Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 57. This week it is myself, Michael, Sarah and Mark. Gladys is still taking a little bit of time off. We also have a guest this week, Rui Ben Haim, who's here to talk to us about Sentinel Content Hub. But before we get to our guest, why don't we take a little lap around the news?
Sarah, why don't you kick things off? The day that we are recording this, Microsoft Entra Permissions Management, which I definitely mentioned a few episodes ago, is now GA. If you don't remember what that is, it's a new platform for managing permissions for any different identity across different clouds. That's across AWS and GCP, etc. It's now GA, and of course not all customers want to use things before they go GA. So go and have a look at that. But there's also a 90-day free trial.
You can actually go and have a play around with it, and I'm a big fan of free trials. So if you're interested, go and have a look at that. If I can add to that, I'm actually really excited about this because one of the biggest problems the Cloud introduced was that permission sprawl, where we'll just give you more permission, we'll just give this team more permission. The ability to discover and manage that is actually pretty slick with this tool. So I highly recommend folks check that one out.
The interface is actually really nice. It's actually a really nice way of governing things like RBAC policies. It's a fantastic tool. Yeah. I unfortunately have not had a look at it yet. So I'm going to take what Michael and Mark say as gospel. So yeah, go check it out. Then next up is MSTICPy. The awesome people over at MSTIC, if you don't remember the acronym that is Microsoft Threat Intelligence Center folks, they've released a new version of MSTICPy.
MSTICPy is their Python library, which basically allows you to do notebooks and cool things in notebooks. I know we've talked about that in the past before. So go and check it out. They've done things like dropping Python 3.6 support, and they've reorganized the package and added a few modules. So yeah, go check that out. And last but not least, because it's my baby, and I would never finish the news without talking about Sentinel. Well, arguably MSTICPy you can use in Sentinel.
But just one thing for Sentinel, because it is a little bit that sort of quiet time of year. In the Microsoft 365 connector, we now also have Microsoft Purview DLP alerts. So that means you can bring those alerts in natively through the Defender portal. So go and have a look at that as well. That's all my news for this time. Michael, over to you. Yeah, I got a handful of things.
First one, which I'm really happy to see actually, is in Exchange Online, they're changing the way they support authentication and authorization. So historically, we'd use classic basic authentication credentials for POP and IMAP. Well, that's now changing to support the OAuth 2 client credentials flow. This is actually really important because that way your clients are not sort of throwing around passwords all over the show.
And this is obviously a really important part of modern identity management. It's using OAuth 2.0 and OpenID Connect. That's really great to see. Next one is on Azure Backup, we now support the ability to provide like another level of authorization. There's a thing that's been added called Resource Guard. And you can put an authorization policy on the Resource Guard.
So for someone to manipulate a backup, they not only have to have access to the backup, they can optionally also need RBAC permissions on the Resource Guard. So you can have even tighter control over who's allowed to perform specific kinds of manipulations or configuration of the backup. We talked about this a few weeks ago, but now in GA, in general availability, is Azure Active Directory authentication for Application Insights.
So now you can configure App Insights to exclusively only allow data that comes in from, say, applications running under managed identities using Azure Active Directory. You don't have to turn this on, it's totally optional, but it's just another layer of defense around security and reliability of the telemetry that is coming out of your applications.
The other one that I have is you should be migrating to Azure Monitor, the Azure Monitor Agent I should say, if you're using the Log Analytics agent. Eventually the Log Analytics agent will be deprecated. I don't have a date on that just yet, but you should be moving over to AMA. Lots of good reasons for it, better performance, better security. So for example, AMA uses a managed identity.
It can also provide a higher events per second upload rate compared to the Log Analytics agent. There are cost savings, it's easier to manage honestly, there probably isn't any major downside to migrating to AMA. The last one, which is perfectly and completely and utterly self-serving, we just made available the table of contents from the book that's coming up, written by myself and Heinrich Gantenbein and Simone Curzi, Designing and Developing Secure Azure Solutions.
We just made the table of contents available up on the website, so I'll provide a link to that. The book looks like it'll be around 500 pages, so we're pretty happy with that. So with that, that's kind of the news out of the way. So why don't we turn our attention to our guest? Michael, if you don't mind, I forgot one piece of news.
I'm actually co-authoring the SC-100, probably been covered on some of the things while I was on vacation, but co-authoring that and really excited about getting that Microsoft Cybersecurity Architect exam reference guide put out there. Mark, Mark, would you not like to mention your other co-authors? Well, I know one of them has got to be Yuri, right? I mean, Yuri Diogenes. It's always Yuri. Yuri's always a girl. Gladys and Sarah as well, so really excited. Hang on, hang on.
What's going on here is like you, Gladys and Sarah, there's someone else on this podcast. Do you know the guys on the podcast? You were already busy with another talk. So with that, let's turn our attention to our guest. This week we have Rui Ben Haim, who's here to talk to us about Microsoft Sentinel Content Hub. Rui, thank you so much for joining us this week. We'd like to take a moment and sort of give our listeners a little bit of a background on what you do. Yeah, sure.
