1
00:00:00,000 --> 00:00:07,200
Welcome to the Azure Security Podcast,

2
00:00:07,200 --> 00:00:09,520
where we discuss topics relating to security,

3
00:00:09,520 --> 00:00:11,320
privacy, reliability,

4
00:00:11,320 --> 00:00:14,760
and compliance on the Microsoft Cloud Platform.

5
00:00:14,760 --> 00:00:18,000
Hey everybody, welcome to Episode 57.

6
00:00:18,000 --> 00:00:21,120
This week it is myself, Michael, and Sarah and Mark.

7
00:00:21,120 --> 00:00:23,200
Gladys is still taking a little bit of time off.

8
00:00:23,200 --> 00:00:24,680
We also have a guest this week,

9
00:00:24,680 --> 00:00:29,080
Rui Ben Haim, who's here to talk to us about Sentinel Content Hub.

10
00:00:29,080 --> 00:00:30,800
But before we get to our guest,

11
00:00:30,800 --> 00:00:32,920
why don't we take a little lap around the news?

12
00:00:32,920 --> 00:00:35,040
Sarah, why don't you kick things off?

13
00:00:35,040 --> 00:00:38,140
The day that we are recording this,

14
00:00:38,140 --> 00:00:40,720
Microsoft Entra Permissions Management,

15
00:00:40,720 --> 00:00:45,200
which I definitely mentioned a few episodes ago, is now GA.

16
00:00:45,200 --> 00:00:48,400
If you don't remember what that is,

17
00:00:48,400 --> 00:00:53,160
it's a new platform for managing permissions

18
00:00:53,160 --> 00:00:56,800
for any different identity across different Clouds.

19
00:00:56,800 --> 00:00:59,920
That's across AWS and GCP, etc.

20
00:00:59,920 --> 00:01:02,480
It's now because it's GA.

21
00:01:02,480 --> 00:01:05,720
Of course, not all customers want to use things before it goes GA.

22
00:01:05,720 --> 00:01:07,360
So go and have a look at that.

23
00:01:07,360 --> 00:01:10,400
But they've also got a 90-day free trial.

24
00:01:10,400 --> 00:01:12,200
You can actually go and have a play around with it,

25
00:01:12,200 --> 00:01:13,640
and I'm a big fan of free trials.

26
00:01:13,640 --> 00:01:17,200
So if you're interested, go and have a look at that.

27
00:01:17,200 --> 00:01:18,400
If I can add to that,

28
00:01:18,400 --> 00:01:21,160
I'm actually really excited about this because one of

29
00:01:21,160 --> 00:01:24,320
the biggest problems the Cloud introduced was that permission sprawl,

30
00:01:24,320 --> 00:01:26,760
where we'll just give you more permission,

31
00:01:26,760 --> 00:01:28,760
we'll just give this team more permission.

32
00:01:28,760 --> 00:01:33,040
The ability to discover and manage that is actually pretty slick with this tool.

33
00:01:33,040 --> 00:01:35,560
So I highly recommend folks check that one out.

34
00:01:35,560 --> 00:01:37,520
The interface is actually really nice.

35
00:01:37,520 --> 00:01:41,080
It's actually a really nice way of governing things like RBAC policies.

36
00:01:41,080 --> 00:01:42,880
It's a fantastic tool.

37
00:01:42,880 --> 00:01:46,560
Yeah. I unfortunately have not had a look at it yet.

38
00:01:46,560 --> 00:01:49,520
So I'm going to take what Michael and Mark say as gospel.

39
00:01:49,520 --> 00:01:50,880
So yeah, go check it out.

40
00:01:50,880 --> 00:01:53,360
Then next up is MSTICPy.

41
00:01:53,360 --> 00:01:55,760
The awesome people over at MSTIC,

42
00:01:55,760 --> 00:01:57,920
if you don't remember the acronym that is

43
00:01:57,920 --> 00:02:01,880
Microsoft Threat Intelligence Center folks,

44
00:02:01,880 --> 00:02:04,440
they've released a new version of MSTICPy.

