Things from Me
Happy Friday everyone!
Welcome to the 2nd week of 2023. I was all set to say “Happy New Year” again, but I’m told that there are certain social criteria for when to stop saying that after the new year turns around. There are a couple of different schools of thought on it. One says you can say it to the people to whom you’ve not said it yet. Another says you stop saying it after the 2nd week of January.
In one of my favorite TV shows, Curb Your Enthusiasm, Larry David says three days is the max.
So, I’ll just play it safe and remove it from my vernacular for the remainder of the year.
…
If you’re new to this newsletter, you may not be aware that I co-host a popular show/podcast called the Microsoft Security Insights Show. The show runs live (video) every Wednesday evening at 5pm EST on Twitch and YouTube, and then the audio portion is available on all popular podcasting services the following Monday.
I want you all to be aware of some upcoming DO NOT MISS events.
On February 1, 2023, Ann Johnson, Corporate Vice President for Security, Compliance, & Identity @ Microsoft will be joining us. No registration necessary, just jump out to our YouTube channel and set a reminder: https://rodtrent.com/xvo
And, then on March 8, 2023 Vasu Jakkal, CVP at Microsoft SCI will be joining us. You can set a reminder for this one here: https://rodtrent.com/why
I have another one to announce (hopefully) next week, but I wanted to drop this information now so all of you can start planning.
…
The LinkedIn community groups for Sentinel, Defender, Intune, and Entra have become almost legendary for their membership, engagement, and traffic. LinkedIn has become one of the best places to deliver community because almost everyone who participates there is there for the same reasons. You can go and try to participate in places like Reddit or Discord but find that many people who go to those places just go to complain. LinkedIn has a very safe and professional environment, so community just works so much better there.
So, with the success of the other community groups, and more and more focus needed on data governance, risk, and compliance, I’m happy to announce that I’ve kicked off a new Microsoft Purview community group.
All are welcome! I hope to see you there.
…
Lastly, this is our second Substack issue after migrating from Revue. Not familiar with the migration story? See last issue for details.
As I continue to sort out the functions and features of Substack and get into a rhythm, I’m happy to hear from all of you about your experiences with the platform, the newsletter, and anything else you think would help make this resource a continuing success.
I’ll make it easy to start with a quick survey. What do you think so far?
…
That’s it from me for this week. Have a great weekend and week ahead!
Talk soon.
-Rod
Things to Attend
Go Beyond Data Protection with Microsoft Purview - Digital event - Secure your data with a multilayered defense. Tuesday, February 7, 2023, 9:00 AM – 10:15 AM Pacific Time (UTC-7).
Join the Entra Permissions Management Hackathon! - Come together virtually in an intense, fun-filled, month-long hackathon to develop and build solutions that make Entra Permissions Management easy to deploy and onboard. Your solution should bring extra visibility to the product and empower customer scenarios involving multicloud deployments.
Feb 1st - Microsoft Defender for Cloud Apps Webinar | Protect, Detect and Respond to malicious OAuth applications abusing cloud e-mail services
Microsoft Security disrupted an infrastructure that leverages Identity Provider and SaaS Email applications to abuse business brands and spread fraud to millions. Join us to learn how to protect and detect Azure AD and Exchange Online using Microsoft Defender for Cloud Apps.
Things that are Related
Cloud Adoption Security Review - Assess your Security Journey for Cloud Adoption. Receive actionable considerations to improve your security posture.
Unraveling the techniques of Mac ransomware - Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets. This is evident in the range of industries, systems, and platforms affected by ransomware attacks. Understanding how ransomware works across these systems and platforms is critical in protecting today’s hybrid device and work environments.
Four things you can do to make your environment safer in less than five minutes - As the new year approaches, we often make resolutions in our personal life – things we can do to make our lives better. Maybe it’s exercise, maybe it’s dry January or maybe you’re going to try to read a book a month. This year, I recommend that you make a resolution to improve the security where you work. The five items on this list will help you improve the security of your environment in less than five minutes each.
Common security policies for Microsoft 365 organizations - Organizations can take these policies as is or customize them to fit their needs. If possible, test your policies in a non-production environment before rolling out to your production users. Testing is critical to identify and communicate any possible effects to your users.
Things to Watch/Listen To
Tips for Internal Investigations While Maintaining Privacy - In this month’s episode of Uncovering Hidden Risks, we explore how schools can conduct internal investigations while maintaining the privacy and safety of students within the K-12 education system. Joining us as the episode guest is Randyll Newman, Supervisor of Student Data and Information Security for Prince William County Public Schools in Virginia. Randyll oversees the planning, operation, and management of security for the school division's network infrastructure, data, and student information systems. He also served 10 years as a police officer and detective in Fairfax County, Va., retiring from the United States Naval Reserves after serving 26 years.