Hi, everyone. So I'm Rui. I'm the tech lead of Sentinel's Content Hub, which is like our one-stop shop for all of the Sentinel content. A bit about myself. I've been developing all sorts of software since high school, so I'd say I'm a developer for around 20 years, something like that. And I've been working for Microsoft for the past seven years or eight years, something like that. I started my career in Microsoft at Office Online.
Later, I was part of an incubation group that turned into Microsoft Defender for IoT. And for the last year, I actually joined Microsoft Sentinel here in the US. So I've got to ask the most obvious of obvious questions. So what on earth is Sentinel Content Hub? Content Hub specifically enables content lifecycle management. So what is content essentially?
So Sentinel Content is the actual resource that enables customers to ingest data, to monitor, alert, hunt, investigate, respond, and connect with different products or platforms in Microsoft Sentinel. So you can actually think of Content Hub as like a marketplace for Sentinel content. And it kind of allows you a lot of discoverability, searchability, and enablement of such content. And it's also written in React and has a really slick UX, which I'm really proud of.
Okay, so with this Content Hub, I mean, is there something that's deployed with Sentinel? I mean, how do you deploy this thing? How do you use it? What's the sort of end user experience? It's actually a page that you can scroll to in the main view of Sentinel. You just go to Content Hub and over there, you can see all the different content availability we have on our marketplace.
The main idea was for users to be able to witness the different capabilities that Sentinel has, whether it's different alert rules, hunting queries, workbooks, automation rules. So everything is available in this one-stop shop. So as I said earlier, Content Hub is a one-stop shop for all Sentinel content. So Content Hub essentially is partitioned into something called solutions.
And a solution is a bundle of that Sentinel content, of those alert rules, workbooks, playbooks, hunting queries, data connectors. So all of this content is actually bundled inside the solution. And we actually see it as an end-to-end product. And we partition it into domains such as DevOps, Storage, or user behavior, and also industry verticals such as finance. So it's like a whole solution for all of these.
Now, an example of such a solution is something that happened like a couple of months ago. We have a solution for Log4j. So as you're well aware, a couple of months ago, there was a very famous vulnerability for Log4j. And immediately after it got published, we also published a solution on our marketplace that actually detects remote code execution that got triggered as a result of the Log4j vulnerability. So you can actually see that in Content Hub right now.
So it sounds like the solutions are like a bundle of a bunch of different things, you know, dashboards, queries, et cetera, that kind of drive an outcome or a theme or something coherent. Is that a correct assumption? That's exactly what it is. Yeah. Now, how are these different between what already comes with Sentinel or is there stuff that comes out of the box, and then third-party things? How does all that work? In Content Hub, we actually distinguish different types of publishers.
There's first party, where we actually develop and create the solution. We actually have new content that isn't available out of the box whenever you install Sentinel. And we also have a lot of support from our communities, from different ISVs that can also contribute and create different solutions.
When you create a Sentinel solution, you don't really need all of the information or all of the different solutions that you have in Content Hub, but maybe you specifically are in the finance industry, so you would probably need a solution that supports your specific use case. So in that case, you'd go to Content Hub, you'll filter for finance, and you'll install the solution that we actually recommend to you.
Oh, you mentioned some of the solutions are made by Microsoft and some are made by other people. Can you give us some examples of both of those? Essentially, it's all available through the support filter. We have a support filter for both Microsoft and partner, and by choosing Microsoft, you will be able to watch our first-party created solutions, and partner is the community-based solutions. An example of a solution that is our own creation is actually Teams.
We have a solution for Teams that catches activity logs, and over there, we can use a lot of very cool analytic rules, such as, I don't know, multiple teams deleted by a single user or a user that was made an owner of multiple teams. So this is an example of a really cool solution that we have. So as for the third party, we actually have a really cool solution published by Cisco. I can add in here as well.
I mean, I'm asking you these questions, but as anyone who has listened to this podcast knows, I kind of spent my life messing around with Sentinel, so I am fully aware of what's there. So we have things like Palo Alto, we've got Cisco, we've got CrowdStrike. There's a lot of different third-party things, all things that are security products, that if you've got them in your environment, you probably want to connect into Sentinel.
Can you talk to us a bit more about what is the problem that Content Hub is trying to solve for people who are using Sentinel? Why would you go into Content Hub and deploy a solution over kind of doing everything one by one throughout the different bits of the product? Yes, so it's actually in the body of your question, right? The main answer is centralization. So you can think of the solution as I said earlier, we publish everything as a solution.
