Microsoft Defender Weekly Wrap - Issue #26
Good day all! Happy Friday!
I'm in steady preparation for the upcoming RSA conference. If you've not seen or heard yet, Microsoft will be at RSA in a big, big way.
If you're also attending, check out all the ways to connect with us: https://cda.ms/4jD
Incidentally, I'll be on-hand at the pre-day and at the booth in the expo and would love to connect with anyone attending. Let me know if you'll be there.
...
Next week, there are a couple of Defender-specific webinars that may be of interest:
May 24 - Microsoft Defender for IoT | Section 52 - Investigating Malicious Ladder Logic
May 26 - Microsoft Defender for Cloud | Azure Security Benchmark V3 Workbook
To register go here: https://cda.ms/4jF
...
The Must Learn KQL learning series is an unequivocal success, but more needs to be done. In a recent post I outlined the number of completion certificates I've handed out already, and while that number is wonderful, more people need to get the message about how important learning KQL really is.
So, the Must Learn KQL book is now available on Amazon!
Kindle version: https://amzn.to/3MyMOOS
Paperback: https://amzn.to/3sN8ajE
Hardcover: https://amzn.to/3yOAFRS
This gives it a much wider audience, and like everything that's part of this learning series, any and all profit goes directly to St. Jude Children's Research Hospital.
I owned and sold an eBook publishing company (NetImpress) back in 2004-2005, before even Amazon had devised its own eBook production methods. It was revolutionary at the time, and most of what our company did had to be invented. And while many of the things I learned through NetImpress are still valid and useful today, there are many aspects that have changed or just didn't exist then. Developing and delivering the Must Learn KQL series has been a pioneering experience in all the nuances of producing a learning series in this manner, and I suspect others will take notice and begin duplicating my efforts.
There are some other things to tweak, but I do know that I'll be doing it again with another series in the very near future. Stay tuned.
...
That's it for now. Have a wonderful weekend and week ahead.
Talk soon.
-Rod
Things to Attend
Registration: iboss and Microsoft Powering Zero Trust with Secure Resource Access
Join us for this event! June 1, 2022. 9:00 - 10:00 AM, PDT (16:00 – 17:00 UTC)
In this session you will learn:
How iboss and Microsoft are partnering together to power Zero Trust across users, resources, and devices.
How iboss integrations expand value across Microsoft's Identity, Security and Compliance portfolio.
How iboss helps protect Azure resources and improve the M365 user experience.
Webinar: Securing AWS with Microsoft
Webinar: Securing AWS with Microsoft - Wednesday, June 1, 2022 | 10:00 AM - 12:00 PM | (GMT-08:00) Pacific Time (US & Canada)
Things that are Related
Get started with Microsoft Learn for CMMC - Microsoft Tech Community — If you are part of the U.S. Department of Defense supply chain, you should be hearing more chatter about the Cybersecurity Maturity Model Certification
Must Learn KQL Now Available from Amazon - Azure Cloud & AI Domain Blog — azurecloudai.blog The Must Learn KQL series has been a success with over 700 completion certificates delivered so far and many thousands more who have gone through the course or still progressing through. I fully expect to see over 1,000 certificates delivered soon. And this has all been through just word of mouth and focused directly on
Microsoft Security Insights Show Ep. 98 - microsoftsecurityinsights on Twitch — www.twitch.tv
Among the many topics on Microsoft Security Insights we talked about Microsoft Federal and SLG and also about what Microsoft is doing to help service members skill into cybersecurity
Microsoft Defender for Containers - The Azure Security Podcast | Podcast on Spotify — open.spotify.com Listen to this episode from The Azure Security Podcast on Spotify. In this episode we talk to Shay Amar about Microsoft Defender for Containers, we go into the weeds in places! Also, Azure security news about Confidential Compute VMs, Azure Arc, Sentinel and Ransomware. Michael and Sarah also discuss their experiences with the AZ-500 exam refresh.
Sentinel vs Advanced Hunting — github.com
While both Microsoft Sentinel and Advanced Hunting leverage KQL, there are differences in schema in certain tables. For instance, TimeGenerated is used in Sentinel while Timestamp is used in Advanced Hunting.
Things from Partners
Kocho unveils Managed XDR service, empowering clients to detect and respond to complex cyber threats — kocho.co.uk Find out how Kocho's new Managed Extended Detection and Response (XDR) service will enable organisations to detect and prevent threats, fast.
