Things from Me
Happy Friday everyone!
Welcome to the latest issue of the Microsoft Defender newsletter. In this issue, I want to make you all aware of celebrating the 20th anniversary of Cybersecurity Awareness Month, a global initiative that aims to raise awareness and educate people about the importance of cybersecurity. Cybersecurity Awareness Month was launched in 2003 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) to help individuals and organizations stay safe online. Since then, it has grown into a worldwide campaign that involves governments, businesses, nonprofits, academia, and individuals.
This year’s theme for Cybersecurity Awareness Month is “Do Your Part. #BeCyberSmart.” It emphasizes the role that everyone plays in protecting their own and others’ digital security and privacy. It also encourages people to learn and practice the key habits of cyber hygiene, such as using strong passwords, enabling multifactor authentication, updating software, avoiding phishing emails, and backing up data.
At Microsoft, we are proud to support Cybersecurity Awareness Month and share our vision, expertise, and resources to help secure our world together. We believe that cybersecurity is not only a technical challenge but also a human one. That’s why we are committed to empowering people with the knowledge, skills, and tools they need to protect themselves and their organizations from cyber threats. We also collaborate with our partners, customers, and communities to foster a culture of trust and responsibility in cyberspace.
This issue highlights some of the ways that Microsoft is helping you to do your part and be cyber smart. This issue will showcase some of our latest security solutions, such as Microsoft Defender for Cloud, Microsoft Entra ID Governance, and more. Look for best practices, tips, and resources for improving your security posture and resilience. I hope that you will find this issue informative and useful, and that you will join all of us in celebrating Cybersecurity Awareness Month.
Thank you for reading the Microsoft Defender newsletters. Stay tuned for more updates and insights from Microsoft Security. And remember: Do Your Part. #BeCyberSmart.
I’m also really excited to announce we'll be hosting some special guests next week on the Microsoft Security Insights show to help us celebrate Cybersecurity Awareness month!
Microsoft Security Insights Show Episode 175 - Celebrate Cybersecurity Awareness Month - Join us at 4pm EST on Wednesday, October 25th on your favorite streaming network:
…
Lastly, there’s a new update newsletter for Security Copilot. Sign up for email updates to stay up to date on what’s next with generative AI and Microsoft Security Copilot:
https://aka.ms/Security-AI-News
…
That’s all from me for this week. Thanks all!
Talk soon.
-Rod
Things to Attend
Entra Identity Governance | Deep Dive session 1 - Webinar date: 1 November 2023. Learn about:
HR Driven Provisioning: provisioning from an external non-directory authoritative system of record to Microsoft Entra ID, via HR-driven provisioning.
Lifecycle Workflows: utilize pre-defined workflows to automate the joiner, mover and leaver lifecycle processes. Extend these with the flexibility provided with Custom Extensions through Logic Apps.
Entitlement Management: manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration, for both your employees and non-employee users.
Entra Identity Governance | Deep Dive session 2 - Webinar date: 8 November 2023. Learn about:
Access Reviews: efficiently manage group memberships, access to enterprise applications, and role assignments.
Privileged Identity Management: Just-in-time and scheduled access, alerting, approval workflows for Entra ID roles and Azure Resource roles.
Auditing and Reporting: use the audit data for reporting, view in dashboards, or send to an external system.
Things that are Related
Microsoft Security Copilot Early Access Program: Harnessing generative AI to empower security teams - Today as we announce our Early Access Program is now open to qualified customers, we are adding important new capabilities:
A new Security Copilot experience embedded within our industry-leading extended detection and response (XDR) platform, Microsoft 365 Defender. This new embedded experience helps guide analysts directly with actionable recommendations—all from within a single unified experience.
Microsoft Defender Threat Intelligence is now included at no cost with Security Copilot. Defender Threat Intelligence enables customers to directly access, operate on, and integrate Microsoft’s finished threat intelligence, delivering a greater depth of insight to security teams.
Security Copilot with Microsoft Intune: Early Access Program - This blog highlights how including data from Microsoft Intune in Security Copilot will help revolutionize how customers can swiftly respond to security threats with full device context and strengthen enterprise security posture with AI-assisted insights and actions to manage devices simply and securely.
Operationalizing Microsoft Security Copilot to Reinvent SOC Productivity - Security Copilot provides expert guidance and helps analysts accelerate investigations to outmaneuver adversaries at scale. It is important to recognize that not all generative AI is the same: Security Copilot combines OpenAI with Microsoft’s security-specific model, trained on the largest breadth and diversity of security signals in the industry (over 65 trillion, to be precise). Security Copilot is built on the industry-transforming Azure OpenAI service and seamlessly embedded into the Microsoft 365 Defender analyst workflows for an intuitive experience.
Defender: Another explanation to identify privileged escalation in Azure - Kusto Query Language (KQL) script to identify privilege escalation in Azure. In Azure, privilege escalation often involves accounts with elevated privileges or roles. We’ll be looking for unusual or high-privilege activities.
Microsoft releasing a game changing feature? - The Microsoft Security Copilot feature may be the biggest change to security monitoring for some time.
Quish Me If You Can: Detect QR Code phishing emails in Exchange using computer vision - In this article, I will explore, for purely educational purposes, how computer vision can help to detect QR codes in email attachments using image classification or object detection. These are two common computer vision tasks that can be performed by various machine learning models. The post is accompanied with a proof-of-concept written in C# which can be adapted to your own (experimentation) needs.
Detect threats using Microsoft Graph Logs - Part 1 - When working with Microsoft Entra there are many log sources you can use to detect usage and changes to the environment and the assets within it. Most of them can be forwarded using the diagnostic settings to different targets for better analysis capabilities or long-term storage.
Things to Watch/Listen To
Things in Techcommunity
MDE-Management - I have 5 2016 servers which are on the domain, synced with Azure in hybrid mode. They have been added to Arc and onboarded. I've tagged them in Defender with the MDE-Management tag; however, they don’t show as managed by MDE with an enrollment status of success the same way the other 100 2016 servers do. These 5 just state: The device isn’t enrolled to MDE security settings management, verify it complies with pre-requisites and that it is in scope for the feature in the MDE Settings. All other 100+ servers are fine and working as they should, so I know it’s not the setup of Defender or something similar but something more server specific. What troubleshooting actions can be taken?
Can this be forced?
Acknowledge Quarantine release request via Mail - Hi Everyone, I want to send an acknowledgement mail with a custom message to the user who is requesting a quarantine mail release. I don't find any option; does anyone have any workaround?
Defender for Cloud Things
Predicting future attacks with Microsoft Defender for Cloud - In the evolving landscape of cloud security, preventing data breaches remains a top concern. Traditional security tools and general guidelines may offer some protection, but to genuinely fortify your defenses, you need a more advanced approach.
Microsoft Defender Cloud Now Supports CIS Azure Security Foundations Benchmark 2.0.0 - We are thrilled to announce that Microsoft Defender Cloud, in collaboration with the Center for Internet Security (CIS), now supports the latest CIS Azure Security Foundations Benchmark - version 2.0.0. This release also includes the new corresponding built-in policy initiative in the Azure Policy blade.
Defender for Endpoint Things
Known issue: Incorrect count for onboarded Microsoft Defender for Endpoint devices report - We were recently alerted to an issue where devices onboarded to Microsoft Defender for Endpoint are not properly reflected in the Microsoft Intune admin center report for devices with/without the Defender for Endpoint sensor. We've identified a bug that is causing incorrect counts for the number of devices onboarded to Defender for Endpoint and are working on a fix that is expected to be released later this year. The report is located under Endpoint security > Microsoft Defender for Endpoint and on the connector page.
365 Defender Things
How to Safeguard Against Phishing Attacks Using .onmicrosoft.com Domains - In recent weeks, I have noticed a significant uptick in the use of “.onmicrosoft.com” domains for phishing attempts. It seems that the attackers have been setting up multiple trial Microsoft 365 accounts, automatically activating Exchange Online. They are exploiting this as a temporary method to send out phishing emails.
Defender for Office Things
Authenticate Outbound Email to Improve Deliverability - Learn why email authentication is more important than ever for sending email from Microsoft 365 and Exchange Online Protection (EOP), and how to set up Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records to improve your email deliverability.
Microsoft Entra Things
Entra ID Audit Log To Microsoft Graph Request Uri - A list of Entra ID (Azure AD) Audit event names and the corresponding Microsoft Graph Request Uri.
Entra ID now enables you to receive emails in your preferred language - We have added logic to check multiple places for language information to make the best possible choice for what language we should send an email in, and these changes are now generally available for Privileged Identity Management, Access Reviews and Entitlement Management.
Common Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals - Microsoft recommends securing access to any Microsoft admin portals like Microsoft Entra, Microsoft 365, Exchange, and Azure. Using the Microsoft Admin Portals app organizations can control interactive access to Microsoft admin portals.
Automatically Exclude BreakGlass Group From Conditional Access - Having your break glass accounts be part of an exclusion group which is EXCLUDED from Conditional Access policy is a pivotal piece of your Zero Trust identity plane, for two simple reasons. It allows the identity team to regain access to a tenant if someone were to misconfigure a policy and break AuthZ/AuthN for the tenant, and it also covers the case where a threat actor has taken over and removed the exclusions from the policies. You are at the mercy of the recurrence interval, and I would suggest this run every 1-5m in corporate orgs.
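The reconciliation loop described above, as an added example that is not the linked post's own code: it takes the policy list in the JSON shape returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies, finds every policy whose conditions.users.excludeGroups no longer contains the break-glass group, and builds the PATCH body that restores it. The group ID and the sample policies are constructed placeholders, and the HTTP calls are left to whatever scheduled job runs this every few minutes.

```python
"""Keep a break-glass group excluded from every Conditional Access policy.

Operates on the conditionalAccessPolicy JSON shape from Microsoft Graph
(conditions.users.excludeGroups). Only the drift check and PATCH bodies are
computed here; sending GET/PATCH requests is the caller's job.
"""
import copy

# Constructed placeholder: object ID of the break-glass exclusion group.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-0000000000bg"

# Constructed sample: p1 is compliant, p2 had the exclusion removed,
# p3 (report-only) never had an excludeGroups list at all.
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": [BREAK_GLASS_GROUP_ID]}}},
    {"id": "p2", "displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}}},
    {"id": "p3", "displayName": "Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]


def find_drifted(policies, group_id=BREAK_GLASS_GROUP_ID):
    """Return the policies whose user conditions do not exclude the group."""
    drifted = []
    for policy in policies:
        excluded = policy.get("conditions", {}).get("users", {}).get("excludeGroups") or []
        if group_id not in excluded:
            drifted.append(policy)
    return drifted


def build_patch(policy, group_id=BREAK_GLASS_GROUP_ID):
    """Build the PATCH body that re-adds the exclusion.

    The existing include/exclude lists are copied into the body so that
    restoring the break-glass exclusion does not drop any other condition.
    """
    users = copy.deepcopy(policy.get("conditions", {}).get("users", {}))
    users["excludeGroups"] = sorted(set(users.get("excludeGroups") or []) | {group_id})
    return {"conditions": {"users": users}}


def reconcile(policies, group_id=BREAK_GLASS_GROUP_ID):
    """Map policy id -> PATCH body for every policy that lost the exclusion."""
    return {p["id"]: build_patch(p, group_id) for p in find_drifted(policies, group_id)}


if __name__ == "__main__":
    for pid, body in reconcile(SAMPLE_POLICIES).items():
        print(f"PATCH /identity/conditionalAccess/policies/{pid}", body)
```

An empty result from reconcile() is the healthy state; a non-empty one is also worth alerting on, since a removed break-glass exclusion is exactly the tampering the post warns about.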
Fun Thing This Week
Fun and useful!
Decode.tax - Use AI to find savings for your tax returns.