Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty

Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty

by | Aug 19, 2020 | Uncategorized

This article is contributed. See the original author and article here.

This article is the fourth of a series in the Microsoft Tech Community Public Sector Blog that explores myths of deploying Microsoft Cloud Services into the *US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High).

 

We will focus on the myth that Controlled Unclassified Information (CUI) does not require data sovereignty.  This article is written through the lens of requirements to protect CUI in the context of the U.S. Department of Defense for national security, such as in alignment with the Defense Industrial Base (DIB) and the Cybersecurity Maturity Model Certification (CMMC).

 

Executive Summary

 

Microsoft has prescribed the *US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) consistently.  Our rationale is that CUI includes International Traffic in Arms Regulation (ITAR) regulated data, and the U.S. Department of Defense (DoD) requires Defense Federal Acquisition Regulation Supplement clause 252.204-7012 (DFARS 7012) to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud, built in a fully isolated environment that is both physically and logically separated.  All services in the US Sovereign Cloud are contained within an accreditation boundary supporting US Export Controls requiring screened US persons and data sovereignty in the Continental United States (CONUS).

 

*For more information on the US Sovereign Cloud, please refer to the Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

 

Preface

 

If only I had a quarter for every time I’ve had to explain why we have a “Maybe” for CUI and CDI in clouds other than the US Sovereign Cloud.

 

Our mantra is clear.  I quote this from the compliance Jedi Master @Shawn_Veney:

 

If you find your organization manages so many types of CUI, and is perhaps thinking of taking on new work and adding to that challenge; then sometimes it is easier to adopt a high watermark strategy to accomplish your data protection goals. This trade off recognizes that your solution may exceed requirements for a specific type of data; but provides confidence you likely have addressed your aggregate requirements. This is ideal when your internal classification and marking efforts may not be where you would like them yet.

 

Throughout this article, I will explain why we have a definitive “Yes” for CUI and CDI in the US Sovereign Cloud.  In what will be one of my most hotly contested articles to date, this is intended to spark a debate on how CUI data protection practices apply holistically.  I intend to keep this initial argument high level, as there are a million nuances that may be deliberated indefinitely.  That said, the “thesis” of this article should be debated passionately as an industry.

 

At the end of the day, Microsoft offers multiple clouds from Commercial to GCC to GCC High to DoD and even to Azure Government Secret.  In other words, we can satisfy many risk profiles and offer you a cloud that best aligns with your organization’s risk posture.  We will not police you, nor will we demand you choose one cloud over another.  We will be very clear on where we provide contractual obligations.  Hence why we are only confident in saying “Yes” to CUI in the US Sovereign Cloud.

 

Summary

 

The CUI Program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  CUI includes markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  Individual agencies have their own requirements for CUI, resulting in additional rules that govern the data protection practices of CUI.  For example, the DoD defines standards in the Cloud Computing (CC) Security Requirements Guide (SRG), in DFARS 7012, and in the Cybersecurity Maturity Model Certification (CMMC) to protect CUI.

 

CUI is defined by a program that includes all categories under a single umbrella.  Not all CUI markings are protected precisely the same way.  However, it can be untenable to discern the various restrictions for CUI given consolidated language used by standards and regulations.  In addition, the complicated array of markings are often not applied effectively.  As a result, the reduced risk data protection strategy is to opt for the highest watermark possible for protection of CUI, rather than risk it by adopting a lower control set.  CUI has export-controlled data as a common high watermark, to include ITAR regulated data.  ITAR has a data sovereignty requirement.

 

In other words, CUI effectively requires data sovereignty.

 

What is Controlled Unclassified Information?

 

If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it.  It’s a short read, and helpful for context.

 

https://www.archives.gov/cui/cui-history

 

To summarize, before the advent of CUI, there were a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information.  This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB).

 

The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies.  Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies.  Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc.  NARA defines CUI as:

 

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

 

Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”.  You can read about it here in the Federal Register:

 

https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information

 

32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings.  The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data.  You can find the list here:

 

https://www.archives.gov/cui/registry/category-marking-list

 

 

CUI Registry.png

Illustration 1: Microsoft Summary CUI Registry

 

Is All CUI the Same?

 

It goes without saying that each of the Federal executive branch agencies have had their own requirements for CUI, resulting in additional rules that govern the data protection practices of CUI.  For example, the DoD defines data protection standards in the DoD CC SRG, DFARS 7012, and in the CMMC to protect CUI.  Thus, there does remain a level of autonomy from NARA.