45
00:02:04,440 --> 00:02:07,160
MSTICPy is their Python library,

46
00:02:07,160 --> 00:02:11,960
which basically allows you to do notebooks and cool things in notebooks.

47
00:02:11,960 --> 00:02:14,400
I know we've talked about that in the past before.

48
00:02:14,400 --> 00:02:15,800
So go and check it out.

49
00:02:15,800 --> 00:02:19,240
They've done things like dropping Python 3.6 support,

50
00:02:19,240 --> 00:02:23,760
and they've reorganized the package and added a few modules.

51
00:02:23,760 --> 00:02:26,720
So yeah, go have a check out of that.

52
00:02:26,720 --> 00:02:29,200
And last but not least, because it's my baby,

53
00:02:29,200 --> 00:02:32,080
and I would never finish the news without talking about Sentinel.

54
00:02:32,080 --> 00:02:34,800
Well, arguably MSTICPy you can use in Sentinel.

55
00:02:34,800 --> 00:02:36,760
But just one thing for Sentinel,

56
00:02:36,760 --> 00:02:39,320
because it is a little bit that sort of quiet time of year.

57
00:02:39,320 --> 00:02:43,960
But we now have in the Microsoft 365 connector,

58
00:02:43,960 --> 00:02:47,600
we also now have Microsoft Purview DLP alerts.

59
00:02:47,600 --> 00:02:52,920
So that means you can bring those alerts in natively through the Defender portal.

60
00:02:52,920 --> 00:02:55,360
So go and have a look at that as well.

61
00:02:55,360 --> 00:02:57,360
That's all my news for this time.

62
00:02:57,360 --> 00:02:59,720
Michael, over to you.

63
00:02:59,720 --> 00:03:01,080
Yeah, I got a handful of things.

64
00:03:01,080 --> 00:03:05,200
First one, which I'm really happy to see actually, is in Exchange Online,

65
00:03:05,200 --> 00:03:09,720
they're changing the way they support authentication and authorization.

66
00:03:09,720 --> 00:03:13,200
So historically, we'd use classic basic authentication credentials

67
00:03:13,200 --> 00:03:14,920
for POP and IMAP.

68
00:03:14,920 --> 00:03:19,160
Well, that's now changing to support the OAuth 2 client credentials flow.

69
00:03:19,160 --> 00:03:22,040
This is actually really important because that way your clients

70
00:03:22,040 --> 00:03:25,640
are not sort of throwing around passwords all over the show.

71
00:03:25,640 --> 00:03:30,320
And this is obviously a really important part of modern identity management.

72
00:03:30,320 --> 00:03:34,280
It's using OAuth 2.0 and OpenID Connect.

73
00:03:34,280 --> 00:03:36,240
That's really great to see.

74
00:03:36,240 --> 00:03:40,200
Next one is on Azure Backup,

75
00:03:40,200 --> 00:03:44,760
we now support the ability to provide another level of authorization.

77
00:03:44,760 --> 00:03:47,560
There's a thing that's been added called Resource Guard.

77
00:03:47,560 --> 00:03:50,320
And you can put an authorization policy on the Resource Guard.

78
00:03:50,320 --> 00:03:52,680
So for someone to manipulate a backup,

79
00:03:52,680 --> 00:03:54,880
they not only have to have access to backup,

80
00:03:54,880 --> 00:03:59,400
they can optionally also have RBAC permissions on the Resource Guard.

81
00:03:59,400 --> 00:04:03,520
So you can have even tighter control over who's allowed to perform

82
00:04:03,520 --> 00:04:07,760
specific kinds of manipulations or configuration of the backup.

83
00:04:07,760 --> 00:04:11,280
We talked about this a few weeks ago, but now in GA, general availability,

84
00:04:11,280 --> 00:04:14,440
is Azure Active Directory authentication for Application Insights.

85
00:04:14,440 --> 00:04:19,880
So now you can configure App Insights to exclusively only allow

86
00:04:19,880 --> 00:04:23,920
data that comes in from say applications running under managed identities

87
00:04:23,920 --> 00:04:25,560
using Azure Active Directory.

