Things from Me
Happy Friday everyone! I hope your week was a good one.
I’m looking forward to visiting my best friend in Ohio Amish country this weekend to celebrate his birthday. If you’re not familiar with Amish areas of the US, it’s a very different world. It’s a much more relaxed environment, so visiting is always good for us to decompress from normal life. Funny enough, except for the horse and buggy and standard Amish styles, the approach to life reminds me very much of Hawaii, where nothing is urgent and there are no emergencies. I can’t imagine, of course, the Amish wearing a Hawaiian shirt or hitting the beach, but they do have their own rituals. The Amish love their volleyball. This time of year, in near-100°F heat, you’ll often see full teams of Amish women wrapped in their long Amish dresses on a volleyball field serving, setting, and spiking with a competitive fervor for hours.
My friend and I always tend to get into something, so who knows what we’ll actually do this weekend. Last time we bought enough Tannerite to melt a small car, so we’ll probably focus on that once again. Our skill in this area needs some work as we were barely able to knock the top off a pumpkin or two.
On the way back we’re visiting my youngest son and his wife in Columbus, OH. His birthday is coming up next weekend, but he’s too busy to get together so we’ll celebrate early. Plus, it’s Father’s Day on Sunday and he said he has a gift for me. Long gone are the days of neckties and ashtrays, so Father’s Day gifts are much better than they were for my dad. But gift or not, I always look forward to being with my kids.
…
QUICK NEWSLETTER UPDATE: I mentioned a few newsletter issues ago that I’m planning to merge the Sentinel and Defender weekly newsletters. The necessity for this has become more and more evident, and the pathway to do so is becoming even clearer.
Based on the poll last issue, I was actually surprised to find that the large majority of you subscribe to both newsletters anyway. So, this next week I will be merging the subscriber lists for the newsletters and revamping the format a little to accommodate including Sentinel content in the Defender newsletter.
Next Friday, we will continue on together through this Defender edition. So, be prepared to welcome our comrades with open arms.
At 161 issues (just over 3 years) the Sentinel newsletter has served this community well. But change is constant, and change is good in this case. As we see more and more content directed toward the unified Defender experience with Microsoft Sentinel sitting prominently in that console, it makes a lot of sense to follow suit.
…
That’s it from me for this week. Have a great weekend!
Talk soon.
-Rod
Things to Attend
Call for speakers is live for Microsoft Purview and Defender Days 2024 - Microsoft Purview and Defender Days 2024 is a one-day virtual event organized by the Microsoft 365, Power Platform & Cloud Security India User group. While last year’s event focused only on Microsoft Purview, this year we’d like to focus on both Microsoft Purview and Microsoft Defender so that the goodness of both product suites can be covered in one single virtual event.
Things to Watch/Listen To
Things in Techcommunity
Managed installer errors for specific devices - We are trying to roll out Windows Defender Application Control (WDAC) to our devices; however, when we enabled the managed installer, it failed on some of the devices.
Defender for Endpoint API vs Website - I use the Defender for Endpoint API to tag some devices. This generally works fine. Now I have the following situation for some days now (so no "sync" problem)
Things to Have
Enrolled_Device_Health.kql - Lists the devices enrolled in Microsoft Intune and adds each device’s health score and compliance status, using the lookup operator to join the devices table with a table of device health data and a table of device compliance data on the device ID.
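As an added illustration of the lookup pattern that script description refers to (this is not the contents of Enrolled_Device_Health.kql, and every table and column name below is constructed for the example; the real Intune tables in your workspace will have different names), here is a self-contained query with inline sample data. It also shows the part a practitioner cares about: what happens when a device has no health or compliance row, which the default left-outer lookup silently leaves as null.

```kql
// Added example, not the Enrolled_Device_Health.kql file itself.
// All three tables are constructed inline with datatable() so the query runs
// in any Kusto environment; real Intune table/column names differ.
let AsOf = datetime(2024-06-14);   // fixed "now" so the sample is reproducible
let EnrolledDevices = datatable(DeviceId:string, DeviceName:string, OS:string, UserPrincipalName:string)
[
    "dev-0001", "LAPTOP-ALPHA", "Windows 11", "alice@contoso.example",
    "dev-0002", "LAPTOP-BRAVO", "Windows 10", "bob@contoso.example",
    "dev-0003", "MBP-CHARLIE",  "macOS 14",   "carol@contoso.example",
    "dev-0004", "LAPTOP-DELTA", "Windows 11", "dave@contoso.example"
];
// Health data: dev-0004 has no row, so the lookup must tolerate a miss.
let DeviceHealth = datatable(DeviceId:string, HealthScore:long, LastCheckIn:datetime)
[
    "dev-0001", 92, datetime(2024-06-13 08:15:00),
    "dev-0002", 41, datetime(2024-05-30 17:02:00),
    "dev-0003", 77, datetime(2024-06-12 21:40:00)
];
// Compliance data: dev-0003 has no row here.
let DeviceCompliance = datatable(DeviceId:string, ComplianceState:string)
[
    "dev-0001", "Compliant",
    "dev-0002", "NonCompliant",
    "dev-0004", "InGracePeriod"
];
EnrolledDevices
// lookup is a left-outer join by default: every enrolled device is kept and
// the small dimension tables are broadcast to the left side.
| lookup kind=leftouter DeviceHealth on DeviceId
| lookup kind=leftouter DeviceCompliance on DeviceId
// Make the misses explicit rather than leaving nulls for an analyst to trip over.
| extend HealthScore     = coalesce(HealthScore, long(-1)),
         ComplianceState = coalesce(ComplianceState, "NoComplianceRecord"),
         StaleCheckIn    = isnull(LastCheckIn) or LastCheckIn < AsOf - 7d
| project DeviceName, OS, UserPrincipalName, HealthScore, ComplianceState, LastCheckIn, StaleCheckIn
| order by HealthScore asc
```

In the sample output LAPTOP-DELTA surfaces with HealthScore -1, StaleCheckIn true and a real compliance state, while MBP-CHARLIE carries a score but "NoComplianceRecord"; a plain inner join would have dropped both, which is exactly the set of devices you most want to see in an enrollment-health report.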
Copilot for Security Things
Copilot for Security stuff now has its own bi-weekly newsletter!
Defender for Cloud Things
Copilot for Security in Defender for Cloud is now in public preview. And here are the docs you need:
Copilot for Security in Defender for Cloud (Preview) https://learn.microsoft.com/en-us/azure/defender-for-cloud/copilot-security-in-defender-for-cloud
Analyze recommendations with Copilot for Security: https://learn.microsoft.com/en-us/azure/defender-for-cloud/analyze-with-copilot
Summarize recommendations with Copilot for Security: https://learn.microsoft.com/en-us/azure/defender-for-cloud/summarize-with-copilot
Remediate code with Copilot for Security: https://learn.microsoft.com/en-us/azure/defender-for-cloud/remediate-code-with-copilot
Defender for Endpoint Things
Detect suspicious processes running on hidden desktops - Today we are excited to announce a new way to identify potentially compromised devices in your organization via the new ‘DesktopName’ field in Defender for Endpoint, which enables analysts to easily detect, investigate, and hunt for suspicious interactive processes executed on so-called ‘hidden desktops’.
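As an added hunting example (not a query from the announcement), the following assumes the new DesktopName column lives on the DeviceProcessEvents advanced-hunting table and that values carry the window-station prefix, e.g. WinSta0\Default for a normal interactive session; both are assumptions. The process events are constructed inline so the query runs stand-alone, and the hidden desktop name hdesk_7f3a is made up. Against a real tenant, swap SampleProcessEvents for DeviceProcessEvents.

```kql
// Added example. Sample events are constructed; replace SampleProcessEvents
// with DeviceProcessEvents in a real tenant (assumed to carry DesktopName).
let SampleProcessEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountName:string,
    FileName:string, ProcessCommandLine:string,
    InitiatingProcessFileName:string, DesktopName:string)
[
    datetime(2024-06-14 09:01:00), "WS-017", "alice",  "explorer.exe", "explorer.exe",           "userinit.exe", @"WinSta0\Default",
    datetime(2024-06-14 09:02:10), "WS-017", "alice",  "outlook.exe",  "outlook.exe",            "explorer.exe", @"WinSta0\Default",
    datetime(2024-06-14 09:30:00), "WS-017", "SYSTEM", "LogonUI.exe",  "LogonUI.exe /flags:0x0", "winlogon.exe", @"WinSta0\Winlogon",
    datetime(2024-06-14 11:12:44), "WS-042", "bob",    "explorer.exe", "explorer.exe",           "svchost.exe",  @"WinSta0\hdesk_7f3a",
    datetime(2024-06-14 11:12:50), "WS-042", "bob",    "chrome.exe",   "chrome.exe --no-sandbox", "explorer.exe", @"WinSta0\hdesk_7f3a",
    datetime(2024-06-14 11:13:05), "WS-042", "bob",    "cmd.exe",      "cmd.exe /c whoami",      "explorer.exe", @"WinSta0\hdesk_7f3a"
];
// Desktops Windows itself creates for an interactive session (assumed baseline;
// extend after reviewing what your own fleet reports).
let ExpectedDesktops = dynamic([@"WinSta0\Default", @"WinSta0\Winlogon", @"WinSta0\Disconnect"]);
SampleProcessEvents
| where isnotempty(DesktopName)
| where DesktopName !in~ (ExpectedDesktops)        // case-insensitive exclusion
| summarize FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp),
            ProcessCount = count(),
            Processes    = make_set(FileName),
            CommandLines = make_set(ProcessCommandLine),
            Parents      = make_set(InitiatingProcessFileName)
    by DeviceName, AccountName, DesktopName
| order by ProcessCount desc
```

Only the WS-042 rows survive the filter, grouped into one line per device/account/desktop with the process set and parent set attached, which is the shape an analyst wants for triage. Before turning this into a detection, run the summarize alone (without the exclusion) over a week of data: some kiosk, remote-support and automation products create their own desktops legitimately, and those names belong in ExpectedDesktops rather than in an alert queue.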
Defender XDR Things
Microsoft Defender for Cloud Apps’ Shadow IT Discovery Capabilities Now Support MacOS - The rapid growth of SaaS apps makes it challenging to gain visibility across the apps used in an organization’s environment. SaaS apps are often used without the awareness of IT departments, a phenomenon known as Shadow IT. Moreover, the swift adoption of generative AI apps introduces an additional layer of security complexity and risks. Organizations need effective app security solutions more than ever to ensure that employees only access approved and safe apps.
Microsoft Entra Things
Effective strategies for conducting Mass Password Resets during cybersecurity incidents - You're in the middle of a cyber incident, and you know certain accounts have been compromised, but you are not certain of the full extent of the Threat Actor’s impact. What do you do? Oftentimes, Microsoft Incident Response will recommend a mass password reset. This helps you regain control of your identity plane, deny other avenues of access, and disrupt any persistence the attacker may have established in your environment. However, and especially for larger organizations, navigating mass password resets can be a complex task. In this blog post, we'll discuss the practical challenges of performing a mass password reset, how to prepare to carry one out, and best practices in performing them.