Things from Me
Happy Friday, everyone!
It’s been a weird week here at Trent Manor. We’re having our basement waterproofed this week by Everdry. The contractors started on Tuesday with a crew of about eight people. On Wednesday, they started breaking up the concrete in the basement which led to some interesting Teams meetings. The noise was less than I had imagined, but still debilitating just the same. We’re thoroughly impressed with the work and excited to see the work finished sometime on Friday. It’s been a massive undertaking, but if you remember my earlier discussions around rain, flooding, and our basement, you’ll understand that the effort has been necessary.
For those that are new to this community, you can catch up on that recent story in issue #69: Microsoft Defender Weekly Wrap - Issue #69 - by Rod Trent (substack.com)
This particular service is completely thorough. They do everything from excavation, to coating the walls and foundation with goo, to building a new irrigation system that sends everything underground (including downspouts) to the end of the property. It’s pretty fantastic. And, as we’re steadily working toward selling the house, the 25-year waterproofing warranty also applies to the next owners. We’re just crossing our fingers that our past flooding woes aren’t repeated in the next place. But I would do this again.
…
This week I spent some time moving the Must Learn KQL learning series content from its original blog system to Substack. Fortunately, I was smart enough when I started it to use GitHub as the central hub for the links so the changes I made this week won’t affect anything.
You can still find all the pertinent links and information at https://aka.ms/MustLearnKQL, but now, using Substack’s tagging system, the Must Learn KQL content has its own place on my blog right in the top menu.
All 20 chapters are stored there and in the proper order.
I made this effort because I’ve become concerned that the original location may not last since the owner was let go as part of the Microsoft layoffs earlier this year. I have no real knowledge of this, just a feeling.
…
That’s it from me for this week. I hope your weekend and week ahead are great.
Talk soon.
-Rod
Things that are Related
Understanding the Intricacies of AAD Sign-In Logs to Detect MFA Fatigue Attacks - It is not uncommon to observe complacency when securing digital identities: organizations mandate strong password requirements and enforce multifactor authentication (MFA). Then, if a user account’s credentials are compromised, the threat actor will be thwarted by MFA. Job done! Well, not quite.
Easy Way to Build KQL Query Templates for Azure Services - If you want KQL queries to monitor general Azure services, there’s actually a pretty easy, quick way to build them. This is not a hidden feature, by any means, but probably (for some of you) something that you’ve overlooked hundreds of times.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 155 - Ed Fisher - Come join us as we talk with Ed Fisher about all things Microsoft security.
Things in Techcommunity
Microsoft Defender for Server- Endpoint Protection Disable - I discovered that we can turn off endpoint protection in the Defender for Servers settings. My question is whether there are any alternatives to endpoint protection.
Licensing - Limit Defender for Identity to certain users - I have seen similar questions regarding licensing before, but not this one in particular. Right now I am working with a client who would like to use Defender for Identity, but only for a certain part of their organization. From what I can read in the Microsoft Documentation, this should be possible, as long as you take efforts to limit the use to those who have the proper license.
Things in the News
The global artificial intelligence (AI) in cybersecurity market size was evaluated at USD 17.4 billion in 2022 and is expected to hit around USD 102.78 billion by 2032 - The market for artificial intelligence in cybersecurity is also anticipated to grow during the forecast period as a result of the proliferation of 5G technology and the rising demand for cloud-based security solutions among small and medium-sized organizations. Artificial intelligence in cybersecurity is currently gaining popularity to secure information. Because end users are anticipated to embrace AI in cybersecurity to address security concerns and spot new types of assaults that can occur at any time, the market for artificial intelligence in cybersecurity is growing steadily.
Defender for Cloud Things
Agentless scanning now supports encrypted disks in AWS
Agentless scanning for VMs now supports processing of AWS instances with encrypted disks, using both customer-managed keys (CMK) and platform-managed keys (PMK).
This extended support increases coverage and visibility over your cloud estate without impacting your running workloads: encrypted disks are processed with the same zero-impact method already used for unencrypted instances.
For new customers enabling agentless scanning in AWS - encrypted disks coverage is built in and supported by default.
For existing customers that already have an AWS connector with agentless scanning enabled, you'll need to reapply the CloudFormation stack to your onboarded AWS accounts to update and add the new permissions that are required to process encrypted disks. The updated CloudFormation template includes new assignments that allow Defender for Cloud to process encrypted disks.
You can learn more about the permissions used to scan AWS instances.
Revised JIT (Just-In-Time) rule naming conventions in Defender for Cloud
We revised the JIT (Just-In-Time) rules to align with the Microsoft Defender for Cloud brand. We changed the naming conventions for Azure Firewall and NSG (Network Security Group) rules.
The changes (old name -> new name) are listed as follows:
JIT rule names (allow and deny) in NSG (Network Security Group): SecurityCenter-JITRule -> MicrosoftDefenderForCloud-JITRule
JIT rule descriptions in NSG: ASC JIT Network Access rule -> MDC JIT Network Access rule
JIT firewall rule collection names: ASC-JIT -> MDC-JIT
JIT firewall rule names: ASC-JIT -> MDC-JIT
Learn how to secure your management ports with Just-In-Time access.
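The rename matters to anyone whose automation or detection logic matched JIT rules by their old name, and JIT-created rules also need to be told apart from permanent NSG rules when auditing exposure of management ports. The following Python script is an added example, not Microsoft's code: it classifies NSG security rules by either naming generation (old ASC names or new MDC names, taken from the table above) and flags inbound Allow rules on SSH, RDP and WinRM ports that are not JIT-managed. The sample rules are constructed, matching is by name prefix (an assumption, since real JIT rule names carry a generated suffix), and the management-port list is the example's own choice.

```python
"""Audit NSG security rules: separate Defender for Cloud JIT-managed rules (either
naming generation) from permanent inbound exposure of management ports.

Added example. Sample rules are constructed; prefix matching is an assumption."""
from typing import Dict, List, Optional

# Old (ASC) and new (MDC) naming, from the Defender for Cloud rename table.
JIT_NAME_PREFIXES = {
    "SecurityCenter-JITRule": "legacy",
    "MicrosoftDefenderForCloud-JITRule": "current",
}
JIT_DESCRIPTIONS = {
    "ASC JIT Network Access rule": "legacy",
    "MDC JIT Network Access rule": "current",
}
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM HTTP/HTTPS (example's choice)


def jit_generation(rule: dict) -> Optional[str]:
    """Return 'legacy', 'current', or None when the rule is not JIT-managed."""
    name = rule.get("name", "")
    description = rule.get("properties", {}).get("description") or ""
    for prefix, generation in JIT_NAME_PREFIXES.items():
        if name.startswith(prefix):
            return generation
    for prefix, generation in JIT_DESCRIPTIONS.items():
        if description.startswith(prefix):
            return generation
    return None


def _port_in_spec(spec: str, port: int) -> bool:
    """NSG destination port specs are '*', a single port, or 'lo-hi'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def exposes_management_port(props: dict) -> bool:
    """True for an inbound Allow rule whose destination ports include a management port."""
    if props.get("direction") != "Inbound" or props.get("access") != "Allow":
        return False
    specs = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        specs.append(props["destinationPortRange"])
    return any(_port_in_spec(s, p) for s in specs for p in MANAGEMENT_PORTS)


def audit(rules: List[dict]) -> Dict[str, List[str]]:
    """Bucket rules by JIT generation; non-JIT rules exposing management ports are drift."""
    report: Dict[str, List[str]] = {"legacy_jit": [], "current_jit": [],
                                    "permanent_management_exposure": []}
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        generation = jit_generation(rule)
        if generation == "legacy":
            report["legacy_jit"].append(rule["name"])
        elif generation == "current":
            report["current_jit"].append(rule["name"])
        elif exposes_management_port(rule["properties"]):
            report["permanent_management_exposure"].append(rule["name"])
    return report


def _rule(name, priority, direction="Inbound", access="Allow", ports="*",
          source="*", description=""):
    """Build a constructed rule in the ARM securityRules shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access,
        "protocol": "Tcp", "sourceAddressPrefix": source, "sourcePortRange": "*",
        "destinationPortRange": ports, "description": description}}


# Constructed sample: two JIT rules (one per naming generation) plus manual rules.
SAMPLE_RULES = [
    _rule("MicrosoftDefenderForCloud-JITRule_1234_ABCD", 100, ports="3389",
          source="203.0.113.7", description="MDC JIT Network Access rule"),
    _rule("SecurityCenter-JITRule_5678_EFGH", 101, ports="22",
          source="198.51.100.9", description="ASC JIT Network Access rule"),
    _rule("AllowRDPAnywhere", 300, ports="3389"),
    _rule("AllowWinRMRange", 310, ports="5980-5990"),
    _rule("AllowHTTPS", 320, ports="443"),
    _rule("DenySSH", 330, access="Deny", ports="22"),
    _rule("AllowOutboundSSH", 340, direction="Outbound", ports="22"),
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_RULES).items():
        print(f"{bucket}: {names}")
```

Feed it the `securityRules` array from an exported NSG (for example the output of `az network nsg rule list`) and any name still listed under `legacy_jit` tells you which resources predate the rename; anything under `permanent_management_exposure` is a standing hole that JIT was meant to close.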
Defender for Endpoint Things
NEW: Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and does not change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.
365 Defender Things
BLOG: DMARCy MARC and the funky bunch - Microsoft published their May 2023 Cyber Signals report this week. They shared information about the surge in Business Email Compromise (BEC). If you can believe it, cybercriminals have created CaaS – cybercrime as a service – to make BEC attacks easier than ever. I’m not going to rehash the report. You can check it out here. But I thought it would be good to talk about one way to help mitigate these kinds of attacks. Implementing DMARC in your email environment is a fairly simple method to verify the person sending you the email is who they say they are.
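DMARC operates at the domain level: it checks that the domain in the visible From header is aligned with a domain that passed SPF or DKIM, then applies the policy the domain owner published in DNS, so it stops exact-domain spoofing rather than vouching for a person. The following Python evaluator is an added example, not code from the linked blog or from Microsoft; the DMARC record, domains and SPF/DKIM results are constructed, and the organizational-domain logic is a simplification that a real implementation replaces with the Public Suffix List.

```python
"""DMARC disposition for a single message (RFC 7489 semantics), on constructed inputs.

Added example. The record, domains and authentication results below are made up."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DmarcRecord:
    policy: str                                   # p=  none | quarantine | reject
    adkim: str = "r"                              # DKIM alignment: r (relaxed) | s (strict)
    aspf: str = "r"                               # SPF alignment:  r | s
    subdomain_policy: Optional[str] = None        # sp= ; falls back to p=
    rua: List[str] = field(default_factory=list)  # aggregate report URIs


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= (policy) is required")
    return DmarcRecord(
        policy=tags["p"].lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        subdomain_policy=tags.get("sp", "").lower() or None,
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def organizational_domain(domain: str) -> str:
    # Simplification: last two labels. Production code must use the Public Suffix
    # List, otherwise "evil.co.uk" and "bank.co.uk" would wrongly align.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Relaxed mode compares organizational domains; strict requires an exact match."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


def evaluate(record: DmarcRecord, record_domain: str, header_from: str,
             spf: Tuple[Optional[str], bool],
             dkim: Tuple[Optional[str], bool]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    spf  = (envelope MAIL FROM domain, passed?)
    dkim = (d= domain of a verified DKIM signature, passed?)
    A pass needs an authenticated identifier that is *aligned* with header_from;
    an attacker passing SPF/DKIM for their own domain does not help them.
    """
    spf_domain, spf_pass = spf
    dkim_domain, dkim_pass = dkim
    spf_ok = spf_pass and spf_domain is not None and aligned(header_from, spf_domain, record.aspf)
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(header_from, dkim_domain, record.adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= applies when the From domain is a subdomain of the domain that published the record.
    is_subdomain = header_from.lower() != record_domain.lower()
    policy = record.subdomain_policy if (is_subdomain and record.subdomain_policy) else record.policy
    return "fail", policy


# Constructed record for example.com: strict DKIM alignment, relaxed SPF alignment.
RECORD_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    rec = parse_dmarc(RECORD_TXT)
    # Legitimate mail: DKIM signed by example.com itself.
    print(evaluate(rec, "example.com", "example.com", (None, False), ("example.com", True)))
    # Spoof: From: example.com, but SPF and DKIM only pass for the attacker's own domain.
    print(evaluate(rec, "example.com", "example.com",
                   ("attacker.example.net", True), ("attacker.example.net", True)))
```

The second call is the BEC case the blog is about: the attacker's infrastructure can pass SPF and DKIM for a domain they control, but neither identifier aligns with the spoofed From domain, so the receiver applies example.com's p=reject. What DMARC cannot do is catch look-alike domains or a compromised legitimate mailbox, which still authenticate correctly.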
BLOG: ITDR with Microsoft: Identity threat-level detections and automatic attack disruption - At Microsoft, we see ITDR as the point where Identity and Access Management (IAM) meets Extended Detection and Response (.... The critical challenge organizations are faced with however, is in extending the necessary posture and protections across the entirety of their identity landscape. Modern Identity environments consist of multiple, often fragmented, components spanning on-premises infrastructure and the cloud. Leveraging our leadership and expertise in both Identity and Security, our goal has been to help our customers prevent, detect, and remediate identity-based attacks across their entire identity environment.
Defender for Identity Things
Defender for Identity release 2.204
Released May 29, 2023
New health alert for VPN (RADIUS) integration data ingestion failures. For more information, see Microsoft Defender for Identity sensor health alerts.
This version includes improvements and bug fixes for internal sensor infrastructure.
BLOG: XDR meets IAM: Comprehensive identity threat detection and response with Microsoft - At Microsoft, we see ITDR as an integrated partnership between two historically separate, but critically important, disciplines: identity and access management (IAM) and extended detection and response (XDR).
Microsoft Purview Things
GA: Microsoft Purview DevOps policies API is now public - Microsoft Purview DevOps policies are now generally available for two data sources: Azure SQL Database and SQL Server 2022 (Arc-enabled). You can also enroll in the private preview of DevOps policies for Azure SQL MI here.
GA: Microsoft Purview Data Loss Prevention (DLP) policies for Power BI are now generally available! - We’re excited to announce the general availability of Microsoft Purview’s DLP policies for Power BI. DLP policies help you automatically detect sensitive information managed in your Power BI tenant and take risk remediation actions, to help you comply with governmental or industry regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Defender for Office Things
NEW: Threat Explorer: UX enhancements, URL clicks tab and customizable export - We are thrilled to announce the release of the new Threat Explorer V3 by Microsoft Defender for Office 365, with an improved user experience for detecting and investigating potential threats in the email environment. This tool provides real-time insights and recommendations to security analysts, helping them identify and mitigate security risks quickly and effectively. With the new release, Threat Explorer V3 offers enhanced filtering of email security events, allowing administrators to proactively respond to potential threats and prevent security incidents from occurring. Additionally, the tool provides a comprehensive view of email-based attacks, URL clicks, and high-risk users, making it easier for security teams to investigate and respond to these threats in a timely manner.
Microsoft Entra Things
GA: Cross-Tenant Synchronization for seamless application access is now generally available! - Today I'm thrilled to announce that Cross-tenant synchronization is generally available! In the past, many of you spent significant time and money building custom scripts to provision accounts across tenants and enable cross-tenant collaboration. Since we launched public preview of cross-tenant sync in January, many of you quickly switched to the out of the box functionality and saved your companies both time and money. It’s amazing to hear how easy it has been to deploy cross-tenant synchronization!
GA: Microsoft Enterprise SSO for Apple Devices Is Now Available for Everyone - Today I’m excited to announce the General Availability of the Microsoft Enterprise SSO plug-in for Apple devices. This product provides single sign-on (SSO) for Azure Active Directory (Azure AD), now a part of Microsoft Entra, accounts on macOS, iOS, and iPadOS across all applications that support Apple's enterprise single sign-on feature. This includes older applications your organization depends on that don’t use the latest libraries or protocols and may not have access to the latest Microsoft Entra features.
GA: Conditional Access authentication strength is now Generally Available! - Greetings! I’m thrilled to announce that Conditional Access authentication strength is now generally available. This powerful feature allows organizations to choose the right authentication method requirements for specific scenarios, making it easier than ever for organizations to move towards more secure, modern, and strong authentication.
Fun Thing This Week
Have an interview coming up? Nail the interview, land your dream job with a custom-tailored mock interview with real-time feedback from ChatGPT.