88
00:04:25,560 --> 00:04:28,200
You don't have to turn this on, it's totally optional,

89
00:04:28,200 --> 00:04:31,360
but it's just another layer of defense around security

90
00:04:31,360 --> 00:04:36,120
and reliability of the telemetry that is coming out of your applications.

91
00:04:36,120 --> 00:04:40,840
The other one that I have is you should be migrating to Azure Monitor,

92
00:04:40,840 --> 00:04:43,400
to the Azure Monitor agent, I should say,

93
00:04:43,400 --> 00:04:45,880
if you're using the Log Analytics agent.

94
00:04:45,880 --> 00:04:48,440
Eventually the Log Analytics agent will be deprecated.

95
00:04:48,440 --> 00:04:53,280
I don't have a date on that just yet, but you should be moving over to AMA.

96
00:04:53,280 --> 00:04:56,960
Lots of good reasons for it, better performance, better security.

97
00:04:56,960 --> 00:05:00,040
So for example, AMA uses a managed identity.

98
00:05:00,040 --> 00:05:03,720
It can also provide higher events per second upload rate

99
00:05:03,720 --> 00:05:06,600
compared to the Log Analytics agent.

100
00:05:06,600 --> 00:05:10,840
There are cost savings, it's easier to manage honestly,

101
00:05:10,840 --> 00:05:15,320
there probably isn't any major downside to migrating to AMA.

102
00:05:15,320 --> 00:05:20,200
The last one, which is perfectly and completely and utterly self-serving,

103
00:05:20,200 --> 00:05:25,080
we just made available the table of contents from the book that's coming up,

104
00:05:25,080 --> 00:05:28,440
written by myself, Heinrich Gantenbein and Simone Curzi,

105
00:05:28,440 --> 00:05:30,760
Designing and Developing Secure Azure Solutions.

106
00:05:30,760 --> 00:05:34,360
We just made the table of contents available up on the website,

107
00:05:34,360 --> 00:05:36,200
so I'll provide a link to that.

108
00:05:36,200 --> 00:05:38,760
The book looks like it'll be around 500 pages,

109
00:05:38,760 --> 00:05:41,080
so we're pretty happy with that.

110
00:05:41,080 --> 00:05:43,240
So with that, that's kind of the news out the way.

111
00:05:43,240 --> 00:05:45,480
So why don't we turn our attention to our guests?

112
00:05:45,480 --> 00:05:48,360
Michael, if you don't mind, I forgot one piece of news.

113
00:05:48,360 --> 00:05:52,120
I'm actually co-authoring the SC-100, probably been covered

114
00:05:52,120 --> 00:05:54,120
on some of the things while I was on vacation,

115
00:05:54,120 --> 00:05:58,200
but co-authoring that and really excited about getting that

116
00:05:58,200 --> 00:06:03,640
Microsoft Cybersecurity Architect exam reference guide put out there.

117
00:06:03,640 --> 00:06:08,920
Mark, Mark, would you not like to mention your other co-author?

118
00:06:08,920 --> 00:06:10,760
Well, I know one of them has got to be Yuri, right?

119
00:06:10,760 --> 00:06:11,960
I mean, Yuri Diogenes.

120
00:06:11,960 --> 00:06:13,320
It's always Yuri.

121
00:06:13,320 --> 00:06:14,920
Yuri's always a girl.

122
00:06:14,920 --> 00:06:17,560
Gladys and Sarah as well, so really excited.

123
00:06:17,560 --> 00:06:18,360
Hang on, hang on.

124
00:06:18,360 --> 00:06:20,680
What's going on here is like you, Gladys and Sarah,

125
00:06:20,680 --> 00:06:22,120
there's someone else on this podcast.

126
00:06:22,120 --> 00:06:23,560
Do you know the guys on the podcast?

127
00:06:23,560 --> 00:06:25,320
You were already busy with another talk.

128
00:06:27,160 --> 00:06:29,960
So with that, let's turn our attention to our guest.

