Things from Me
Happy Friday everyone!
I’ve been surprised by the number of people who have responded with questions, curiosity, support, and their own stories about the plight of my flooded basement that I’ve been documenting in the last couple newsletter issues.
It doesn’t matter what the situation is, it really helps when there are people willing to offer their comfort and encouragement. I don’t think we realize sometimes that that’s an effort that goes a long way. It’s a transfer of energy when you think about it. The energy of the act is transferred as energy for strength, resilience, and power. It’s one of the most basic but underestimated things we can do for others, but it still takes effort.
I say all that to say this: it’s truly appreciated!
So, more to the story…
In my last note about the situation, I mentioned I had reached out to various basement waterproofing services in my area. After deep consideration, my wife and I signed with Everdry for the full deal. We’re just waiting now for one of their crews to become available for our project.
…
You in the Spotlight!
We have a super-cool opportunity where YOU can be featured on Microsoft Learn or even at Microsoft Build. All you have to do is listen to some silly guy on the following web page ramble for about 3 minutes to get all the information.
https://aka.ms/YourPathtoCybersecurity
…
Do you manage cloud resources or services on more than one Public Cloud?
We're looking for security engineers, cloud architects, developers or anyone who wants to share their experience with asset inventory when managing resources across multiple public clouds.
Your perspective is invaluable as we explore new opportunities and refine existing capabilities to realize Azure Arc's aspiration of affording customers a single pane of glass across their multi-cloud infrastructure.
…
That’s it from me for this week. Have a wonderful weekend and week ahead. And Happy Easter - He is risen!
-Rod
Things to Attend
Discover a new era of security with Microsoft at RSA 2023 - We’re thrilled to participate and connect with you at RSA Conference 2023 from April 23 to 27, 2023, in San Francisco. Join your security peers as we welcome you to the new era of security—shaped by the power of OpenAI’s GPT-4 generative AI—and introduce to you the recently announced Microsoft Security Copilot.
Reg: Entra Permissions Management: Navigate multicloud with an integrated CIEM solution - Please join us for this event on April 20, 2023, 9:00-10:00 AM WEST | 10:00-11:00 AM CEST. This session will be delivered in German.
Microsoft Secure Tech Accelerator - Apr 13 2023, 07:00 AM - 12:00 PM (PDT) - Save the date and save your spot for a closer look at what was announced at Microsoft Secure. Our goal is to equip you with the technical information that will help you and your team implement our comprehensive security solutions in your business. Join us for demos, technical deep dives, and of course everyone's favorite – Ask Microsoft Anything (AMA). https://rodtrent.com/s5q
What's on tap:
Ask Microsoft Anything: SIEM and XDR
Microsoft Defender threat intelligence and Sentinel integration deep dive
Protecting your user identities
The value of Identity Governance
Ask Microsoft Anything: Safeguard privacy with Microsoft Priva
Ask Microsoft Anything: Secure data with an intelligent and people-centric approach
Information protection and DLP
Ask Microsoft Anything: Azure network security
Implementing Defender for Cloud, Microsoft’s CNAPP to embed security from code to cloud
Things that are Related
Open Sourcing the Must Learn KQL Workshop Deck - For the past 8 months the Must Learn KQL series has been developed into a workshop in preview, with many hands helping enhance and update it. There are many more updates to come, but the PowerPoint deck is now to the point where I feel comfortable making it available as part of the learning. So now anyone can take the series content and deliver it to their customers or organization.
Fuzzy hashing logs to find malicious activity - In this blog we will explain how a JsonHash is calculated, then show some practical examples of how it can be used. We implemented JsonHash using the Python plugin for Azure Data Explorer and used it to search for web shell activity in IIS logs. Logs corresponding to the web shell activity had similar JsonHash values, demonstrating how JsonHash can be used to find related groups of malicious activity.
Things in Techcommunity
Preset policies have suddenly started notifying users of quarantined messages - Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend.