 

For example, the DoD recently released DOD Instruction 5200.48 establishing policies, responsibilities, and procedures for CUI.  It includes a “DOD CUI repository” not accessible by the public.  It is intended to address inconsistent definition and marking requirements specific to the DoD expanding what is outlined in 32 CFR Part 2002.  The DoD CUI Registry outlines an official list of Indexes and Categories to identify CUI, clarifying what has been a common source of confusion.

 

In addition, there are multiple regulations that govern specific categories of CUI.  For example, export-controlled categories may be regulated by ITAR administered by the Department of State Directorate of Defense Trade Controls (DDTC), or by EAR administered by the Department of Commerce’s Bureau of Industry and Security (BIS).

 

In other words, while “CUI” is defined by a standardized program of markings and data protection practices, not all CUI is the same.  Some CUI categories may generally fall into the bucket of Personally Identifying Information (PII), such as Privacy.  Mishandling of other categories may earn you an orange jump suit, such as spilling ITAR regulated data to an unauthorized foreign state actor.

 

To answer the question, “Is All CUI the Same?”  Conclusively No.

 

Is All CUI Protected the Same Way?

 

Since all CUI is not the same, certainly not all categories of CUI are protected precisely the same way. 

 

Without going into analysis paralysis on topics such as CUI Basic versus CUI Specified groups, there is a statement that jumped out at me in 32 CFR Part 2002:

 

“We understand the concerns raised in these comments and agree that the penalties and consequences for failing to adequately protect CUI of some types may differ significantly from failure to protect CUI of other types. That being said, we cannot adjust the definition of CUI to exclude export controlled or other protected information; the Executive Order’s definition of CUI is clear and includes all unclassified information that laws, regulations, and Government-wide policies require to have safeguarding or dissemination controls.”

 

While we may agree that not all CUI is the same, there is a consensus that all CUI is defined by a program that includes all categories under a single umbrella.  So the question is, how do you differentiate between CUI that is sensitive such as Privacy categories, versus those with damaging national security concerns, such as export-controlled data?  It’s all CUI, right?  Another way to ask the question is, how do you discern the various restrictions for CUI given the complicated array of markings that are not often applied effectively?

 

Many of you reading this, especially the compliance authorities out there, are thinking “yes, it’s all CUI” but “no, not all CUI is protected the same way”.  Technically, you are right.  However, I’ve talked to hundreds of organizations out there ranging from the DoD, to the DIB, the FFRDCs (Federally Funded Research and Development Centers), the UARCs (University Affiliated Research Centers), and beyond.  I honestly do not hear anyone differentiating categories of CUI for purposes of maintaining compliance with individual markings.  When they say “CUI”, they are aggregating all categories together in a comprehensive fashion, not unlike what is described in 32 CFR Part 2002 above.  In addition, most recognize CUI markings are not applied consistently and marking efforts may not be where they would like them yet.  In other words, they have not located all CUI stored in their enterprise information systems.

 

Here is another example from the Cybersecurity Maturity Model Certification (CMMC).  CMMC defines five Levels:

 

  • Level 1: Safeguard Federal Contract Information (FCI)
  • Level 2: Serve as transition step in cybersecurity maturity progression to protect CUI
  • Level 3: Protect Controlled Unclassified Information (CUI)
  • Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threads (APTs)

 

Does anything jump out at you?  It’s NOT this:

 

  • Level 3: Protect Controlled Unclassified Information (CUI) of the non-export-controlled categories
  • Levels 4-5: Protect CUI including export-controlled categories and reduce risk of Advanced Persistent Threats (APTs)

 

Why?  CMMC Levels 3-5 are intended to protect all CUI.  Period.  CMMC does not attempt to differentiate CUI that is export-controlled versus CUI that is not.  If you delve into the CMMC Model Appendices, you will find many references to CUI, none of which qualify what categories of CUI are in scope per Practice or Process.  All categories are in scope for all Practices and Processes in CMMC Levels 3-5.  In fact, if you search for “export”, you will find many references, especially in alignment with the NIST SP 800-171.

 

Assuming you conclude that CMMC is intended to protect CUI regardless of category, you may also conclude export-controlled data, and specifically ITAR data is a common high watermark for compliance. 

