Things from Me
It’s Friday — again. (Why do I feel like Bill Murray in Groundhog Day when I say that?)
So, happy Friday everyone! I hope your week has been good and you have splendid plans for the upcoming weekend. As most of you know, I’m from Southwest Ohio, where the Spring months can be a washout, which leads to a bevy of allergies from the mold. As this newsletter is being delivered to your inbox today, we’re bracing for a forecasted 4-5 inches of rain, which means I’ll probably be cleaning up a wet basement on Saturday when the rain is supposed to subside. But it’s all good. I’ve come to terms with it, having lived in Ohio my entire life.
…
SURVEY: Defender for DevOps Threat Detection
The Defender for DevOps team is working to build comprehensive and robust solutions that help you detect critical malicious activity in your DevOps systems.
Please take this 5-minute survey to provide your feedback, insights and asks on threat detection in DevOps systems.
Survey link: https://rodtrent.com/yqp
…
I mentioned last week that we have some cool things coming for the Microsoft Entra LinkedIn community group. These cool things include product team participation, including the exclusive ability to request 1:1 sessions with our product managers to share your feedback and help you leverage the full potential of Entra.
My buddy, Thibault Martin, made it all clear in the following post: Come and join the Microsoft Entra Community!
There’s more coming, but suffice to say that the Entra team is invested in connecting with the Identity community and the LinkedIn group is a great mechanism to use. If you’re not a member of this community yet and want to check it out, you can find the LinkedIn Entra Community group here: https://rodtrent.com/7it
…
That’s it for me this week. I hope you enjoy the newsletter - and as always - if you see something here that interests you, don’t keep it to yourself.
Here’s hoping I don’t have to canoe to the grocery on Saturday.
Talk soon.
-Rod
Things that are Related
KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks - In the last year, geopolitical tension has led to an uptick of reported cybercrime events fueled by hacktivist groups. The US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn organizations about these attacks and teamed with the FBI on a distributed denial-of-service (DDoS) response strategy guide. KillNet, a group that the US Department of Health and Human Services (DHHS) has called pro-Russia hacktivists, has been launching waves of attacks against western countries, targeting governments and companies with focus on the healthcare sector. DHHS published an analyst note on KillNet’s threat to the health sector, mentioning that the group compromised a US healthcare organization that supports members of the US military.
Things to Attend
Microsoft Secure is next week!
Join us for the 1st annual Microsoft Secure event. I’ve seen the list of product announcements for next week and you’re going to be thrilled. Register to attend to hear them all: https://secure.microsoft.com
Women in Cybersecurity Month (March) Schedule
We have one episode left! Here’s our Women in Cybersecurity schedule for the remainder of the month of March 2023…
March 29th (Wed), 5pm EST - Microsoft Security Insights Show Episode 146 - Elizabeth Stephens, Dir of DC Cyber Risk Intelligence
Things to Watch/Listen To
Microsoft Security Insights Show Episode 145-Future Kortor and Lara Goldstein - Welcome to Women in Cybersecurity month! In our fourth episode in the series for Women in Cybersecurity month Future and Lara stop by to chat about Microsoft Defender for Cloud (a CNAPP Solution). If you listen in, you may also learn about leg presses.
Things in Techcommunity
Re-install MDE.Windows extension - Onboarding several servers into MDE via Azure Arc. For one of the servers, I experienced this error when Azure Arc tried to install the MDE.Windows extension. I suspect I need to re-install the Unified Agent manually using the Unified Agent downloaded from the MDE portal. Presumably, if I do that, Azure Arc will recognise that the client has been installed?
Device inventory endpoint and Microsoft Defender Antivirus endpoint counts differ - I just want to know how many devices are in my environment using Microsoft 365 Defender, so I cross-verified using the Microsoft Defender Antivirus health count and Device inventory. Some devices are active but are not listed in Microsoft Defender Antivirus health. I don't know the reason for this; could someone help me please?
Microsoft Security Tech Community - Join the other 67,000 members of the Tech Community to ask questions of the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in the product and how you can implement it into your workflows.