So a solution is like a whole product that is actually an entire view of a problem that you're trying to solve of connecting a data connector to a specific analytic rule in which you actually fetch the data and then check for a specific alert based on that data. So we actually see everything as a whole as opposed to trying to solve every bit of the problem individually. So that's one thing. And the other problem that we're solving
is discoverability. So a lot of the time it's pretty hard to find the specific query that you're looking for or the specific use case that you're looking for. And by having everything bundled into different solutions that are all published on a central location, which can be searched, filtered and sorted, you can actually increase your security score because
you can see everything in front of you pretty easily. And also since we also like publish new solutions on almost a weekly basis, this will also increase your security score, obviously. So that brings me on to another question then. So you said that you're publishing new solutions maybe weekly, but what about updating solutions? So I know that say a customer has deployed a solution and then we release an update. Obviously, how does that work? Because this is
something I know I've been asked by customers loads of times before. Like if you update it after I publish it, how am I going to know? What do I do? Because usually customers want to have the most up to date stuff. Yes. So when updating a solution, you can actually see it in Content Hub. One of our views, one of the most important views is for you to be able to see all the solutions that you've already installed. And you can see a marker for whether it's updated or not, whether there's a new
version available or not. And if there is, you just need to click off a button, just click on update and it will update everything. We don't do automatic updates, do we? On content? No, that's... yeah. Okay. So maybe I need to emphasize that we don't do automatic updates, but you will be notified in the Content Hub page that you need to do an update. And then once you click on the
update button, everything should work out of the box. Yeah, that's again, I know that I've heard this from customers because of course, if you're using something in production, you don't necessarily want to have it update automatically because you may need to go through a change window or whatever. But, Rui, do you know, because I know this will have changed over time, but of the current solutions we have in Content Hub, do you know which ones or could you give our listeners an idea of which
ones are the most popular? So obviously, Log4j is still hitting the jackpot. Another solution that we see people using quite a lot and I also talked about it is Teams that takes Teams audit logs. We have a new solution that we see is also in high demand, which is Azure Activity, that collects different activity logs from Azure such as role assignment operations and command executions on VMs. That is really cool. We also have Okta, which is an authentication
provider, kind of like Active Directory. We also collect activity logs from there and generate rules according to that. But those are the solutions that I've found to be quite interesting that people are using. I don't think we've mentioned this, so I'll just ask the question again for listeners. How much does Content Hub cost if you were going to use it and deploy it? It's free. What do you mean?
That's what I mean. That's what I mean. Because I know that some similar products in, not Sentinel, but similar like marketplaces, whatever you want to call it, some of those cost money in other products. I just wanted to emphasize to everyone that using this part of Sentinel is free. There's no additional cost to it. You mentioned earlier, we talked about solutions, and you mentioned out of the box content. Actually, genuinely, I do not know the answer to this.
What is the difference between a solution and out of the box content? So, a solution actually contains several Sentinel content items, as we've mentioned earlier. However, and this is something we actually launched to public preview a month ago, we also extended solutions to include not just, let's call it, the active Sentinel content, but also out of the box
content. And you can think of out of the box content as a Sentinel content blueprint. And this is something that we've actually already supported in Sentinel, like in analytic rules, for instance. So, we have an analytic rule and an analytic rule template. So, let's take that as an example. An analytic rule template can actually contain shared logic between several analytic rules. Then you can create an analytic rule based on this template. So, let's say that I have an
analytic rule template with a particular query. So, I can create an instance of an analytic rule out of it with a particular query interval and alert threshold. But then let's say that I want to create another rule based on it, but with a different interval and also a different threshold, and put those as like two different alert rules. Then we can have a template that has the shared logic in one place. And whenever we want to update the query, for instance, we can do it from
the template. And then we can update the alert rule. Now, our idea was, after we've incorporated Content Hub, to incorporate those out of the box templates into a solution as well. So, we currently have this supported, and again, this is public preview, for analytic rules, for workbooks. And this should make the entire update of a solution easier. Because whenever you update the solution, if you had active content, you probably messed around with it. You probably changed the content a little
bit from the way it's handled in the marketplace. So, whenever you update it, you have to have some sort of merging logic. But if you're working with templates, you won't have that because the template is fixed. So, an update of a solution would be way more clean. However, after you've downloaded the out of the box content, you will have to update your active item. So, that's a distinction that we have to make. Okay, makes sense. Probably, at least it gives people some flexibility,
right? And what they can do, maybe for more advanced users. That was a really good discussion. I certainly learned a couple of things. But before you go, Rui, one question we always ask our guests is, if you had one thought to leave our listeners with, what would it be? Okay, here's the thing. The solid idea of Content Hub is all about community. And we actually have a process
of adding new content, if you like, to our community. So, it would be available in Content Hub. So, in case you are a security expert or you find something that you think other people in the security community might be interested in, then by all means, go to our GitHub. I'll publish the link someplace, if you'll just give me someplace to publish it. And I really encourage everyone that listens and has a passion for security to just be a part of our thriving community and
contribute. You just need to add your resources to our GitHub repository as part of your solution. We'll have a quick authoring process. And then you're basically in. Well, with that, let's bring the podcast to an end. Rui, thank you so much for joining us this week. Again, I really appreciate you taking the time. I know that you guys are always very busy. And to all our listeners out there, thank you so much for listening. I hope you found this
podcast of interest. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at AzureSecPod. Background music is from ccmixter.com and licensed under the Creative Commons license.