Microsoft Defender Weekly Wrap - Issue #44
Happy Friday everyone!
I hope your week was good. It's been a minute since we spoke, but I can honestly admit that my time off was good. Too good, I think.
I absolutely love my job at Microsoft. But this was the first vacation in a long while where I wasn't champing at the bit to come back. If you remember from a couple weeks ago, I talked about my intent to take my entire family (wife, kids, their spouses, grandkid, etc.) to the beach. We had not had a family vacation in 5 or 6 years, so it was definitely time.
It was wonderful, to say the least. If you get a chance to do something like that, don't hesitate. There are lots of awesome memories to make.
I want to take a quick second, though, to thank Andrea Fisher for helming the newsletter creation and delivery during my absence. I know you agree she did a wonderful job, and I can't thank her enough. If you get a chance, drop Andrea a line on Twitter (@andreatfisher) to thank her.
This week's newsletter is chock-full of goodness (as usual), so let's get to a couple of highlights.
...
This week, in a couple of YAMS (yet another Microsoft survey), we have a couple of opportunities for you to supply your feedback and help us build the products and features you need.
Feedback on Network Protection for macOS and Linux
We would appreciate your feedback regarding our recent public preview of Network Protection for both macOS and Linux. Network Protection enables web threat protection, custom indicators of compromise, web content filtering, and Microsoft Defender for Cloud Apps endpoint enforcement.
Survey link: https://rodtrent.com/54d
Data Security: Your thoughts on securing AWS S3
As a user and a customer, we would like your perspective on the challenges you are facing today with AWS S3. We would like to know the feature set most important to you when considering a new plan that protects AWS S3.
Survey link: https://rodtrent.com/2w3
...
A lot of folks are still scrambling for good references to prepare for the SC-100 exam. A book from Microsoft Press by my colleagues Yuri Diogenes, Sarah Young, Mark Simos and Gladys Rodriguez is now available for pre-order. The actual release date isn't until February 2023, but you can expect this one to be a valuable addition to your physical book library.
Get it here: https://amzn.to/3S791WO
...
In another chapter of "Battle of the Books", there's also another awesome SC-100 exam prep guide coming from my good friend Dwayne Natwick. If you're familiar with Dwayne's content, you know this will be a book you absolutely need.
Pre-order for this one is also ready: https://amzn.to/3fcFJYn
Disclaimer: I have written the Foreword for this one.
...
I'm still digging out from two weeks away from work, so there's lots here to do. A piece of that is preparing for a couple of sessions at Microsoft Ignite 2022. I hope you're planning to attend either in-person or virtually.
Due to some ongoing travel budget restrictions at Microsoft, my sessions for Microsoft Ignite 2022 are both virtual events so you can catch them any time after the live event.
Threat response with Microsoft Sentinel playbooks - Wednesday, October 12 3:00 PM-4:00 PM
Plan for cloud workload protections using Microsoft Defender for Cloud - Thursday, October 13 2:00 PM-3:00 PM
I hope you're as excited about Microsoft Ignite as I am.
Registration: https://rodtrent.com/k1e
Talk soon.
-Rod
Things to Attend
Stop Ransomware with Microsoft Security digital event presents threat intelligence in action — www.microsoft.com Throughout the Stop Ransomware with Microsoft Security digital event, we’ll be demonstrating both Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management. Join us to learn how you can bolster your security strategy by integrating both products into your own security operation center—or connect with cybersecurity professionals during a live question and answer chat if you have questions.
Things that are Related
Kusto Detective Agency - an interactive big data contest — www.youtube.com Welcome to the Kusto Detective agency, rookie! Be prepared to flex your investigative muscles as you use your big data skills to solve our most challenging ...
The art and science behind Microsoft threat hunting: Part 2 - Microsoft Security Blog — www.microsoft.com We discussed Microsoft Detection and Response Team’s (DART) threat hunting principles in part 1 of The art and science behind Microsoft threat hunting blog series. In this follow-up post, we will talk about some general hunting strategies, frameworks, tools, and how Microsoft incident responders work with threat intelligence.
Things in Techcommunity
Defender for endpoint P1 license and defender for server p1 - Microsoft Tech Community — techcommunity.microsoft.com Hi All, Appreciate your advice for below: 1. If customers have multiple shared devices which will be logged in by different frontline workers, how do they
Qualys vulnerability assessment - Microsoft Tech Community — techcommunity.microsoft.com Hey, Qualys assessments work fine when I have a virtual machine; however, the non-Azure devices don't have an option. Do I need to add them to Azure Arc
Things to Have
KQL-for-Everything/TrackMDCChanges.txt at main · rod-trent/KQL-for-Everything · GitHub — github.com Track when someone makes MDC portal environment settings
Defender for Cloud Things
BLOG: Configure File Integrity Monitoring (FIM) using Defender for Cloud and AMA-agent — jeffreyappel.nl File Integrity Monitoring (FIM) is a technology that monitors and detects file changes that could be indicative of a cyberattack. File Integrity Monitoring is part of Defender for Servers P2 and enables monitoring of operating system files, Windows Registry, Application Software files, and Linux system files for changes that might indicate an attack or configuration change. FIM is a core requirement in many compliance standards like PCI-DSS, NERC CIP, FISMA, SOX, NIST, and HIPAA.
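As an added illustration of the idea behind FIM (this is my own example, not the Defender for Cloud or AMA implementation described in Jeffrey's post): take a trusted baseline of hash, size and permission bits for every file under a root, rescan later, and report what was added, removed or modified. The directory layout and the "attacker" changes in demo() are constructed for the example.

```python
"""Minimal file integrity monitor: baseline snapshot, rescan, diff.

Added illustration of the FIM concept; NOT the Defender for Cloud / AMA
implementation. Same idea in plain Python: record a trusted baseline of
hash, size and permission bits per file, then report what changed.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes we track per file; order controls the order in 'modified' lists.
TRACKED = ("sha256", "size", "mode")


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (posix-style relative path) to its tracked attributes."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks and directories are out of scope for this example
        st = p.stat()
        result[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid/sticky
        }
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; 'modified' names which tracked attributes differ per file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario (not real data): baseline a fake root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")
        os.chmod(root / "bin" / "ls", 0o755)

        baseline = snapshot(root)

        # Simulated attacker activity after the baseline was taken:
        with (root / "etc" / "passwd").open("a") as f:
            f.write("eve:x:0:0::/root:/bin/bash\n")               # extra UID-0 account
        os.chmod(root / "bin" / "ls", 0o4755)                        # setuid bit only, content untouched
        (root / "etc" / "hosts").unlink()                            # file removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")  # persistence

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Note that the setuid change on bin/ls is caught by the mode comparison alone, which is why a hash-only monitor is not enough; the same applies to ownership changes, which you would add to TRACKED in a real deployment.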
VIDEO: Defender for Azure Cosmos DB | Defender for Cloud in the Field #18 — www.youtube.com Defender for Azure Cosmos DB | Defender for Cloud in the Field #18
Defender for Endpoint Things
LEARN: Check the health state of the sensor at Microsoft Defender for Endpoint | Microsoft Learn — learn.microsoft.com Check the sensor health on devices to identify which ones are misconfigured, inactive, or aren't reporting sensor data.
BLOG: Tamper protection will be turned on for all enterprise customers — techcommunity.microsoft.com To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal.
BLOG: Microsoft Defender for Endpoint is now available on Android company-owned personally enabled devices — techcommunity.microsoft.com This provides admins full management control within the work profile while only limited visibility into the personal profile. This practice helps admins continue to enforce policies while maintaining employee privacy.
BLOG: Onboard Microsoft Defender for Endpoint using Azure Arc and Defender for Cloud — jeffreyappel.nl It is time for part 3C of the ultimate Microsoft Defender for Endpoint (MDE) series. After Part 3B (Onboard Defender for Endpoint using Defender for Cloud) it is now time for some more technical deep-dive scoped on Azure Arc and onboarding of non-azure servers. Part 3C is focused on onboarding using Defender for Cloud and Azure Arc for on-premises / non-Azure cloud servers. Azure Arc makes it possible to onboard non-Azure servers in Defender for Cloud and Defender for Endpoint.
Microsoft 365 Defender Things
BLOG: Malicious OAuth applications used to compromise email servers and spread spam - Microsoft Security Blog — www.microsoft.com Microsoft has been monitoring the rising popularity of OAuth application abuse. One of the first observed malicious usage of OAuth applications in the wild is consent phishing. Consent phishing attacks aim to trick users into granting permissions to malicious OAuth apps to gain access to user’s legitimate cloud services (mail servers, files storage, management APIs, etc.). In the past few years, Microsoft has observed that more and more threat actors, including nation-state actors, have been using OAuth applications for different malicious purposes – command-and-control (C2) communication, backdoors, phishing, redirections, and so on.
BLOG: Top Threat Protection use cases in Microsoft Defender for Cloud Apps — techcommunity.microsoft.com The combined power of Microsoft Defender for Cloud Apps and Microsoft 365 Defender provides unique threat protection capabilities which leverage the native integration between a multi-purpose Cloud Access Security Broker (CASB) and an integrated XDR+SIEM platform.
BLOG: Discover XDR integrations and services in the New Microsoft 365 Defender Partner Catalog - Microsoft Tech Community — techcommunity.microsoft.com Cybersecurity strategies are often complex and include a wide range of solutions, or sometimes even managed security services partners to help run them
BLOG: Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices - Microsoft Security Blog — www.microsoft.com Our analysis of a recent version of a previously reported info-stealing Android malware, delivered through an ongoing SMS campaign, demonstrates the continuous evolution of mobile threats.
BLOG: Microsoft Defender Mind Map - Cyber Geeks | Cyber Security & Cloud Computing — cybergeeks.cloud Are you trying to understand all the products that are part of the Microsoft Defender family?! I have created this Mind Map to help you with that. You can download the PDF at the
Defender for Office Things
BLOG: Email Protection Basics in Microsoft 365: Spoof and Impersonation - Microsoft Tech Community — techcommunity.microsoft.com Microsoft Support is excited to continue this blog series to demystify how Microsoft 365 email protection works. Earlier, we covered how phishing has the
Defender for IoT Things
IoT Entity Page - Enhance IoT/OT Threat Monitoring in Your SOC with Sentinel and Defender for IoT — techcommunity.microsoft.com Intro OT/IoT devices, including Programmable Logic Controllers (PLCs), Human-Machine Interface (HMIs), Engineering Workstations, Network Devices, and