Get help with technical questions from experts and peers on Microsoft Q&A - Attaining new technical skills takes time, and having a community of fellow learners to lean on can make a big difference. That’s why Microsoft Q&A offers unique opportunities to engage with peers and Microsoft experts for technical insights and guidance.
Microsoft Security Tech Community - Join the other 67,000 members of the Tech Community to ask questions of the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in the product and how you can implement it into your workflows.
Things from Partners
Microsoft Security Insights Show Episode 147 - Juliana Zaremba, Difenda - Join us as we prepare for RSA conference with a chat with MISA partner Difenda. Juliana Zaremba from Difenda joins the MSI Show crew to catch us up on Difenda’s valued and valuable offerings and how to catch them at RSA.
Meet Difenda at RSA! Register for a meeting and be entered to win a fantastic LEGO Technic Land Rover Defender!
Register here: https://insights.difenda.com/meet-difenda-at-rsa-2023
Defender for Cloud Things
BLOG: Microsoft Defender for Cloud – The ultimate blog series (Intro) – P0 - This ultimate blog series will contain as much information as possible based on my Defender for Cloud experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details – including the most frequent questions asked by customers, focusing on configuration and deployment.
MMA agent crashes on W2K8R2 if the Defender for SQL solution “SQLVulnerabilityAssessment” is enabled and the OS is not updated - [UPDATE] Problem acknowledged by the MS product team. It will be mitigated this month.
BLOG: Microsoft Defender for Cloud Monthly news April 2023 Edition - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from March 2023.
VIDEO: Security Policy Enhancements in Defender for Cloud | Defender for Cloud in the Field #29 - In this episode of Defender for Cloud in the Field, Tuval Rozner joins Yuri Diogenes to talk about the new security policy enhancements. Tuval covers the new security policy dashboard within Defender for Cloud, how to filter, and create exemptions from a single place without having to make changes in the Azure Policy dashboard. Tuval also demonstrates how to use the new dashboard and customize policies.
NEW: Defender for Cloud: Agentless scanning for machines - Agentless scanning for VMs provides vulnerability assessment and software inventory, both powered by Microsoft Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available in both Defender Cloud Security Posture Management (CSPM) and Defender for Servers P2.
BLOG: Uncover the latest cloud data security capabilities from Microsoft Defender for Cloud - As digital transformation accelerates, many organizations are moving their data to the cloud at an exponential rate, taking advantage of the cost and operational efficiencies cloud deployments offer. The dynamic and complex nature of an organization's cloud data estate – storage and database resources, where data is stored and processed – along with the increased multicloud adoption and cloud-native application development, have multiplied the data security blind spots for security teams.
BLOG: DevOps threat matrix - At Microsoft, we have conducted extensive research into the techniques that malicious adversaries may use to attack DevOps environments. We categorized these techniques into their related tactics and mapped these into a threat matrix. This mapping aims to help defenders to better understand the landscape and possible attacker actions, so defenders are better equipped to defend against each technique and protect DevOps environments.
Defender for Endpoint Things
BLOG: Defender for Endpoint and disconnected environments. Cloud-centric networking decisions - This article is part of a group of articles regarding Defender for Endpoint and disconnected environments. The first two articles can be found here and here. The objective of this article, along with the two previous articles, is to provide you with a better understanding of Defender for Endpoint and how it works in a disconnected environment. This requires a mental shift in our understanding of what “risk” means with a cloud-first product.
Defender for Cloud Apps Things
Simplifying SaaS Security: Deploying Microsoft Defender for Cloud Apps in 4 steps - Microsoft Defender for Cloud Apps makes it simple to secure an organization’s SaaS applications. It can be deployed quickly and easily, with no other dependencies or installations required. We’ll walk through 4 steps that demonstrate how easy it is to deploy Defender for Cloud Apps and protect your organization from app-based threats.
