Things from Me
Is it Friday already? My calendar says it is.
It’s been an interesting week after this past weekend’s time change to daylight saving time. For whatever reason, even with setting the clocks forward, I’m waking up even earlier. But then my body also says it’s still time to work when 5pm rolls around. So, my body clock is thoroughly confused.
So, yes, it does appear to be Friday and the weekend is definitely welcome. The wife and I have begun looking to move and we have a prospective house to walk through on Saturday just to start to get a sense of what is out there. The house seems good from the pictures, but it’s the area we’re most interested in. The house is in a neighborhood that’s only about 5 minutes from our grandboy. It’s amazing how your perspective and focus change when your own family starts having family of their own.
I don’t have a lot extra to share this week, just a reminder asking for your help if you have time for it.
MSI Show Satisfaction Survey - Please take a moment to participate here to let us know how we're doing for both the live and audio versions of the show and if you have feedback please let us know where we can improve. We take your feedback very seriously and are grateful for any time you can spend on this short survey: https://rodtrent.com/f4e
…
Lastly, in a couple of weeks, Javier Soriano (senior PM for Sentinel) and I will be delivering a Learn Live session on Microsoft Sentinel Hunting for our newest conference, Microsoft Secure. Learn Live sessions are awesome in that they are “live”, they are interactive, and if you attend you can ask questions and get immediate answers as we dig into the topics at hand. There’s plenty more than just Sentinel, too. I’ll also be participating as one of the moderators for the Enable and manage Microsoft Defender for Cloud session on April 12, 2023.
You can find all the Learn Live sessions for Microsoft Secure here: https://rodtrent.com/zpy
Talk soon.
-Rod
Things that are Related
DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit - Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.
Protect against cyberattacks with the new Azure Firewall Basic - Since public preview, we have seen a wide adoption of the Azure Firewall Basic. Customers stated the simplicity and ease of use of the Azure Firewall as one of the key benefits for choosing Azure Firewall Basic. We have also added the capability to deploy Azure Firewall inside a virtual hub in addition to a virtual network. This gives businesses the flexibility to choose the deployment option that best meets their needs.
Things to Attend
Join us at Microsoft Secure to discover the latest security solutions - Microsoft Secure is our first flagship event designed just for security professionals. On March 28, 2023, we will bring together security professionals from around the world to explore security information and event management (SIEM) and extended detection and response (XDR), threat intelligence, AI, data security, multicloud security, and more. In this one-day virtual event, you’ll be among the first to hear exciting product announcements from Microsoft leaders, gain insights into the state of security, and get interactive looks into Microsoft Security solutions with our product experts. Plus, there will be live Q&A in chat and Ask the Experts sessions where you can ask our team questions. Among our big announcements will be news on what an AI-powered future means for cybersecurity.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 144 - Ann Johnson, CVP SCI - In our third episode in the series for Women in Cybersecurity month, CVP at Microsoft SCI, Ann Johnson, joins us to chat about filling the skills gap in cybersecurity and how Artificial Intelligence (AI) is positioned to change this industry.
Things in Techcommunity
Azure AD Premium P1 features without AADP1 license assigned - I have noticed that our Azure AD tenant overview shows that we are using Azure AD Premium P1. However, we have never purchased Azure AD Premium P1 add-on licenses.
Microsoft Attack Simulation Test generating false positive clicks when a user forwards email - I ran a Microsoft Security phishing simulation test for users. Some users detected it as phishing and forwarded the emails to the helpdesk to review. It looks like Microsoft does its due diligence when an email is forwarded, and this generates an auto click or attachment opened condition, and the user is falsely assigned training as having clicked or opened the attachment in the email. Any fix for this?
Microsoft Security Tech Community Join the other 67,000 members of the Tech Community to ask questions to the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in product, and how you can implement it into your workflows.