 

This article is not about how to become CMMC compliant.  This article is specifically focused on CUI.  However, there is something to be said about the stated requirements for a CMMC Certified Third-Party Assessor Organization (C3PAO) that uses an external cloud service provider to store, process, or transmit CUI.  This is quoted from the CMMC Accreditation Body (CMMC AB) website:

 

the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline and in particular, Impact Level (IL4)

 

If the cloud service provider is not DoD CC SRG IL4 authorized, it becomes the responsibility of the C3PAO to provide an independent assessment to address the gaps to become compliant.  Most CSPs will not allow ad-hoc third parties to perform assessments on their data centers.  Even if they did allow an assessment, it is untenable to make the commercial CSP compliant with FedRAMP and IL4 without significant engineering efforts by the CSP. Trust me, we would not have invested an extraordinary amount to build the US Sovereign Cloud if we could have simply pulled it off in Commercial with a few compensating controls.

 

The point is, this CMMC AB requirement for FedRAMP High and IL4 to protect CUI does not qualify what categories of CUI are in scope.

 

Sidebar: The language of requiring an IL4 cloud is nuanced when applied to the DIB and with C3PAOs, as IL4 only applies to Federal information systems.  IL4 is not an authorization the DoD will provide to a non-Federal entity, nor is it for a CSP cloud environment not in use directly by the DoD.  DFARS 7012 is what applies to non-Federal information systems. I am assuming the intent is to drive the selection of a cloud that has been authorized by the DoD, as opposed to a cloud that is only authorized with FedRAMP.  For example, Microsoft Azure Government has a Provisional Authorization for DoD CC SRG IL4, with many services now at IL5.

 

Speaking of IL4, read this excerpt from DoD CC SRG 3.2.4 Level 4:

 

CUI contains a number of categories, including, but not limited to the following: • Export Controlled–Unclassified information concerning items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.

 

It goes on to define the specific requirements for ITAR.  In this case, IL4 is specifically placing an emphasis on CUI to explicitly scope in export-controlled data and how to protect it.

 

Thesis:  Not all CUI markings are protected precisely the same way.  However, it can be untenable to discern the various restrictions for CUI given consolidated language used by standards and regulations.  In addition, the complicated array of markings are often not applied effectively.  As a result, the reduced risk data protection strategy is to opt for the highest watermark possible for protection of CUI, rather than risk it by adopting a lower control set.

             

Does All CUI Have a NOFORN Requirement?

 

Another way to describe data sovereignty, is what may be referred to as “NOFORN”.  NOFORN stands for “NO FOReign Nationals”.  In other words, NOFORN applies to sensitive data that is not releasable to foreign nationals, governments, nor non-US persons.

 

I led this article clearly stating not all CUI requires similar handling, such as a NOFORN requirement.  However, is it that simple?  The above conclusion is that CUI has export-controlled data as a common high watermark of data protection practices, to include ITAR regulated data.  ITAR has a NOFORN requirement.  Since ITAR is a high bar for compliance, it comes along with a stringent set of requirements for data sovereignty. Using that logic, CUI in aggregate does have an effective NOFORN requirement.

 

Allow me to pull on that string a bit.  I’ve heard a very clear decree that any company certified at a CMMC Level 3 or above, is trusted for data handling of “CUI”.  I have not seen any additional qualifications such as “are you CMMC Level 3 *and* ITAR compliant?”  It’s implicit the company protects all categories of CUI, including ITAR export-controlled data.

 

Let’s assume you have two different companies.  The first is a company that frequently works with export-controlled data and has a System Security Plan (SSP) in place to protect data with NOFORN requirements.  They have deployed their information systems in the Microsoft US Sovereign Cloud with Azure Government and Microsoft 365 GCC High.  They have the contractual amendment from Microsoft to support ITAR with NOFORN and have established a clear accreditation boundary for protection of export-controlled data natively within their information systems.

 

The second company does not handle export-controlled data frequently.  They establish an SSP to accommodate protection of export-controlled data using special End-To-End Encryption.  They have deployed their information systems in commercial clouds that are not natively compliant for ITAR regulations.  However, they pass their CMMC assessment for Level 3 because they have established a human-based process for marking and specially encrypting data before it’s saved to the commercial cloud, relying on people to pre-determine export-controlled data.  It’s not a problem for them though, as they rarely deal with it.

 

Do the two companies have equivalent risk profiles, as they both have certifications for CMMC Level 3?  The short answer is definitively no.  The second company has a tremendously higher risk of non-compliance and spillage relying on the human factor to protect export-controlled data. 

