Things from Me
Happy Friday, good people!
To start this week’s issue, I noted last issue that I would be speaking at the AI Tour in Paris next month. I’ve had a longer thought about that and wanted to update you all.
I have a couple big, super important family events coming up.
The wife and I celebrate 34 years of marriage on February 24th. We’re planning a weekend getaway to celebrate.
My oldest daughter gives birth to our 2nd grandbaby sometime in early March. We’re grandbaby fans here in the Trent household. If you’ve been a reader of this newsletter long enough, you know we’re crazy about our first grandboy.
For those reasons, I've opted out of the Paris trip for the AI Tour. Family is key to everything. It’s easy sometimes to lose sight of that. Everything I do, I do for my family. When I was younger - yeah - a lot of it was selfish. I did a lot of it for me and my career. But eventually you come to the understanding why you actually do the things you do. And if it’s not because of and for someone else, then you really need to review your life choices. Ego will not get you very far in life.
Paris is going to be great, though. My awesome colleague and teammate Joylynn Kirui will be speaking in Paris. You need to stop by to connect with her. She's the best!
I will still be speaking at Experts Live in Denmark. So that's currently the only way to connect with me in Europe in March.
Register now! https://events.justattend.com/events/conference-hub/584b32f5
There will be LOTS of Copilot for Security content in Denmark - some of it for the first time ever in a public setting.
…
We’ve finally released our show schedule for Women in Cybersecurity Month and hope you’ll be able to attend live or listen after.
Details at the link: https://aka.ms/MSIShow-WiCyS
…
That’s it for me for this week. I hope you have a great weekend, and your work week ahead is fruitful and fulfilling.
Talk soon.
-Rod
Things to Attend
Things that are Related
Announcing New Monitoring and Scaling Updates in Azure Firewall - We are pleased to introduce some new features and improvements for the service today. These features include capabilities that enhance the monitoring and scalability of your Azure Firewall:
Flow Trace logs are now generally available.
Autoscaling based on the number of connections is now generally available.
Parallel IP Group update support is now in public preview.
The KQL Mysteries: Chapter 9 - The Ghost of Krampus Past - Jon braced himself, gripping the phone tighter. “What is it, Jordan? Don’t keep me in suspense.” Jordan’s voice was steady, but there was an undercurrent of disbelief. “It’s connected, Jon. The Night Princess… she’s using the same backdoor that Krampus_attack left open. It wasn’t fully secured.”
Things to Watch/Listen To
Microsoft Security Insights Show Episode 190 - Andre Camillo
Things in Techcommunity
"Users may register their devices with Microsoft Entra" grayed out. Neither Intune nor MDM in use - I want to prevent users from registering their personal devices in Entra. The option to do so in Identity -> Devices -> All Devices -> Device Settings is grayed out. The explanation there doesn't apply to my case. It reads "Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Device Registration. If you have configured either of these services, ALL will be selected and the button will be disabled." The thing is that I have configured neither, so the button should not be disabled.
Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures - We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR (MicrosoftThreatProtection) and Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistently.
Copilot for Security Things
Tanium Plugin Prompts - Thanks to the good folks at Tanium for supplying supporting content for their Copilot for Security plugin.
Navigating cyberthreats and strengthening defenses in the era of AI | Security Insider - Every day more than 2.5 billion cloud-based, AI-driven detections protect Microsoft customers.
Brief: Copilot for Security as a Tool for Threat Hunting - Copilot for Security can help organizations to transform their security posture from reactive to proactive, and to achieve higher levels of security maturity and resilience. By using Copilot for Security, organizations can benefit from the advantages of threat hunting without the drawbacks, and gain more visibility, control, and confidence over their network and system security.
Microsoft Copilot for Security: The great equalizer for government security - Microsoft Industry Blogs - Cybersecurity for government organizations is a game of speed, with cyberattackers working to compromise networks and steal data as swiftly as possible before defenders can detect and deter them. In this ongoing battle, cyberattackers have traditionally had an asymmetrical advantage.
Defender for Cloud Things
Enforcement of Defender CSPM for Premium DevOps Security Capabilities - Microsoft Defender CSPM provides advanced security posture capabilities including agentless vulnerability scanning, attack path analysis, integrated data-aware security posture, code to cloud contextualization, and an intelligent cloud security graph. Pricing is dependent on cloud size, with billing based on Server, Storage account, and Database counts. There is no additional charge for DevOps resources with this enforcement.
Creating a Security Posture Report for a Specific Azure Subscription - Creating a security posture report for a specific Azure subscription involves several steps to ensure that you accurately capture the security recommendations and compliance status.
Defender XDR Things
Defending against Windows Internet Shortcut Files Security Feature Bypass Vulnerability (CVE-2024-21412) | LinkedIn - Proofpoint reported that in Q4 2023, .URL file use increased significantly as threat actors abused CVE-2023-36025, a vulnerability in Windows SmartScreen. Threat actors abuse this file type to embed links hosting malware payloads or credential phishing websites.
Defender Experts Things
Hunting for QR Code AiTM Phishing and User Compromise - In the dynamic landscape of adversary-in-the-middle (AiTM) attacks, the Microsoft Defender Experts team has recently observed a notable trend – QR code-themed phishing campaigns. The attackers employ deceptive QR codes to manipulate users into accessing fraudulent websites or downloading harmful content.
Microsoft Purview Things
Labeling with Microsoft Purview Data Map now supports Dataverse, Azure Databricks, and Snowflake - We are pleased to announce that Labeling with Purview Data Map now supports three new data sources:
Dataverse,
Azure Databricks and
Snowflake.
Microsoft Entra Things
Deep Dive of Microsoft-managed Conditional Access Policies in Microsoft Entra ID - In November 2023 at Microsoft Ignite, we announced Microsoft-managed policies and the auto-rollout of multifactor authentication (MFA)-related Conditional Access policies in customer tenants. Since then, we’ve rolled out report-only policies for over 500,000 tenants. These policies are part of our Secure Future Initiative, which includes key engineering advances to improve security for customers against cyberthreats that we anticipate will increase over time.
Managing MDTI Premium licenses in Microsoft Entra Admin Center - This blog details how to assign and manage Defender Threat Intelligence (MDTI) licenses and contains links to helpful content and resources. It is intended for customers who recently purchased the MDTI Premium SKU or a SKU that enables MDTI Premium access for its user base, such as Copilot for Security. Global administrators or identity governance administrators responsible for assigning MDTI user seat assignments will find it particularly useful.
Avoid the complexity when utilizing Entra ID multi-tenants and School or Work/Microsoft Accounts - In this post, we outline several patterns for addressing issues that commonly arise in such scenarios and their corresponding solutions. Dealing with authentication and authorization issues related to Entra ID can be time-consuming in the absence of prior knowledge, so we hope this knowledge proves helpful to all.