Microsoft Security Insights Show Episode 135 - Nathan Swift, Security CSA at Microsoft - What's up with Nathan? Nathan has been working on some awesome security stuff since we last checked in. Join us as we catch up with all the Nathan awesomeness.
Things in Techcommunity
Microsoft Defender for Identity lab: Domain dominance playbook - In the last step, when you have injected the Kerberos ticket in the command prompt session and try to run a dir on the domain controller, I always get the same error message: "The system cannot contact a domain controller to service the authentication request. Please try again later." Has anyone gotten it to work?
Conditional Access Block Download policy matched but not redirected to *.mcas.ms - I'm trying to block file downloads from the Teams Web Client with Conditional Access. It seems that there is a match to the policy in the Sign-in logs; it shows Session Controls "Enforced", but the Teams Web Client did not redirect to *.mcas.ms.
Things from Partners
Difenda Recognized with Microsoft Verified Managed XDR Solution Status - Difenda today announced it has achieved Microsoft verified Managed Extended Detection and Response (MXDR) solution status. By achieving this status, Difenda has proven their robust MXDR services including a Security Operation Center (SOC) with 24/7/365 proactive hunting, monitoring, and response capabilities all built on tight integrations with the Microsoft Security platform. This solution combines expert-trained technology with human-led services and has been verified by Microsoft engineers.
Things to Have
PersistenceSniper - a PowerShell module that Blue Teams, Incident Responders and System Administrators can use to hunt for persistence mechanisms implanted on Windows machines.
Report_by_Devicegroup - KQL to report anything by device group, calculating a factor per device in the device group.
Create-MDEDeviceTagArc - This Logic App can be set to run daily or weekly. On its scheduled trigger it matches the Arc-connected server name in Azure to the MDE device name and sets a defined MDE device tag on the server in MDE. This can help with reporting in the MDE portal, and the MDE tag can also be tied to a device group so you can separate permissions to servers and set Automated Investigation & Remediation (AIR) to None, Semi, or Full for the servers onboarded to MDE from Defender for Servers P1/P2.
Create-MDEDeviceTagAzure - This Logic App can be set to run daily or weekly. On its scheduled trigger it matches Azure VMs to MDE devices and sets a defined MDE device tag on the server in MDE. This can help with reporting in the MDE portal, and the MDE tag can also be tied to a device group so you can separate permissions to servers and set Automated Investigation & Remediation (AIR) to None, Semi, or Full for the servers onboarded to MDE from Defender for Servers P1/P2.
Sync-AzureVMTags-MDEDeviceTags - This Logic App can be set to run daily or weekly. On its scheduled trigger it matches Azure VMs to MDE devices and syncs the Azure VM tags to the MDE device tags on the server in MDE. This can help with reporting in the MDE portal, and the MDE tags can also be tied to a device group so you can separate permissions to servers and set Automated Investigation & Remediation (AIR) to None, Semi, or Full for the servers onboarded to MDE from Defender for Servers P1/P2.
Defender for Cloud Things
DOCS: Get-AzSecurityPricing - Gets the Azure Defender plans for a subscription in Azure Security Center.
VIDEO: Defender for Cloud in the Field #24: Enhancements in Defender for SQL Vulnerability Assessment - In this episode of Defender for Cloud in the Field, Catalin Esanu joins Yuri Diogenes to talk about the enhancements that were announced in Defender for SQL Vulnerability Assessment (VA) capability. Catalin explains how the new SQL VA Express changed to allow a frictionless onboarding experience and how it became easier to manage VA baselines. Catalin demonstrates how to enable this experience and how to customize the baseline with companion scripts.
VIDEO: Managing Microsoft Defender for Cloud as Code - Microsoft Defender for Cloud provides organizations with Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) capabilities for their Azure, multicloud and hybrid workloads. We know that programmatically deploying and managing Defender for Cloud is top of mind for both Microsoft partners and customers.
BLOG: What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud - This article provides guidance on important considerations for removing and re-creating security connectors in Microsoft Defender for Cloud. These security connectors store the configuration preferences that Defender for Cloud uses to access your AWS/GCP environment and provide security recommendations and alerts. There may be instances where you need to re-create the connector, such as following best practice guidance, connecting to a different Azure tenant, or storing connectors in different resource groups. I cover the process of re-creating the connector in more detail, including the creation of the connector, the deletion of the connector, and the re-creation of the connector.
*NEW*: Microsoft Defender for Cloud integration with Update management center is now in Public Preview! This integration enables monitoring and patching of missing security and critical updates, for both Linux and Windows, virtual and Arc machines, which have a crucial effect on the environment's security posture. This integration is intended to replace the former experience, which is based on MMA, thus removing the last dependency on MMA. Key features:
Gives visibility into all missing security patches, down to the granularity of a single patch.
