Hey, how are you doing? I'm good. Okay. There's a partner. He's your home defender. He's my co-presenter, right? Yes. No, I'm good. I'm super excited about what was just delivered the last two days. Amazing how we turned all of this into watch events and now we can't get enough. So let's do this and do a post-it night show. We were supposed to have Anthony also join us and say a few words to start this very special edition of AZ Update. I'm normally behind the scene, but today I am on camera with you. Anthony suddenly dropped due to some technical issues, so we don't know. Maybe he needs help from Patch, Switch, or Steve, the audio guy. In any case, let's do it when he comes in, he comes in, whatever. As long as he does his next segment. So maybe you had just forgotten to put the jacket on. Maybe not. No, no. So I know you're talking about security. I think Patch and Switch got in again. My laptop completely froze and all these logos of Patch and Switch showed up on the screen and I'm like, what's going on? So I had to reboot and my Defender kicked in and cleared it all out, which is awesome. And we're back up and running. So I apologize. We have a nice transition to Defender. There you go. All right. So I'll let you guys take it away. I apologize for interrupting. Okay. So I will be completely serious here that I have not been concentrating or looking at Defender or Microsoft Threat Protection in pretty much any way, because we've got Oren Thomas on our team, who kind of specializes in the security part, cyber security, and is actually doing his doctorate in cyber security. So I've kind of left that because there's enough in Azure for all of us to cover. So take me through it. What's Microsoft Threat Protection? What's the value prop and educate me? Of course. So first of all, yes, there is a lot of other tech going on. So I understand. So let's try to summarize this. So at Ignite, we announced our new rebranding. 
So entering a specific new market, which is the XDR market, we also aligned our products to this. So we have now Microsoft Defender, which is Microsoft's XDR solution. And it is composed of Microsoft 365 Defender, as well as Azure Defender. So those are also two new names. So Microsoft 365 Defender was formerly known as Microsoft Threat Protection, and Azure Defender was formerly the Cloud Workload Protection of Azure Security Center. So those two components now make Microsoft Defender. Is there a chart somewhere that shows the old products and the new names, so that we don't confuse everyone like I'm confused now? That is OK with you. And then I prepared that. Oh, OK. I didn't know, but that's a great lead-in, almost like we know what we're doing. So let me go and share this guy with you. So can you see this? Yes, we can. Wonderful. So this is kind of the entire Microsoft, or Threat Protection by Microsoft. So we have, of course, in the center of all of this is our AI machine learning fused by all the thousands of Microsoft's researchers that we have in our company. And then in order to help customers to be protected as well as prevent attacks in the first place, we have these two solutions. We have Azure Sentinel and we have Microsoft Defender. And I will go again into Microsoft Defender in a bit. But because of the full picture, I want to include Azure Sentinel. Azure Sentinel, which was announced, I think, maybe a year ago, or like no, earlier this year, I guess, at RSA, is our SIEM solution. It helps customers to get all the events and alerts into a single place. And even though this talk is not about Azure Sentinel, just quickly spend a minute and go into the details. So Azure Sentinel is a cloud native SIEM. It's not something that we built before on-premise and then ported it to the cloud. It was built for such a big scale, like lots of data, any data that you want. 
