March 5, 2024
Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we’ve made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we’ll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you’re lucky.
Introduction and Overview
This week was all about you! Yes you!
We currently have dedicated customer detection sprints that focus on bugs and requested detections.
New Detections
This update introduces several new detections, including:
Top Secret
If you know, you know. You were one of the completed custom detections. 😁
New Reports
This update introduces new global reports, including:
Microsoft 365: MFA Changes Against Users
As a report version of the detection released last week, this shows a 30 day view of all MFA options that have been changed. However you may notice that any changes initiated by an admin user will point to an Entra ServicePrincipal Accounts. These accounts can be correlated in the Entra portal, or with the report below.
Microsoft 365: User MFA Changes – By Admin – EventHub
This is like the one above but better! As a rule of thumb (at least currently, who knows with MS) EventHub can sometimes send significantly more data in the logs than other methods. This report will show you what Admin account changed what user MFA options in full.
