How to visualise security and threat information in Microsoft Power BI
Want a custom security dashboard to bring together data from multiple places? Microsoft Power BI can do that and help you spot what’s changing.
The best way to think of Microsoft Power BI is as the next generation of Excel. And like Excel, it’s not just useful for business analysts and data engineers; IT pros can also take advantage of it for understanding large amounts of data. If the security tools you use don’t have dashboards and reports that help you quickly grasp what’s going on with your systems, you can build them yourself in Power BI — and you don’t need to be an expert in analytics to create something useful.
“With very little training, we have seen folks creating detailed and interactive reports that really help with compliance, audit, and security reporting,” Amir Netz, technical fellow and chief technology officer for Power BI, told TechRepublic.
Obviously, you can use Microsoft Power BI to monitor Power BI usage itself, using the Power BI Admin APIs to track who is accessing data and visualisations and to make sure it’s only the people you expect to have access to what might be critical or confidential business information (which role-based access and Microsoft Information Protection will ensure, as long as you’ve set them up). Monitoring user access permissions on Power BI workspaces and artifacts means the IT department can be confident it is meeting auditing and security requirements, Netz said.
That can apply to any critical enterprise assets, thanks to Power BI integration with Microsoft Cloud App Security and Microsoft 365 compliance tools. “Microsoft Cloud App Security enables organizations to monitor and control, in real time, risky Power BI sessions such as user access from unmanaged devices. Security administrators can define policies to control user actions, such as downloading reports with sensitive information. With Power BI’s MCAS integration, you can set monitoring policy and anomaly detection and augment Power BI user activity with the MCAS activity log.”
That would help you find patterns like a malicious insider who uses Power BI data to find the critical business systems to exfiltrate data from. “We provide raw audit log data that goes back 30 days via API and via the Microsoft 365 compliance center,” he said.
Custom security dashboards
You can also use Microsoft Power BI to bring together data from the many security tools most organizations use, which might cover different stages of an attack as well as the different systems attackers will be probing, like email, identity, endpoints, applications and so on.
A security information and event management (SIEM) system like Azure Sentinel will pull together that kind of information for you, but the advantage of Power BI is how easy it is to create exactly the right reports and visualisations for what’s important to you, along with AI-powered analytics that find and highlight anomalies and outliers in the data. With a never-ending to-do list, security teams are always busy and always looking for ways to prioritise what they should be working on.
There are Power BI content packs for various security tools, and several of Microsoft’s security tools have APIs so you can bring that information into Power BI. Microsoft Defender for Endpoint has APIs to access threat and vulnerability data for software inventory, software vulnerabilities and devices that have been detected as being misconfigured — which includes missing Windows security updates.
That way you can keep an eye on how many CVEs your organisation is exposed to, see how much new software is being installed across your organisation, get a priority list of exposed devices or look at which OS versions vulnerable devices are running — whatever metrics and issues you need to have at your fingertips.
Netz suggests using the Treemap visual to quickly see the comparative numbers of devices and issues, or even a simple bar chart that ranks various key measures. “They show you relative magnitude of impact from a glance. The Bing map visual can also be very effective in showing geo distribution of certain activities.” Add slicers to filter quickly to what you’re interested in, like by operating system, and the visuals will update to show just that data.
You might want a detailed report with a lot of visuals, or just some key figures you can check quickly on your phone. You can also set up alerts to your email address when data you’re tracking reaches a threshold.
The Microsoft Defender team runs a repository of useful Power BI Defender report templates that includes firewall, network, attack surface and threat management layouts.
If you have large numbers of devices, take the time to scope your queries to optimise them, so your Power BI reports don’t slow down because they’re pulling more data than you actually need. You can also choose between accessing JSON data or, if you have more than 100,000 devices being monitored, data files on Azure Storage.
You can pull a full snapshot or just the changes since you last pulled the data, depending on whether you want to look back at security data over time to see patterns and see if security policies you’ve introduced are making a difference or whether you’re looking for the same kind of real-time overview that Power BI can give you for IoT devices.
“Some customers are content with being in a more reactive position and examine daily/weekly snapshots, while others demand more real-time monitoring,” Netz said. Microsoft Power BI lets you pull together either kind of report quickly, when you need it.