Simplify and accelerate AI for the entire data science team with Azure Machine Learning designer

by Contributed | Sep 30, 2020 | Azure, Technology, Uncategorized

This article is contributed. See the original author and article here.

At Microsoft Ignite, we announced the general availability of Azure Machine Learning designer, the drag-and-drop workflow capability in Azure Machine Learning studio which simplifies and accelerates the process of building, testing, and deploying machine learning models for the entire data science team, from beginners to professionals. We launched the preview in November 2019, and we have been excited with the strong customer interest. We listened to our customers and appreciated all the feedback. Your responses helped us reach this milestone. Thank you.

“By using Azure Machine Learning designer we were able to quickly release a valuable tool built on machine learning insights, that predicted occupancy in trains, promoting social distancing in the fight against Covid-19.” – Steffen Pedersen, Head of AI and advanced analytics, DSB (Danish State Railways).

Artificial intelligence (AI) is gaining momentum in all industries. Enterprises today are adopting AI at a rapid pace with different skill sets of people, from business analysts, developers, data scientists to machine learning engineers. The drag-and-drop experience in Azure Machine Learning designer can help your entire data science team to speed up machine learning model building and deployment. Specially, it is tailored for:

• Data scientists who are more familiar with visual tools than coding.
• Users who are new to machine learning and want to learn it in an intuitive way.
• Machine learning experts who are interested in rapid prototyping.
• Machine learning engineers who need a visual workflow to manage model training and deployment.

Connect and prepare data with ease

Azure Machine Learning designer is fully integrated with Azure Machine Learning dataset service for the benefit of versioning, tracking and data monitoring. You can import data by dragging and dropping a registered dataset from the asset library, or connecting to various data sources including HTTP URL, Azure blob, Azure Data Lake, Azure SQL or upload from a local file with Import Data module . You can use right click to preview and visualize the data profile, and preprocess data using a rich set of built-in modules for data transformation and feature engineering.

Build and train models with no-code/low-code

In Azure Machine Learning designer, you can build and train machine learning models with state-of-the art machine learning and deep learning algorithms, including those for traditional machine learning, computer vision, text analytics, recommendation and anomaly detection. You can also use customized Python and R code to build your own models. Each module can be configured to run on different Azure Machine Learning compute clusters so data scientists don’t need to worry about the scaling limitation and can focus on their training work.

Validate and evaluate model performance

You can evaluate and compare your trained model performance with a few clicks using the built-in evaluate model modules, or use execute Python/R script modules to log the customized metrics/images. All metrics are stored in run history and can be compared among different runs in the studio UI.

Root cause analysis with immersed debugging experience

While interactively running machine learning pipelines, you can always perform quick root cause analysis using the graph search and navigation to quickly nailed down to the failed step, preview logs and outputs for debugging and troubleshooting without losing context of the pipeline, and find snapshots to trace scripts and dependencies used to run the pipeline.

Deploy models and publish endpoints with a few clicks

Data scientists and machine learning engineers can deploy models for real-time and batch inferencing as versioned REST endpoints to their own environment. You don’t need to worry about the deep knowledge of coding, model management, container services, etc., as scoring files and the deployment image are automatically generated with a few clicks. Models and other assets can also be registered in the central registry for MLOps tracking, lineage, and automation.

Get started today

Get started today with your new Azure free trial, and learn more about Azure Machine Learning designer.

Understanding Microsoft Teams Data Schema in Azure Sentinel – Analyst / Researcher View

by Contributed | Sep 30, 2020 | Azure, Technology, Uncategorized

This article is contributed. See the original author and article here.

Millions of people are using Microsoft Teams as their secure, productive and mobile collaboration & communication tool, today @Pete Bryan from Microsoft Threat Intelligence Center and @Hesham Saad  from Microsoft CyberSecurity Global Black Belt will detail Microsoft Teams schema and data structure in Azure Sentinel so let’s get started!

Microsoft Teams now has an official connector at Azure Sentinel:

• Easy deployment (in a single checkbox)
• Data into Office Activity 
• It’s free activity logs
• Only keep the custom connector for other workloads

Here’s a quick demonstration:

You can check as well a couple of hunting queries been shared on the Azure Sentinel GitHub

Lets understand now Microsoft Teams Schemas:

• Office 365 Management API

• Microsoft Graph API:

What’s in Teams Logs:

• TeamsSessionStarted – Sign-in to Teams Client (except token refresh)
• MemberAdded/MemberRemoved – User added/removed to team or group chat
• MemberRoleChanged – User’s permissions changed 1 = Owner, 2 = Member, 3 = Guest
• ChannelAdded/ChannelRemoved – A channel is added/removed to a team
• TeamCreated/Deleted – A whole team is created or deleted
• TeamsSettingChanged – A change is made to a team setting (e.g. make it public/private)
• TeamsTenantSettingChanged – A change is made at a tenant level (e.g. enable product)

+ Bots, Apps, Tabs

https://docs.microsoft.com/en-us/microsoftteams/audit-log-events

• callRecord: Represents a single peer-to-peer call or a group call between multiple participants, sometimes referred to as an online meeting.
• onlineMeeting: Contains information about the meeting, including the URL used to join a meeting, the attendees list, and the description.
• callRecord/organizer – the organizing party’s identity
• callRecord/participants – list of distinct identities involved in the call
• callRecord/type – type of the call (group call, peer to peer,…etc)
• callRecord/modalities – list of all modalities (audio, video, data, screen sharing, …etc)
• callRecord/ (id – startDateTime – endDateTime – joinWebUrl )
• onlineMeeting/ (subject, chatInfo, participants, startDateTime, endDateTime)

https://docs.microsoft.com/en-us/graph/api/resources/communications-api-overview?view=graph-rest-1.0

Log Structure:

Log Structure (additional fields)

A step-by-step guide on how to ingest CallRecords-Sessions Teams data to Azure Sentinel via Microsoft Graph API, check out Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel blog post.