129
00:06:29,960 --> 00:06:31,960
This week we have Rui Ben Haim,

130
00:06:31,960 --> 00:06:36,360
who's here to talk to us about Microsoft Sentinel Content Hub.

131
00:06:36,360 --> 00:06:37,960
Rui, thank you so much for joining us this week.

132
00:06:37,960 --> 00:06:40,440
We'd like to take a moment and sort of give our listeners

133
00:06:40,440 --> 00:06:42,120
a little bit of a background on what you do.

134
00:06:42,760 --> 00:06:43,320
Yeah, sure.

135
00:06:43,320 --> 00:06:44,520
Hi, everyone.

136
00:06:44,520 --> 00:06:45,800
So I'm Rui.

137
00:06:45,800 --> 00:06:47,960
I'm the tech lead of Sentinel's Content Hub,

138
00:06:48,520 --> 00:06:51,800
which is like our one-stop shop for all of the Sentinel content.

139
00:06:51,800 --> 00:06:53,000
A bit about myself.

140
00:06:53,000 --> 00:06:56,040
I've been developing all sorts of software since high school,

141
00:06:56,040 --> 00:07:00,360
so I'd say I'm a developer for around 20 years, something like that.

142
00:07:01,000 --> 00:07:05,320
And I've been working for Microsoft for the past seven years

143
00:07:05,320 --> 00:07:06,440
or eight years, something like that.

144
00:07:06,440 --> 00:07:09,320
I started my career in Microsoft at Office Online.

145
00:07:09,320 --> 00:07:12,760
Later, I was part of an incubation group that turned into

146
00:07:12,760 --> 00:07:14,280
Microsoft Defender for IoT.

147
00:07:14,920 --> 00:07:20,040
And for the last year, I actually joined Microsoft Sentinel here in the US.

148
00:07:20,840 --> 00:07:23,640
So I've got to ask the most obvious of obvious questions.

149
00:07:23,640 --> 00:07:26,760
So what on earth is Sentinel Content Hub?

150
00:07:27,640 --> 00:07:33,320
Content Hub specifically enables content lifecycle management.

151
00:07:33,800 --> 00:07:36,040
So what is content essentially?

152
00:07:36,040 --> 00:07:41,800
So Sentinel Content is the actual resource that enables customers to ingest data,

153
00:07:41,800 --> 00:07:45,080
to monitor, alert, hunt, investigate, respond,

154
00:07:45,720 --> 00:07:50,760
and connect with different products or platforms in Microsoft Sentinel.

155
00:07:51,320 --> 00:07:56,120
So you can actually think of Content Hub as like a marketplace for Sentinel content.

156
00:07:56,840 --> 00:08:01,000
And it kind of allows you a lot of discoverability, searchability,

157
00:08:01,000 --> 00:08:02,680
and enablement of such content.

158
00:08:02,680 --> 00:08:08,280
And it's also written in React and has a really slick UX, which I'm really proud of.

159
00:08:08,280 --> 00:08:13,320
Okay, so with this Content Hub, I mean, is there something that's deployed with Sentinel?

160
00:08:13,320 --> 00:08:14,840
I mean, how do you deploy this thing?

161
00:08:14,840 --> 00:08:15,720
How do you use it?

162
00:08:15,720 --> 00:08:17,560
What's the sort of end user experience?

163
00:08:17,560 --> 00:08:22,920
It's actually a page that you can scroll to in the main view of Sentinel.

164
00:08:22,920 --> 00:08:25,320
You just go to Content Hub and over there, you can see

165
00:08:25,320 --> 00:08:28,920
all the different content availability we have on our marketplace.

166
00:08:28,920 --> 00:08:36,200
The main idea was for users to be able to witness the different capabilities

167
00:08:36,200 --> 00:08:41,960
that Sentinel has, whether it's different alert rules, hunting queries,

168
00:08:41,960 --> 00:08:44,200
workbooks, automation rules.

169
00:08:44,200 --> 00:08:47,000
So everything is available in this one-stop shop.

170
00:08:47,000 --> 00:08:51,640
So as I said earlier, Content Hub is a one-stop shop for all Sentinel content.