Things to Have
Deploying Detections at Scale — Part 0x01 use-case format and automated validation - A question we get asked a lot is: “how do you manage and deploy such a collection at scale?” Because we want to support the infosec community we have decided to release our internally developed file format to store these detections, as well as our automated tools that can be used to manage and validate a repository of detections. If you are a frequent reader of our blogs, it might not come as a surprise that we focus on the Microsoft Sentinel and Microsoft 365 Defender platforms.
KQL : Azure AD Identity Protection & Detection - Azure AD Identity Protection is a cloud-based security service that helps organizations protect their identity infrastructure. It uses machine learning and threat intelligence to identify and mitigate risks related to identity and access. Some of its key features include risk-based conditional access, identity risk assessment, threat intelligence, and self-service password reset. It helps organizations to prevent identity-related attacks and improve the security of their identity infrastructure.
Things from Partners
Transform IT security and management with Microsoft and Tanium - Not long ago, I spoke with the CISO of a Tanium customer that had integrated hundreds of thousands of endpoints from an acquired organization. With so many endpoints involved, he initially felt daunted by the task, and for good reason. Discovering assets, assessing device compliance and vulnerability state, fixing gaps, merging active directories, and otherwise bringing assets under management in the context of a corporate merger is a lot to ask, let alone optimizing IT operations and user experience.
Defender for Cloud Things
BLOG: Microsoft Defender PoC Series – Defender CSPM - This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and Microsoft Defender plans, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.
VIDEO: Zero Trust and Defender for Cloud | Defender for Cloud in the Field #28 - In this episode of Defender for Cloud in the Field, Mekonnen Kassa joins Yuri Diogenes to discuss the importance of using Zero Trust. Mekonnen covers the principles of Zero Trust, the importance of switching your mindset to adopt this strategy, and how Defender for Cloud can help. Mekonnen also talks about best practices to get started, visibility and analytics as part of Zero Trust, and what tools can be leveraged for that.
365 Defender Things
NEW: Respond to threats in near real-time with custom detections - Today we are excited to announce the public preview of near real-time custom detections in Microsoft 365 Defender. This new frequency will allow you to respond to threats faster with automated responses and gain valuable time in stopping attacks and protecting your organization.
Defender for Identity Things
BLOG: Microsoft Defender for Identity Sensor Identification - Someone asked if I knew how to identify if a domain controller holds a Microsoft Defender for Identity sensor, remotely. It was an interesting question, so I took up the challenge. In this blog post, I will explain how I identified the presence of a Microsoft Defender for Identity sensor on a domain controller.
Microsoft Purview Things
Update March 14, 2023: The new configuration that disables the Azure Information Protection Add-in in Office has started rolling out.
Built-in labeling is now the default for Microsoft 365 Apps for Enterprise - Microsoft 365 Apps for Enterprise now disables the legacy Azure Information Protection (AIP) Add-in by default, starting in v2302. With this new configuration, the add-in is prevented from loading and Office instead switches to the built-in labeling client for most users, giving them drastic improvements in performance and reliability, new capabilities, and much more that is not available with the add-in. Customers who aren't ready to adopt the built-in labeling experience can opt out to continue using the AIP add-in for Office during its maintenance period. Stay up to date with this transition at our blog.
Defender for Office Things
VIDEO: Mastering Email Authentication and Slashing Overrides Pt. 1 | Virtual Ninja Training w/ Heike Ritter - Paul Newell shares the importance of using Microsoft Defender for Office 365 to implement email authentication practices. Find out how poor practices can cause false-positives, how overrides can cause false-negatives, and how standards can affect your organization’s incoming email.
VIDEO: Mastering Email Authentication and Slashing Overrides Pt. 2 | Virtual Ninja Training w/ Heike Ritter - Dive deeper into Microsoft Defender for Office 365 to better understand the complexities behind false-positives and false-negatives in email. Part 2 of this series outlines practices you can put in place now to prevent malicious, spam, or phishing emails in your environment.
Defender EASM Things
VIDEO: Introduction to Microsoft Defender External Attack Surface Management - An introduction to how to gain comprehensive visibility and insights into external-facing organizational assets and their digital footprint with Defender EASM.