 

In addition, most export-controlled data does not begin its life as such.  Most begin simply as intellectual property, such as documents generated during a research and development project.  It’s not until that data progresses through a lifecycle and exchange with the DoD before it gets properly marked as export-controlled (if ever – hello DoD Instruction 5200.48!).  If you are saving that data in a commercial cloud unprotected (not opaque to the Cloud Service Provider), you subsequently end up with a deemed export without the fault of the original document author.  As such, it is imperative to protect all intellectual property by specially encrypting virtually everything that may potentially become CUI in the future.  It goes without saying that is a much easier thing to do if the information systems they use natively support ITAR and NOFORN without the additional End-To-End Encryption applied by the human element.

 

Here is final example.  I’ve talked to many of the DIB with numerous sub-contractors.  They do not personally know all their tier 3+ sub-contractors in their supply chain.  They rely on a system of checks and balances throughout the tiers to ensure each sub-contractor levels deep is compliant and is obligated to protect their crown jewels.  If CMMC is intended to establish a level of trust that any vendor certified at a Level 3 is compliant for data handling of CUI, they should not have to additionally qualify protection of export-controlled data.  However, they absolutely do care if the vendor has an accreditation boundary that supports ITAR and NOFORN natively.  These DIB may not accept the second company that is in any ole commercial cloud without native compliance.  After all, they themselves would not have gone to all the trouble and expense of using the ITAR compliant cloud if it’s not that important.

 

Conclusion: CUI Effectively Requires Data Sovereignty

 

Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.

 

 

Appendix

 

Please follow me here and on LinkedIn.  You may also find me in forums under the handle wakeCooey

 

Here are my additional blog articles:

 

Blog Title

Aka Link

Accelerating CMMC compliance for Microsoft cloud (in depth review)

https://aka.ms/CMMCResponse

History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government

https://aka.ms/AA632wo

Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

https://aka.ms/MSGovCompliance

The Microsoft 365 Government (GCC High) Conundrum – DIB Data Enclave vs Going All In

 https://aka.ms/AA6frar

Microsoft US Sovereign Cloud Myth Busters – A Global Address List (GAL) Can Span Multiple Tenants

https://aka.ms/AA6seih

Microsoft US Sovereign Cloud Myth Busters – A Single Domain Should Not Span Multiple Tenants

https://aka.ms/AA6vf3n

Microsoft US Sovereign Cloud Myth Busters – Active Directory Does Not Require Restructuring

https://aka.ms/AA6xn69
Fast cloud deployment: CI/CD from an Azure Marketplace partner

Fast cloud deployment: CI/CD from an Azure Marketplace partner

by | Aug 19, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

The cloud revolution solved one of the basic problems of infrastructure: ensuring scalability easily and simply. With Microsoft Azure services, you can now expand computing capacity on demand. While getting access to extra infrastructure is easier than ever before, the same cannot be said for the deployment tools that take advantage of this infrastructure. That’s where an Azure Marketplace partner like Codefresh can help software developers.

 

Kostis Kapelonis, Developer Advocate at Codefresh, explains how his company’s continuous integration/continuous delivery (CI/CD) solution in the Azure Marketplace helps companies stay competitive by delivering new features to production in a fully automated manner and at a steady pace. Adding new features quickly can help any company adapt and pivot to market needs, offering its customers the best service possible without lengthy delays. Especially in the case of important security updates, the speed at which a company can upgrade systems to a new version is paramount.

 

Codefresh CI/CD has native support for Azure and a heavy focus on cloud services such as Docker containers and Kubernetes clusters. It enables developers to take advantage of Azure services and minimize the time from feature inception to deployment.

 

Codefresh image 1.png

 

 

 

Codefresh acts as a central hub for several related Azure services:
• Developers use Azure Git repositories to create new features for their company
• Codefresh continuously builds and tests the source code from the repository
• New releases of a software product are packaged in one or more Docker containers and stored in Azure Container Registry
• The final release is deployed to Azure Kubernetes

Codefresh can also take advantage of Azure SSO/AD installations to help enterprise companies provide a unified way of credential usage among employees.

 

How to store Docker images in the Azure Container Registry
One of the most basic functions of a CI/CD system is the creation of software artifacts comprising a software application. Especially for cloud services, Docker images have become the de facto standard for application packaging and deployment.

 

Using the Azure Container Registry in Codefresh is a straightforward process. First, you connect your Azure Registry in your Codefresh account using the Integration UI screen.

 

Docker image.png

 

Then you can use the registry in any deployment pipeline, simply by referencing it by name. A starting workflow is one that has only two steps:
• Checking out source code from Azure Git
• Building a Docker image and storing it in the Azure Container Registry.

This can be easily accomplished in Codefresh with a pipeline of two steps (a git-clone step and a build step).

