture is the best way to implement a Zero Trust approach.

Sophisticated cyberattacks are on the rise

According to the Microsoft Digital Defense Report 2022, over 100 million attacks against remote management devices were observed in May 2022, up 500 percent on the past year. Human-operated ransomware remains the most prevalent cybercrime, however. One-third of targets are successfully compromised by criminals using these attacks, and 5 percent of them are ransomed.

Old perimeter-guarding strategies are no match for these increasingly sophisticated threats. An organisation needs to embrace a modern, data-driven and people-centred approach to managing security risk. This can help to identify and tackle existing threats more effectively while learning to anticipate new ones.

What is a security culture?

An organisation’s security culture is built on shared values, attitudes and ways of acting. It’s therefore hard to change, and it takes time. Creating a culture of security needs colleagues to understand the potential costs of a security lapse. They must also understand how bad actors tend to operate, and why existing security strategies are no longer adequate.

In the current climate, digital communications and cloud data management provide multiple ways to access organisations that previously didn’t exist. Once inside your network, cybercriminals can move laterally, seeking out value.

Zero Trust relies on strong identity verification

Adopting strong identity verification is key to Microsoft’s Zero Trust approach. Real-time data provides information on the user, the device, and the location – which is crucial in a hybrid world of work. Connecting both cloud and legacy systems to a single identity solution provides end-to-end visibility of an organisation’s digital presence. This helps to protect against internal threats that old-fashioned firewalls would miss. Where there is doubt, a Zero Trust approach applies conditional access. Where there is risk, a breach is assumed.

A security strategy that enhances overall performance

Adopting a Zero Trust approach brings immediate improvements to an existing security posture, and builds a path that continuously improves risk management. It simplifies security processes to enhance customer experience, and potentially lowers costs by eliminating the need for external security providers.

Adopting a best-in-class security strategy can also make an organisation more forward-focused and risk-responsive in general. Nurturing a security culture brings long term benefits to a company as a brand and to its overall effectiveness in the marketplace. Security is not just a cost; it drives trust and therefore adds value.

Security culture starts small and collaboratively

When implementing a new security protocol, take a step-by-step approach, beginning with a small, controlled group and a security risk that qualifies as low-hanging fruit. Once the new protocol has been validated and teams have given feedback, the rollout can be expanded to another part of the business, such as identities, infrastructure, devices, data, networks or apps.

As for implementing organisation-wide security culture change, this will benefit from full and visible support from your senior leadership team. Aim to implement your new strategy collaboratively, and through a phased programme of activities. Taking a creative approach to security skilling and education helps stimulate staff engagement. Microsoft, for example, produces a successful, internally promoted video series that follows the security-themed adventures of its protagonist, Nelson.

Understand and work with colleagues who may express resistance to change. While moving to new day-to-day practices – for example, new ways of working with different classes of data – openness and empathy will be crucial in empowering all teams to own, understand and learn from their inevitable mistakes.

Data-driven monitoring spots emerging risks

In time, your security strategy can become more sophisticated. AI can be deployed to detect abnormal behaviour and protect your organisation’s most sensitive information from accidental exfiltration as well as bad actors. Microsoft Azure, Azure Sentinel and Microsoft 365 apps can document your compliance with regulations, monitor access, and apply data analytics to predict where the next security risk might emerge. Data metrics can guide security strategy on the principle of maximising costs to the attacker and prioritising your most valuable data. Many of Microsoft’s UK customers and partners have benefited from this security-first approach.

LGL money managers find security on the cloud

LGL Group are a financial services company who were frustrated by the cost and complexity of enterprise-grade cybersecurity. Microsoft worked collaboratively with LGL to design a roadmap that modernised their security controls, enhanced their security posture and reduced their reliance on third-party application subscriptions, driving down costs. By migrating to the latest Microsoft 365 and Azure security stack, LGL also benefited from a more streamlined and simplified hybrid security system.

Meanwhile Microsoft continues to work with schools and colleges to close the cybersecurity skills gap, with targeted investments here in the UK. Salford City Council leveraged the skills and resources of the Microsoft Enterprise Skills Initiative to develop a cyber strategy and a security operations centre using Microsoft Sentinel. It now aims to share its best-in-class skills with other public sector organisations to proactively monitor, detect and respond across Greater Manchester.

Zero Trust is a journey

Zero Trust is a journey, not a destination. Visit the security hub at Microsoft Business Security Solutions and discover how Microsoft can help you implement an identity environment with cloud identity federation, strong authentication and conditional access at its core.

Find out more

Microsoft security blogs

Strong identity management provides Zero Trust security

Microsoft Sentinel strengthens Salford Council’s cybersecurity


Azure Workbook: This will show Public IP Address that you have
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/07/15/azure-workbook-this-will-show-public-ip-address-that-you-have/
Wed, 15 Jul 2020 19:09:52 +0000

This Azure Monitor Workbook uses KQL (Kusto Query Language) over AzureActivity data and Azure Resource Graph (ARG) to identify which public IP addresses are configured and when they were configured.

Tip: you can also use the same queries to build an alert in Azure Monitor or Azure Sentinel that fires when an IP address is made public.

Demo: demo GIF file

Installation instructions: https://github.com/CliveW-MSFT/KQLpublic/blob/master/README.md

Download: https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/PublicIP/PublicIP%20v0.1.workbook

Overview

Use this Workbook to compare any Public IP address (PIP) in Azure Monitor Logs and Azure Resource Graph (ARG). ARG may have more data that is useful to compare logged data against.

- e.g. if you create a resource but never start it, ARG will have data, whereas Log Analytics won't have a log entry.
- Also, Log Analytics has data retention, so the data you seek may have been removed if the retention period has passed.

Data source required:

    AzureActivity
    | where ResourceProvider == "Microsoft.Network"

Permission: access to ARG
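The selection the workbook's data-source query makes, plus the ARG comparison the overview describes, as an added Python example that is not the workbook's own KQL; it runs over constructed AzureActivity rows and a constructed ARG snapshot so it works offline. Column names (TimeGenerated, ResourceProvider, OperationNameValue, ActivityStatusValue, Caller, _ResourceId) follow the AzureActivity schema as an assumption, and the subscription id is a placeholder.

```python
"""Reconcile public IP changes logged in AzureActivity with what Azure Resource Graph holds.

Added example, not the workbook's own code. All rows below are constructed; the
subscription id is a placeholder; AzureActivity column names are an assumption.
"""
from datetime import datetime, timedelta, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder


def _res(rg, provider, rtype, name):
    # AzureActivity stores _ResourceId lower-cased.
    return f"{SUB}/resourcegroups/{rg}/providers/{provider}/{rtype}/{name}".lower()


def _row(ts, provider, op, status, caller, rid):
    return {"TimeGenerated": ts, "ResourceProvider": provider, "OperationNameValue": op,
            "ActivityStatusValue": status, "Caller": caller, "_ResourceId": rid}


# Constructed AzureActivity rows (not real tenant data).
AZURE_ACTIVITY = [
    # A write produces a Start row and then a Success row; only the latter counts.
    _row("2020-07-10T09:14:58Z", "Microsoft.Network", "MICROSOFT.NETWORK/PUBLICIPADDRESSES/WRITE",
         "Start", "alice@contoso.example", _res("rg-web", "Microsoft.Network", "publicIPAddresses", "pip-web-01")),
    _row("2020-07-10T09:15:00Z", "Microsoft.Network", "MICROSOFT.NETWORK/PUBLICIPADDRESSES/WRITE",
         "Success", "alice@contoso.example", _res("rg-web", "Microsoft.Network", "publicIPAddresses", "pip-web-01")),
    # Other provider: dropped by the workbook's data-source predicate.
    _row("2020-07-11T11:00:00Z", "Microsoft.Compute", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
         "Success", "bob@contoso.example", _res("rg-web", "Microsoft.Compute", "virtualMachines", "vm-web-01")),
    # Microsoft.Network but not a public IP.
    _row("2020-07-12T08:00:00Z", "Microsoft.Network", "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
         "Success", "bob@contoso.example", _res("rg-web", "Microsoft.Network", "networkSecurityGroups", "nsg-web")),
    # A public IP that was deleted.
    _row("2020-07-13T16:30:00Z", "Microsoft.Network", "MICROSOFT.NETWORK/PUBLICIPADDRESSES/DELETE",
         "Success", "alice@contoso.example", _res("rg-old", "Microsoft.Network", "publicIPAddresses", "pip-old-01")),
]

# Constructed ARG snapshot. pip-legacy-01 predates the Log Analytics retention
# window, so it exists in ARG but has no AzureActivity row (the gap noted above).
ARG_PUBLIC_IPS = [
    {"name": "pip-web-01", "resourceGroup": "rg-web", "ipAddress": "203.0.113.10"},
    {"name": "pip-legacy-01", "resourceGroup": "rg-old", "ipAddress": "203.0.113.99"},
]


def public_ip_changes(rows):
    """Successful writes/deletes of publicIPAddresses, oldest first.

    The workbook's `ResourceProvider == "Microsoft.Network"` data-source filter,
    narrowed to the resource type and to the terminal (Success) status.
    """
    changes = []
    for r in rows:
        if r["ResourceProvider"] != "Microsoft.Network" or r["ActivityStatusValue"] != "Success":
            continue
        parts = r["_ResourceId"].split("/")
        if "publicipaddresses" not in parts:
            continue
        changes.append({
            "name": parts[-1],
            "resourceGroup": parts[parts.index("resourcegroups") + 1],
            "action": r["OperationNameValue"].rsplit("/", 1)[-1].lower(),   # write / delete
            "when": r["TimeGenerated"],
            "caller": r["Caller"],
        })
    return sorted(changes, key=lambda c: c["when"])


def reconcile(changes, arg_ips):
    """Split public IP names into those seen in both sources, logs only and ARG only."""
    logged = {c["name"] for c in changes}
    in_arg = {p["name"] for p in arg_ips}
    return {"both": sorted(logged & in_arg),
            "log_only": sorted(logged - in_arg),   # e.g. deleted, so gone from ARG
            "arg_only": sorted(in_arg - logged)}   # e.g. older than log retention


def alert_candidates(changes, now_iso, lookback_days):
    """Rows a scheduled Azure Monitor / Sentinel alert would fire on: public IP
    writes whose Success row falls inside the look-back window."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    window = timedelta(days=lookback_days)
    return [c for c in changes
            if c["action"] == "write"
            and now - datetime.strptime(c["when"], fmt).replace(tzinfo=timezone.utc) <= window]


if __name__ == "__main__":
    changes = public_ip_changes(AZURE_ACTIVITY)
    for c in changes:
        print(f'{c["when"]} {c["action"]:6} {c["resourceGroup"]}/{c["name"]} by {c["caller"]}')
    print(reconcile(changes, ARG_PUBLIC_IPS))
    print([c["name"] for c in alert_candidates(changes, "2020-07-15T19:00:00Z", 7)])
```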

Log Analytics: Queries, how to find and run them in a Workbook – part 2
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/07/02/log-analytics-queries-how-to-find-and-run-them-in-a-workbook-part-2/
Thu, 02 Jul 2020 17:34:21 +0000

I hadn’t intended a Part 2 on this topic, but I also managed to add Tabs into the “FindMySyntax” Workbook for Azure Monitor Workbooks and Azure Resource Graph.

Please see part1: http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/18/log-analytics-kql-saved-queries-how-to-find-and-run-them-in-a-workbook/

For future versions please look here: https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks/findMySynatx

Summary

So why do I have an Azure Monitor Workbook to find Workbooks? Two main reasons:

  1. In Shared Workbooks, I can again search within the code for a keyword – highly useful for finding specific syntax. Shared Workbooks are those other people are granted access to view.
  2. You can filter by Time Modified – again useful if you have a lot of Workbooks to search through. This is also true for Private Workbooks (only the ones the author can see).

I have 100s of Workbooks from various projects, so a search by date is extremely useful. Unfortunately you can't do a keyword search within these private workbooks.

Example:

I also created a similar Tab for Azure Resource Graph saved queries (saved Queries only), again the main benefit is a Time and Keyword search.

Please see the latest file in my Github:  https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks/findMySynatx

If you’d like to give it a try please read how to Import a Workbook from here: https://github.com/CliveW-MSFT/KQLpublic/blob/master/README.md

Special thanks to Gary Bushey for testing some of this – sorry Gary, I haven’t fixed all the bugs yet!

Thanks Clive

Log Analytics Workspace Retention Reporting Options (Part 2)
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/18/log-analytics-workspace-retention-reporting-options-part-2/
Thu, 18 Jun 2020 14:53:22 +0000

In my previous post I talked about using Postman to make a REST API call to a Log Analytics workspace to view and change the retention settings. Equally I mentioned that I would look to utilise an Azure Monitor workbook to visualise the settings.

Azure Monitor workbooks are a fantastic way to visualise data within a Log Analytics workspace and there are a number available in the Azure Portal.

Useful references

The workbook uses a combination of Azure Resource Graph (ARG) and the Log Analytics REST API to collect the information it needs. It is available from my repository on GitHub, where you will also find instructions on how to download and import it.

On importing the workbook, you will notice two dropdown pickers (as shown below), one which allows you to select the subscription where the Log Analytics workspace(s) are and the other is for what I refer to as the Report Option.

workbook screenshot 1

Use the Subscription dropdown picker to select the appropriate subscription, which will use Azure Resource Graph (ARG) to retrieve all the workspaces that exist in that subscription and the results are presented in a table as shown below:

workbook screenshot 2

The Report Option picker gives you two choices:

  1. Full List – where the REST API call returns the Data Retention settings for all tables
  2. View by Table – where you choose or search for a particular table and its associated Data Retention setting

workbook screenshot 3

NOTE: The Report Option is dependent on you having selected a particular workspace which is displayed in a table above as this exports some values into parameters that are used by the API queries.

So, here are some screenshots showing the results of both of those options:

Full List view

workbook screenshot 4

You will note that I have highlighted a couple of tables in the Full List report option that I changed as part of my previous post.

View by Table

workbook screenshot 5a

workbook screenshot 5b

You see the picker allows you to scroll through the list of available tables or you can do a text search. Once you have chosen a table the result will be presented to the right of the dropdown.

workbook screenshot 5c

I will look at making some enhancements to this workbook in the future.

Thanks Paul

Log Analytics: KQL saved Queries, how to find and run them in a Workbook
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/18/log-analytics-kql-saved-queries-how-to-find-and-run-them-in-a-workbook/
Thu, 18 Jun 2020 06:53:31 +0000

Summary

Log Analytics has an option called Query Explorer (note: this is due to be updated, so this example is applicable for a short period of time). If, like me, you have 100s of saved queries, managing them can be a challenge (my #1 challenge!). Let’s fix that with an Azure Monitor Workbook…

One of the ways Query Explorer is used is to save your KQL queries in a Category, with a Name, to help you find them again. So I may have saved a query in Category: Demo with Name: “This is a demo query”. If I wanted to use this query again, I’d open Query Explorer, search for the name and re-run it. However, the challenge is that the search only looks at the “name”. So, for example, if I had some KQL using the “externaldata” operator, unless I had that in the name as well, I couldn’t find it without opening all my files, which is only OK if you have a few saved queries. It’s a reason I started to store more in GitHub, as that has a keyword search.

John Gardner, a Principal Software Engineer in the Azure Monitor Workbooks team, recently shared an example of using an API within a Workbook, similar to what I did here: https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-sentinel-api-to-view-data-in-a-workbook/ba-p/1386436. John has kindly let me share his example: the workbook he produced retrieves the ‘Saved Searches’ from the Log Analytics API, displays them and then, if you click one, shows the KQL and tries to run it in a workspace.

Solution

This was great, but whilst having a conversation about this, I thought why can’t it be used to solve my #1 challenge; how to find a keyword or command within a saved KQL query.  A light bulb moment.  Fortunately it was easy to make a few simple changes to the code from John.  Now from the search control in this Workbook you can type and find any text.

You can see in the next screenshot that we can search on a string, which can be the category, name or a content/keyword in the code. This is a great time saver for me – just today I wanted a “regex” example and had to open 10+ files to find it; with this workbook, I only needed one go!

You can see here that I looked for the word ‘extend’, which was found in the Demo category, in a file called services-running. Prior to this Workbook, would I have remembered it was in a file with that name? Probably not.
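The search the workbook performs over the saved-search API response, as an added Python example rather than the workbook's own code, run over constructed entries. The response shape (value[].properties with category, displayName and query) is an assumption about the Log Analytics savedSearches API.

```python
"""Keyword search across Log Analytics saved searches (category, name and query text).

Added example, not the FindMySyntax workbook's own code. The response shape is an
assumption about the savedSearches API; the entries below are constructed.
"""
import re

# Constructed savedSearches response (not from a real workspace).
SAVED_SEARCHES = {"value": [
    {"properties": {"category": "Demo", "displayName": "This is a demo query",
                    "query": "Heartbeat\n| summarize count() by Computer"}},
    {"properties": {"category": "Demo", "displayName": "services-running",
                    "query": "Event\n| where EventLog == 'System'\n"
                             "| extend Service = tostring(EventData)\n| summarize count() by Service"}},
    {"properties": {"category": "Ops", "displayName": "Blocklist feed",
                    "query": "externaldata(ip:string)\n[h'https://example.invalid/feed.csv']\n| distinct ip"}},
    {"properties": {"category": "Security", "displayName": "Admin logons",
                    "query": "SecurityEvent\n| where EventID == 4624\n| where AccountType == 'User'"}},
]}

ALL_FIELDS = ("category", "displayName", "query")


def _first_match(text, rx):
    """Return (1-based line number, line) of the first line matching rx, or None."""
    for n, line in enumerate(text.splitlines(), 1):
        if rx.search(line):
            return n, line
    return None


def find_saved_searches(response, pattern, fields=ALL_FIELDS):
    """Search saved searches with a case-insensitive regex over the chosen fields.

    fields=("displayName",) reproduces Query Explorer's name-only search; the
    default also covers the category and the KQL body, which is what the workbook
    adds. One hit per saved search, reporting the field and the matching line.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for item in response["value"]:
        props = item["properties"]
        for field in fields:
            found = _first_match(props.get(field, ""), rx)
            if found:
                hits.append({"category": props["category"], "displayName": props["displayName"],
                             "field": field, "line": found[0], "text": found[1]})
                break
    return hits


if __name__ == "__main__":
    # Name-only search misses the externaldata query; the full search finds it.
    print(find_saved_searches(SAVED_SEARCHES, "externaldata", fields=("displayName",)))
    print(find_saved_searches(SAVED_SEARCHES, "externaldata"))
    for hit in find_saved_searches(SAVED_SEARCHES, "extend"):
        print(f'{hit["category"]}/{hit["displayName"]} ({hit["field"]} line {hit["line"]}): {hit["text"]}')
```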

key word search

Demo

Please click here to see a recorded Demo stored as a GIF from my Github.

find my keyword example gif

Download the example

If you’d like to give it a try please read how to Import a Workbook from here: https://github.com/CliveW-MSFT/KQLpublic/blob/master/README.md

Then download the Workbook here: https://github.com/CliveW-MSFT/KQLpublic/blob/master/KQL/Workbooks/findMySynatx/FindmySyntax%20v0.2.4.workbook (remember to use ‘RAW’ mode)

Thanks Clive

Log Analytics Workspace Retention Reporting Options (Part 1)
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/17/log-analytics-workspace-retention-reporting-options-part-1/
Wed, 17 Jun 2020 12:29:28 +0000

Hi all,

This is the first of two posts that I will be doing on how you can report on the Retention settings of an Azure Log Analytics workspace. In the second post I will provide a sample Workbook for displaying the settings.

It is often that during my conversations with customers about Azure Monitor, Azure Security Center and Azure Sentinel, the topic of data retention comes up. In most cases the default global settings of:

  • 31 days for Log Analytics
  • 90 days for Application Insights
  • 90 days for an Azure Sentinel linked workspace
  • and the maximum retention time of 730 days

are sufficient, but there are those occasions when a customer wants to retain certain data types for either a longer or shorter period of time, because either the data becomes stale and therefore not of value, or they are thinking about cost optimisation.

Note: the above global defaults do not apply to Free Pricing tier, which has a retention of 7 days.

The process to change the data retention period is part of the Azure Monitor documentation in the Usage and Cost section. Changing the data retention period using the Azure portal is a global change across all data types. The ability to set retention by data type has been available since October 2019 and can be changed by utilising the Azure Resource Manager REST API.

Using this method it is possible to set different retention settings for individual data types from 30 to 730 days. I should note that both Usage and AzureActivity data types are retained for a minimum of 90 days by default and these cannot be set any lower.

So now that we know that it is possible to set individual settings, how do we go about setting it? The documentation provides a link to an OSS tool – ARMClient but I decided to take a slightly different approach and used Postman as it allowed me to save individual requests and then come back to them at a later date.

After downloading and installing the Postman client, I used this great blog post from Jon Gallant to configure Postman to work with Azure AD. It also provides some examples to make sure that everything is working correctly.

One of the things that I like about using Postman is that I can set variables for an environment and then reuse them when constructing the REST API calls. Although not shown in the screenshot below, I created variables for each of my workspaces and then interchanged the variable as I needed.

[Screenshot: Postman environment variables]

With that bit done, it was now a case of creating the API requests applicable to the Azure Monitor Log Analytics workspace. The Azure Monitor documentation provides some example code for a GET request to list the retention for all the tables in a workspace:

GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2017-04-26-preview

Getting the current settings

Rather than walk through the creation of a new request, below are some screenshots showing what a GET request looks like in Postman (note: I have utilised the variables in the construction of the GET request, so it now looks like this):

{{resource}}/subscriptions/{{subscriptionId}}/resourceGroups/{{ala-workspace}}/Tables?api-version=2017-04-26-preview

[Screenshot: Params section]

[Screenshot: Headers section]

Once these have been set, clicking the SEND button will connect to the workspace and return the current settings as shown below:

[Screenshot: GET request results]

The screenshot above shows that I have already updated the retention settings for the ConfigurationData table to 30 days.

Setting the Retention

To change the setting(s) I created a new PUT request and the settings in the Params and Headers sections are the same as the GET request but now I needed to add the necessary code to the Body section to actually set the retention period – see below:

[Screenshot: PUT request body]

And like the GET request, clicking the SEND button connected to the workspace and updated the setting for the chosen table. In the screenshot below, I changed the setting for the ConfigurationData table to 60 days.

[Screenshot: GET request results after the setting change]
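As an added example (not code from the original post), the same GET and PUT requests built and validated in Python. It assumes the standard ARM host management.azure.com and that the list response is an ARM-style collection with a "value" array; the sample response is constructed, not captured from a real workspace.

```python
"""Build and validate Log Analytics per-table retention requests (added example,
not code from the original post). Assumes the ARM host management.azure.com and
an ARM-style list response with a "value" array; the sample below is constructed."""
import json

API_VERSION = "2017-04-26-preview"
MIN_DAYS, MAX_DAYS = 30, 730
# The post notes these two tables cannot be set below 90 days.
MIN_DAYS_BY_TABLE = {"Usage": 90, "AzureActivity": 90}


def tables_url(subscription_id, resource_group, workspace, table=None):
    """URL to list all tables (GET) or address one table (GET/PUT)."""
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}/Tables")
    if table:
        path += f"/{table}"
    return f"https://management.azure.com{path}?api-version={API_VERSION}"


def retention_body(table, days):
    """PUT body for one table, rejecting values outside the documented range."""
    floor = MIN_DAYS_BY_TABLE.get(table, MIN_DAYS)
    if not floor <= days <= MAX_DAYS:
        raise ValueError(f"{table}: retention must be {floor}-{MAX_DAYS} days, got {days}")
    return json.dumps({"properties": {"retentionInDays": days}})


def summarise_retention(list_response):
    """Map table name -> retentionInDays from a GET .../Tables response."""
    return {t["name"]: t["properties"]["retentionInDays"] for t in list_response["value"]}


def tables_outside(list_response, wanted_days):
    """Tables whose retention differs from the target: a quick drift check."""
    return {n: d for n, d in summarise_retention(list_response).items() if d != wanted_days}


# Constructed sample mirroring the post's screenshot: ConfigurationData already
# lowered to 30 days, the rest still at the 90-day Sentinel workspace default.
SAMPLE_RESPONSE = {"value": [
    {"name": "ConfigurationData", "properties": {"retentionInDays": 30}},
    {"name": "AzureActivity", "properties": {"retentionInDays": 90}},
    {"name": "SecurityEvent", "properties": {"retentionInDays": 90}},
]}

if __name__ == "__main__":
    print(tables_outside(SAMPLE_RESPONSE, 90))        # {'ConfigurationData': 30}
    print(retention_body("ConfigurationData", 60))    # PUT body from the post
```

Send the string from retention_body() as the body of a PUT to tables_url(..., table) with a bearer token, exactly as the Postman request in the post does.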

 

In summary, once you have Postman set up to work with Azure AD and your environment variables configured, it is a very simple and straightforward process to:

  • check the existing settings across all tables or for individual tables, and
  • update the retention periods to suit your needs, whether from a cost optimisation point of view or because you simply don't want to retain specific data types.

 

In the next post I will use the same REST API calls but will display the results in a workbook.

Log Analytics or Azure Sentinel – how schedule a report
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/17/log-analytics-or-azure-sentinel-how-schedule-a-report/
Wed, 17 Jun 2020 07:40:42 +0000

The post Log Analytics or Azure Sentinel – how schedule a report appeared first on Microsoft Industry Blogs - United Kingdom.

In this post I show how you can schedule a report to run using a Log Analytics query. It's a frequent ask and one I have answered a few times in posts like this:

https://techcommunity.microsoft.com/t5/azure-log-analytics/log-analytics-for-report-generation/m-p/1469610

Question: Can I schedule a query to run in Azure Monitor Logs / Log Analytics (or even for Azure Sentinel) and email the results?

Answer: Yes, I think there are two ways. The first, which I don't go into detail about here, is to provide an Azure Monitor Workbook; that way anyone with access can see the data whenever they need (you can also enable a download control if required).

 

However, if you do need automation, please use a Logic App (playbook). These are great for running a daily/weekly/monthly report schedule.

This is one of mine as an example:

1. The Recurrence sets the schedule; this one runs on Friday at 23:00, but you decide when.

2. We use the "Run query.." action to send the KQL commands and create an output. I actually run two queries, as I need a Capacity report (shown) and a Performance report. By adding a parallel branch you can do more or less.

3. Use an email connector like "send an email…" (I use O365) to send the output to the desired people/team.

 

[Screenshot: Logic App overview]

Step 1: example

[Screenshot: Recurrence trigger in the Logic App]

Step 2

I used a time chart, you can see the other options here:

 

[Screenshot: Run query action with chart type options]

 

Step 3

I send a very simple email, with the output as an attachment. You could also send via Microsoft Teams, or any other supported messaging or social platform; Logic Apps has hundreds of third-party connectors. Use Dynamic content (click from a list) to fill in the Attachment Content / Name fields.

[Screenshot: Send an email action in the Logic App]

 

 

Please see more details: https://docs.microsoft.com/en-us/azure/logic-apps/tutorial-process-email-attachments-workflow

Audit at scale. Workspaces and Azure Security Center
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/06/04/audit-at-scale-workspaces-and-azure-security-center/
Thu, 04 Jun 2020 13:45:57 +0000

The post Audit at scale. Workspaces and Azure Security Center appeared first on Microsoft Industry Blogs - United Kingdom.

A few times this week I’ve had two discussions.

  1. How is my Azure Security Center (ASC) licenced and configured?
  2. How many workspaces do I have, and what retention policy is set?

 

You can look in the portal; however, to do this at scale, let's use Azure Resource Graph.

I suggest you use Azure Resource Graph (ARG) for this (some of which my recent Workbook does as well), but for a quick check you can load ARG in the Azure Portal. These are some basic query examples, but they could be the basis of more complex queries.

[Screenshot: Azure Resource Graph Explorer in the Azure Portal]

 

1. Azure Security Center: Free vs. Standard licence

securityresources
| where type == "microsoft.security/pricings"
| extend tier = trim(' ', tostring(properties.pricingTier))
| summarize resource = make_set(name), tier = make_set(tier) by subscriptionId, tenantId

 

2. Workspace details

resources
| where type == "microsoft.operationalinsights/workspaces"
| extend sku = tostring(properties.sku.name), retention = tostring(properties.retentionInDays), created = tostring(properties.createdDate), modified = tostring(properties.modifiedDate)
| summarize by subscriptionId, name, sku, retention, created, modified, location
| order by sku asc

 

Example output from Query 2: this shows that most of my workspaces are set for 30-day retention but one is 90 days (in this case that's the one that supports my Azure Sentinel, so it is correctly set, as 90 days is part of the free retention for Azure Sentinel).

[Screenshot: ARG output from Query 2]

Query 3: much like Query 2, but shows whether it's Free or Standard per subscription ID and resource name.

 

securityresources
| where type == "microsoft.security/pricings"
| extend tier = trim(' ', tostring(properties.pricingTier))
| summarize tier = make_set(tier) by subscriptionId, name
| order by subscriptionId

Query 4: For Azure Sentinel workspaces

resources
// Just show workspaces that have Azure Sentinel enabled
| where type == "microsoft.operationsmanagement/solutions"
| where name contains "SecurityInsights"
| project WorkspaceName=name, S_CreatedDate=properties.creationTime, S_ModifiedDate=properties.lastModifiedTime, day = datetime_diff('day', now(), todatetime(properties.creationTime))
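To turn the query results above into audit findings, here is an added Python example (not code from the original post) that takes the rows Queries 2, 3 and 4 return, lists resources still on the Free tier and flags Sentinel-enabled workspaces whose retention is below the 90 days the post expects. The sample rows, the SecurityInsights(<workspace>) naming of the solution resource and the thresholds are assumptions noted in the code.

```python
"""Audit the Resource Graph results above (added example, not code from the
original post). Rows are constructed to mirror the queries' output; the
solution name format SecurityInsights(<workspace>) and the 90-day expectation
for a Sentinel workspace come from the post, the sample values are made up."""
import re

# Constructed output of Query 3: one row per subscription and pricing resource.
PRICINGS = [
    {"subscriptionId": "sub-a", "name": "VirtualMachines", "tier": ["Standard"]},
    {"subscriptionId": "sub-a", "name": "StorageAccounts", "tier": ["Free"]},
    {"subscriptionId": "sub-b", "name": "VirtualMachines", "tier": ["Free"]},
]
# Constructed output of Query 2: retention comes back as a string (tostring()).
WORKSPACES = [
    {"subscriptionId": "sub-a", "name": "ws-prod", "sku": "pergb2018", "retention": "90"},
    {"subscriptionId": "sub-a", "name": "ws-dev", "sku": "pergb2018", "retention": "30"},
    {"subscriptionId": "sub-b", "name": "ws-sec", "sku": "pergb2018", "retention": "30"},
]
# Constructed output of Query 4: solution resources named SecurityInsights(<workspace>).
SENTINEL_SOLUTIONS = [{"WorkspaceName": "SecurityInsights(ws-prod)"},
                      {"WorkspaceName": "SecurityInsights(ws-sec)"}]
SENTINEL_MIN_DAYS = 90  # the post: 90 days is the free retention for Sentinel

def free_tier_resources(pricings):
    """Resource types still on the Free ASC tier, grouped by subscription."""
    out = {}
    for row in pricings:
        if "Free" in row["tier"]:
            out.setdefault(row["subscriptionId"], []).append(row["name"])
    return out

def sentinel_workspaces(solutions):
    """Workspace names pulled out of SecurityInsights(<name>) solution resources."""
    names = set()
    for row in solutions:
        m = re.fullmatch(r"SecurityInsights\((.+)\)", row["WorkspaceName"])
        if m:
            names.add(m.group(1))
    return names

def short_retention_sentinel(workspaces, solutions, min_days=SENTINEL_MIN_DAYS):
    """Sentinel-enabled workspaces whose retention is below the expected minimum."""
    enabled = sentinel_workspaces(solutions)
    return sorted(w["name"] for w in workspaces
                  if w["name"] in enabled and int(w["retention"]) < min_days)

if __name__ == "__main__":
    print(free_tier_resources(PRICINGS))  # {'sub-a': ['StorageAccounts'], 'sub-b': ['VirtualMachines']}
    print(short_retention_sentinel(WORKSPACES, SENTINEL_SOLUTIONS))  # ['ws-sec']
```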

 

Log Analytics: Improved rendering of Charts
http://approjects.co.za/?big=en-gb/industry/blog/cross-industry/2020/05/11/log-analytics-improved-rendering-of-charts/
Mon, 11 May 2020 10:11:59 +0000

The post Log Analytics: Improved rendering of Charts appeared first on Microsoft Industry Blogs - United Kingdom.

Hi all,

 

I just found out today that the Render operator now supports more features in Log Analytics.

 

Event
| summarize dcount(EventID) by Computer, bin(TimeGenerated, 1h)
| render timechart with (legend = hidden, title = "My Title here", xtitle = "X title", ytitle = "Y title", ymin = 3, ymax = 10)

Note: previously you could only set a title in Log Analytics. Now you can set X and Y axis names and values! Thanks Dan for the tip!

[Screenshot: Log Analytics chart example]
