Things from Me
Happy Friday, everyone! Welcome back to your weekly foray into Microsoft Defender - or should I say… Defender XDR.
If you’ve not caught on yet, Defender is now Defender XDR. I’ve even gone as far as to rebrand the Microsoft 365 Defender section of this newsletter to the new nomenclature. As I talked about in the Microsoft Sentinel newsletter this week, even Sentinel is getting a slight bump. With the further Microsoft Security platform consolidation into the Defender XDR, even Microsoft Sentinel is being called just SIEM + XDR in some cases.
I saw one discussion this week where there was another effort to determine if Sentinel content should now just be merged with Defender content to match what is happening with the Defender XDR console. In my mind, these need to remain separate - and they will remain separate here for now.
…
Join over 200 security peers virtually on December 6 for Tech Accelerator!
Last call to register and save the date for your chance to ask questions live + engage with Microsoft Security Experts.
NOTE: If you do not have a Tech Community profile – be sure to make one today so that you can RSVP and ask questions. This link will take you there – aka.ms/communityregistration and it’s not one of those platforms that you have to use your government name, put in alllll your info or anything like that.
IF you don’t want to make a profile that’s 100% great as well – just tune in live on one of the platforms listed below. No registration required:
Security, Identity, and Compliance Microsoft Tech Community – create a profile here
Microsoft Tech Community X - @MSTCommunity
Microsoft Security X - @msftsecurity
Microsoft Tech Community YouTube channel - @MicrosoftTechCommunity
We’re excited to host you from 7am – 12pm PDT on December 6.
…
Must Learn AI Security is now an official Amazon offering! The official book ended up being over 400 pages of content.
For those that want a physical copy of the book, or prefer a Kindle formatted copy, all editions are now live from Amazon in the various regional marketplaces.
Find it here: https://amzn.to/3uBEzgH
As always, the standard eBook version is available for download from https://aka.ms/MustLearnAISecurity and I’ve even now included the reformatted, reorganized Kindle version there for download, too.
…
That’s it from me for this week. I’m suffering a bit from a head cold. My grandson spent the night with us last Friday after the Thanksgiving festivities and he coughed directly into my face all night long. I thought I had dodged this one but woke on Wednesday to the glory of the winter cold.
Talk (or cough) soon.
-Rod
Things that are Related
The KQL Mysteries: Chapter 1: Discovery - Jon loved his job. He enjoyed hunting for threats and anomalies in the vast amount of data collected by his company, using the powerful KQL search operator. The search operator was Jon’s go-to first step when trying to expose potential threats in his company’s environment. It is simple, yet powerful.
Must Learn AI Security Now Available from Amazon - As it did with the Must Learn KQL series, the Amazon offering helps expand the audience beyond this blog and the GitHub repository that supports it. And just like the Must Learn KQL Amazon versions, any profit from the Must Learn AI Security Amazon versions goes to St. Jude Children’s Research Hospital. So, when getting something for yourself or your special someone, you’re also giving to a great cause.
Things to Attend
Security Copilot overview - Mon, Dec 4, 2023, 12:00 PM - 12:30 PM EST - Join us as Product Manager Gabriel Damaschin introduces the capabilities of the highly anticipated Microsoft Security Copilot, driven by cutting-edge generative AI technology. In this episode, we discuss how the extensive capabilities and various applications of this tool enable you to operate at lightning-fast speeds and how Security Copilot extends its valuable support beyond the security operations center.
Security Copilot for SOC analysts - Wed, Dec 6, 2023, 9:00AM (PT) – boosting efficiency and expertise with Security Copilot in Microsoft Defender XDR - Returning guest Principal Program Manager Corina Feuerstein highlights the seamless fusion of Microsoft Security Copilot with the Defender XDR platform. Join us for a demo that shines light on the industry-transforming Microsoft Azure OpenAI within Security Copilot, which helps you accelerate investigations to outmaneuver adversaries at scale.
Things to Watch/Listen To
Things in Techcommunity
Microsoft Defender for Endpoint Query - I have a few queries regarding Microsoft Defender for Endpoint and MTD. Normally, how long does it take to sync between the Defender console and Intune? With Web protection enabled on a mobile device, the SmartScreen test URL works, but it doesn't block many URLs. I tried many suspicious URLs from https://urlhaus[.]abuse[.]ch/ and none of them were blocked; even the download was allowed. So I want to confirm how this works and whether we need any additional configuration on the Defender or Intune console.
Bug in [ASR Only Per Rule Exclusions] - I have found a bug in [ASR Only Per Rule Exclusions]. When you open an Excel file with Win32 API-call macros from the exclusion path, the next Excel file with macros you open from any other location will not be blocked.
Things from Partners
BlueVoyant Acquires Conquest Cyber In Deal That Reshapes Microsoft Security Landscape - Together the two companies -- which both grew at an 80 percent clip over the last year -- provide a single “powerful combination” that will appeal to customers that need to secure Microsoft environments in both the commercial and government sectors, says BlueVoyant CEO Jim Rosenthal.
Things in the News
Safety feature for Microsoft 365 apps bites the dust as hackers embrace more sophisticated AI-powered techniques - Microsoft is deprecating Defender Application Guard for Office, impacting Windows Security Isolation APIs.
Microsoft Ignite 2023: Highlights for Security-Conscious IT Pros - Microsoft this month held its largest conference, Ignite, this time with about 4,500 attendees on site, and myself plus another 175,000 or so IT pros and developers connecting online. I've digested about 20 session recordings so far, and in this article, I'll take you through my personal highlights, promising it won't be all about AI and Copilots.
Security Copilot Things
Defender for Cloud Things
Defender for cloud's Agentless secret scanning for virtual machines is now generally available! - Cloud cybersecurity is of paramount importance in today's digital landscape, as organizations increasingly rely on cloud services to store and manage sensitive data, applications, and infrastructure. Attacks on cloud infrastructure pose severe risks to organizations such as data theft, ransomware attacks, crypto mining attacks, and service disruption.
Effective novelty detection in cloud security domain - In cloud security domain, we often need to monitor entities – such as users, IP addresses, applications, or access tokens – and their patterns of behavior. We might want to detect ‘novelties’ – unexpected and previously unseen values of these entities - which can indicate security issues.
Simplifying Onboarding to Microsoft Defender for Cloud with Terraform - If you are looking for a way to onboard Microsoft Defender for Cloud (MDC) with Terraform, you are in luck! In this blog post, we will introduce you to a new Terraform module that simplifies and enhances the onboarding experience for MDC. This module allows you to configure MDC plans for your subscriptions or management groups with just a few lines of code. You will also learn how to use this module in different scenarios, such as onboarding a single subscription, multiple subscriptions, or all subscriptions where you have owner permissions. By the end of this blog post, you will be able to onboard MDC with Terraform in a fast and easy way. Let's get started!
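For readers who want to see what "a few lines of code" looks like in practice, here is an added example (not the module from the linked post, and not Microsoft's code) that enables Defender for Cloud plans on the current subscription with the azurerm provider's own azurerm_security_center_subscription_pricing resource, which is what such a module wraps. The plan map, the provider version pin, and the choice of which plans to leave on the free tier are assumptions for illustration; the module in the post additionally handles management groups and multi-subscription rollout, which this example does not.

```hcl
terraform {
  required_version = ">= 1.3" # optional() in object types needs 1.3+
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80" # assumed pin; any 3.x with subplan support works
    }
  }
}

provider "azurerm" {
  features {}
  # Assumption: target subscription comes from ARM_SUBSCRIPTION_ID or the az login context
}

# Constructed plan map (assumption for illustration). Keys are the provider's
# resource_type values; subplan is only valid for plans that define one.
variable "defender_plans" {
  type = map(object({
    tier    = string
    subplan = optional(string)
  }))
  default = {
    VirtualMachines = { tier = "Standard", subplan = "P2" }
    StorageAccounts = { tier = "Standard", subplan = "DefenderForStorageV2" }
    Containers      = { tier = "Standard" }
    KeyVaults       = { tier = "Standard" }
    Arm             = { tier = "Standard" }
    SqlServers      = { tier = "Standard" }
    AppServices     = { tier = "Free" } # deliberately left on the free tier in this example
  }
}

# One pricing resource per plan; a null subplan leaves the attribute unset.
resource "azurerm_security_center_subscription_pricing" "plan" {
  for_each      = var.defender_plans
  resource_type = each.key
  tier          = each.value.tier
  subplan       = each.value.subplan
}

# Turn on auto-provisioning so the Log Analytics agent is deployed to covered VMs.
resource "azurerm_security_center_auto_provisioning" "this" {
  auto_provision = "On"
}

output "enabled_standard_plans" {
  description = "Plans that ended up on the Standard (paid) tier"
  value       = [for k, p in var.defender_plans : k if p.tier == "Standard"]
}
```

Run `terraform init` and `terraform plan` first and check the plan output: every Standard-tier entry is a billable change, so confirm the list matches what the subscription owner signed off on before `terraform apply`. Because the resource is keyed by plan name, adding or removing an entry in the map produces a targeted change rather than a rebuild of the whole set.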
Protect Azure Storage In Microsoft Defender for Cloud - Comprehensive Guide - Enabling malware scanning is a feature of Defender for Storage. You can enable or disable it based on your needs.
Using Azure Site Recovery & Microsoft Defender for Servers to securely failover to malware-free VMs - In this article, we will see how Azure Site Recovery offers an automated way to help you ensure that all your DR data, to which you would fail over, is safe and free of any malware using Microsoft Defender for Cloud.
Announcing General Availability of Microsoft Defender for APIs - We are excited to announce the General Availability of Microsoft Defender for APIs, designed to protect organizations against API security threats with an integrated cloud security context. Defender for APIs offers full lifecycle protection, detection, and response coverage for organizations’ managed APIs.
Defender for Endpoint Things
MDE + MDI better together - Reconnaissance - Hello all defenders and threat hunters, and thank you for visiting my product research note. In this blog series, I would like to zero in on Microsoft Defender for Endpoint (MDE) + Microsoft Defender for Identity (MDI) better together, showcasing the various advantages of deploying both products together. Let's start by looking at reconnaissance in Part 1.
Defender XDR Things
Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. Controlling a user's permissions around their access to view data or complete tasks is essential for organizations to minimize the risks associated with unauthorized access.
From Threat Report to (KQL) Hunting Query - Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report to a KQL hunting query. This is done based on two #StopRansomware reports of the joint Cybersecurity Advisory (CSA).
Microsoft Purview Things
Public Preview: Microsoft Fabric Items in Microsoft Purview - With Microsoft Fabric and Microsoft Purview together you can store, analyze, and govern your data seamlessly and efficiently. In addition to integrating Purview data security and compliance capabilities throughout Fabric, we are also infusing Fabric items into the Microsoft Purview Data Map. The Data Map is automatically provisioned and attached to every Fabric instance by default with no set-up required. You can browse and search your Fabric a. For easy access to all these Purview capabilities, we’ve created a centralized page called the Purview Hub, currently in public preview, which serves as a gateway to Purview and contains insights into item inventory, sensitive data, and endorsement.
Defender EASM Things
Defender EASM - Performing a Successful Proof of Concept (PoC) - Welcome to an introduction of the concepts and simple approach required for executing a successful Proof of Concept (PoC) for Microsoft Defender External Attack Surface Management (Defender EASM). This article will serve as a high-level guide to help you execute a simple framework for evaluating Defender EASM, and other items to consider when embarking on the journey to understand the Internet exposed digital assets that comprise your external attack surface, so you can view risks through the same lens as a malicious threat actor.
Microsoft Entra Things
Step-by-Step: Assign access packages automatically based on user properties in Microsoft Entra ID - Microsoft Entra ID Governance offers the capability to manage the access lifecycle of resources through access packages, which are organized into catalogs and define the resources available within them. Each access package includes at least one policy that outlines who can request access to it, the approval process, and access lifecycle settings such as assignment expiration and access review configuration.
The Twelve Days of Blog-mas: No.3 - Windows Local Admin Password Solution (LAPS) - This one is sure to please the crowd – it’s the NEW AND IMPROVED easy to setup/deploy/use solution for when IT Ops/Support needs a local admin ID and password to perform some management task(s) on a Windows endpoint.
What’s new in Microsoft Entra - Microsoft has recently introduced a range of new security tools and features for the Microsoft Entra product family, aimed at helping organizations to improve their security posture. With the ever-increasing sophistication of cyber-attacks and the increasing use of cloud-based services and the proliferation of mobile devices, it’s essential that organizations have effective tools in place to manage their security scope.