Things from Me
Happy Friday, everyone!
Thanks so much for continuing to hang around and read this newsletter every week. It’s amazing to me how the Microsoft Security community continues to grow, but also how relevant this newsletter continues to be. The newsletter was originally created just to help customers get a grasp on new features and product enhancements that are constantly released at a blistering pace due to the accelerated development cycles. Turn your head for a minute and sometimes entire feature sets change places.
I also wanted to continually capture the great work of the community. That’s been a strong component and a great indicator of how much this community grows. In the beginning, it was me and a couple others that were delivering knowledge through producing Microsoft Security content. So, it’s so great to see so many others spreading their knowledge freely to the masses.
I don’t have a lot more to share this week, other than that the next few weeks will be super busy with travel. On Sunday, I make my way to MMS Miami. I have a couple of sessions next week talking about securing AI and then using AI for security. Two sides of the coin, but both equally important. Without securing AI, how can you trust it to provide proper and accurate intelligence for your security operations? I’m really looking forward to the event and the sessions. And of course, it’s in Miami, Florida, so during the downtime I’ll hopefully be able to enjoy some beach time. The wife is traveling with me, so I expect she’ll spend much of the time on the beach or at the pool and constantly trying to pull me away from the conference festivities to soak in the local fare.
After MMS Miami, it’s on to Seattle for a couple of weeks. One week for team meetings, and the second week for Microsoft Ignite. My team has been working hard to ensure that the Security track for Microsoft Ignite outshines all the others. And I’m pretty sure we will accomplish that. Fingers crossed that the post-show reviews reflect that hard work.
Finally, just before the Christmas break, I’ll be headed to Houston to talk about AI and security once again. Details on that will be available the closer we get to December and the further we get from Microsoft Ignite.
Also this week, I put the cap on the Must Learn AI Security series. The final epilogue has been written. I’ve learned a lot writing this series and I hope those that have been following along have, too. So, what’s next for the Must Learn AI Security project?
The Must Learn AI Security series will continue. As more of our internal messaging is released publicly, the series will be updated to include extra tidbits.
But for now, and just like the Must Learn KQL version, the Must Learn AI Security eBook version will be reworked and developed into an actual book delivered through Amazon for wider distribution, so that it can be acquired as a physical copy. A workshop is also in the works that will be open sourced and provided for delivery by anyone. I'll also be taking the series on the road a bit.
That’s it from me for this week. I hope the week ahead is a good one.
Talk soon.
-Rod
Things that are Related
New CISA Stop Ransomware Guide - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) just released their updated #StopRansomware Guide with a number of new contributions from Microsoft, including a substantial section on hardening SMB and remote file services.
Service Endpoints vs Private Endpoints - For a long time, if you were using the multi-tenant, PaaS version of many Azure services, then you had to access them over the internet with no way to restrict access to just your resources. This restriction was primarily down to the complexity of implementing this sort of restriction with a multi-tenant service. At that time, the only way to get this sort of restriction was to look at using single-tenant solutions like App Service Environment or running the service yourself in a VM instead of using PaaS.
Things to Watch/Listen To
Things in Techcommunity
Microsoft Defender for endpoint generating its own malware? - I have been closely monitoring our alerts and incidents recently, and I've come across something rather puzzling. From the data, it appears as if Microsoft Defender might be generating its own malware. This seems counterintuitive and quite unexpected. Can this even be possible? I'd appreciate any insights or similar experiences from the team.
Is it possible to scan specific BOX accounts from Microsoft Defender? - As per the article below, I am able to connect BOX, and it has started scanning all my BOX accounts in Microsoft Defender for Cloud Apps. https://learn.microsoft.com/en-us/defender-cloud-apps/connect-box. I don't want to scan all my BOX accounts; I want only specific user accounts to be scanned. Please let me know if there is any option available for this.
Defender for Endpoint Things
Incident Response Part 3: Leveraging Live Response - This is it, the last part of the Incident Response series. In the past weeks, insight was given on how KQL can be used to perform incident response, even if the data is not ingested in Sentinel or Microsoft 365 Defender. Part three, the last part, discusses how you can leverage Live Response, which is available in Defender for Endpoint.
Announcing a streamlined device connectivity experience for Microsoft Defender for Endpoint - Deploying new security services can be an uphill battle. In the past, engineering teams looking to establish connectivity between endpoints and Defender for Endpoint services had to configure their firewalls and proxies using a more granular list of URLs. Some network devices required the use of static IPs to achieve the same goal. Once deployment was completed, the configured URLs needed to be maintained in case new services were introduced. To help simplify device connectivity and management, we are excited to announce a new method that streamlines the device connectivity and onboarding experience for Microsoft Defender for Endpoint, now available in public preview for Windows OS.
Defender Threat Intelligence Things
Chat with your Cyber Threat Intelligence data with Azure OpenAI - I’ve been thinking about use cases for Infosec Professionals, and I found it valuable to envision a chatbot powered by Generative AI that could be used to engage in conversations with your Threat Intelligence data.
Microsoft Purview Things
Auditing Deletions of Exchange Online Public Folders - We are very glad to announce a new auditing feature added to Exchange Online public folders. The feature allows you to monitor and track public folder deletions in the organization.
Microsoft Entra Things
Microsoft Entra Identity Attack Threat Detection - This weekend, with the Okta support system being compromised, many corporations using Okta have started scrambling to check whether there were any unauthorized intrusions via the Okta support ID.
Delegate Azure role assignment management using conditions - We’re excited to share the public preview of delegating Azure role assignment management using conditions. This preview gives you the ability to enable others to assign Azure roles but add restrictions on the roles they can assign and who they can assign roles to.
HAR File Security - A HAR file is a recording of your current session & includes all web traffic including secrets & tokens.
Microsoft Global Secure Access: Empowering Secure and Seamless Connectivity - The way people conduct their work has undergone a transformation. Rather than adhering to conventional office setups, individuals now have the flexibility to work from virtually any location. As applications and data make their way to the cloud, there arises a need for a contemporary workforce to have a security infrastructure that is both identity-aware and cloud-based. This emerging category of network security solutions is referred to as Security Service Edge (SSE) which is a standalone subset of Secure Access Service Edge (SASE).
Windows Local Administrator Password Solution with Microsoft Entra ID now Generally Available! - Today we’re excited to announce the general availability of Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID and Microsoft Intune. This capability is available for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. It empowers every organization to protect and secure the local administrator account on Windows and mitigate Pass-the-Hash (PtH) and lateral traversal attacks.
Targeted Usage of the Cloud Management Gateway for Entra ID Devices - When allowing the usage of the Cloud Management Gateway in ConfigMgr, we assign the client setting Enable clients to use a cloud management gateway, which can be set in the Client Settings under Administration\Overview\Client Settings in the Cloud Service section. Note that we can also Allow access to cloud distribution point so clients can access content from the associated CDP.
Fun Thing This Week
Hey! I found my Halloween costume!