Of course, it has then all the machine learning AI to help to immediately get time to value and then also any data that you think of. It's like we have a lot of connectors. We even announced many more connectors now here at the Ignite conference. And it helps customers to do hunting and have a single place for Microsoft alerts, but also third party events, firewalls, routers, whatever is there. So and then Microsoft Defender, the XDR solution, helps to protect the identities, devices, data, infrastructure, apps and networks, and in detail, this is what it is. So we have a cross-domain protection. We used to have Microsoft Threat Protection and Azure Security Center and those are the new names. So if you look at what that is, that is a lot. So we have identities. We have cloud apps. We have data and email and all of this. And I want to go into the old name, new name that you asked for. We have announced also new names for all the individual pieces that are part of Microsoft 365 Defender. So we used to have Azure Advanced Threat Protection. It's now Microsoft Defender for Identity. Microsoft Defender ATP is now Microsoft Defender for Endpoint. And Microsoft, what was it? Office 365 ATP, I think there's a typo in the slide. Office 365 ATP is now Microsoft Defender for Office 365. Okay. So I'm not the only one that's confused. No. And it's still, you know, we just announced it a couple of days ago. It's very hard to really already speak the new name. So if I still say MD ATP, then it's MSDE, like Microsoft Defender for Endpoint. We'll put that into our own user directory and we'll make the switch. Yes, yes. And you will see, I mean, I'm hopping into a demo probably shortly. And you will see that, of course, also in the products themselves, it will take a while to reflect all the name changes. It's easier to do this on a marketing slide than actually in the code of all the individual products. Well, you mean it's not just a search and replace? No. 
I tried this in our internal Wiki and no, that didn't even work there. So, okay. So did this clarify a little bit about the names? Yes, absolutely. Wonderful. So, and now what is Microsoft 365 Defender, formerly known as Microsoft Threat Protection? It's our automated cross-domain security. What that means is, you know, if you look at the threat landscape today, we have many point solutions. We have something that helps customers to find, I don't know, a feature, like protect against phishing or spot user anomalies or endpoint activities. And then they get, because the tools are actually great, so they get more alerts and more signals and the customers are just struggling to put all of these pieces together. So with Microsoft 365 Defender, we actually do exactly that. We correlate events and alerts across those multiple domains and bring them into a nice incident, a nice story to tell customers what exactly happened. We also do automation across those domains. So if I see something suspicious on an endpoint and it was triggered by a user, I can go and clean the user in Microsoft Defender for Identity. So automation also goes and cleans up across those domains. You mentioned one word here that kind of stuck with me. Maybe it's my old ITIL background, but you mentioned incident. So does the system make a distinction between events, problems and incidents? So I think, yeah, so we make the distinction. So I think the tiniest item is an event that we pick up, that we collect from those individual sources. And individual events are being correlated with our tech in the background or on the client, and they turn, if this is something suspicious or malicious, into an alert. And then alerts are being now correlated amongst each other to then build an incident. And then an incident is something that a security persona should probably focus on. Open the incident and within the incident, there's all the individual alerts that belong to this one incident. Oh, perfect. 
And then if you go and investigate one alert a little bit deeper, you might actually end up going on an endpoint timeline or a user timeline. And then you actually see all the individual events that were around the timeline at the time when the alert was raised. So the system will help the security professionals in any enterprise to be able to follow the breadcrumbs instead of having to hunt all over a series of logs and events in order to just see what's relevant to this incident. Yeah. So why don't we just have a look at that? Perfect. So what you can see here is the list of incidents. And you can see various columns here. And one of the columns says alerts. You can see how many alerts are active and how many alerts are in there at all. So of course, this is a demo tenant and we turned off automation in multiple cases just so that we actually have something to see and to look at and not everything is clean. So what you also can see is there are, for instance, multiple alerts and from multiple entities. And this is what I was talking about. We have devices, we have users, we have mailboxes. And if I actually click on one of those incidents, you can see a nice summary. Let me actually make this a little smaller so that we can see something. So the summary gives you a great overview of, first of all, what are all the individual MITRE ATT&CK tactics that have been used in this specific incident? You can see the timeline. You can see the scope. It immediately tells you how big this incident is for your organization, how many devices, how many users, and how many mailboxes are part of this incident. And then you can go through the individual tabs that show you all the individual alerts and all the devices, and I will go over this in a moment. So but also because some of our customers, they might have only one solution that is part of the Microsoft 365 Defender solution, let's say they have Microsoft Defender for Office 365. 
