S5E12 - Microsoft updates April - new products and features released

Apr 05, 2024 · 34 min · Season 5 · Ep. 12

Episode description

This week, Alan and Sam talk about new features and services that have gone into Public Preview or General Availability status in the last month. We dive into a couple of these updates that piqued our interest.

Some of the Microsoft product features and updates we covered:

  • Copilot for Security and M365
  • Syslog and CEF AMA connector for Microsoft Sentinel
  • Lots of Azure changes, new features and retirements!

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.


Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts, Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals. It's episode twelve of season five. Sam and I had a recent discussion around what Microsoft released in March. Here are a few things we covered: Copilot for Security and Microsoft 365, the Syslog and CEF AMA connector for Microsoft Sentinel, and lots of Azure changes, features and retirements.

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in. Hey, Alan, how are you doing this week? Hey, Sam. Not doing too bad. It's been a busy, busy week. How about you?

Yeah, I think this, the amount that we've got to talk about on this episode, I think says it all, to be totally honest with you. What do you think? I just, there's a, there's a lot of new going around, that's for sure. Yeah, it's definitely a burst of, burst of stuff. And actually just thinking about it, I've just thought about other stuff I want to put on this list that we shouldn't put on here.

It was, it's funny because when we, when we, when I go to look for like Azure updates, I go to like the changelog. And um, like in January there was like one page or something like that. And then I think in, you know, February it was like two or three pages or something like that. And I swear I had to look through six pages of updates in March. And that's not even what we're like. We're sort of, you know, talking about, we're talking about like security related, you know, updates that we're sort of looking at. But, yeah, there's just loads it feels like. Yeah. I don't know, just been on an absolute spree, I would say. Yeah.

Well, I just thought about all the stuff that potentially got announced at Microsoft Secure that I've not even included, like Exposure Management and things like that. Yeah. Yeah. Maybe we should do, well, some of these, some of these new things we need to do dedicated episodes on anyway, right. So, you know, definitely. But, yeah. Shall we get cracking? Because we've got quite a lot to get through this week. Alan, what do you want to kick us off with first?

Okay, so let's talk about the big one. Copilot for Security, now generally available as of the 1 April, so technically not in March, but it might as well be, to be fair, because it was announced at Microsoft Secure, you know, that it would be generally available on the 1 April. So that is now available for the world to consume and start using, I guess, within their Microsoft Defender and Purview and Intune and that. So yeah, that's a really, you know, big announcement, that that's now available for everyone to use. Still trying to understand, I think it's fair to say, the pricing of it. It's fair to say, isn't it, Sam, that it's.

It's. It's reasonable, it kind of makes sense, but it's just working out how best to use it to get the benefit of all the capability that's there.

Yeah, I think the way that I'm sort of approaching it is it feels like a brand new product. Right. We're sometimes quite lucky with new security products from Microsoft. They're acquisitions. And with an acquired product we have potentially years' worth of development, training, guidance, documentation that comes along with those products. Right. They might need to be Microsoftified and integrated, but the core of the product is what it was pre-acquisition. To me, Copilot for Security is completely brand new, and I don't want that to come across as a criticism at all, because I personally see the way that you interact with it and sort of the user experience in my sort of thought process. It's a lot better way to interact with your security tooling via natural language than having to write KQL, run through lots of different portals, X, Y and Z. Now, the elephant in the room there is: how effective is it today? And that can be criticized, and you can benchmark that and rank it. It might not be returning the data that you want. It may be slow, it might get confused sometimes. But this is literally week one of GA of a brand new product. What I think the community is trying to get their head around is how you use it effectively, how you license it, because it can be expensive. But you could also make the argument that productivity and accuracy benefits could give you some sort of ROI on that cost. But again, our interaction with it has been quite short leading up to general availability as well. You know. So we have had a chance to use it, to start to understand it and how we would start to use it. But there is a lot to learn, a lot to understand, I think, to maximize the benefit of the tool at the moment, and that's not a criticism. I don't want it to come across as one, because what we are seeing is, you know, insane amounts of development in that area, and it almost changes weekly at this point.