Things to Have
// Hunt for WebDAV client activity: the WebClient service (svchost.exe) launching
// rundll32.exe with davclnt.dll,DavSetCookie, then list the remote hosts contacted.
DeviceProcessEvents
| where InitiatingProcessFileName == "svchost.exe"
| where FileName == "rundll32.exe" and ProcessCommandLine contains "davclnt.dll" and ProcessCommandLine contains "DavSetCookie"
// Drop the common private ranges (note: 172.16.0.0/12 is not excluded by these two filters)
| where ProcessCommandLine !contains "http://10."
| where ProcessCommandLine !contains "http://192.168."
// Take the part of the command line after "http://" and keep the host portion before the first "/"
| extend url = split(ProcessCommandLine, "http://")[1]
| extend domain = split(tostring(url), "/")[0]
// Keep dotted hostnames and ignore internal .local names
| where domain contains "." and domain !endswith ".local"
| summarize count() by tostring(domain)
Microsoft Sentinel Defender for Cloud Data Connector At Scale - This workflow will enable the Microsoft Defender for Cloud data connector in Microsoft Sentinel automatically for all subscriptions you have the logic app scoped to.
Defender for Cloud Things
BLOG: How to configure Security Events collection with Azure Monitor Agent - Security events collection (for Windows systems only) is done with the help of a guest agent. This has been possible so far with the legacy Log Analytics agent and the Defender for Servers auto-provisioning experience, and is also possible for Microsoft Sentinel users, via the Log Analytics and Azure Monitor Agent (AMA) data connectors. However, if you are not a Sentinel user yet and you are using Defender for Servers with the new AMA experience, it is still possible to collect security events, as you will learn next.
BLOG: The next wave of multicloud security with Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP) - With digital transformation in the face of macroeconomic pressures, strategies to optimize both cloud environments and cloud security are increasingly appealing to enterprises. Organizations worry about vulnerabilities in code getting deployed, critical misconfigurations, overprivileged access to cloud infrastructure, and evolving threats that can cause sensitive data loss. Unfortunately, most reported security incidents involve bad actors exploiting vulnerabilities that security teams aren’t even aware of. The answer is an end-to-end solution that offers comprehensive cloud security from development to runtime—a Cloud-Native Application Protection Platform (CNAPP).
BLOG: Announcing Microsoft cloud security benchmark v1 (General Availability) - Since its first introduction in 2019, the Azure Security Benchmark (ASB) has been widely used by our customers to secure their Azure environments, especially as a toolkit for Azure security implementation planning and for helping report compliance on multiple regulatory standards. As the successor of ASB, today we are announcing the general availability of the Microsoft cloud security benchmark v1.
BLOG: Cloud security is incomplete without hybrid and multicloud coverage - Discover key capabilities to prioritize when creating a secure, integrated multicloud or hybrid environment.
Defender for Endpoint Things
TIP: A trick I discovered with MDE which has come in handy on multiple occasions - Redirection is actually supported with Live Response. I commonly use this for inspecting persistence packages on the local host rather than through the portal, as it’s much easier.
NEWS: Microsoft awarded Best Advanced Protection for Corporate and Consumer Users by AV-TEST - Today Microsoft is pleased to announce that AV-TEST has awarded Microsoft Best Advanced Protection 2022 in both the Corporate Users and Consumer Users categories. After a year of extensive lab evaluations made up of live testing and step-by-step tests in special attack scenarios, such as ransomware, we are honored that AV-TEST has recognized Microsoft Defender AV for its exceptional performance against malware.
Defender for IoT Things
NEW: Leverage cloud-powered security with Microsoft Defender for IoT - It is with great pleasure that we announce the general availability (GA) of the Microsoft Defender for IoT cloud-managed platform, which lets businesses interconnect their OT environment without compromising security. Powered by Microsoft’s scalable, cost-effective cloud technology, Defender for IoT helps you manage assets, track emerging threats, and control risks across enterprise and mission-critical networks—both in connected and air-gapped environments. In this blog, we’ll look at today’s connected OT environment, including the advantages of cloud-managed security and how a converged security operations center (SOC) can offer advantages over the traditional siloed approach.