 

Pipeline image.png

 

Each pipeline in Codefresh is defined with declarative YAML format. Here is the respective pipeline definition:

version: “1.0”
stages:
– “clone”
– “build”
steps:
clone:
title: “Cloning repository”
type: “git-clone”
repo: “kostis-codefresh/trivial-go-web”
revision: “master”
stage: “clone”

build:
title: “Building Docker image”
type: “build”
image_name: “my-go-app”
working_directory: “${{clone}}”
tag: “latest”
dockerfile: “Dockerfile”
registry: azure
stage: “build”

 

This pipeline has a clone step that checks out the source code and a build step that creates the Docker image and also pushes it to ACR.

 

Notice the “registry” property in the build steps that define our Azure registry as the target of the Docker push action.

 

After the pipeline has run, the Docker image is stored in the Azure Container Registry.

 

Azure Container Registry.png

 

How to deploy applications to Azure in an automated manner
Creating a Docker image is only one part of the software delivery process. The other part is to deploy the image artifact into production. Codefresh also has native integration for Azure Kubernetes Service (AKS).

 

First, you need to connect your Azure cluster in your Codefresh account.

 

Codefresh account.png

 

Once the cluster is connected, you can easily deploy any application in an ad hoc manner using the deployment GUI of Codefresh.

 

Configure Kubernetes Service.png

 

Manual application deployments are a welcome solution for test environments and quick prototypes, but for production deployments, a delivery pipeline is the better choice, as it completely automates the software delivery process.

 

Image 7- Delivery pipeline.png

 

This delivery pipeline includes an extra deploy step that instructs the Azure Kubernetes cluster to pull the Docker image in the cluster and create an application deployment.

 

Here is the full pipeline definition:

version: “1.0”
stages:
– “clone”
– “build”
steps:
clone:
title: “Cloning repository”
type: “git-clone”
repo: “kostis-codefresh/trivial-go-web”
revision: “master”
stage: “clone”

build:
title: “Building Docker image”
type: “build”
image_name: “my-go-app”
working_directory: “${{clone}}”
tag: “latest”
dockerfile: “Dockerfile”
registry: azure
stage: “build”
deploy_to_aks:
title: Deploy App
type: deploy
stage: deploy
kind: kubernetes
cluster: ‘mydemoAkscluster@BizSpark Plus’
namespace: default
service: sample
candidate:
image: ‘${{build_image}}’
registry: azure

 

Again, notice the “registry” and “cluster” properties that explain how the Docker image deployed to the Azure Kubernetes cluster will also come from the Azure registry.

 

After the pipeline has finished running, you can verify the application deployment from the Codefresh Kubernetes dashboard and get more details such as health status or the number of replicas the application is using:

 

Image 8- Status.png

 

 

Conclusion
Codefresh makes the creation of Docker images and their deployment to Azure a very easy process. With built-in integration for AKS, ACR, Azure SSO, and Azure Git repositories, it is an extremely fast way for companies to take advantage of Azure scalability for any software product in any sector.

 

Create a free Codefresh account today and start deploying applications to Azure now.

What’s New: Query line numbering, Azure Sentinel in the schema pane

What’s New: Query line numbering, Azure Sentinel in the schema pane

by | Aug 19, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

 

This installment is part of a broader series to keep you up to date with the latest features in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.

 

Every second counts. Some security incidents are unstoppable, but when prevention isn’t possible, the right investigation and response is everything. To help SOC analysts’ quickly reason over copious amount of security volume, we are delighted to introduce a set of enhancements that enrich and improve the investigation experience in Azure Sentinel.

 

Enable Line Numbers to Aid Quicker Debugging of Your Azure Sentinel KQL Queries

 

The Azure Monitor team released a new capability that enhances that way your SOC analyst reason and monitor the critical security data ingested into Azure Sentinel. To help enable quicker debugging for KQL queries in the Log Analytics workspace, analysts have the ability to enable line numbers to their KQL queries to quickly identify the line in which an error exist.

 

With this enhancement, when creating a Log Analytics query, each row in the query editor is indicated by a number:

 

rownumbers2.jpg

 

 

 

This makes it easier to find the part of the query you need, when composing a new query.. The new line numbers work in tandem with our new error messages. 

If there’s an error in the query the analysts composed, our newly designed error messages will indicate the row where an issue was found. Row numbers in query editor makes it faster and easier to find the issue and provides guidance to get rectify the error. 