Yeah, and it's a different way of, like you said, consuming your products as well, isn't it? That's completely different. You know, people might be using Copilot for 365 or just, you know, the Copilot side of things, or ChatGPT, sort of ask it questions and get data from, from the Internet, from, from your, from your, your data in SharePoint, OneDrive, etcetera. But this is slightly different because it's all about the masses of data that is, you know, your, your SIEM, your, your Defenders, etcetera. So it is a different way of thinking in that as well.

So, yeah, and I just think that the big sort of challenge for me to get my head around is with, you know, because it's generative, how grounded it is, how, you know, how much it hallucinates, how accurate it is, you know, compared to other Copilot type systems, you know, because if you summarize a document into a PowerPoint with 365 Copilot, it doesn't really matter because you're looking through it, typo checking it, things like that. If you're writing code with GitHub Copilot, it might be suggesting code blocks for you, autocompletes, and you're still going through and doing QA and understanding that. My sort of thing that I'm trying to get my head around is, as you're going through your threat hunting or investigating an incident in real time, how accurate is it for what it's returning back to you. And we're seeing a lot of guidance and documentation from Microsoft about how to ground it in truth, how to really engineer your prompts to get the best out of the tooling. Right. So there's a lot to understand and unpick. You know, it's, yeah, it's a big one in my opinion.

Yeah, I would definitely do an episode on it at some point. It's just I think we're going to leave it to venture the world a little bit and get some, get some views about how, you know, organizations are starting to use it and now aren't we? So, yeah, yeah, 100% so, yeah.

Okay, so that's, you know, it's massive. And again, that's an episode. And plus for even good diving into that one. Okay, so for Defender for Cloud Apps, MDA, they released new detections for Microsoft Copilot for 365. So this is looking at activity within the environment on your 365 to see how Copilot is being used. It allows you to then hunt for the type of events that it's creating and things like that. So I think that's really good. Starting to bring in some of that visibility of what Copilot is accessing within your 365 environment.

Yeah, no, really good. Seeing lots of customers asking about technical readiness, security and compliance related around Copilot for 365. So yeah, that's really good to see. Yeah. And that just bolsters the other one we announced about Cloud Discovery seeing generative AI in there, so you can start tracking usage there. But this is actually activity and access now into your environment. Okay. So let's just double check. Yeah, that's fine. Okay.

So Defender for Identity. So there's an update to the agents themselves. But one of the key things that we sort of seen is now that there's a new Graph-based API now for viewing the health issues that you might see on the, the agents that are on the domain controllers. So previously you were unable to programmatically collect that data or monitor that data; that is now available as of, I think that was actually only last week that it came out. So that probably was in March. That's a really good help for being able to track when, when stuff is going unhealthy. Maybe the domain controller is under-provisioned or one of the services has stopped working and is causing blind spots.

Yeah, heartbeat monitoring of security tooling is big, important. Really up the list, isn't it? So that's really positive to see that you can, you know, plumb that into whatever system you're using to track.

Yeah, definitely. Okay, so Microsoft Sentinel, there was a couple in here, but one sort of picked out was that the Syslog and CEF connector for use with the Azure Monitor Agent, AMA, is now generally available. I think it's been in public preview for a long time now. But that's, that's good to hear because, you know, the, the Microsoft Monitoring Agent, MMA, is going end of life in August, I think it is. And everyone has to move to AMA previously, so there may be some organizations out there waiting for it to go generally available before using it. If that's the case, then it's now GA. So let's, let's put the, take the brakes off and let's get everyone over to AMA before AMA goes end of life.

And then probably one or two last from me, one is an extra one I just thought about. But within the Defender XDR portal, Microsoft have now made it public preview for the unified security operations platform view of it. So now you're able to bring Microsoft Sentinel into the Defender portal. So now you'll be able to see your content, your analytic rules, the alerts are all in there as well. They're synchronized, and yes, and now you can technically, most, the majority of the functionality there is now able to be done in one portal alongside your Defender, you know, all the other Defender sort of capabilities there. So even with advanced hunting, that means that technically now you can query against the Sentinel Log Analytics workspace and the Defender tables. So you can do a cross, in effect a cross query there and build some, it must probably be custom detection rules at that point, I think, rather than analytic rules. But you can at least save some queries there so you can do it across the whole data set. I think that's really good. It's just pushing us all into the Defender XDR portal to see all of our security information.