365 Defender Things
VIDEO: Find and Expel hidden attackers in your network - Investigate and contain sophisticated attacks in real-time using updates to Microsoft’s integrated XDR solutions. Get an inside look at a multi-stage and multi-cloud incident inspired by real tactics, techniques, and procedures in Microsoft Sentinel, and visibility into the attack sequence and timeline of alerts with Microsoft 365 Defender. Use Threat Intelligence to investigate and stop threat actors in their tracks with real-time threat disruption, and automate mitigations to contain the damage.
DOC: Implement Microsoft Sentinel and Microsoft 365 Defender for Zero Trust - This solution guide walks through the process of setting up Microsoft XDR tools together with Microsoft Sentinel to accelerate your organization’s ability to respond to and remediate cybersecurity attacks.
BLOG: Microsoft 365 Defender Monthly news April 2023 Edition - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2023.
Microsoft Purview Things
BLOG: Microsoft Purview DevOps policies for Azure SQL Database is now generally available - In a prior blog, we announced the General Availability (GA) of the Microsoft Purview DevOps policies integration with SQL Server 2022 (Arc-enabled). Today, we are launching DevOps policies for Azure SQL Database into GA.
BLOG: Public preview: Programmatically interact with Microsoft Purview workflows using APIs and SDKs - To expand our developer experience and to allow customers to interact with and extend Microsoft Purview functionality using the software technologies and tools in their organization, we are happy to announce that REST APIs and SDKs for the workflow data plane are in public preview. Software engineers or developers in your organization can now leverage these APIs/SDKs to programmatically create or update a workflow, submit a workflow, approve or reject an action, update or re-assign an approval or task action, list or cancel workflow runs, and more.
BLOG: Secure hybrid and remote workplaces with a Zero Trust approach - Adopting an end-to-end Zero Trust security strategy, and implementing Zero Trust security pillars, promotes the most secure and optimized access for users in the modern hybrid workforce. Organizations need to adapt to stay competitive, and cybersecurity remains a top concern as work environments continue to shift toward hybrid and remote settings.
Defender for Business Things
BLOG: How does Microsoft Defender for Business compare to Defender for Enterprise? - Three licenses are available for Microsoft Defender for Business: Defender for Endpoint Plan 1, Defender for Endpoint Plan 2, and Defender for Business. A Plan 1 license is limited and contains only Antivirus capabilities. Defender for Endpoint Plan 2 is the oldest and default plan, and it covers features such as Antivirus, Endpoint Detection & Response (EDR), Attack Surface Reduction, Advanced Hunting, and Automated Investigation and Response. Defender for Business is a license tailored to small and medium-sized businesses whose feature set sits between Plan 1 and Plan 2. In this article, I discuss the capabilities of Defender for Business.
Defender Vulnerability Management
What’s new in Microsoft Defender Vulnerability Management | April 2023 Update - We are excited to share new and updated capabilities for Microsoft Defender Vulnerability Management. Vulnerability management is a moving target, and we hope these updates will enable you to enhance your vulnerability management program and better protect your organization. Our April update unveils the following enhancements and new capabilities:
Enhanced security baseline assessments, including new Microsoft benchmarks, and the ability to add exceptions that exclude the assessment of specific configurations on certain devices.
New “Pending restart” information shows the reboot status of devices.
The ability to view data for devices that are not onboarded, through vulnerability management APIs.
Microsoft Entra Things
BLOG: Quick Wins to Strengthen Your Azure AD Security - In this blog we discuss some Quick Wins to reduce the attack surface of Azure AD. From a technician's standpoint, these tasks are immediate and require minimal testing to get them rolled out in production.
BLOG: Microsoft Entra Change Announcements – March 2023 Train - Today, we're sharing our March train for feature and breaking changes. We also communicate these changes on release notes and via email. We are continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well. In addition, we will be including new feature launch announcements as part of this blog post going forward so you can see both changes to existing features and new features in a single list.