365 Defender Things
BLOG: Abuse and Detection of M365D Live Response for privilege escalation on Control Plane (Tier0) assets - Live Response in Microsoft 365 Defender can be used to execute PowerShell scripts on protected devices for advanced incident investigation. But it can also be abused by Security Administrators for privilege escalation, such as creating an (Active Directory) Domain Admin account or “phishing” an access token from an (Azure AD) Global Admin on a PAW device. In this blog post, I will describe the potential attack paths and a few approaches for detection, but also mitigation.
Defender for Cloud Apps Things
Look at what's in Defender for Cloud Apps.
Microsoft Purview Things
BLOG: Microsoft achieves first native Cloud Data Management Capabilities certification - Today, Microsoft announced the successful completion of the Cloud Data Management Capabilities (CDMC) 14 Key Controls and Automations certification, conducted by Accenture and Avanade, accelerating the industry’s move to the cloud. The 14 Key Controls and Automations are a part of the EDM Council’s Cloud Data Management Capabilities framework formulated as a best practice to help all industries accelerate the migration of sensitive and non-sensitive data to the cloud with confidence. This certification demonstrates Microsoft’s commitment to providing comprehensive CDMC cloud data management automations and controls for protecting sensitive data to accelerate trusted cloud adoption.
PODCAST: Cloud native Data Loss Prevention: the future of data security - In this month’s episode of Uncovering Hidden Risks, we discuss some recent DLP research and what's coming up in this space. Microsoft spoke to more than 300 data and compliance professionals to create the whitepaper “Data Loss Prevention: From on-premises to cloud.”
Defender for Office Things
BLOG: Enhanced threat detection with URL click alerts by Microsoft Defender for Office 365 - To better protect against these types of threats, Microsoft Defender for Office 365 now features alerting policy enhancements to support the detection, investigation, and remediation of threats via URLs sent over email. With these enhancements, alerts are now capable of detecting threats at time of click and potential threats in the last 48 hours from the time of first click.
Defender for Business Things
BLOG: Microsoft continues to innovate to help secure small businesses - Last year, we introduced Microsoft Defender for Business, aimed at safeguarding endpoints for businesses with up to 300 employees. To further extend our security capabilities, we announced Defender for Business in Microsoft 365 Business Premium, providing comprehensive productivity and security solutions on a single platform. In November 2022, we launched server security features built into Defender for Business, with enhanced protection for both Windows Server and Linux servers through the Microsoft Defender for Business server add-on. But we’re not stopping there. In fact, we’ve made major strides in simplifying our comprehensive security approach with Defender for Business with the following updates…
Microsoft Entra Things
BLOG: The future is bright, the future is Entra - With the announcement of the Microsoft Entra product family, Microsoft has made three important statements.
Simplified insights with improved security summaries to help you better understand how secure you are across identity, devices, information, and apps. The report shows threats prevented by Defender for Business, current status from Microsoft Secure Score, and recommendations, all designed to help you increase security in key areas.
Protect mobile devices without the need for device management or add-ons by using new capabilities built into a single integrated Defender for Business experience. The standalone device security solution now includes a preview release of mobile threat defense that provides iOS and Android devices with OS-level threat and vulnerability management, web protection, and app security to help you and your employees stay secure on the go.
Microsoft Priva Things
NEWS: Microsoft recognized as a Leader in The Forrester Wave: Data Security Platforms, Q1 2023 - The Forrester report also acknowledges: “Microsoft shines with its ecosystem approach—if you go all in,” wrote Heidi Shey, Forrester Principal Analyst, in the report. “Microsoft Purview brings together capabilities to 1. understand and govern data; 2. safeguard data; and 3. improve risk and compliance posture. But Microsoft’s security capabilities go beyond Microsoft Purview. By design, the entire Microsoft ecosystem working together multiplies its value via telemetry from across the environment.” She added, “The power of Microsoft’s telemetry is evident in its capabilities for identifying data threats and risk visibility. These offer strong controls for data masking, encryption, and rights management.”