171
00:08:52,200 --> 00:08:55,800
So Content Hub essentially is partitioned into something called solution.

172
00:08:55,800 --> 00:09:00,840
And solution is a bundle of those Sentinel content, of those alert rules,

173
00:09:00,840 --> 00:09:05,560
workbooks, playbooks, hunting queries, data connectors.

174
00:09:05,560 --> 00:09:13,080
So all of these content are actually bundled inside this solution.

175
00:09:13,960 --> 00:09:16,760
And we actually see it as an end-to-end product.

176
00:09:16,760 --> 00:09:22,520
And we partition it into domains such as DevOps, Storage, or user behavior,

177
00:09:22,520 --> 00:09:26,520
and also industry verticals such as finance.

178
00:09:26,520 --> 00:09:29,560
So it's like a whole solution for all of these.

179
00:09:30,520 --> 00:09:35,480
Now, an example of such solution is something that happened like a couple of months ago.

180
00:09:36,680 --> 00:09:38,920
We have a solution for Log4j.

181
00:09:38,920 --> 00:09:41,160
So as you're well aware, a couple of months ago,

182
00:09:41,160 --> 00:09:44,120
there was a very famous vulnerability for Log4j.

183
00:09:44,760 --> 00:09:48,440
And immediately after it got published,

184
00:09:48,440 --> 00:09:51,000
we also published a solution on our marketplace.

185
00:09:51,000 --> 00:09:58,520
That actually detects remote code execution that got triggered as a result of the Log4j vulnerability.

186
00:09:58,520 --> 00:10:01,160
So you can actually see that in Content Hub right now.

187
00:10:01,160 --> 00:10:07,320
So it sounds like the solutions are like a bundle of a bunch of different things,

188
00:10:07,320 --> 00:10:14,520
you know, dashboards, queries, et cetera, that kind of drive an outcome or a theme or something coherent.

189
00:10:14,520 --> 00:10:16,280
Is that a correct assumption?

190
00:10:16,280 --> 00:10:17,880
That's exactly what it is. Yeah.

191
00:10:17,880 --> 00:10:23,480
Now, how are these different between what already comes with Sentinel or is there stuff that comes out of the box,

192
00:10:23,480 --> 00:10:26,200
and then third-party things? How does all that work?

193
00:10:26,200 --> 00:10:32,360
In Content Hub, we actually distinguish different types of publisher.

194
00:10:32,360 --> 00:10:39,320
There's a first party in which we actually develop and create the solution.

195
00:10:39,320 --> 00:10:44,120
We have actually new content that isn't available out of the box whenever you install Sentinel.

196
00:10:44,120 --> 00:10:49,560
And we also have a lot of support from our communities from different ISVs

197
00:10:49,560 --> 00:10:52,440
that can also contribute and create different solutions.

198
00:10:52,440 --> 00:10:56,840
When you create a Sentinel solution, you don't really need all of the information

199
00:10:56,840 --> 00:10:59,880
or all of the different solutions that you have in Content Hub,

200
00:10:59,880 --> 00:11:02,760
but maybe you specifically are in the finance industry,

201
00:11:02,760 --> 00:11:07,800
so you would probably need a solution that supports your specific use case.

202
00:11:07,800 --> 00:11:11,480
So in that case, you'd go to Content Hub, you'll filter for finance,

203
00:11:11,480 --> 00:11:14,680
and you'll install the solution that we actually recommend you to.

204
00:11:14,680 --> 00:11:21,400
Oh, you mentioned some of the solutions are made by Microsoft and some are made by other people.

205
00:11:21,400 --> 00:11:25,960
Can you give us some examples of both of those?

206
00:11:25,960 --> 00:11:31,400
Essentially, it's all available for the support filter.

207
00:11:31,400 --> 00:11:35,240
We have a support filter for both Microsoft and partner,

208
00:11:35,240 --> 00:11:38,840
and by choosing Microsoft, you will be able to watch our first-party

209
00:11:38,840 --> 00:11:42,680
created solutions, and partner is the community-based solutions.