Yeah, no, that sounds really powerful, that's for sure.

Yep. And then probably the last one that I remembered, which was part of the Microsoft Secure release, was probably the Exposure Management that's now been released into the Defender XDR portal. So this is bringing, you know, Secure Score in there, but also allowing you to see, in effect, potential risks in your environment. Sort of pre, this is kind of looking at pre-breach protections. So this is making sure that you are secure, reducing your risk of compromise before you even get breached, and identifying critical assets within identity and devices, and potentially being able to see, similar to cloud, the attack paths. But it's in effect the same thing but against your devices and your identities as well. So it's all kind of bringing data in from the products that you have enabled in Defender there. So I think that's a really key part to protecting yourself before, or reducing your risk of compromise there.

Yeah, nice. Yeah, because there's a lot of posture, you know, posture and exposure information across all of those different products. So, you know, seeing it being amalgamated into one place is really positive. I really like the meshing around initiatives in there. I think it aligns a lot of the recommendations into, you know, known scenarios that make sense to people, I would say. You know, like there's an initiative for, is it business email compromise, things like that. So you can actually start to focus on, you know, actual real events that we see in the wild and how prepared you are for those in your environment.

Yeah, and I think there's some like CIS initiatives in there as well, isn't there, for 365 and things like that. So yeah, different, different lenses, determining what you need, you might need to do to harden or protect yourself.

And those scenarios are real and it's presented in a way that is real, not just, you know, framework X control 56.5. You know, you should do this. Well, why should I do it? You know, what does it really mean, you know, and I think this links it together with a bit more narrative, personally.

Yeah, definitely. Okay, so that's probably my updates around all the Defenders and things like that. There were some others in there, but I think those are some of the key ones that came out of last month. So what's happening in Azure, Sam? Okay, I've got ten tabs that I'm going to work through. So yeah, we've got quite a few things to talk about. Some of them are. Sorry, what did you say? Just. Just ten. That's only a page, isn't it, that you're saying?

It's mental. Right, here we go. So new generation of AMD virtual machines, Dasv6. So this is the latest Genoa, fourth generation AMD EPYC CPUs. We like to promote later versions because they usually give you better CPU performance for around the same sort of price, if not sometimes cheaper. It's a bit weird how that works out sometimes. And also you get any of the other sort of like storage and I/O related benefits that may come along with technology that's built into those newer CPUs. So definitely worth checking out if you're using v5s today.

Generally available support for Node.js version 20 on Azure Functions. So I don't know what the latest LTS is, LTS Node.js. Let me just double check. Yeah, LTS is version 20. So this is a big release for Node.js, and Azure Functions has got support for it now. Generally available as of the start of March.

There's a public preview in Azure which is called change actor or change analysis. It effectively adds two tables into Azure Resource Graph, with resource changes and resource container changes, which allows you to summarize who made a change in Azure, with what client they made that change, and what operation they actually made on that object. This isn't something I've looked at yet, but I think this could be really important for observing infrastructure changes in Azure. That has been a challenge previously, to understand who did what when, especially if you're further down the line, you know, with new resources coming online. Yeah, in public preview, it's definitely gone on my list to take a look at.

Microsoft Entra ID is now being integrated for authentication with Azure Cosmos DB for PostgreSQL. So again, we're getting a binding into those native PostgreSQL roles in Cosmos DB. So always good to see modern cloud based authentication integrated with, I can't really call Postgres a traditional system, but when it comes to databases and how their authentication usually works is, yeah, it's a bit, a little bit antiquated sometimes. Yeah, sorry, go on.

Although I say it's good because we're seeing that a lot more now, aren't we? That Entra, you know, Entra ID authentication. It's coming into a lot more of the stack, isn't it, where it maybe hadn't done. Because I think it's been in SQL for a long time, hasn't it? Yes. Yeah. Yeah. SQL Server. Yeah. And Azure SQL. Yeah. Yeah. So I guess that means that at some point you'll be able to use managed identity to access it.

