The above pic is AI based illustration for Access reviews and AI, it sure looks like it. It uses the same theme than many others but still it's unique.

AI has been in the news after OpenAI has created some friction, in good and bad.

Power of quantity

Did you know that many Microsoft features and solutions use Machine learning and Artificial intelligence to provide the best automated protection and prepopulated choices for different scenarios.

The amount of traffic Microsoft oversees inside their products is at insane levels, the following picture is from Microsoft's Digital Defense Report 2022

Read the full report from here, https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022?ocid=cmmlio1fr8z

One of the solutions you could use to connect the dots is the API called.

Graph Security API

The Microsoft Graph security API allows developers to access a variety of security-related information and services from multiple Microsoft Graph security providers using a single, unified interface. This makes it easier for developers to integrate security features into their applications, as they only need to interact with a single API instead of multiple security providers.

The security API provides access to various types of security-related information and services, including:

  • Threat intelligence data
  • Security alerts and notifications
  • Security configuration information
  • Security policy management capabilities

By using the Microsoft Graph security API, developers can build applications that can help organizations monitor and manage their security posture, detect and respond to threats, and take preventive actions to protect against potential security vulnerabilities.

Microsoft Graph security API overview - Microsoft Graph

Use the Microsoft Graph security API to connect Microsoft security products, services, and partners to streamline security operations and improve response capabilities.

Defender for Endpoint and EDR

Scenario

Let's say you organization have bought a third-party Antivirus solution for what ever reason. Yes, there could be real reason to do say instead of using full Defender for Windows capabilities.

So let's assume this one, you install the management consoles, you install the clients and it keeps dropping those bad actors from your devices.

But one day there is a new variant that isn't known to it and it let's it through. The bad actor install itself to run inside your devices and hides itself from being seen.

See more here on why you should enable the integration.

Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint

For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings.

When EDR in Block mode kicks in

First we have to understand that EDR in Block mode works only when Defender for Windows antivirus functionality is disabled.

So you have that third-party antivirus solution running and Microsoft Defender Antivirus is running in Passive mode.

The requirements

RequirementDetails
PermissionsYou must have either the Global Administrator or Security Administrator role assigned in Azure Active Directory. For more information, see Basic permissions.
Operating systemDevices must be running one of the following versions of Windows: Windows 11 Windows 10 (all releases) Windows Server 2019 or later Windows Server, version 1803 or later Windows Server 2016 and Windows Server 2012 R2 (with the new unified client solution)
Microsoft Defender for EndpointDevices must be onboarded to Defender for Endpoint. See the following articles:
Minimum requirements for Microsoft Defender for Endpoint
Onboard devices and configure Microsoft Defender for Endpoint capabilities
Onboard Windows servers to the Defender for Endpoint service
New Windows Server 2012 R2 and 2016 functionality in the modern unified solution (Preview)
Microsoft Defender AntivirusDevices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. Confirm Microsoft Defender Antivirus is in active or passive mode.
Cloud-delivered protectionMicrosoft Defender Antivirus must be configured such that cloud-delivered protection is enabled.
Microsoft Defender Antivirus platformDevices must be up to date. To confirm, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.
Microsoft Defender Antivirus engineDevices must be up to date. To confirm, using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.To learn more, see Manage Microsoft Defender Antivirus updates and apply baselines.

Check that Microsoft Defender for antivirus is disabled.

MethodProcedure
PowerShell1. Select the Start menu, begin typing PowerShell, and then open Windows PowerShell in the results.

2. Type Get-MpComputerStatus.

3. In the list of results, in the AMRunningMode row, look for one of the following values:
Normal
Passive Mode

To learn more, see Get-MpComputerStatus.
Command PromptSelect the Start menu, begin typing Command Prompt, and then open Windows Command Prompt in the results.Type sc query windefend.In the list of results, in the STATE row, confirm that the service is running.

How do we enable it?

You can do it with https://security.microsoft.com portal.

Check that it's enabled

Get-MPComputerStatus | select AMRunningMode

NanoCore RAT attack and EDR

I won't do any demo for this post as Microsoft has a perfect example on this in their Techcommunity post.

Introducing EDR in block mode: Stopping attacks in their tracks

Endpoint detection and response (EDR) in block mode is a new capability in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender ATP’s industry-leading visibility…

So as we can see, you don't always have to use full Defender capabilities for make your devices safe. With EDR in block mode, you can achieve a rich protection after antivirus protection even when using third-party solution.

Defender for Endpoint and AI

This year at Ignite Microsoft released network level protection for Endpoints. It will use Microsoft's own AI and your tenant scoring to determinate what to block before it reaches any critical components.

This is an perfect example of the analytics that is done automatically by Microsoft.

Detecting and remediating command and control attacks at the network layer

Overview Update - 11/10/2022 - Network Protection command and control (C2) detection and remediation capabilities are now generally available in Microsoft Defender for Endpoint. We are excited to announce the general availability of Network Protection command and control (C2) detection and remed…

And this is a perfect segue (yes, segue not Segway) to the following topic.

Access Reviews and AI

The controls for helping decision making are simple and clear, if you are using Multi-stage reviews, you can also can hints from previous stages.

More on decision helpers.

Create an access review of groups and applications - Azure AD - Microsoft Entra

Learn how to create an access review of group members or application access in Azure Active Directory.

User-to-Group Affiliation (preview)

Which also use Machine learning to achieve what is does. Basically the idea as that User-to-Group Affiliation is a relationship between a user and a group in which the user is a member of the group. This means that the user is associated with the group and has certain privileges or permissions within the group, such as the ability to access certain resources or information, or to participate in group discussions or activities. User-to-Group Affiliation is often used in computer systems and online platforms to manage access to resources and to enable collaboration and communication among members of a group.

And Microsoft has a perfect organizational diagram to display this.

In this diagram the guy on the right doesn't have any affiliation with others, so if they are all added to group, Machine learning will suggest Phil to be denied.

See more here.

Introducing Machine Learning based recommendations in Azure AD Access reviews

Many of you are already using Azure AD access reviews to govern access of your employees, guests, and workload identities to sensitive resources. Over the years, one of the top requests from our customers is to make the review process easier so that reviewers can make quicker and more accurate decis…

Closure

Adding to the topic mentioned in the beginning, in example we could ask AI.

And it will answer with the steps that needs to be done. Just need to validate what are the steps correct and write the working flows and settings.

AI cannot be completely trusted with this kind of advices but as decision helpers they are working nicely. But good that we have other MVP's to provide the correct steps for different things.

Like Pim's series on Azure AD Lifecycle Workflows

Starting with brand new Azure AD Lifecycle Workflows – Part 1

A warm welcome to my next blog in the Identity Governance series which will focus on the new feature called Azure AD Lifecycle Workflows, which has been released at the start of September 2022 and …

And Jan's posting about the same area.

https://janbakker.tech/automate-issuing-temporary-access-pass-for-joiners-with-lifecycle-workflows/

Be sure to follow both gents if you are interested on Identity and access based content!

Archives