210
00:11:42,680 --> 00:11:48,120
An example of a solution that our own creation is actually Teams.

211
00:11:48,120 --> 00:11:51,320
We have a solution for teams that catches activity logs,

212
00:11:51,320 --> 00:11:55,880
and over there, we can use a lot of very cool analytic rules, such as, I don't know,

213
00:11:55,880 --> 00:12:04,840
multiple teams deleted by a single user or a user that was made as an owner of multiple teams.

214
00:12:04,840 --> 00:12:11,720
So this is an example of a really cool solution that we have.

215
00:12:11,720 --> 00:12:17,000
So as for the third party, we actually have a really cool solution published by Cisco.

216
00:12:17,720 --> 00:12:19,320
I can add in here as well.

217
00:12:19,320 --> 00:12:23,880
I mean, I'm asking you these questions, but as anyone who has listened to this podcast knows,

218
00:12:23,880 --> 00:12:27,800
I kind of spent my life messing around with Sentinel, so I am fully aware of what's there.

219
00:12:27,800 --> 00:12:35,800
So we have things like Palo Alto, we've got Cisco, we've got CrowdStrike.

220
00:12:36,840 --> 00:12:41,720
There's a lot of different third-party things, all things that are security products,

221
00:12:41,720 --> 00:12:46,120
that if you've got them in your environment, you probably want to connect into Sentinel.

222
00:12:46,120 --> 00:12:52,280
Can you talk to us a bit more about what is the problem that Content Hub is trying to solve

223
00:12:52,280 --> 00:13:01,320
for people who are using Sentinel? Why would you go into Content Hub and deploy a solution

224
00:13:01,320 --> 00:13:06,600
over kind of doing everything one by one throughout the different bits of the product?

225
00:13:08,120 --> 00:13:14,280
Yes, so it's actually in the body of your question, right? The main answer is centralization.

226
00:13:14,840 --> 00:13:20,200
So you can think of the solution as I said earlier, we publish everything as a solution.

227
00:13:20,200 --> 00:13:25,800
So a solution is like a whole product that is actually an entire view of a problem that you're

228
00:13:25,800 --> 00:13:32,280
trying to solve of connecting a data connector to a specific analytic rule

229
00:13:33,320 --> 00:13:38,680
in which you actually fetch the data and then check for a specific alert based on that data.

230
00:13:40,520 --> 00:13:45,960
So we actually see everything as a whole as opposed to trying to solve every bit of the

231
00:13:45,960 --> 00:13:50,680
problem individually. So that's one thing. And the other problem that we're solving

232
00:13:50,680 --> 00:13:56,280
is discoverability. So a lot of the time it's pretty hard to find the specific query that

233
00:13:56,280 --> 00:14:01,000
you're looking for or the specific use case that you're looking for. And by having everything

234
00:14:01,000 --> 00:14:06,600
bundled into different solutions that are all published on a central location,

235
00:14:07,480 --> 00:14:13,480
which can be searched, filtered and sorted, you can actually increase your security score because

236
00:14:13,480 --> 00:14:19,080
you can see everything in front of you pretty easily. And also since we also like

237
00:14:20,120 --> 00:14:26,200
publish new solutions on almost a weekly basis, this will also increase your security score,

238
00:14:26,200 --> 00:14:32,600
obviously. So that brings me on to another question then. So you said that you're publishing new

239
00:14:32,600 --> 00:14:40,280
solutions maybe weekly, but what about updating solutions? So I know that say a customer has

240
00:14:40,280 --> 00:14:48,520
deployed a solution and then we release an update. Obviously, how does that work? Because this is

241
00:14:48,520 --> 00:14:53,720
something I know I've been asked by customers loads of times before. Like if you update it after I

242
00:14:53,720 --> 00:14:59,960
publish it, how am I going to know? What do I do? Because usually customers want to have the most

243
00:14:59,960 --> 00:15:05,800
up to date stuff. Yes. So when updating a solution, you can actually see it in Content Hub. One of

244
00:15:05,800 --> 00:15:11,320
our views, one of the most important views is for you to be able to see all the solutions that you've

