Microsoft Defender Weekly Wrap - Issue #27
Hi, all!
I want to thank you so much for your interest in Microsoft security. I don't think a day ever goes by that I'm not thankful for this community, but it's always good and healthy to say it. And I think it's probably good to hear it, too.
So, thank you all for your engagement, participation, and continued interest.
I hope you had a good week. In the U.S., we have a 3-day weekend that ends in the Memorial Day holiday on Monday, and I am looking forward to the extra time to relax and reflect.
...
If you missed Microsoft Build this week, you missed something cool that was announced.
Who Hacked? is a cloud game from Microsoft Learn, which is a way to gamify learning security and how to use Microsoft security products to identify and react to threats. This is a fun romp!
Here's the trailer: https://cda.ms/4kL
Learn more and sign-up to participate: https://aka.ms/MicrosoftLearnCloudGames
Incidentally, we also talked about it on the Microsoft Security Insights show on Wednesday night if you want to catch it there.
...
If you're looking for yet another way to show your support for KQL, there's a new piece of merch in the Must Learn KQL store. Many of you should appreciate this.
It's the "KQL is the New PowerShell" T-shirt and hoodie.
As with everything, all profit goes to St. Jude.
...
Identifying Business-Critical Cloud Data Resources
Today, Microsoft Defender for Cloud includes the ability to discover and protect cloud data resources for both structured and unstructured data types using Defender for Storage and Defender for Databases.
Our goal is to identify the business-critical data resources, including the organization's most valuable data, so that security administrators can focus first on protecting the resources with the greatest business impact.
We would appreciate your time and input on this short survey to ensure our product will align with your needs.
...
That's it for me for this week. I hope you all have an awesome weekend.
Talk soon.
Things to Attend
Managing the unmanaged with Security Management for Defender for Endpoint — techorama.be
Wednesday 25 May 2022 08:45 - 09:45 | Room 10 DevOps & Architecture & Security | Intermediate
The security threat landscape is confusing and changing rapidly – there's so much out there, how do you keep up, understand where the true risks are, and keep your assets safe from bad actors? It all starts with insights and managing your endpoints. But what if they are not?
Things that are Related
Microsoft Security Insights Show Ep. 103 — www.youtube.com Tune in! Microsoft Security Insights is a weekly podcast that provides information, news, and tips on Microsoft Security Solutions including Microsoft Sentin...
SC-100 Cybersecurity Architect Expert Certification Study Cram — www.youtube.com Key knowledge to help pass the SC-100 exam and be on your way to being a Cybersecurity expert.🔎 Looking for content on a particular topic? Search the channe...
Beneath the surface: Uncovering the shift in web skimming - Microsoft Security Blog — www.microsoft.com Microsoft security researchers recently observed that web skimming campaigns now employ various obfuscation techniques to deliver and hide skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions. As of this writing, some of the latest skimming HTML and JavaScript files uploaded in VirusTotal have very low detection rates.
Azure KQL – Working with IP Addresses – Yet Another Security Blog — www.garybushey.com Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with IP Addresses. In this blog post we will look at them. While there are some IPv6 functions, we will not be looking into them as they work the same as IPv4 with the big difference being the IPv6 functions can work with IPV4 addresses while the IPv4 functions cannot work with IPv6 addresses.
Building API-first solutions that aid modern Zero Trust infrastructure - Microsoft Tech Community — techcommunity.microsoft.com One of the biggest pain points in security operations centers is the volume of alerts and CTRL-“C”/CTRL-“V” workflow. Cutting and pasting information generated by one security tool into another is repetitive, slows response times, and keeps businesses one step behind attackers. When we understand that the average security operations center uses dozens of tools sourced from a wide selection of vendors, the need for automation and interoperability becomes crystal clear. As a security provider focused on helping organizations adopt Zero Trust principles—namely, explicit verification, use of least privileged access, and assumption of breach—SentinelOne works with Microsoft and other security experts to address these needs.
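The IPv4/IPv6 point in the KQL IP-address post above (garybushey.com), as an added example that is not code from that post: it assumes a constructed `Events` table with made-up accounts and addresses and two made-up allow-listed ranges, and shows that `ipv4_is_private` and `ipv4_is_in_range` return null for an IPv6 string while `ipv6_is_match` and `ipv6_compare` accept both address families.

```kql
// Added example, not from the linked post. Events is a constructed sample:
//   alice 10.20.30.40   RFC 1918, inside the assumed corporate 10.0.0.0/8
//   bob   192.168.1.77  RFC 1918, inside the assumed lab 192.168.1.0/24
//   carol 192.168.2.5   RFC 1918 but outside both allow-listed ranges
//   dave  203.0.113.9   public (TEST-NET-3 documentation range)
//   erin  2001:db8::1   IPv6; the ipv4_* functions return null for it
let Events = datatable(Account:string, SourceIp:string)
[
    "alice", "10.20.30.40",
    "bob",   "192.168.1.77",
    "carol", "192.168.2.5",
    "dave",  "203.0.113.9",
    "erin",  "2001:db8::1",
];
Events
// ipv4_* functions: bool for IPv4 input, null for anything else
| extend IsPrivate   = ipv4_is_private(SourceIp)
| extend InCorpRange = ipv4_is_in_range(SourceIp, "10.0.0.0/8")
                    or ipv4_is_in_range(SourceIp, "192.168.1.0/24")
// ipv6_* functions accept IPv4 input too, so one predicate covers both families
| extend InLabRangeV6  = ipv6_is_match(SourceIp, "192.168.1.0/24")
| extend SameAsV6Probe = ipv6_compare(SourceIp, "2001:db8::1") == 0
// Triage label; the isnull branch catches the IPv6 rows that a plain
// "where IsPrivate == false" would silently drop
| extend Flag = case(
    isnull(IsPrivate),               "non-IPv4 source: review with ipv6_* functions",
    IsPrivate and not(InCorpRange),  "private but unexpected range",
    not(IsPrivate),                  "external source",
    "expected")
| project Account, SourceIp, IsPrivate, InCorpRange, InLabRangeV6, SameAsV6Probe, Flag
```

Paste it into Microsoft Sentinel Logs or Azure Data Explorer and replace the datatable with a real table such as SigninLogs (IPAddress column) to use it on live data. The design point is the null handling: because the ipv4_* functions return null rather than false for an IPv6 string, a `where` clause built only on them drops those rows without warning, so either test for null explicitly or use the ipv6_* functions when the source column can carry either family.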
Things to Have
E-book: a Modern and Secure Workplace • Wortell — www.wortell.be How a modern and secure workplace can help your organization become relevant.
Sentinel-Queries/Device-FindNewDevices.kql at main · reprise99/Sentinel-Queries · GitHub — github.com Find new devices onboarded to Defender in the last month
Sentinel-Queries/SecurityAlert-FindBlastRadiusofPasswordSpray.kql at main · reprise99/Sentinel-Queries · GitHub — github.com When Defender for Cloud Apps detects password spray activity, summarize the impact to your users
Harness the power of the cloud and ground your security model strategy in Zero Trust — propc-inc.dmc-microsite.com With 43 percent of cyberattacks targeting small and medium businesses, data security is a top priority. You can protect your data, systems, and employees with tooling from Microsoft Security and the solutions within Microsoft 365. Learn how to use Microsoft Security to implement a Zero Trust security model in your organization and significantly reduce data breach risks across all devices and from any location. Subscribe and stay connected—we’ll help you understand how to modernize security and defend against threats with Microsoft Security.
Defender for Endpoint Things
VIDEO: Threat and Vulnerability Management | Virtual Ninja Training with Heike Ritter — www.youtube.com Threat and vulnerability management discovers vulnerabilities and misconfigurations on your endpoints and provides actionable insights that help you quickly ...
BLOG: Evaluation Lab: New domain-joined devices support in Public Preview — techcommunity.microsoft.com Domain-joined device support enables more complex simulations and more impactful attack scenarios
BLOG: Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM — jeffreyappel.nl Currently in general availability is the new Security Settings Management in Microsoft Defender for Endpoint. Security Management for Microsoft Defender for Endpoint is the new option to manage Security settings for devices and servers that are not enrolled yet in Microsoft Endpoint Manager/Intune. The new feature makes it possible to centrally manage security settings. Since late 2021 the feature has been in public preview and is currently generally available.
Microsoft Defender for IoT Things
BLOG: Updated appliance catalog for OT environments — docs.microsoft.com
We've refreshed and revamped the catalog of supported appliances for monitoring OT environments. These appliances support flexible deployment options for environments of all sizes and can be used to host both the OT monitoring sensor and on-premises management consoles.
Microsoft 365 Defender Things
BLOG: Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp) - Microsoft Security Blog — www.microsoft.com On April 24, 2022, a privilege escalation hacking tool, KrbRelayUp, was publicly disclosed on GitHub by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn tools in attacks.
BLOG: Archive Microsoft 365 Defender logs | by Koos Goossens | Wortell | May, 2022 | Medium — medium.com I recently wrote an article about Microsoft Sentinel Basic and Archive logs and the new custom log ingestion API with Data Collection Endpoint. That was the first part in a series of two. In this…
Microsoft Purview Things
BLOG: Extending Microsoft Purview Ecosystem with new APIs, Power Automate and built-in integrations — techcommunity.microsoft.com Microsoft Purview aims to help customers govern and protect data across their multicloud, multiplatform data estates, while meeting the compliance requirements they are subject to. That's why we are continuing to build extensibility and a rich set of APIs and integrations with the broader ecosystem.