Microsoft Defender Weekly Wrap - Issue #25
Good Friday everyone! I trust you had a great week, but like me, are absolutely ready for the weekend.
This weekend will be busy for me, though. My first and only (so far) grandson turned 1 year old on Wednesday this past week. We're taking him on his first zoo trip on Saturday, and then there's a planned 1st birthday event on Sunday afternoon. So, yes, I'll be busy, but it will all be pure enjoyment.
I've spent the last few days digging out from being away last week speaking at a conference. It seems that it does not matter how attentive you are to normal work life while away at a conference, there's still plenty to catch up on when you return. So, most of my week was a frantic mess. But after a lot of hard work, I do finally feel like I'm back in a good place.
I'll be away again attending RSA in San Francisco during the first week of June, so I'll be doing this all over again in just a little while. If you're also attending RSA this year, please hit me up and let me know. I'd love to connect with you while I'm there.
Also, we're planning to have a big presence at RSAC this year. Microsoft will be on-hand for a pre-day security event - and you can attend! Check out the following link if you'll be coming to RSA and want to participate on Sunday.
Register to join: https://cda.ms/4gV
The agenda:
2:00 PM – 3:25 PM - Keynote “What’s next in Security”
3:25 PM – 4:10 PM - Innovation Break
4:10 PM – 5:55 PM - Breakout sessions and immersive experiences on topics including Zero Trust, Multi-cloud Security, Identity, and Threat Intelligence; hands-on Microsoft Immersion Experience: Secure Hybrid Cloud
6:00 PM – 9:00 PM - Evening Reception
...
This week I have a couple new surveys to highlight.
The first: Identifying Business-Critical Cloud Data Resources
Today, Microsoft Defender for Cloud includes the ability to discover and protect cloud data resources for both structured and unstructured data types using Defender for Storage and Defender for Databases.
Our goal is to identify the business-critical data resources, the ones holding the organization's most valuable data, so that security administrators can protect first what carries the greatest business impact.
We would appreciate your time and input on this short survey to ensure our product will align with your needs.
Survey link: https://cda.ms/4fD
Secondly...
Defender 365 to Sentinel Data Columns
I've seen and heard from our customers over the past many months looking for specific data columns that exist in Microsoft 365 Defender but not in the Sentinel tables. With all new tables now being available (https://cda.ms/4gp) you or your customers may find even more data columns they believe are missing.
I have a call coming up to discuss this. If you’d like to have those missing data columns reviewed, fill out the form below.
Survey link: https://cda.ms/4gw
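Before filling out the form, it helps to confirm which columns are actually present in your workspace rather than going from memory. The following is an added KQL example (not part of the original newsletter or the survey) that lists the schema Microsoft Sentinel currently exposes for one of the Microsoft 365 Defender tables and checks it against a list of columns you expect to find. The `Expected` list here is illustrative; replace it with the columns your queries depend on. Run the same `getschema` query in the Microsoft 365 Defender advanced hunting portal and compare the two outputs to see exactly which columns differ.

```kql
// Added example: compare the columns Sentinel exposes for DeviceEvents
// against the columns you expect from the Microsoft 365 Defender schema.
// 'Expected' is an illustrative list of DeviceEvents column names; swap in
// the ones your own detections rely on.
let Expected = dynamic([
    "Timestamp", "DeviceId", "DeviceName", "ActionType",
    "AdditionalFields", "InitiatingProcessSHA256", "ReportId"]);
DeviceEvents
| getschema                              // one row per column in this table
| summarize Present = make_set(ColumnName)
| extend Missing = set_difference(Expected, Present)   // expected but absent
| project Present, Missing
```

Any name that comes back under `Missing` is either not yet streamed by the connector or is a column Sentinel names differently; either way it is a concrete item to put on the form. To see the full column list with types (useful for spotting renamed or retyped columns), run `DeviceEvents | getschema | project ColumnName, ColumnType, ColumnOrdinal | order by ColumnOrdinal asc` in both portals and diff the results.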
...
Have a wonderful weekend and week ahead everyone!
Talk soon.
-Rod
Things that are Related
SC-100: Microsoft Cybersecurity Architect Gets a Learning Path - Azure Cloud & AI Domain Blog — azurecloudai.blog For those of us that took the SC-100 beta exam, there's a strong indicator today that the exam results could show up soon. That indicator is a new SC-100 Learn path. The Learn path is a set of modules that are repurposed from other exams, but it's a Learn path, nonetheless. The following is the
Microsoft security experts outline next steps after compromise recovery - Microsoft Security Blog — www.microsoft.com The Microsoft Compromise Recovery Security Practice (CRSP) is a worldwide team of cybersecurity experts operating in most countries, across both public and private organizations, with deep expertise to secure an environment post-security breach and to help you prevent a breach in the first place. As a specialist team within the wider Microsoft cybersecurity functions, we predominantly focus on reactive security projects for our customers.
Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders - Microsoft Security Blog — www.microsoft.com The MITRE Center for Threat-Informed Defense, Microsoft, and other industry partners collaborated on a project that created a repeatable methodology for developing a top MITRE ATT&CK® techniques list. The method aims to facilitate navigation of the ATT&CK framework, which could help new defenders focus on critical techniques relevant to their organization’s environment, and aid experienced defenders in prioritizing ATT&CK techniques according to their organization’s nee
LEARN: Gain insights from your data by using Kusto Query Language - Learn | Microsoft Docs — docs.microsoft.com Learn how to write advanced queries in Kusto Query Language (KQL) by using the aggregation functions, the render operator, and variables.
LEARN: Prepare for cloud security by using the Microsoft Cloud Adoption Framework for Azure - Learn | Microsoft Docs — docs.microsoft.com Security is a core consideration for all customers, in every environment. But moving to the cloud is a significant change that requires a shift in your security mindset and approach. The Cloud Adoption Framework provides guidance for this security journey by providing clarity for the processes, best practices, models, and experiences.
BLOG: Passwordless RDP with Windows Hello for Business - Microsoft Tech Community — techcommunity.microsoft.com Windows Hello for Business (WHfB) provides a password-less experience for users to log into their Windows 10 or 11 device. However, a challenge remains
VIDEO: KQL Cafe | Session 4 | Guest: Olaf Hartong | April 2022 — www.youtube.com Topics: 0:00 Welcome to KQL Cafe + Poll. What's new in KQL: 3:16 Microsoft 365 Defender Connector; 8:31 Extend Columns Microsoft Sentinel. Working with IOCs: 10:18 Bl...
Things in the News
QNET’s successful migration to end to end Microsoft Security Solution — www.youtube.com E-commerce presents a valuable target for cybercriminals, and global e-commerce company QNET recognized the need to adopt a more efficient and secure IT infr...
Building a safer world together with our partners—introducing Microsoft Security Experts - Microsoft Security Blog — www.microsoft.com Security Experts combines expert-trained technology with human-led services to help organizations achieve more secure, compliant, and productive outcomes.
Introducing Microsoft Security Experts — www.youtube.com Today Microsoft is announcing Microsoft Security Experts. Microsoft Security Experts is a line of managed security solutions that combine human-led services...
Microsoft Defender Experts for Hunting - Explainer — www.youtube.com Microsoft Defender Experts for Hunting is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert-level monitoring and a...
DGS Law raises the security bar and levels the playing field with Microsoft Defender Experts — www.youtube.com DGS Law proves that dispensing stellar legal services isn’t tied to having a large employee count, even though their medium-sized law firm is held to the sam...
Bridgewater using Microsoft Defender Experts, heralding a new age in managed security services — www.youtube.com Bridgewater Associates rose to the top of the financial space through a blend of innovation and proactive security strategy. It takes a global view, focusing...
Defender for Endpoint Things
KQL: DefenderKQL/CountofWindowsServers.txt at main · rod-trent/DefenderKQL · GitHub — github.com Getting the count of Windows Servers
NEW: Security Settings Management in Microsoft Defender for Endpoint is now generally available — techcommunity.microsoft.com Microsoft Defender for Endpoint's expanded configuration management capabilities are now generally available. Security Management for Microsoft Defender for Endpoint empowers security teams to configure devices with their desired security settings without needing to deploy and implement additional tools or infrastructure. Made possible with Microsoft Endpoint Manager, organizations have been able to manage antivirus, endpoint detection and response, and firewall policies from a single view for all enlisted devices.
NEW: Tamper Protection is now available on macOS — techcommunity.microsoft.com As we continue to invest in Microsoft Defender for Endpoint capabilities for macOS, we are thrilled to announce the public preview of Tamper Protection
BLOG: Microsoft Defender for Endpoint – The ultimate blog series for Windows (Intro) – P0 — jeffreyappel.nl This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details – including the most frequent questions asked by customers, focusing on the complete Windows platform. When it's a success, other platforms like iOS, Android, Linux, and macOS will follow.
BLOG: Device Inventory – The evolution of the endpoint view — techcommunity.microsoft.com Over the course of the last 12 months, we have released several new features within Microsoft Defender for Endpoint. This has enhanced the functionality of the solution and provided various key benefits to the security analysts who engage with this portal on a consistent basis.
Microsoft 365 Defender Things
BLOG: Detecting and Remediating Impossible Travel - Microsoft Tech Community — techcommunity.microsoft.com Overview “Impossible travel” is one of the most basic anomaly detections used to indicate that a user is compromised. The logic behind impossible travel
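The blog above covers the portal-side detection; if you also want to hunt for the same pattern yourself in Microsoft Sentinel, the following is an added KQL example (not taken from the linked post) that implements the core impossible-travel logic over the `SigninLogs` table: it pairs each successful sign-in with the same user's previous successful sign-in, computes the distance between the two geo-IP locations, and flags pairs whose implied speed is faster than a plane. The speed threshold and lookback window are assumptions you should tune; geo-IP data is approximate, and VPN egress or cloud-hosted clients will produce false positives, so treat hits as leads for investigation rather than confirmed compromise.

```kql
// Added example: impossible-travel hunt over Azure AD sign-ins in Sentinel.
// Assumptions: 900 km/h is roughly airliner speed; 7d lookback; geo
// coordinates come from the LocationDetails geo-IP enrichment.
let MaxSpeedKmh = 900.0;
let Lookback = 7d;
SigninLogs
| where TimeGenerated > ago(Lookback)
| where ResultType == "0"                        // successful sign-ins only
| extend Lat = toreal(LocationDetails.geoCoordinates.latitude),
         Lon = toreal(LocationDetails.geoCoordinates.longitude),
         City = tostring(LocationDetails.city),
         Country = tostring(LocationDetails.countryOrRegion)
| where isnotnull(Lat) and isnotnull(Lon)
| project TimeGenerated, UserPrincipalName, IPAddress, City, Country, Lat, Lon
| sort by UserPrincipalName asc, TimeGenerated asc   // serialize for prev()
| extend PrevUser    = prev(UserPrincipalName),
         PrevTime    = prev(TimeGenerated),
         PrevIP      = prev(IPAddress),
         PrevCity    = prev(City),
         PrevCountry = prev(Country),
         PrevLat     = prev(Lat),
         PrevLon     = prev(Lon)
| where PrevUser == UserPrincipalName             // only pair rows of the same user
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0
| extend Hours = (TimeGenerated - PrevTime) / 1h
| where Hours > 0                                  // avoid divide-by-zero on same-second events
| extend SpeedKmh = DistanceKm / Hours
| where SpeedKmh > MaxSpeedKmh
| project TimeGenerated, UserPrincipalName,
          PrevTime, PrevCity, PrevCountry, PrevIP,
          City, Country, IPAddress,
          DistanceKm = round(DistanceKm, 1), Hours = round(Hours, 2), SpeedKmh = round(SpeedKmh, 0)
| order by SpeedKmh desc
```

Two design choices worth noting: the query drops sign-ins with no coordinates rather than defaulting them to 0,0, which would otherwise generate bogus trans-oceanic hops, and it only compares a sign-in with the immediately preceding one, which is cheap but can miss an attacker who interleaves with the legitimate user; a windowed comparison over the last N sign-ins is the natural extension if that matters in your environment.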
DOCS: Security baselines assessment | Microsoft Docs — docs.microsoft.com Instead of running never-ending compliance scans, security baselines assessment helps you to continuously and effortlessly monitor your organization's security baselines compliance and identify changes in real time.
DOCS: Browser extensions assessment | Microsoft Docs — docs.microsoft.com A browser extension is a small software application that adds functionality to a web browser. Visibility into the browser extensions installed can help you ensure the safe usage of extensions in your organization.
DOCS: Certificate inventory | Microsoft Docs — docs.microsoft.com Certificates can be used in multiple ways, including: being part of the TLS/SSL protocol; user certificates used for VPN client authentication, document signing, email encryption and email signing; and providing data encryption and authentication to ensure the secure transfer of information within your network and over the internet.
DOCS: Network share configuration assessment | Microsoft Docs — docs.microsoft.com The ability to share files and folders over a network allows users to provide access to resources like files, documents, and media to other people on the network. As network shares can be easily accessed by network users, some common weaknesses exist that can cause network shares to be vulnerable.
DOCS: Block vulnerable applications | Microsoft Docs The block action is intended to block all installed vulnerable versions of the application in your organization from running. For example, if there is an active zero-day vulnerability you can block your users from running the affected software while you determine work-around options.
NEW: Closer integration between Microsoft Sentinel and Microsoft 365 Defender - Microsoft Tech Community — techcommunity.microsoft.com Over a year ago, we first announced the integration between Microsoft Sentinel and Microsoft 365 Defender as part of the Microsoft SIEM and XDR story.
BLOG: Email remediation actions now available in unified Action Center - Microsoft Tech Community — techcommunity.microsoft.com We are extremely happy to announce that all email related actions, taken automatically or manually by the security teams via the various Microsoft
BLOG: Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself - Microsoft Security Blog — www.microsoft.com In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more.
Defender for Identity Things
Detecting DnsHostName Spoofing with Microsoft Defender for Identity - Microsoft Tech Community — techcommunity.microsoft.com On May 10th 2022, Microsoft disclosed a severe vulnerability affecting Active Directory environments in all versions of Windows Server. The vulnerability
Defender for Cloud Apps Things
BLOG: Deep Diver – Defender for Cloud Apps Malware Detection in Office 365 Workloads – Sam's Corner — samilamppu.com Microsoft Defender for Cloud Apps (MDA) provides visibility for files and related activities from connected applications. With MDA & application integrations you can achieve the following file-related scenarios: monitor file activities; generate data management reports; governance actions for files based on MDA policies; Azure Information Protection integration - labeling & protecting of data. In this blog, I…
Defender for Business Things
DOCS: Compare security features in Microsoft 365 plans for small and medium-sized businesses | Microsoft Docs — docs.microsoft.com Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2. Defender for Business brings enterprise-grade capabilities of Defender for Endpoint to small and medium-sized businesses. The following table compares security features and capabilities in Defender for Business to the enterprise offerings, Microsoft Defender for Endpoint Plans 1 and 2.
Defender for Office Things
BLOG: Simplifying the Quarantine Experience - Part Two - Microsoft Tech Community — techcommunity.microsoft.com Managing false positives should be easy In the previous blog we talked about some of the key steps we took to make the quarantined experience simpler for
NEW: Introducing Additional Dynamic Tags in Attack Simulation Training - Microsoft Tech Community — techcommunity.microsoft.com Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates the design and deployment of an