Vectra AI recognized as a Microsoft Security Excellence Awards finalist for Security ISV of the Year — PRNewswire: Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced that the company has...
Things in the News
Government of Nunavut comes back stronger after ransomware attack with Microsoft security solutions — www.youtube.com When a ransomware attack shut down computer systems at the Government of Nunavut, Canada’s largest and northernmost territory, the IT team responded with a w...
Defender for Cloud Things
VIDEO: Defender for Cloud in the Field - Out of Band Edition — www.linkedin.com In this week's episode of #Defender for #Cloud in the Field - Out of Band Edition, I'm bringing some news around: Security Alerts improvements, JIT for AWS and Defender for Servers in AWS.
DOCS: Understanding just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Docs — docs.microsoft.com
In AWS, enabling JIT access revokes the relevant rules in the attached EC2 security groups for the selected ports, which blocks inbound traffic on those specific ports until access is requested.
Defender for Endpoint Things
VIDEO: Get to know Microsoft Defender for Endpoint Episode 1 | Virtual Ninja Training with Heike Ritter — www.youtube.com Microsoft Defender for Endpoint is a comprehensive solution for preventing, detecting, and automating the investigation of and response to threats against en...
VIDEO: Get started with Microsoft Defender for Endpoint Episode 2 | Virtual Ninja Training with Heike Ritter — www.youtube.com In this episode, we dive into the most common features and scenarios to help get you started fast with your tenant. You get an overview of your control cente...
BLOG: Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices - Microsoft Security Blog — www.microsoft.com In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.
BLOG: Troubleshooting mode for Microsoft Defender for Endpoint now in public preview - Microsoft Tech Community — techcommunity.microsoft.com Microsoft Defender for Endpoint offers the best possible protection
BLOG: Announcing the public preview of Microsoft Defender personal profile support for Android Enterprise — techcommunity.microsoft.com Microsoft has made great strides in pursuit of its ongoing commitment to empower and secure employee mobility with the recent delivery of extended support for the work profile in Android Enterprise with the Microsoft Defender app. But the work does not stop there...
Microsoft Defender for IoT Things
BLOG: Investigating an Alert Using Defender for IoT and Wireshark - Microsoft Tech Community — techcommunity.microsoft.com This blog will be one in a series of blogs to discuss the above topic. We will take specific Microsoft Defender for IoT alerts and try to understand what
Microsoft 365 Defender Things
NEW: Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability - Microsoft Tech Community — techcommunity.microsoft.com We're happy to share that Microsoft 365 Defender Streaming API support for the following event types (tables) is now generally available: Identity events (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents) and CloudAppEvents.
BLOG: In hot pursuit of ‘cryware’: Defending hot wallets from attacks - Microsoft Security Blog — www.microsoft.com The steep rise in cryptocurrency market capitalization, not surprisingly, mirrors a marked increase in threats and attacks that target or leverage cryptocurrencies. But Microsoft researchers are observing an even more interesting trend: the evolution of related malware and their techniques, and the emergence of a threat type we’re referring to as cryware.
Microsoft Purview Things
BLOG: So you want to be a CISO: What you should know about data protection - Microsoft Security Blog — www.microsoft.com We all know the days of firewalls and perimeter-based security aren’t coming back. Enabling an effective Zero Trust approach requires the ability to protect data across a multicloud, multiplatform environment. Microsoft’s decision to unify data protection, governance, and compliance capabilities as Microsoft Purview—bringing together the former Microsoft Azure Purview and Microsoft 365 Compliance portfolio under one brand—reflects our belief that organizations need a simpler approach to data protection.
Roadmap: Microsoft 365 compliance center: Microsoft Purview - Insider Risk Management integration with Power Automate
Insider Risk Management integration with Power Automate allows organizations to configure Power Automate flows to automate tasks for Insider Risk Management cases and users.
Defender for Office Things
BLOG: Configurable impersonation protection and scope for Preset Security policies - Microsoft Tech Community — techcommunity.microsoft.com We're making enhancements to Microsoft Defender for Office 365 preset security policies (namely, Strict and Standard policies)! Preset security
Roadmap: Microsoft Defender for Office 365: Actions from the email entity page
We are adding the ability to take actions from the email entity page. From there you can take email purge actions, create submissions, take tenant-level block actions (block sender/domain/file/URLs), and launch investigative actions.