by Contributed | Jan 16, 2023 | Technology
This article is contributed. See the original author and article here.
As a security analyst or incident responder, you not only want to closely observe everything happening in an environment, but also react quickly and efficiently once malicious activity is detected. While Microsoft 365 Defender has powerful detection capabilities, it also provides response actions at the file, device, and user level that can be triggered both manually and automatically.
During widespread security incidents, where threat containment is the number one priority, actions must be taken on multiple entities based on specific criteria. The ability to perform these actions quickly ensures a timely response to threats and saves precious analyst and responder time.
Examples of such actions could be performing an antivirus scan of all devices with a certain file hash present, isolating all compromised devices based on an IR report provided as CSV, or tagging all devices running a vulnerable version of software X. After these actions are performed, it is always nice to have some change log.
For some of the scenarios above, you may need to operate beyond the Microsoft 365 Defender user interface, and this is where automation with API comes in handy. Using the API and a programming language of your choice, you can make yourself a simple yet effective tool for taking actions on multiple entities based on the criteria selected from your incident investigation.
Microsoft 365 Defender has a rich and growing set of APIs. These APIs help you automate workflows and make full use of Microsoft 365 Defender capabilities. A feature-rich schema helps SOC and IR teams perform integrations and enable automation in their processes. For example, a Security Operations Center (SOC) can leverage the Machine Actions resource type to take actions on devices. These actions include Isolate, Run AV Scan, Restrict App Execution, or programmatically running Live Response sessions.
This blog post walks through a simple response tool that uses the APIs, with PowerShell as the tool of choice to perform actions in bulk. It doesn’t require installation and can easily be adapted by anyone with some scripting experience. In addition, PowerShell is a cross-platform language, which makes it easier for anyone to port the tool to their platform of choice with minimal to no changes in the code.
To begin, we need access to the Microsoft 365 Defender API. Check out the following getting started guide which describes how to create an application, an application secret, and grant access to required APIs. You will need to follow the documentation on creating a new AppID and Secret and then make sure you provide the following App Permissions to your App.
| Permission name | Description |
|---|---|
| AdvancedQuery.Read.All | Run advanced queries |
| Machine.Isolate | Isolate the device |
| Machine.ReadWrite.All | Read and write all device information (used for tagging) |
| Machine.Scan | Scan the device |
Table 1: API permissions used by application.
This API-based tool has a simple PowerShell GUI with a series of numbered steps that’s intuitive to use.
- Specify application credentials created above and connect.
- Get devices on which you want to perform an action.
- Tag/Scan/Isolate all the selected devices.
- Export the log of all actions performed (if needed).
Figure 2: MDE API GUI tool interface
The tool currently accepts advanced hunting queries, computer names, and CSVs as device input methods. Once devices are selected, three types of actions can be performed:
- Tagging devices
- Performing Quick/Full AV scan, and
- Performing Isolation/Release from Isolation
The main benefit of a tool like this is the ability to perform actions in bulk and save time as a result. For example, a simple task of manually tagging 100 servers can take a lot of time using the security portal, especially if the servers don’t share a common naming scheme. With the APIs, it can be done in minutes. API usage also provides granular delegation capabilities. For example, a subset of users can be delegated the ability to run AV scans on devices even without having access to a portal.
In the screenshot below, you can see how all the devices running a vulnerable version of software can be quickly identified in the organization, scanned, and tagged while corresponding teams are busy installing patches.
Figure 3: Performing actions on devices running vulnerable version of software
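The bulk scenario described above (find devices running a vulnerable software version, tag and scan them, export a change log), as an added example that is not the code of the tool released with this post. It assumes the application credentials are supplied in hypothetical `MDE_TENANT_ID`, `MDE_APP_ID` and `MDE_APP_SECRET` environment variables; `software-x`, version `1.2.3`, the tag name and the log file name are placeholders.

```powershell
# Added example, not the released tool's code. Credentials come from
# environment variables (assumed names) so no secret is stored in the script.
$tenantId  = $env:MDE_TENANT_ID
$appId     = $env:MDE_APP_ID
$appSecret = $env:MDE_APP_SECRET
$api       = 'https://api.securitycenter.microsoft.com'

# 1. Connect: request an app-only token for the Defender for Endpoint API.
$tokenBody = @{
    resource      = $api
    client_id     = $appId
    client_secret = $appSecret
    grant_type    = 'client_credentials'
}
$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$token    = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody).access_token
$headers  = @{ Authorization = "Bearer $token" }

function Invoke-MdeApi {
    param([string]$Path, [hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "$api/api/$Path" -Headers $headers `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json)
}

# 2. Get devices with an advanced hunting query (AdvancedQuery.Read.All).
#    Software name and version are placeholders.
$query = @"
DeviceTvmSoftwareInventory
| where SoftwareName == 'software-x' and SoftwareVersion == '1.2.3'
| distinct DeviceId, DeviceName
"@
$devices = (Invoke-MdeApi -Path 'advancedqueries/run' -Body @{ Query = $query }).Results

# 3. Tag (Machine.ReadWrite.All) and quick-scan (Machine.Scan) every device,
#    recording the outcome of each call so failures are not lost.
$actions = [ordered]@{
    tags             = @{ Value = 'vulnerable-software-x'; Action = 'Add' }
    runAntiVirusScan = @{ Comment = 'Bulk scan: vulnerable software-x'; ScanType = 'Quick' }
}
$log = foreach ($d in $devices) {
    foreach ($a in $actions.GetEnumerator()) {
        $status = 'Submitted'
        try   { $null = Invoke-MdeApi -Path "machines/$($d.DeviceId)/$($a.Key)" -Body $a.Value }
        catch { $status = "Failed: $($_.Exception.Message)" }
        [pscustomobject]@{
            TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
            DeviceId = $d.DeviceId; DeviceName = $d.DeviceName
            Action   = $a.Key;      Status     = $status
        }
    }
}

# 4. Export the change log of all actions performed.
$log | Export-Csv -Path .\mde-actions-log.csv -NoTypeInformation
```

A "Submitted" status only means the API accepted the request; the scan itself runs asynchronously on the device.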
Currently the tool covers response actions against devices, but it can be further updated to support other response actions on files, users, and more. It can also be upgraded with user authentication to be better suited for enterprise usage and can be extended for many other scenarios that might be unique for your own team. We are releasing our code on GitHub so anyone can use it, contribute, fork it, and extend it but most importantly, share your feedback and your scenarios.
The is an impactful enabler for security teams looking for alternative ways to complete their tasks or integrate with other tools. The built-in API Explorer can be used to explore various APIs interactively and the tool we described in that blog and just released on GitHub can be used as a starting point or inspiration for building your own toolset.
More information
To learn more about the APIs in Microsoft 365 Defender, check out our documentation.
Timur Engin @timurengi contributed to this article.
by Priyesh Wagh | Jan 16, 2023 | Dynamics 365, Microsoft, Technology
Here’s how you can create Custom Pages and add them to your Model-Driven Apps!
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
by Contributed | Jan 15, 2023 | Technology
In several situations, customers have reported that their query takes too much time to execute. In these cases, it is important to determine which phase of the TSQL query execution is taking the time.
It is important to explain that when you execute a query we have different phases:
- Compilation:
  - Parser: To verify the TSQL syntax.
  - Algebrizer: To resolve all the names of the objects, columns, etc.
  - Optimization: To consider the alternatives to achieve the requested query.
- Execution:
  - Execution Engine: Executes the query per the instructions set out by compilation.
Our customer has the following script:
CREATE Table Academy_BlobData
(ID INT IDENTITY(1,1) PRIMARY KEY,
Age INT,
CustomerData NVARCHAR(MAX) )
DECLARE @Times Integer =0
WHILE(@Times <=100000)
begin
SET @Times=@Times+1
INSERT INTO Academy_BlobData (Age,CustomerData) VALUES(RAND()*(100-5)+5,REPLICATE('xyz',200000))
end
However, when our customer executed the following query using SQL Server Management Studio from on-premises to Azure SQL Database, it took around 2 minutes to complete.
SELECT * FROM Academy_BlobData
In this situation, everything indicates that the query is trivial, so we need to identify why it is taking so much time. For this reason, we suggested running the following query to investigate whether the problem is in how the query is compiled or how it is executed.
SET STATISTICS IO ON
SET STATISTICS TIME ON
SELECT * FROM Academy_BlobData
We found that the parse and compile time took 0 ms and execution took almost all of the time.

Now that we know the time was spent in the execution phase, let’s try to identify which component took the time by running the following query:
SELECT * FROM sys.dm_exec_session_wait_stats WHERE session_id = @@spid ORDER BY max_wait_time_ms DESC
In this case, the wait type “ASYNC_NETWORK_IO” accounted for almost all of the time, indicating that the main cause was downloading the data from SQL Server to SQL Server Management Studio, and that we need to improve our network, reduce the number of rows, or query only the information needed.

Enjoy!
by Contributed | Jan 14, 2023 | Technology
We worked on an issue where our customer was migrating a WIN32 C++ application from on-prem to Azure. When connecting to Azure, they got the following error message: [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Error requesting access token, HTTP status 400, expected 200. SQL State was: CE275; Native Error code was: 0.
Additional information about the error:
- [Microsoft][ODBC Driver 18 for SQL Server][SQL Server]Failed to authenticate the user '' in Active Directory (Authentication option is 'ActiveDirectoryMSI').
- [Microsoft][ODBC Driver 18 for SQL Server]TCP Provider: Timeout error [258]. (258)
- [Microsoft][ODBC Driver 18 for SQL Server]Unable to complete login process due to delay in login response (258)
- [Microsoft][ODBC Driver 18 for SQL Server]Login timeout expired (0)
Our customer is changing their application’s ODBC (API) connection from Windows Integrated authentication to Azure Active Directory authentication in Azure SQL with a User Managed Identity, and they found this error message when calling the SQLConnect function:
dwResult = SQLConnect(hDefaultDBC, (SQLCHAR*)szDataSourceName, (SQLSMALLINT)strlen(szDataSourceName), (SQLCHAR*)szUserName, (SQLSMALLINT)strlen(szUserName),(SQLCHAR*)szPassword, (SQLSMALLINT)strlen(szPassword));
This happened when szUserName was empty; we had assumed this information would be taken from the LoginID specified in the ODBC DSN. We found that setting szUserName to the UID/object principal id resolved the issue.
Enjoy!
by Priyesh Wagh | Jan 14, 2023 | Dynamics 365, Microsoft, Technology
Here’s how you can install Smart Buttons for Ribbon Workbench!
by Contributed | Jan 13, 2023 | Technology
Announced at Ignite 2022, the integration of Microsoft Planner with Viva Goals is now available. This capability enables you to view your teams’ Planner tasks and update the Objectives and Key Results (OKRs) in Viva Goals that relate to your Planner work. You can automatically track your team’s progress towards your high-level key results based on the completion of day-to-day tasks in Planner.

For more information about Viva Goals, check out the Make Your Goals a Reality with OKRs and New Capabilities from Microsoft Viva Goals and 4 goal-setting trends for 2023 and how Microsoft Viva Goals can help articles.
by Contributed | Jan 13, 2023 | Business, Microsoft 365, Technology
Discover four goal-setting trends for 2023 and how to use Microsoft Viva Goals to elevate your business and align your teams with OKRs.
The post 4 goal-setting trends for 2023 and how Microsoft Viva Goals can help appeared first on Microsoft 365 Blog.
by Scott Muniz | Jan 13, 2023 | Security
This article was originally posted by the FTC. See the original article here.
by Scott Muniz | Jan 12, 2023 | Security, Technology
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Juniper Networks’ security advisories page and apply the necessary updates.
by Contributed | Jan 12, 2023 | Technology
As we shared in November 2021, Stream (Classic) will be retired as customers transition to the new Stream platform built on SharePoint. Today, we are sharing the update that Microsoft will retire Stream (Classic) on February 15, 2024 for all customers except GCC, and we will turn off upload functionality in August 2023.¹ The successor service, Stream (on SharePoint), entered general availability in October 2022, and has been widely popular since we first announced it more than two years ago. In 2022, billions of videos were uploaded to the service, and its use continues to grow rapidly because of how simple it is to create, discover, and view video across Microsoft 365.
Stream (on SharePoint) puts video in the flow of work
Stream (on SharePoint) brings you many of the same capabilities of Stream (Classic) while also allowing you to use video in many everyday work and school apps such as Teams, Office.com, Yammer, Viva, PowerPoint, and SharePoint. With video now in the flow of your work, you can more easily create and discover video content for collaboration and knowledge transfer. Here’s a quick look at the capabilities of Stream (on SharePoint) that are not available in Stream (Classic):
- Record videos with advanced tools directly in the camera like background blur or replace, inking, text, audio only, and teleprompter.
- Search for videos anywhere in Microsoft 365. You can now find videos and Teams meeting recordings across Microsoft 365 by searching keywords such as those found in the title, description, chapter names, or transcripts of videos.
- Find what you need quickly on the Stream start page in Office. The new start page shows recent, shared, and favorite videos, with playlists coming soon. (Note: The Stream start page doesn’t show you videos in Stream (Classic); it only shows videos directly stored in Microsoft 365.)
- View Teams meeting recordings with transcripts, chapters, timeline markers, speaker attribution, and comments.
- Easily manage video files with the same security, admin controls, multi-geo support, compliance (eDiscovery, legal hold, retention, and data loss prevention policies), permissions, and sharing controls as the rest of your files in SharePoint and OneDrive.
- Create custom page, site, and portal experiences to feature videos as part of your intranet and Viva Connections.
- Share videos the same way you would any other file in Microsoft 365 with support for Guests, People in your Organization links, or unauthenticated external sharing with “anyone” links.
- Get analytics per video, for all the videos in a site, or see who has watched your video.
- Add videos to the Viva Connections Feed.
- Use APIs based on the Microsoft Graph Files API for basic video file operations.
These benefits add up to ease of video management for admins and more productivity for your teams. Stream (on SharePoint) helps you communicate visually to explain, learn, and collaborate across teams.
Stream (Classic) retirement timeline
While Stream (Classic) will be available until February 15, 2024, we plan to retire some functionality sooner than 2024. For example, we will disable the uploading of videos to Stream (Classic) on August 15, 2023. See the Stream (Classic) retirement timeline for the most current dates in the retirement process.
The timeline for Stream (Classic) retirement is as follows:
February 15, 2023 – Start of one-year countdown to retirement, and Stream (Classic) migration tool enters general availability with these enhancements:
- Single video embed codes redirect and play inline.
- New settings added to schedule/delay blocking of uploads and tenant disablement.
May 15, 2023 – No new videos can be uploaded to Stream (Classic). Admins can delay this by three months if needed.²
August 15, 2023 – No new videos can be uploaded to Stream (Classic).
October 15, 2023 – Users can no longer access or use Stream (Classic). Admins can delay this change by four months if needed.²
February 15, 2024 – Stream (Classic) is fully retired and automatically disabled.
- Users and admins can no longer access or use Stream (Classic).
- Any remaining content in Stream (Classic) that wasn’t migrated will begin being deleted.
February 15, 2025 – Stream (Classic) links and embed codes will no longer redirect to the migrated videos in OneDrive and SharePoint.
If you are a Stream admin, we recommend that you begin planning your organization’s migration to Stream (on SharePoint) and onboarding your users to this service as soon as possible.
Migrating your content from Stream (Classic) to Stream (on SharePoint)
To support your move to Stream (on SharePoint), we have created a migration tool that allows you to transfer all your Stream (Classic) video to Stream (on SharePoint). The tool also brings over metadata, links, and permissions associated with your Stream (Classic) audio and video content. The migration tool is now in public preview, and we expect it to become generally available on February 15, 2023 for all Stream customers, except GCC.
To begin using the migration tool, please review our migration support and migration strategies guides. The migration process involves both moving your content and directing your users to Stream (on SharePoint), which has both a different entry point and look and feel than Stream (Classic). Follow the adoption guides for ideas on how to help your users start using Stream (on SharePoint). We recommend you begin the migration planning process soon.
For more information on the retirement of Stream (Classic) see our FAQs.
For more information on Stream (on SharePoint) see our IT Admin guides and end user help documents.
Stream live events retirement
We have not yet announced a retirement date for Stream live events. In the coming months, we will announce the retirement date of Stream live events and give you a six-month period to begin using the successor service, Teams live events with external encoder support, which is currently in public preview.
Feedback & learn more
We welcome your feedback. Feel free to comment below or share and vote on ideas in the Stream feedback portal.
Lastly, we’d like to invite you to join our customer connections office hours. In this twice-monthly meeting, we answer your questions, share our plans, learn more about your video needs, and get your feedback. To get on the meeting invite list, you can sign up at aka.ms/StreamConnect.
¹ The Stream (Classic) retirement date for Government Commercial Cloud (GCC) customers has not yet been announced. Until those dates are announced, GCC customers can continue to use Stream (Classic) without interruption. GCC customers will receive one-year advance notice of retirement.
² Admin delay settings will become available in the Stream (Classic) admin center on Feb 15, 2023.