Allows easy patching of machines using the “Fix” action, with control over the patching logic.
Does not require agent installation.
*NEW*: Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts - A machine connected to an AWS or GCP account and covered by Defender for Servers or Defender for SQL on machines is represented in Defender for Cloud as an Azure Arc machine. Until now, that machine wasn't deleted from the inventory when the machine was deleted from the AWS or GCP account. This left unnecessary Azure Arc resources in Defender for Cloud that represented deleted machines. Defender for Cloud will now automatically delete Azure Arc machines when those machines are deleted in the connected AWS or GCP account.
BLOG: Integrate Microsoft Defender for SQL servers with Azure Arc-enabled SQL Server (on Windows) using Hyper-V nested virtualization and ARM templates - The following Jumpstart scenario walks you through how to use the provided Azure ARM template to deploy an Azure VM running Windows Server, set up Hyper-V to support nested virtualization, and create a guest VM with SQL Server 2019 on Hyper-V to demonstrate Defender for Cloud for SQL servers on machines and generate alerts for SQL attacks. By the end of the guide, you will have an Azure VM JS-Client running Windows Server 2019 with Hyper-V and a nested Windows Server VM JS-Win-SQL-01 pre-configured with SQL Server 2019, projected as an Azure Arc-enabled SQL Server, with SQL assessment and Microsoft Defender for SQL servers on machines enabled.
Defender for Endpoint Things
BLOG: How to save $$$ by storing your Syslog and Defender for Endpoint long-term logs in Azure Data Explorer cluster using Azure Data Factory and Azure Storage Account export – while keeping Kusto query functionalities - This blog is about keeping long-term Sentinel logs, giving you insight into the options today, with great opportunities to save money.
BLOG: Disconnected environments, proxies and Microsoft Defender for Endpoint - Microsoft Defender for Endpoint is a multi-platform cloud-based endpoint protection product that comprises multiple capabilities and features. There are many moving parts that make up Defender for Endpoint, and many of these parts require network connectivity. Disconnected and air-gapped environments can pose a challenge to deploying and configuring Defender for Endpoint. When proxies are added into the mix, interesting things can happen.
BLOG: Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE - Traditional threat hunting does not scale in the MSP space, where you may need to manually log in to multiple different EDR consoles. That takes time, and that’s without taking into account the time to run the queries to get the data and the brainpower required to understand what’s normal in the environment. This also leads to analysts working in silos and not collaborating to the best of their ability on hypothesis and query development. I’ve found Jupyter notebooks a good way to fix these issues plus many more, especially within the MSP space; for me, Jupyter notebooks address the following issues.
BLOG: Introducing tamper protection for exclusions - Tamper protection is a feature of Microsoft Defender for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Microsoft Intune and Microsoft Defender for Endpoint integrate to allow enterprises to selectively enable and disable tamper protection in their environment.
365 Defender Things
BLOG: Protect your sensitive data against malicious apps - Protecting sensitive content is a top priority for security and compliance administrators across all organizations. With Microsoft Purview Information Protection, you have the ability to track and regulate user access to content with sensitivity labels. However, with the accelerated adoption of apps and the evolution of our threat landscape, administrators need to ensure that the same protection of sensitive content available to users is also available to the apps running in their organization.
Defender for Identity Things
VIDEO: Modern Identity powered by Azure - part 1: Modern Authentication with Microsoft Identity Platform - This is the first video in the series called Modern Identity powered by Azure. This first video discusses Azure identity services (Azure AD, Azure AD B2C CIAM, and Entra Verified ID) and introduces the Microsoft Identity Platform.
Defender for Cloud Apps Things
BLOG: Architect More Secure Cloud Apps - Protect against ransomware and other threats as you build new cloud-based services and migrate or modernize existing apps and services. Get guidance for where to start, with a free new assessment with security recommendations and a prioritized list tailored for your organization, apps, and services.
Microsoft Entra Things
BLOG: Microsoft Entra: 5 identity priorities for 2023 - As the first line of defense, identity has become the new battleground. This is evident from the huge volume of attacks that we intercept at Microsoft. For example, we prevent 1,287 password attacks every second, or more than 111 million a day. This past year, password breach replay attacks grew to 5.8 billion per month, while phishing attacks rose to 31 million per month and password spray attacks soared to five million per month.
Windows Defender Things
BLOG: How to Manage Microsoft Defender on Windows Server via Intune - As companies adopt Microsoft Defender, certain questions come from customers in terms of EPP management. These questions mostly focus on Microsoft Defender management on Windows Server. I’d like to touch on the different management options for different customer scenarios.