Yeah, that would be my guess as to what you would generally tend to use it for, right? Yeah. Cool. Another one which I've seen on other cloud providers. I don't know if you can give any insights here, Alan. I don't know what the driver is for this one, but free data transfer out to the Internet when leaving. So off-boarding Azure. I think it, I don't know who publicly first did it. Was it GCP and then. Yeah.

And then AWS did it, and now I've seen an update from Microsoft about it. I assume this is, I think it's driven from the European Data Act, but I don't know any specifics about that. But my assumption is to prevent sort of vendor lock-in of data within cloud providers. So I don't know if I saw it as GCP first, AWS and then Azure. But I don't know if this has all been planned in, or it's been driven from regulation. I'm not sure where it's come from.

Definitely seeing that being a sticking point for moving. Definitely seen it for, not necessarily the clouds but for other services where, you know, in effect no one's moving because it's going to cost too much to pull the data out.

Yeah. And you know, you pay for ingest and then you pay for egress. Right. And it's just, yeah, it's scary.

Okay, so another sort of developer related one, support for .NET 7, which doesn't really sound that old, but it wasn't a long term release, ends on the 14 May of this year. The upgrade to .NET 8 is, touch wood, supposed to be pretty simplistic. Their APIs are very similar. .NET 8 is the LTS release. So yeah, Azure Functions is retiring .NET 7 on the 14 May.

A cool one that's in preview at the moment is being able to change the partition key of a container in Azure Cosmos DB. This is for the NoSQL API, and this is effectively a quick way, a more efficient way of rebuilding the container. From what I can see, you still need to rebuild the container. They're just going to do it on your behalf. It just makes it a bit easier. This is more for development, when you're working out what your partition key can be and promoting development data. Could use it in production, obviously, but that's where I'd see it mainly being used. That's currently in preview. I don't know, I'm not sure if I'd run a production change on the preview thing. But yeah, it's in preview at the moment.

So going back to the .NET, thinking I should have probably had this one next. So we talked about the move from .NET 7 to .NET 8. Well, .NET 6 was the long term supported release. Now, weirdly, the support for that actually ends after the .NET 7 support. So .NET 7 was, I think it was, it said May this year; .NET 6 support retires and ends in November this year. So again, you need to look to upgrade your Azure Functions to .NET 8 for it to be supported. It's probably worth calling out, when they retire these versions your apps will still function, you'll be getting no new security updates, and there's no customer service when they're in their unsupported modes.

A big one that came into GA at the end of March, and I only realized this week, was the new Logic Apps designer for consumption. Have you had a play with it, Alan, and used it?

I've been. I have used it occasionally, definitely. When.

If you've been using the old one for a long time, it's definitely different. There's pros and cons to it, I think from, I think, I think there's more pros, but I think it's more. If you've been using the, what was the current one? There's a lot of things you're used to doing and it's just different. It's like no one likes change, but there are things and they're like, yes, this is great. And then you go to other bits like, oh, wish that was the. I think one of them was. No. Is it this one? No.

I'm thinking of Flow. Power Automate, not Flow, it's not been Flow for years. Power Automate. Because in there you can copy actions and then paste them into the next section. You can't do that in the old one. Anyway. That's a bit. That was an annoyance around those two. Anyway, but that's off topic.

One thing I didn't realize is. So yeah, I do think things have been moved around, that's for sure. One thing. Apparently the new designer is open source. Apparently. So I don't know if it's available on like, you know, GitHub. Oh yeah it is. I found the link for that, yes. So the new UI is actually available on GitHub and the issues are open and everything, so it is actually. What's the license? It's an MIT license. Wow. So they sort of community sourced the, the logic apps user experience now, which is. Yeah. Interesting to see.

I know there's one thing in it that. One thing that's different is that I think when you open an action, it turns up on the right hand side instead. And that's really good. But I think there's two x's and if you press the top x, it closes the whole thing. I think something like that, but I think that might be fixed in the.