Other Logs:

SigninLogs 
AAD Signin for Teams 
| where AppDisplayName contains “Microsoft Teams”

OfficeActivity
Files uploaded via Teams
| where SourceRelativeUrl contains "Microsoft Teams Chat Files"

Hunting:

• Users added and removed
• Large number of team ownership changes
• Mass deletes
• External user adds followed by file uploads
• Link with SigninLogs
• Suspicious sign-in followed by file uploads
• Visualize activity,   more details : https://techcommunity.microsoft.com/t5/azure-sentinel/graph-visualization-of-external-teams-collaborations-in-azure/ba-p/1356847

Detection:

• Difficult due to usage variations between orgs
• SigninLogs analytics will protect against a lot of common attack types
• New external organization hunting query is a good candidate

SOAR:

• Plenty of actions in Azure Sentinel Playbooks – LogicApps controls for Teams
• Use this to get additional context for alerts
• You can also post messages to teams

Get started today!

We encourage you to try it now and start hunting  in your environment. 

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Auditing Azure Sentinel activities

by Contributed | Sep 30, 2020 | Azure, Technology, Uncategorized

This article is contributed. See the original author and article here.

Many customers require the ability  to audit what happens in their SOC environment for both internal and external compliance requirements . It is important to  understand the who/what/when’s of activities within your Azure Sentinel instance. In this blog, we will explore how you can audit your organization’s SOC if you are using Azure Sentinel and how to get  the visibility you need with regard to what activities are being performed within your Sentinel environment. The accompanying Workbook to this blog can be found here.

There are two tables we can use for auditing Sentinel activities:

• LAQueryLogs
• Azure Activity

In the following sections we will show you how to set up these tables and provide examples of the types of queries that you could run with this audit data.

LAQueryLogs table

The LAQueryLogs table containing log query audit logs provides telemetry about log queries run in Log Analytics, the underlying query engine of Sentinel. This includes information such as when a query was run, who ran it, what tool was used, the query text, and performance statistics describing the query’s execution.

Since this table isn’t enabled by default in your Log Analytics workspace you need to enable this in the Diagnostics settings of your workspace. Click here for more information on how to do this if you’re unfamiliar with the process. @Evgeny Ternovsky has written a blog post on this process that you can find here.

A full list of the audit data contained within these columns can be found here. Here are a few examples of the queries you could run on this table:

How many queries have run in the last week, on a per day basis:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by bin(TimeGenerated, 1d)

Number of queries where anything other than HTTP response request 200 OK is received (i.e. the query failed):

LAQueryLogs
| where ResponseCode != 200 
| count 

Show which users ran the most CPU intensive queries based on CPU used and length of query time:

LAQueryLogs
|summarize arg_max(StatsCPUTimeMs, *) by AADClientId
| extend User = AADEmail, QueryRunTime = StatsCPUTimeMs
| project User, QueryRunTime, QueryText
| order by QueryRunTime desc

Summarize who ran the most queries in the past week:

LAQueryLogs
| where TimeGenerated > ago(7d)
| summarize events_count=count() by AADEmail
| extend UserPrincipalName = AADEmail, Queries = events_count
| join kind= leftouter (
    SigninLogs)
    on UserPrincipalName
| project UserDisplayName, UserPrincipalName, Queries
| summarize arg_max(Queries, *) by UserPrincipalName
| sort by Queries desc

AzureActivity table

As in other parts of Azure, you can use the AzureActivity table in log analytics to query actions taken on your Sentinel workspace. To list all the Sentinel related Azure Activity logs in the last 24 hours, simply use this query:

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where TimeGenerated > ago(1d)

This will list all Sentinel-specific activities within the time frame. However, this is far too broad to use in a meaningful way so we can start to narrow this down some more. The next query will narrow this down to all the actions taken by a specific user in AD in the last 24 hours (remember, all users who have access to Azure Sentinel will have an Azure AD account):

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where Caller == "[AzureAD username]"
| where TimeGenerated > ago(1d)

Final example query – this query shows all the delete operations in your Sentinel workspace:

AzureActivity
| where OperationNameValue contains "SecurityInsights"
| where OperationName contains "Delete"
| where ActivityStatusValue contains "Succeeded"
| project TimeGenerated, Caller, OperationName

You can mix these up and add even more parameters to search the AzureActivities log to explore these logs even more, depending on what your organization needs to report on. Below is a selection of some of the actions you can search for in this table:

• Update Incidents/Alert Rules/Incident Comments/Cases/Data Connectors/Threat Intelligence/Bookmarks
• Create Case Comments/Incident Comments/Watchlists/Alert Rules
• Delete Bookmarks/Alert Rules/Threat Intelligence/Data Connectors/Incidents/Settings/Watchlists
• Check user authorization and license

Alerting on Sentinel activities

You may want to take this one step further and use Sentinel audit logs for proactive alerts in your environment. For example, if you have sensitive tables in your workspace that should not typically be queried, you could set up a detection to alert you to this:

LAQueryLogs
| where QueryText contains "[Name of sensitive table]"
| where TimeGenerated > ago(1d)
| extend User = AADEmail, Query = QueryText
| project User, Query

Sentinel audit activities Workbook 

We have created a Workbook to assist you in monitoring activities in Sentinel. Please check it out here and if you have any improvements or have made your own version you’d like to share, please submit a PR to our GitHub repo!

With thanks to @Jeremy Tan @Javier Soriano, @Matt_Lowe and @Nicholas DiCola (SECURITY JEDI) for their feedback and inputs to this article.