Microsoft Defender Weekly Wrap - Issue #13
Hi, all! Welcome to the revamped newsletter!
As I noted a couple of weeks back, this newsletter will now cover all Defender-branded content and will deliver weekly instead of bi-weekly. So, while this is issue #13 of this newsletter edition, you wouldn't be wrong if you reset the counter and started with #1.
As you'll see below, the content is organized by Defender service, and each title is tagged with what the item contains, i.e., whether it's a video, a blog post, an article, code, something new, or something else. I'm still working to improve as we go along, but these title "tags" should help.
As always, though, if you have suggestions and recommendations, I'm always open to those. Reach out to me over Twitter: @rodtrent
...
One big thing of note this week that I don't want anyone to miss is that we are Deprecating the legacy SIEM API. This could have monumental impact for those organizations not using Microsoft Sentinel but using other products like Splunk, ArcSight, or QRadar. Some of these have add-ons that have been updated to support the new API, but some have not. If you're using any of these tools, make sure you don't miss out.
...
It's been an awesome week here so far - well except for the grumblings of Spring. As I write this, we're expecting lots of rain and possible tornadoes this afternoon. I don't know about you, but I much prefer snow to the threat of bad weather.
I completed the Must Learn KQL series this week. Part 20 was posted on Thursday. Next steps are to push the series to the official Microsoft Docs and then a Learn module. And then, in March, the advanced series, Addicted to KQL, will commence. After developing and delivering the first series that started back in November 2021, I'll need a short break before digging into advanced topics.
Speaking of that, I'm asking for advanced KQL topics. The TOC that you see today...
...was built entirely based on request. If you have advanced areas of KQL that you're interested in, let me know.
That's it for this week. This newsletter will deliver every Friday from here on out.
Enjoy!
Things to Attend
Join us at the What’s Next in Security from Microsoft digital event on February 24 — techcommunity.microsoft.com Hi everyone! I hope you’ll join us at the What’s Next in Security from Microsoft digital event on February 24, 2022. Register now to get a
Things that are Related
BLOG: ‘Ice phishing’ on the blockchain - Microsoft Security Blog — www.microsoft.com The technologies that connect us are continually advancing, and while this brings tremendous new capabilities to users, it also opens new attack surfaces for adversaries and abusers. Social engineering represents a class of threats that has extended to virtually every technology that enables human connection. Our recent analysis of a phishing attack connected to the blockchain reaffirms the durability of these threats as well as the need for security fundamentals to be built into related future systems and frameworks.
VIDEO: Microsoft Azure AD Identity Protection Deep Dive — www.youtube.com A deep dive look at the Azure AD Premium P2 Identity Protection feature. What it is and how best to use it.
REFERENCE: Sentinel vs Advanced Hunting — github.com While both Microsoft Sentinel and Advanced Hunting leverage KQL, there are differences in schema in certain tables. For instance, TimeGenerated is used in Sentinel while Timestamp is used in Advanced Hunting. The below tables are designed to help you convert queries between the two products.
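As an added illustration of the schema difference the reference describes (this is example code written for this newsletter, not taken from the linked repository), here is the same hunt for a burst of built-in reconnaissance tools written once for each product. The table name and the other columns are the same in both; only the event-time column changes. The tool list, the 7-day window, the 1-hour bucket and the "three distinct tools" threshold are choices made here, and the third form assumes nothing beyond the two column names the reference calls out.

```kql
// Added example (not from the linked reference): the same reconnaissance hunt
// written per product. Table and columns are identical; only the event-time
// column differs. Tool list, 7-day window, 1-hour bucket and the threshold of
// three distinct tools per hour are choices made here.

// --- Microsoft 365 Defender Advanced Hunting: event time is Timestamp ---
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("whoami.exe", "net.exe", "net1.exe", "nltest.exe", "nslookup.exe", "quser.exe")
| summarize
    Tools = make_set(FileName),
    DistinctTools = dcount(FileName),
    SampleCommands = make_set(ProcessCommandLine, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, Hour = bin(Timestamp, 1h)
| where DistinctTools >= 3
| order by LastSeen desc

// --- Microsoft Sentinel: same table, event time is TimeGenerated ---
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in~ ("whoami.exe", "net.exe", "net1.exe", "nltest.exe", "nslookup.exe", "quser.exe")
| summarize
    Tools = make_set(FileName),
    DistinctTools = dcount(FileName),
    SampleCommands = make_set(ProcessCommandLine, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DeviceName, AccountName, Hour = bin(TimeGenerated, 1h)
| where DistinctTools >= 3
| order by LastSeen desc

// --- Portable form: resolve the time column at query time ---
// column_ifexists() yields the named column when the table has it and the
// fallback literal otherwise, so one query body runs in either product.
DeviceProcessEvents
| extend EventTime = coalesce(column_ifexists("TimeGenerated", datetime(null)),
                              column_ifexists("Timestamp", datetime(null)))
| where EventTime > ago(7d)
| where FileName in~ ("whoami.exe", "net.exe", "net1.exe", "nltest.exe", "nslookup.exe", "quser.exe")
| summarize DistinctTools = dcount(FileName), LastSeen = max(EventTime)
    by DeviceName, AccountName, Hour = bin(EventTime, 1h)
| where DistinctTools >= 3
| order by LastSeen desc
```

Paste one of the three queries at a time into the Advanced Hunting or Sentinel Logs blade (each is a complete query; the blank lines separate them). The portable form is handy when the same KQL is kept in one repository, as the Unified Sentinel and Microsoft 365 Defender repository mentioned later in this issue does, but when you convert a query into a Sentinel analytics rule, write it against TimeGenerated explicitly, since that is the column the rule's lookback window is applied to.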
Things in the News
Microsoft Defender will soon block Windows password theft — www.bleepingcomputer.com Microsoft is enabling the Attack Surface Reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" by default, blocking attempts to steal Windows credentials from the LSASS process.
Microsoft finally makes bypassing Defender scans harder by changing Exclusions permission - Neowin — www.neowin.net If you are wondering why this is such a big deal: when the exclusions list is visible to everyone, a threat actor could easily place a malicious payload inside one of those excluded folders and completely bypass Windows Defender scanning.
4 best practices to implement a comprehensive Zero Trust security approach - Microsoft Security Blog — www.microsoft.com Today’s threat actors don’t see barriers, they see opportunities. As the old firewalls protecting the corporate network become obsolete amid the rush to adopt a hybrid workspace, implementing Zero Trust security has become an imperative across all sectors, both public and private. During this time of unprecedented change, Microsoft Security is committed to helping you be fearless in pursuing your vision for growth and success.
Defender for Endpoint Things
NEW: The Splunk Add-on for Microsoft Security is now available - Microsoft Tech Community — techcommunity.microsoft.com We're happy to share that the Splunk-supported Add-on for Microsoft Security is now available. This Add-on builds on the Microsoft 365 Defender Add-on for
BLOG: Detect active network reconnaissance with Microsoft Defender for Endpoint - Microsoft Security Blog — www.microsoft.com Many of our customers have placed their trust in Microsoft Defender for Endpoint in order to help them protect, detect, and respond to threats that have emerged throughout this period of change. It is a diverse landscape that forces us to reconsider how we protect our most prized assets from borderless threat actors in IT environments that can no longer remain exclusively protected behind a network perimeter.
Defender for Cloud Things
BLOG: 7 steps to author, develop, and deploy custom recommendations for Windows using Guest Configuration - Microsoft Tech Community — techcommunity.microsoft.com While reviewing security recommendations under the ‘Implement security best practices’ control with a customer through the Microsoft Defender for Cloud
BLOG: Track your Secure Score over time in Azure — zimmergren.net Use Microsoft Defender for Cloud continuous export to enable tracking of the historical Secure score in your Azure subscriptions.
BLOG: Validating Alerts on Microsoft Defender for SQL on machines - Microsoft Tech Community — techcommunity.microsoft.com Introduction Microsoft Defender for SQL contains several plans: Microsoft Defender for Azure SQL database servers, Microsoft Defender for SQL servers on
BLOG: Custom assessments and standards in Microsoft Defender for Cloud for AWS workloads (Preview) - Microsoft Tech Community — techcommunity.microsoft.com Microsoft Defender for Cloud implements AWS security recommendations in the Defender for Cloud portal right alongside Azure recommendations. There are
NEW: Microsoft Defender for Cloud: General availability updates for January 2022 | Azure updates | Microsoft Azure — azure.microsoft.com New enhancements and updates released for general availability in Microsoft Defender for Cloud in January 2022.
NEW: Microsoft Defender for Cloud: Public preview updates for January 2022 | Azure updates | Microsoft Azure — azure.microsoft.com Public preview enhancements and updates released for Microsoft Defender for Cloud in January 2022.
NEW: Azure Resource Graph sample queries for Microsoft Defender for Cloud | Microsoft Docs — docs.microsoft.com Sample Azure Resource Graph queries for Microsoft Defender for Cloud showing use of resource types and tables to access Microsoft Defender for Cloud related resources and properties.
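As an added example (written for this newsletter, not copied from the linked docs page), two Azure Resource Graph queries against the securityresources table that Defender for Cloud populates: one reports the secure score per subscription, which is the same number the Secure Score tracking and workbook items in this section chart over time, and one lists the recommendations with the most unhealthy resources. The join to resourcecontainers for the subscription name, the rounding and the sort order are choices made here.

```kql
// Added example (not from the linked docs page): Azure Resource Graph queries
// over the securityresources table. Run them in the Resource Graph Explorer
// blade or with `az graph query -q "<query>"`. Ordering and rounding are
// choices made here.

// 1. Secure score per subscription. properties.score.current and
//    properties.score.max are the raw points; the subscription name comes
//    from a join to resourcecontainers.
securityresources
| where type == "microsoft.security/securescores"
| extend currentScore = todouble(properties.score.current),
         maxScore = todouble(properties.score.max)
| extend percentage = round(100 * currentScore / maxScore, 1)
| join kind=leftouter (
    resourcecontainers
    | where type == "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| project subscriptionName, subscriptionId, currentScore, maxScore, percentage
| order by percentage asc

// 2. Unhealthy assessments grouped by recommendation and severity, so the
//    recommendations with the most failing resources surface first.
securityresources
| where type == "microsoft.security/assessments"
| extend statusCode = tostring(properties.status.code),
         recommendation = tostring(properties.displayName),
         severity = tostring(properties.metadata.severity)
| where statusCode == "Unhealthy"
| summarize failingResources = count() by recommendation, severity
| order by failingResources desc
```

Resource Graph returns the current state only; to keep a history of the first query's output you still need the continuous export approach described in the Secure Score tracking post above, or a scheduled job that stores the results.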
VIDEO: Defender for Cloud in the field - Out of Band Edition — www.linkedin.com In this week's episode of #Defender for #Cloud in the field - Out of Band Edition, we have Tom Janetscheck sharing some tips to investigate alerts and Fernanda Vela is back with the Secure Score tip of the month!
CODE: Microsoft-Defender-for-Cloud/Workbooks/Secure Score Gamification at main · Azure/Microsoft-Defender-for-Cloud · GitHub — github.com Workbook that displays the Secure Score from Azure Defender across all subscriptions selected.
CODE: Microsoft-Defender-for-Cloud/Readme.md at main · Azure/Microsoft-Defender-for-Cloud · GitHub — github.com Block suspicious DNS activity - block outgoing IP addresses in an NSG in response to suspicious DNS activity on a virtual machine when a Defender for DNS alert is triggered.
Microsoft 365 Defender Things
NEW: The Unified Microsoft Sentinel and Microsoft 365 Defender Repository – Azure Cloud & AI Domain Blog — azurecloudai.blog As products and services continue to align, it's great to see movement in areas that provide pure value. The Microsoft Sentinel GitHub repository has now made room to house Microsoft 365 Defender hunting queries. KQL is the tie that binds these two security services, and because of that, hunting queries for Microsoft 365…
VIDEO: Secure Score | Microsoft 365 Defender — www.youtube.com In Microsoft 365 Defender, Secure Score assesses and measures your organization's security posture, or how well you're protected from threats, and then provi...
BLOG: Attack Simulation Training: RBAC and End User Notifications — practical365.com Attack Simulations are Microsoft’s foray into a crowded field of competitors who provide a service that trains users to recognize dangerous email with simulated Phishing or malware-infested messages. Microsoft has continually added features and functionality since they released Attack Simulations, including additional simulation types, different payloads, custom payloads, customizable training and more. The most recent upgrades are RBAC permissions and end user notifications. These two additions to Attack Simulation Training are a great incentive to deploy and adopt this functionality, as End User communications are the key enhancement that make this feature worthwhile for an organization.
Microsoft Defender for Office Things
NEW: Streamlining the submissions experience in Microsoft Defender for Office 365 - Microsoft Tech Community — techcommunity.microsoft.com We are excited to announce a streamlined submissions experience in the Microsoft 365 Defender portal https://security.microsoft.com which will make
BLOG: Helping users stay safe: Blocking internet macros by default in Office - Microsoft Tech Community — techcommunity.microsoft.com It’s a challenging time in software security; migration to the modern cloud, the largest number of remote workers ever, and a global pandemic impacting
GITHUB: darkquasar/AzureHunter: A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365 — github.com A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes.
Microsoft Defender for Identity Things
NEW: All Microsoft Defender for Identity features now available in the Microsoft 365 Defender portal - Microsoft Tech Community — techcommunity.microsoft.com Over the last few months, as part of our XDR journey, we’ve been working to make all Microsoft Defender for Identity features available in the Microsoft
WHITEPAPER: Zero Trust for the Microsoft identity platform developer — azure.microsoft.com Application developers play a key role in organizational security. Gone are the days when an application and its developers can assume that the network perimeter is secure. With work originating from anywhere on any device, applications need to be developed in a way that incorporates Zero Trust principles throughout the development cycle. A compromised application today can have an impact on the entire organization. Developing apps that incorporate the Zero Trust framework will increase security, reduce the blast radius of a security incident and help recover swiftly. This whitepaper first covers the Zero Trust model and how it impacts the work developers do. Then, it provides Zero Trust best practices that developers can follow when developing with the Microsoft identity platform.
Microsoft Defender for IoT Things
VIDEO: Secure your Intelligent Platforms with Azure Defender for IoT featuring Accenture Security — www.youtube.com
NEW: Micro-Agent Now Available for Public Preview for IoT Edge Devices - Microsoft Tech Community — techcommunity.microsoft.com While Microsoft Defender for IoT is well known to enable organizations to secure their IoT/OT environments it also provides an opportunity to device