Honestly, I haven't. All I noticed was I went to create, I was doing some testing with Security Copilot logic apps this week, and I created a new logic app, a brand new one, and I was like, what is this? Have I created like a standard? Have I created a consumption one? It was a bit. Me adding my trigger was a little bit confusing to start off with. I could. It was. I don't know, it took me a few seconds to get it to work, but after that it was absolutely fine. But I haven't done anything big in it yet, if that makes sense. I haven't. You know, that logic app was literally like two actions.

It was. It was literally nothing. So be interesting to see what's improved there. Sorry.

I opened a new tab for GitHub. The last thing that I've got as well is, apparently there's free managed certificates on Azure Container Apps. I think I've done an episode on. Have I done an episode on Container Apps? I think I have, but Container Apps are epic if you've got containerized applications, as the name suggests. But apparently there's a free managed certificate for your custom domains on there now as well. So I don't know what this is. Maybe it's a Let's Encrypt cert or something like that. But yeah, that's really good because it's completely contained within that solution. You don't have to worry about the management of the certificates and their lifecycle. That makes adopting that technology even easier. And Container Apps is, in my opinion, a really good, useful tool for running containerized apps.

Yeah, I did see this one being announced somewhere and I thought that was really, really good for it because like you said, it's something else you don't have to worry about. It's all managed by Microsoft and. Yeah, it means you can get straight out to being secure from the start for your application because I suppose in theory you could do. Yeah, self signed and things like that.

Yeah, it's, you know, a lot of people do sort of, you know, load balance and firewall their containers anyway, so sometimes it's not so much of a true issue, but it will take a lot of that away. If you do want to. Well, even if you want to secure them in a private environment or you want to have them publicly accessible, then yeah, it's no bad thing, is it, to have this sort of management as part of a tool? Yeah.

And I guess like you said, if it's only if it's within the same solution, app to app communication and might be over the Microsoft public network part between different containers or web apps and things like that, maybe. Yeah, exactly. At least. Yeah, that's. At least that's easily secured without having to pay out for more stuff to manage. Yeah. So yeah, that's, that's, that's my lot. I try to get through them as efficiently as I possibly could.

That's cool. I do have one more which I do remember, and I've been checking that I can talk about it in the background, but there's a link anyway to what I'm going to talk about anyway. So it's generally public, but probably going back on our not last but one episode around the Customer Connection Program, and I was saying there's only three or four of them. That aside, with the release of Microsoft Copilot for Security, there is now a new CCP program for Copilot for Security. So if you are looking to start using it and want to see what it's doing and want to be part of its development, its enhancements, its fine tuning kind of thing, and want to give feedback on it so that we can, you know, everyone, yourselves and everyone else, can sort of benefit from that, I guess, that experience and things like that, it'd be worth joining it along with the other CCPs that we're talking about. That's aka.ms/joinccp. That was, I think that was released on the first or 2 April. So there's only what, a couple of days? Three or four, you know, four days it's been set up.

Nice. Thanks, Alan. Yeah, that's, that's really good to see another CCP. Yeah. Be creative for Copilot. Yeah, definitely. I'm sure it's gonna be a busy one as well. Yeah, definitely. Yeah. Yes. So yeah, that's all that I had. Cool. Alan, is it your episode next time? What are you going to be covering?

Yep. Yep, my episode next. So we're going to talk about Cloud PKI within Intune, and part of the, either standalone or part of the Intune Suite there. So bringing device and user certificates being managed by Microsoft, and you being able to deploy them via Intune, seems to be sort of another way to help push, push organizations into another part of their infrastructure into the cloud there from a security perspective, and reducing the need to have, I guess, Active Directory there.

Active Directory. Yeah, it's another step to the cloud, cloud management. So yeah, it'll be a good one. I've had a play with it as part of the product preview and I've actually got it set up myself for sort of testing and stuff, so I can go through sort of what it's like, what you can do and all that sort of stuff. So it'll be quite a good episode. Nice. Thanks, Alan. Yeah, that sounds really good.

Okay, so did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us to reach more people like yourselves. If you have any specific feedback or suggestions, we have a link in our show notes to get in contact with us. Yeah. And if you've made it this far, thanks very much for listening and we'll catch you on the next one. Yeah, thanks all.

Transcript source: Provided by creator in RSS feed.