We also invite those customers to come over to use the security.microsoft.com security center because they get all this extra value as well. So they also have incidents now. Even if they only contain Office alerts, it's still something that they don't have in there, let's call it Old World. And sometimes you might have an incident that is only if you have, let's say, a phishing campaign, a good one, meaning the attacker is really good. You have hundreds of alerts just because of one email. You have them all in one incident and you see the scope right away and you're not flooded with figuring out whether the other alerts are all in my tools. Yeah, because we keep telling the users: if you don't trust the source of the email, don't click. You did not win a Best Buy or an Amazon card; that just doesn't happen in email. But it's interesting to click on it anyways. I need to tell you a little quick side story here. So in order to onboard the devices to the service, you can of course do this with management tools like Microsoft Endpoint Manager, System Center Config Manager, but there's also a script that you can just double click for local, for smaller, usually POC environments. And a CISO once in one of my EBCs was saying like, oh, that's cool. So I will just send this via email to all of my employees and we are onboarded within five minutes because everybody is clicking on everything that they're getting. That was funny. It's not funny when they get hacked though, but I know, I know. So okay, back to this view. So we have all these individual alerts, like a list of alerts we have even here, you can see that there's two alerts that are again grouped. So we really help to narrate the story and make it as easy as possible to understand all the devices, users, mailboxes, and I want to move over to investigations. 
So investigations is another feature of Microsoft 365 Defender, which helps, as I mentioned before, to clean up the devices or the users or the mailboxes with any kind of malicious activity or evidence that's there. Of course, user meaning reset the password or turn on multi-factor authentication, these kinds of things, or devices, it's malware or some changes that one made in the registry. And automation comes in two flavors. It's semi-automated, which usually most of the customers start with, semi-automated, to see how everything works, and we investigate the incident and we provide a remediation package and then the security operator has to approve before the remediation is being done. Okay, so there is a human gate there to approve. Exactly, yes. And then there's also the fully automated, which is, it's done entirely automated. And of course, we give enough freedom and customization so you can put your endpoints in the group fully automated, but then you might have some servers that you put in the semi-automated or user groups and so on. So there is flexibility that then fits any organization's needs. Yeah, oh, so that's kind of cool. Yes, and we see more and more customers actually going into the fully automated because they don't want to wait for a human to first have to approve if you have some shit happening there on your end. Well, if the alert comes up, if the incident comes up, let's say on Friday night at 10 o'clock, you don't want to have to wait till Monday morning in order to address it. You just want it cleaned and the user accounts locked and changed. Exactly, and there is also, it's called the action center, where we log all the activities that have been done by the automation and you can go and revert something that you think wasn't the appropriate step to do. So everything that was found is in the evidence tab. You can see all the entity types, what was suspicious, what has been remediated, what is left and so on. All this in one thing, in an incident. 
One question about the evidence. Does it actually keep like a copy of the email that had the malware in it? Or does it just keep a link to it? How does that work? No, it's always in quarantine and everything can be reviewed by a real human in the end. And this is actually, usually when we talk about automation, I wanted to bring this in, and now that I mentioned humans. So automation is not just, oh, there is something suspicious, let's isolate the machine. This is really mimicking the ideal steps that a security analyst would do in order to remediate this, or investigate and then remediate the threat. There is a lot of intelligence and every time we get an answer, we might have a new question. So for instance, oh, how did this file get here? And it's like, oh, it was downloaded from this IP address. So who else accessed this IP address? Is this IP address associated with an activity group? What, and so on. There's tons of questions that we keep asking until we really clean this out. Okay, so there is really the wealth of the security center and the AI that collects all that information in our cybersecurity groups, that all that knowledge is kind of rolled into that tool. Yes, yes. So and today, if you click on individual alerts, you still go and you investigate those individual alerts and this eventually will collapse all into this one single portal. So another thing that I would like to show is advanced hunting. This is also a unique new capability for Microsoft Defender for Office 365 users going to this portal, as well as for Microsoft Defender for Identity. Microsoft Defender for Endpoint users, they already had advanced hunting before. So but now if they use the Microsoft 365 Defender portal, they can hunt across all those individual domains. So advanced hunting is a KQL query language. It's rich. You can now specify queries, for instance, hey, show me all devices that have some vulnerabilities not fixed and a user with admin rights has been logged in. 
