Thursday, July 23, 2020

Workbooks, Playbooks and Notebooks. Oh my!


Microsoft's new(ish) cloud-based SIEM, Azure Sentinel, is a powerful solution that lets you collect security data across an entire organization, including devices, users, apps and servers in any cloud, which means that there are a lot of working parts.


When I first looked at the management page, I was confused by the fact that many of the terms are so similar. There are Workbooks. There are Playbooks. And there are Notebooks. What's a girl to do?


After spending some time with the tool and learning how to use it, I decided to publish my thoughts on the best ways to look at these features. Today we're going to talk about workbooks.


Workbooks

A workbook is really nothing more than a dashboard. In fact, in an earlier iteration of Sentinel, they were actually called Dashboards. You use Workbooks to view insights gathered from data collected from various sources. They're kind of like a canvas that you can use to paint the data you want to see at a glance.

You may think - Ugh. What do I need another dashboard for? But in the world of secops, dashboards and other data visualizations provide the ability to view data trends and anomalies which help you spot when something is amiss. 

Workbooks have tons of possibilities. You can do everything from simple data presentation, to complex graphing and investigative maps. With Workbooks, you can include text, charts, grids and graphs to help visualize the data in the most effective way for you. 

Sentinel provides a collection of out-of-the-box workbooks like the ones for Azure AD Sign-in logs or F5 or Palo Alto. You can also create your own. There is also a fantastic GitHub repository where people share workbooks, hunting queries and much more.

The real power of Workbooks is the ability to combine data from disparate sources within a single report. This allows for the creation of composite resource views or joins across resources enabling richer data and insights that would otherwise be impossible.

Let's take a look at one of the out-of-the-box Workbooks. Below is a screenshot of the Azure AD Sign-in logs. You can see that the report lists out Sign-ins by Location, Sign-ins by Device and the number of Sign-ins using Conditional Access. 

By looking at the report, we can see that 312 people are logging in from India. Maybe this is perfectly normal. But maybe we don't expect anyone to log in from India, so this is something we need to investigate. Other important information might be that in Sign-ins by Device, we see that we have six logins from a Windows 7 machine. Wait a second! We thought we had retired all the Windows 7 machines.

Again, this just gives an easy visual representation of things that might need further investigation.

Friday, December 7, 2018

How do I know what's bad if I don't know what's good?

I was talking with my nephew the other day - about a subject totally unrelated to computers - but he asked a very interesting question during our discussion.

How do I know what's bad if I don't know what's good?

What a great question! Especially when you're dealing with complex attack techniques in today's world. If you're trying to figure out if you've been compromised, then you'd better know what should be there. That way, you know when something out of the ordinary shows up.

For the next few posts, I'm going to talk about several Windows processes and what you should know about them.

Today, let's talk about services.exe. Also known as the Service Control Manager.

What is it? Where should it be? How many instances should I see running in task manager? Most importantly, is services.exe safe?

What is it: Services.exe is designed to start and stop Windows system processes as well as handle scheduled tasks. It also launches the Service Control Manager (SCM), which runs at system startup and loads services and device drivers marked for auto-start. It also maintains the database of installed services, locks and unlocks the service database, and sends requests to the running services.

If you're familiar with the Last Known Good control set, SCM (services.exe) is the process that gives the thumbs up on whether a user has successfully logged on interactively.

Where should it be: %systemroot%\system32\services.exe

How many should there be when I open up task manager: One.

Parent process: wininit.exe

So the final verdict on the safety of services.exe? If there is only one process running and it is located in %systemroot%\system32\services.exe, you should be good.
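The three checks above (one instance, expected path, parent is wininit.exe) can be scripted so you don't have to eyeball Task Manager. This is an added example, not code from the original post; it assumes you run it from an elevated PowerShell session, since the ExecutablePath of a SYSTEM process is only visible to administrators.

```powershell
# Added example: compare the running services.exe against the baseline described in the post.
# Run elevated, otherwise ExecutablePath comes back empty for SYSTEM processes.
$expectedPath = Join-Path $env:SystemRoot 'System32\services.exe'

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'")

# Check 1: there should be exactly one instance.
if ($procs.Count -ne 1) {
    Write-Warning "Expected exactly one services.exe, found $($procs.Count)"
}

foreach ($p in $procs) {
    # Check 2: it should live in %systemroot%\System32.
    $path   = $p.ExecutablePath
    $pathOk = [bool]$path -and ($path -ieq $expectedPath)

    # Check 3: its parent should be wininit.exe (it may have already exited on some builds).
    $parent     = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<parent exited>' }
    $parentOk   = $parentName -ieq 'wininit.exe'

    # Bonus: confirm the binary carries a valid Microsoft Authenticode signature.
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }

    [pscustomobject]@{
        PID       = $p.ProcessId
        Path      = $path
        PathOK    = $pathOk
        Parent    = $parentName
        ParentOK  = $parentOk
        Signature = $sig
    }
}
```

Any row where PathOK or ParentOK is False, or the signature is not Valid, is the "something out of the ordinary" worth a closer look.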

Wednesday, October 3, 2018

Check out my guest appearance on the SecureTalk podcast

Check out my guest appearance on the SecureTalk podcast hosted by Mark Shriner from Adaquest - https://soundcloud.com/user-779694357/andrea-fisher-provides-an-overview-of-windows-10

Mark and I had a great chat about Windows 10 and Win 10 security.

#windows10 #microsoft #markshriner

Tuesday, October 2, 2018

Security is the Baseline

The Windows 10 October 2018 Update (version 1809), also known as Redstone 5, made its debut into the world this week.

There are lots of amazing features that I will highlight over the coming days but one of the first things we should do as responsible IT folk is to secure the OS.

Every organization faces security threats. However, the types of security threats that are the biggest problem for one organization could be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. 
Years ago, Microsoft introduced the idea of the security baseline. A security baseline is a group of Microsoft-recommended configuration settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. 
If you haven't tried out the security configuration baseline settings for Windows or Windows Server, please check them out. 

You can download the content here: Windows-10-1809-Security-Baseline-DRAFT.zip



Friday, September 7, 2018

In a world where danger lies behind every click...


As a former SCCM admin, I spent countless hours trying to make sure all the machines in my environment were patched and as secure as possible. That was a Herculean feat ten years ago, and attack vectors have changed so dramatically that things aren't much better today than they were back then.

But yesterday, Windows Defender Advanced Threat Protection got an amazing new feature that is designed to help you stay more aware of the vulnerabilities in your environment.

This feature is called Threat Analytics - a set of interactive reports on significant and emerging attack campaigns that fuses organizational risk analytics with threat intelligence.

When a new major event, such as a zero-day or other major outbreak, occurs, the WDATP research team publishes a special threat analytics report with data about the event that allows the customer to see:
  • An overview of the zero-day or exploit
  • Whether they are currently at risk (mitigation status)
  • Whether they are affected by someone exploiting this zero-day (machines with alerts)
  • Recommendations on the actions they need to take

This robust tool gives security teams real-time information that helps them understand the nature of the threat and evaluate its impact on their environment. Threat Analytics also provides recommendations and guidance on how to contain the threat.

#wdatp #microsoftadvocate