245
00:15:11,320 --> 00:15:16,920
already installed. And you can see a marker of whether it's updated or not, whether there's a new

246
00:15:16,920 --> 00:15:23,000
version available or not. And if there is, you just need to click a button, just click on update

247
00:15:23,000 --> 00:15:28,760
and it will update everything. We don't do automatic updates, do we? On content? No, that's

248
00:15:28,760 --> 00:15:33,560
that's yeah. Okay. So maybe I need to emphasize that we don't do automatic update, but you will be

249
00:15:33,560 --> 00:15:38,360
notified in the Content Hub page that you need to do an update. And then once you click on the

250
00:15:38,360 --> 00:15:44,360
update button, everything should work out of the box. Yeah, that's again, I know that I've heard

251
00:15:44,360 --> 00:15:49,080
this from customers because of course, if you're using something in production, you don't necessarily

252
00:15:49,080 --> 00:15:55,080
want to have it update automatically because you may need to go through a change window or whatever.

253
00:15:55,080 --> 00:16:02,520
But, Rui, do you know, because I know this will have changed over time, but of the current solutions

254
00:16:02,520 --> 00:16:08,120
we have in Content Hub, do you know which ones or could you give our listeners an idea of which

255
00:16:08,120 --> 00:16:15,720
ones are the most popular? So obviously, Log4j is still hitting the jackpot. Another solution that

256
00:16:15,720 --> 00:16:22,200
we see people using quite a lot and I also talked about it is Teams that takes team audit logs.

257
00:16:22,200 --> 00:16:28,120
We have a new solution that we see like also that is also in high demand is Azure activity

258
00:16:28,120 --> 00:16:33,160
that collects different activity logs from Azure such as role assignment operations and

259
00:16:33,160 --> 00:16:39,960
command executions on VMs. That is really cool. We also have Okta, which is an authentication

260
00:16:39,960 --> 00:16:46,440
provider, kind of like Active Directory. And we collect also activity logs, we also collect

261
00:16:47,640 --> 00:16:52,200
logs from there and generating rules according to that. But those are the solutions that I've

262
00:16:52,200 --> 00:16:56,840
found to be quite interesting that people are using. I don't think we've mentioned this,

263
00:16:56,840 --> 00:17:03,160
so I'll just ask the questions again for listeners. How much does Content Hub cost

264
00:17:03,880 --> 00:17:08,120
if you were going to use it and deploy it? It's free. What do you mean?

265
00:17:08,840 --> 00:17:14,920
That's what I mean. That's what I mean. Because I know that some similar products in,

266
00:17:15,720 --> 00:17:22,200
not Sentinel, but similar like marketplaces, whatever you want to call it, some of those cost

267
00:17:22,200 --> 00:17:27,960
money in other products. I just wanted to emphasize to everyone that using this part of Sentinel is

268
00:17:27,960 --> 00:17:34,760
free. There's no additional cost to it. You mentioned earlier, we talked about solutions,

269
00:17:34,760 --> 00:17:39,800
and you mentioned out of the box content. Actually, genuinely, I do not know the answer to this.

270
00:17:41,000 --> 00:17:45,400
What is the difference between a solution and out of the box content?

271
00:17:45,400 --> 00:17:52,120
So, solution actually contains several Sentinel content, as we've mentioned earlier. However,

272
00:17:52,760 --> 00:17:57,960
and this is something we actually launched to public preview a month ago, we also extended

273
00:17:57,960 --> 00:18:03,720
solutions to include not just let's call it the active Sentinel content, but also out of the box

274
00:18:03,720 --> 00:18:10,360
content. And you can think of out of the box content as a Sentinel content blueprint. And this

275
00:18:10,360 --> 00:18:16,120
is something that we've actually already supported in Sentinel, like in analytic rules, for instance.

276
00:18:16,120 --> 00:18:21,160
So, we have an analytic rule and an analytic rule template. So, let's take that as an example.