So this is huge. This is rich. So I'm combining the user information with the device information to do my hunting. So you can see all the individual schemas. We have apps and identities. We have the email data, events, attachment info, delivery events, devices, threat and vulnerability data. And then because, you know, it's all about community, we have a GitHub repository where people upload their great queries that they think would be beneficial for other users. And I want to ask everyone who's watching and listening. So if you want to contribute, please do. The community is only as good as their members are. And then you can also, of course, save those queries and share them only with your team. So I am going to do a suggested MTP one, which is here, a logon after a malicious email was received. So see again, I'm combining endpoint logins with something that happened in an email. This is amazing, like hunting across those domains. And then I can run this query and wait and see that there is, I think there's one event that comes back in a moment. That is really cool because I remember back in my days, we were having to go through hunting all of those logs, you would find something and then you'd have to start over because you're looking at the second part of that equation, or like the user, oh, we got this, but who's accessed it? And then, but now you can do this all in one query. All in one query. And the beauty about these queries is also that you can now actually save them. That's what we already did, but also create a detection rule. So, okay, and in this case, some of the properties are missing. But what is a detection rule? A detection rule is turning my own threat intel or my own query into alerts or like detections, custom IOCs, custom indicators of compromise. So I can say next time, every time someone logs on after a malicious email was received, I want to have an alert. I don't want to go and hunt again manually with the query. 
I want to have an alert raised into my system. So this is amazing. So it grows with you as you discover things and as you set things up, that knowledge stays within the system and then it'll start telling you without you having to ask for the info. That's great. Yes. So we looked at incidents. We looked at automation. We are self-healing. We looked at advanced hunting. One thing that I think is also very unique to Microsoft is we not only help show you the incidents and give you automation. We also help you contain threats by integrating with Microsoft Endpoint Manager or Azure Active Directory when it comes to conditional access. You probably know this technology already for a little while, but if there is something malicious with a user suspicious, if there is something suspicious happening on an endpoint, we raise an alert. Right. And now the alert has a severity and the severity will also tell how risky this device is. And if the device has a high risk, you can say this device is not compliant anymore and this device cannot access corporate resources until the threat is gone. And because the alert was raised, the risk level was high, we do the automation, we clean the alert, we close the alert, then the risk level is set to low again and the user can access. So it should work in, I don't know, let's say 10 minutes, 15 minutes, that there was something suspicious. The user was, the threat was contained. The user could still be productive, not access corporate resources. The threat was remediated and then the user can keep working even with corporate data again. This is amazing. This is wonderful. I'm thinking, man, I wish I had another hour, but we have Anthony and his panel that are going to be joining in a minute or so. People want more information, where do they go? So I would say, let's go to aka.ms-ms365D, which is the product website and you will find additional resources over there. And then of course, follow me on Twitter at Heike Ritter. 
And there's always some new stuff that I'm sharing via my Twitter account. That's the two things. This is wonderful. And I'm so glad that we invited you again to cover this, because really, when I looked at your 15 minutes during Ignite, it gave me the, like, I want to know more about this. And now you've given me enough to understand what I don't know. You were just saying you want more time. I want more time, but now I'm going to take that time and actually go and try it out on my own and look at it in my test subscription and see what I can see, whether or not I'm vulnerable. Okay. Do this. Let me know. I probably am, because it's the test subscription. All right. Well, thank you so much, Heike, for spending the time with us. And I hope you have a great post Ignite. Hopefully an uneventful move to your new house. And thank you. Thanks for having me again. It was great to see you and Anthony. Thanks everyone for doing this. Thanks. Cheers. Thanks, Heike, for joining us.