 

errorquery.jpg

 

How to enable:

 

Open the Settings panel by clicking on the Settings cog icon and select the switch to turn row numbers off and on.

 

rownumberenable.gif

 

 

Azure Sentinel in the logs screen schema

 

Small, but never the less important, finally it is “Azure Sentinel”, rather than “SecurityInsights” on the schema pane of the log screen in Sentinel and in Log Analytics. This will help your SOC analysts easily identify all the data tables under the Azure Sentinel solution.

 

 

azuresentinelschema.png

 

 

Get started today!

 

We encourage you to leverage the new enhancements aid in debugging and improving the investigation experience in Azure Sentinel.

 

Try it out, and let us know what you think!

Hunt for threats using events captured by Azure ATP on your domain controller

Hunt for threats using events captured by Azure ATP on your domain controller

by | Aug 19, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

 

We’re thrilled to share that you can now hunt for threats using events on your domain controller with advanced hunting in Microsoft Threat Protection.

 

The new IdentityDirectoryEvents table—available in public preview—incorporates data from the Azure Advanced Threat Protection (Azure ATP) sensor, including various identity-related activities, such as account password changes or remote creation of scheduled tasks on the domain controller.

 

AATPTable.png

 

In general, the table captures three categories of events on your domain controller:

  • Remote code execution
  • Changes to attributes of Active Directory objects, including groups, users, and devices
  • Other activities performed against the directory, such as replication or SMB session enumeration

You can get the full list of supported events or action types in the in-portal reference.

 

AATPTable2.png

 

Here are some samples queries you can use:

 

//Track domain controller replication
IdentityDirectoryEvents
| where ActionType == "Directory Services replication"
| limit 100

Run query

 

//Track service creation activities on domain controllers
IdentityDirectoryEvents
| where ActionType == "Service creation"
| extend ServiceName = AdditionalFields["ServiceName"]
| extend ServiceCommand = AdditionalFields["ServiceCommand"]
| project Timestamp, ActionType, Protocol, DC = TargetDeviceName, ServiceName, ServiceCommand, AccountDisplayName, AccountSid, AdditionalFields
| limit 100

Run query

 

//Find the latest password change event for a specific account
let userAccount = '<insert your user account>';
let deviceAccount = '<insert your device account>';
IdentityDirectoryEvents
| where ActionType == "Account Password changed"
| where TargetAccountDisplayName == userAccount
//If you are looking for last password change of a device account comment the above row and remove comment from the below row
//| where TargetDeviceName == deviceAccount
| summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for device account

Run query

 

 

As always, please let us know what you think and how we can tweak this enhancement further!

 

To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links:

 

Run Azure Cloud Shell in Windows Admin Center

Run Azure Cloud Shell in Windows Admin Center

by | Aug 19, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

If you are managing a Hybrid Cloud environment, you can now get a new Azure Cloud Shell extension in Windows Admin Center. Azure Cloud Shell is an interactive, authenticated, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work, either Bash or PowerShell. We are able to use Cloud Shell directly from the Azure portal, shell.azure.com, in Visual Studio Code, in the new Windows Terminal, or even in the Azure mobile app. Now with the new solution/extension, administrators can also run Cloud Shell directly within WAC.

 

 

How to run Azure Cloud Shell in Windows Admin Center

First, you will need to enable and install the new Azure Cloud Shell solution. For that open Windows Admin Center, go to Settings and in the menu click on Extensions.

 

ExtensionsExtensions

 

Under available extensions, you will find the new Azure Cloud Shell (Preview) extension. Click on Install, the WAC portal will refresh automatically.

After the page has refreshed, the Cloud Shell option will show up in the top menu.

 

Start Cloud Shell in Windows Admin CenterStart Cloud Shell in Windows Admin Center

 

If you start Azure Cloud Shell for the first time, you will need to login to Azure.

After that, you can run the PowerShell or Bash experience, depending on what you prefer. You also have access to the clouddrive which comes with Cloud Shell.

 

Azure Cloud Shell in Windows Admin CenterAzure Cloud Shell in Windows Admin Center

 

In that, you can run tools like the Azure CLI, Azure PowerShell and much more. If you want to learn more about Azure Cloud Shell, check out my blog post, Mastering Azure with Cloud Shell. Windows Admin Center is a free download to use with your Windows Servers, you can download Windows Admin Center here. If you want to know more about the Hybrid capabilities, check out my blog post on ITOpsTalk.com.

I hope this gives you an overview of how you can run Azure Cloud Shell in Windows Admin Center. Let me know if you have any questions in the comments.