277
00:18:22,920 --> 00:18:29,800
An analytic rule template can contain actually a shared logic between several analytic rules. Then

278
00:18:29,800 --> 00:18:37,480
you can create an analytic rule based on this analytic rule template. So, let's say that I have an

279
00:18:37,480 --> 00:18:44,440
analytic rule template with a particular query. So, I can create an instance of an analytic rule

280
00:18:44,440 --> 00:18:51,480
out of it with a particular query interval and alert threshold. But then let's say that I want

281
00:18:51,480 --> 00:18:57,720
to create another rule based on it, but with a different interval and also a different threshold

282
00:18:57,720 --> 00:19:04,200
and put those as like two different alert rules. Then we can have a template that has the shared

283
00:19:04,200 --> 00:19:09,880
logic in one place. And whenever we want to update the query, for instance, we can do it over from

284
00:19:09,880 --> 00:19:16,840
the template. And then we can update the alert rule. Now, our idea was, after we've incorporated

285
00:19:16,840 --> 00:19:24,440
Content Hub, to incorporate those out of the box templates into a solution as well. So, we currently

286
00:19:24,440 --> 00:19:31,000
have this supported, and again, this is public preview for analytic rules, for workbooks. And this

287
00:19:31,000 --> 00:19:36,360
should make the entire update of solution easier. Because whenever you update the solution, if you

288
00:19:36,360 --> 00:19:41,320
had an active content, you probably messed around with it. You probably changed the content a little

289
00:19:41,320 --> 00:19:46,360
bit from the way it's handled in the marketplace. So, whenever you update it, you have to have some

290
00:19:46,360 --> 00:19:52,280
sort of merging logic. But if you're working with templates, you won't have that because the template

291
00:19:52,280 --> 00:20:00,040
is fixed. So, an update of a solution would be way more clean. However, after you've downloaded

292
00:20:00,040 --> 00:20:05,960
the out of the box content, you will have to update your active item. So, that's a distinction

293
00:20:05,960 --> 00:20:11,960
that we have to make. Okay, makes sense. Probably, at least it gives people some flexibility,

294
00:20:11,960 --> 00:20:18,760
right? And what they can do, maybe for more advanced users. That was a really good discussion.

295
00:20:18,760 --> 00:20:24,280
I certainly learned a couple of things. But before you go, Rui, one question we always ask our

296
00:20:24,280 --> 00:20:29,240
guests is, if you had one thought to leave our listeners with, what would it be? Okay, here's

297
00:20:29,240 --> 00:20:34,600
the thing. The solid idea of Content Hub is all about community. And we actually have a process

298
00:20:34,600 --> 00:20:40,760
of adding a new content as you like to our community. So, it would be available in Content Hub. So,

299
00:20:40,760 --> 00:20:44,760
in case you are a security expert or you find something that you think other people in the

300
00:20:44,760 --> 00:20:51,320
security community might be interested in, then by all means, go to our Github. I'll publish the

301
00:20:51,320 --> 00:20:58,520
link someplace. If you'll just give me someplace to publish it. And I really encourage everyone

302
00:20:58,520 --> 00:21:03,960
that listens and has a passion for security to just be a part of our thriving community and

303
00:21:04,680 --> 00:21:10,040
contribute. You just need to add your resources to our Github repository or part of your solution.

304
00:21:11,160 --> 00:21:15,320
We'll have a quick authoring process. And then you're basically in.

305
00:21:16,440 --> 00:21:20,840
Well, with that, let's bring the podcast to an end. Rui, thank you so much for joining us this

306
00:21:20,840 --> 00:21:25,800
week. Again, I really appreciate you taking the time. I know that you guys are always very busy.

307
00:21:25,800 --> 00:21:29,480
And to all our listeners out there, thank you so much for listening. I hope you found this

308
00:21:29,480 --> 00:21:35,080
podcast of interest. Stay safe and we'll see you next time. Thanks for listening to the Azure

309
00:21:35,080 --> 00:21:42,360
Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net.

310
00:21:43,320 --> 00:21:47,080
If you have any questions, please find us on Twitter at AzureSecPod.

311
00:21:47,080 --> 00:22:00,200
Background music is from ccmixter.com and licensed under the Creative Commons license.

