Things from Me
Happy Friday everyone!
For those salty and seasoned veterans, welcome back to the newsletter. And, for the many of you who are just joining us over the past couple weeks, thanks so much for choosing to participate in this community.
The weather has been gorgeous here in SW Ohio for the last week. I’ve been outside running every day this week. Nothing like a long run to clear out the funk of the daily rut and healthy doses of vitamin D to bring renewed creativity. When it gets warm outside, my running mileage goes through the roof - and that’s a good thing. For those keeping track, as of today I’ve found a way to run every day for the last 2,832 days. That’s a LOT of creativity.
For those that have been following along with my plight of torrential rain and a flooded basement, this has been quite a turnaround. And, just as you would expect after we signed the basement waterproofing contract, there’s no rain forecast for another couple weeks.
But, hey…preparation is everything. Right?
So, this renewed creativity thing...
I’ll have more to share soon, but I’ve been working on training an AI model for the very specific job of converting queries and detections from non-Microsoft security products into detections that can be used for Microsoft Sentinel and Defender. I’m by no means a developer, but at the Midwest Management Summit in just a couple weeks, I will be demonstrating this self-branded “RodBot” as part of a modern SIEM discussion/session. Once the session is done, I’ll post all the Python code with instructions on my OpenAI GitHub repo to help drive your creativity in creating your own working models. Stay tuned for that.
That’s it from me this week.
Talk soon.
-Rod
Things to Attend
Generative AI for InfoSec & Hackers: What Security Teams Need to Know - Wednesday, April 26, 2023 - ChatGPT, DALL-E, and other generative AI tools’ ability to process plain-language prompts to create new content is almost cliché by now. What could generative AI craft for your security team? And – perhaps more importantly – what has it already made for hackers today… and what could it create tomorrow?
MISA Month continues on the Microsoft Security Insights show when Mark Shavlik from Senserva joins us to talk about what his company is up to, how MISA has accelerated the company's trajectory, and why he's attending MMSMOA at the end of the month instead of RSA. Join us live on Wednesday, April 19th at 5pm EST, or wait for the replay.
Things that are Related
Tutorial: Change the workspace destination of your already provisioned Data Collection Rule used by the Azure Monitoring Agent - This post is inspired by different setups I saw while working with my clients. More and more clients are leveraging the Azure Monitoring Agent (AMA) and Data Collection Rules (DCR) to collect log data. I’ve noticed that clients sometimes are sending log data to different Log Analytics Workspaces (LAW) without being aware of it. Most of the time this is because Azure creates default LAW workspaces without warning about it, or they simply misconfigured the Data Collection Rule.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 148 - Drew Perry, Chief Innovation Officer at Ontinue - Join us as we prepare for RSA conference with a chat with MISA partner Ontinue. Drew Perry joins the MSI Show crew to catch us up on Ontinue’s super-cool Microsoft Teams-based SIEM solution, how to catch demos, and Sentinel cost discussions at RSA.
Things in Techcommunity
ATP Legacy portal to defender > missing events in timeline - After the old ATP portal was closed and redirected to the Defender portal, I can't find the changes that have been done on users or computers.
How to onboard an Azure VM manually to Microsoft Defender for Cloud? - I know that when you turn on MDC for the subscription, all the new resources belonging to the subscription will be onboarded automatically. But is there any manual way to onboard it?
Microsoft Security Tech Community - Join the other 68,000 members of the Tech Community to ask questions to the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in product, and how you can implement it into your workflows.
Things to Have
DeviceLastSeen.kql - Device Last Seen time built by my wonderful colleague, Andrea Fisher
Things from Partners
Leveraging AI for Enhanced Cyber Security Incident Management: A Novel Approach to Threat Hunting and Response (Part 1 of 3) - In recent years, cyber security incidents and threats have grown exponentially, prompting the need for advanced solutions to manage, analyse, and respond to these challenges. This paper presents a novel approach to cyber security incident management by integrating artificial intelligence (AI) and natural language processing (NLP) technologies. The proposed solution combines Microsoft Azure's cognitive services, Microsoft Sentinel, GPT4, and a custom ChatGPT threat intelligence plugin to create an intuitive and efficient system for SecOps analysts and threat hunters. We discuss the architecture, implementation, and significance of this new approach and its potential to revolutionise detection and response in the AI era.
AI Co-Founders: The Future of Business Innovation and Intellectual Property (Part 2 of 3) - In this article, we'll explore the implications of AI-generated innovations, discuss the issues surrounding ownership and intellectual property in the age of what I dub potential "AI co-founders", and delve into the examples of how GPT-4 contributed to the creation of the solution.
Things in the News
Microsoft and Cohesity are joining forces to fend off ransomware and other cyber threats - The two tech vendors are optimizing services across their platforms to add value for customers of both companies.
Defender for Cloud Things
BLOG: Advanced protection features in Defender for Servers Plan 2: The Intro – Part 0 - I decided to start a blog series about the Advanced protection features which are included in the Defender for Servers Plan 2 provided by Microsoft Defender for Cloud. More and more companies are starting to use Defender for Servers but are uncertain which plan to choose. With this blog series I would like to provide enhanced information about the Advanced protection features and guidance on how to get started with the different features. I ran into a lot of caveats deploying those features and I'm happy to share this with the community!
NEW: Unified Disk Encryption recommendation (preview)
We have introduced a unified disk encryption recommendation in public preview: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost" and "Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost".
These recommendations replace "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources", which detected Azure Disk Encryption, and the policy "Virtual machines and virtual machine scale sets should have encryption at host enabled", which detected EncryptionAtHost. ADE and EncryptionAtHost provide comparable encryption-at-rest coverage, and enabling either one on a virtual machine is recommended. The new recommendations detect whether either ADE or EncryptionAtHost is enabled and only warn if neither is enabled. We also warn if ADE is enabled on some, but not all, disks of a VM (this condition isn't applicable to EncryptionAtHost).
The new recommendations require guest config.
These recommendations are based on the following policies:
Learn more about ADE and EncryptionAtHost and how to enable one of them.
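The decision rule described above (warn only when neither ADE nor EncryptionAtHost is on, plus the partial-ADE edge case) is easy to misread when assessing a fleet by hand. The following Python is an added illustration written for this newsletter, not Microsoft's policy definition or any Defender for Cloud code. It assumes a simplified VM record with one ADE flag per attached disk and a single VM-level EncryptionAtHost flag; the sample fleet is constructed, and the choice to treat an EncryptionAtHost-enabled VM as Healthy regardless of per-disk ADE state is our reading of "this condition isn't applicable to EncryptionAtHost".

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VirtualMachine:
    """Constructed VM record (sample data, not pulled from Azure)."""
    name: str
    ade_encrypted_disks: List[bool]   # one flag per attached disk (OS + data disks)
    encryption_at_host: bool = False  # VM-level setting; there is no per-disk state


HEALTHY = "Healthy"
NEITHER_ENABLED = "Unhealthy: neither ADE nor EncryptionAtHost is enabled"
PARTIAL_ADE = "Unhealthy: ADE is enabled on some, but not all, disks"


def evaluate_disk_encryption(vm: VirtualMachine) -> str:
    """Apply the unified recommendation's decision rule to one VM.

    Rule as stated in the release note: warn only if neither ADE nor
    EncryptionAtHost is enabled; also warn if ADE covers some but not all disks.
    Assumption (ours, not the page's): EncryptionAtHost covers every disk, so a
    VM with it enabled is Healthy regardless of per-disk ADE state.
    """
    if vm.encryption_at_host:
        return HEALTHY
    ade_disks = vm.ade_encrypted_disks
    if not any(ade_disks):          # also covers a VM with no disks listed
        return NEITHER_ENABLED
    if not all(ade_disks):          # the partial-ADE edge case
        return PARTIAL_ADE
    return HEALTHY


def evaluate_fleet(vms: List[VirtualMachine]) -> Dict[str, str]:
    """Evaluate every VM and return a name -> result mapping."""
    return {vm.name: evaluate_disk_encryption(vm) for vm in vms}


# Constructed sample fleet covering each branch of the rule.
SAMPLE_FLEET = [
    VirtualMachine("vm-ade-full", [True, True]),
    VirtualMachine("vm-ade-partial", [True, False, False]),
    VirtualMachine("vm-host-enc", [False, False], encryption_at_host=True),
    VirtualMachine("vm-unencrypted", [False, False]),
]

if __name__ == "__main__":
    for name, result in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{name:16} {result}")
```

Running it lists two Healthy VMs and two Unhealthy ones, with vm-ade-partial flagged for the partial-ADE condition even though it does have some encryption in place, which is exactly the state the old ADE-only recommendation could report inconsistently.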
NEW: Changes in the recommendation "Machines should be configured securely"
The recommendation "Machines should be configured securely" was updated. The update improves the performance and stability of the recommendation and aligns its experience with the generic behavior of Defender for Cloud's recommendations.
As part of this update, the recommendation's ID was changed from 181ac480-f7c4-544b-9865-11b8ffe87f47 to c476dc48-8110-4139-91af-c8d940896b98.
No action is required on the customer side, and there's no expected impact on the secure score.
Defender for Endpoint Things
DOCS: Get started with troubleshooting mode in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot various Microsoft Defender antivirus features by enabling them from the device and testing different scenarios, even if they're controlled by the organization policy. The troubleshooting mode is disabled by default and requires you to turn it on for a device (and/or group of devices) for a limited time. Note that this is exclusively an Enterprise-only feature, and requires Microsoft 365 Defender access.
Defender for IoT Things
BLOG: Improve supply chain security and resiliency with Microsoft - Microsoft Defender for IoT secures these environments, offering asset discovery, threat detection, incident response, compliance reporting, and more. Defender for IoT can be deployed on-premises or in the cloud and it integrates with Microsoft Defender, Microsoft Threat Intelligence, and Microsoft Sentinel to enable security operations center teams to collaborate more effectively and efficiently. Learn more about Defender for IoT and how a cloud-powered OT security solution delivers the best value.
365 Defender Things
BLOG: MERCURY and DEV-1084: Destructive attack on hybrid environment - Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.
Threat actors strive to cause Tax Day headaches - Threat actors often take advantage of current events and major news headlines to align attacks and leverage social engineering when people could be more likely to be distracted or misled. Tax season is particularly appealing to threat actors because not only are people busy and under stress, but it is intrinsically tied to financial information. With U.S. Tax Day approaching, Microsoft has observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.
Microsoft Purview Things
VIDEO: Unlock the Secrets of Microsoft Purview eDiscovery Premium - In this video, we show you how to:
Name & describe your case
Set up custodial data sources
Set up non-custodial data sources
Create a collection
Commit your collection to a Review set
Start interpreting the results
NEWS: Retirement notification for the Azure Information Protection Unified Labeling add-in for Office - We are officially announcing the retirement of the AIP Unified Labeling add-in for Office and starting the 12-month clock, after which it will reach retirement on April 11, 2024. All customers with Azure Information Protection service plans will also receive a Message Center post with this announcement.
BLOG: Microsoft Purview Information Protection in Microsoft 365 Apps - April 2023 - Welcome back to the quarterly newsletter from Word, Excel, PowerPoint, and Outlook discussing what’s new and coming soon with sensitivity labels, powered by Microsoft Purview Information Protection. We pick up where we left off in January 2023.
Defender for Office Things
BLOG: Attack Simulation Training: Using machine learning to drive more effective simulations - Attack Simulation Training (AST) is an advanced tool for reducing the risk of phishing across an organization that measures behavior change and automates the deployment of an integrated security awareness training program across an organization. It allows security teams to run intelligent simulations, consume actionable insights and remediate risk with hyper-targeted training designed to change behavior, and then measure behavioral progress against that benchmark through repeated simulations.
BLOG: Training only campaign is now available with an expanded training module library - Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization. It is available with Microsoft 365 E5 or Microsoft Defender for Office 365 P2 plan. We are extremely excited to announce that Attack Simulation Training now provides the capability for admins to launch a Training only campaign!
Defender Threat Intelligence Things
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia - Microsoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how PSOAs operate and raise awareness about how PSOAs facilitate the targeting and exploitation of civil society. For more info, read Standing up for democratic values and protecting stability of cyberspace.
MERCURY and DEV-1084: Destructive attack on hybrid environment - Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.
BLOG: Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign - This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. Though this could impede investigations and threat hunting efforts, several artifacts can still be leveraged to identify affected devices.
Windows Defender Things
Endpoint security reports in Intune admin center for tenant attached devices - We’re excited to announce that we’ve added data from tenant attached devices to the Microsoft Defender Antivirus reports in the Microsoft Intune admin center. These reports help you monitor your devices for status on malware and antivirus states.
Microsoft Entra Things
BLOG: Entra Identity Governance with Entra Verified ID – Higher Fidelity Access Rights + Faster Onboarding - I’m excited to announce the integration of Entra Identity Governance Entitlement Management with a very cool technology we recently introduced, Microsoft Entra Verified ID!
NEWS: LinkedIn and Microsoft Entra introduce a new way to verify your workplace - In the digital world, when you meet professional contacts for the first time online, you need additional trust signals to increase your confidence that they are who they say they are. We’re thrilled to announce that millions of LinkedIn members will be able to verify their place of work with a Microsoft Entra Verified ID credential. By simply looking for a Verification, members and organizations can be more confident that the people they collaborate with are authentic and that work affiliations on their profiles are accurate.
Microsoft Priva Things
BLOG: Microsoft Priva: Helping you build a privacy resilient workplace - Last week, the 2023 IAPP Global Privacy Summit was held in Washington DC. There, privacy professionals and leaders from around the world came together to promote learning and awareness for data privacy. IAPP GPS served as a platform for individuals and organizations to come together to put privacy at the forefront of business practices—showcasing that the right set of tools can help meet fast-paced privacy regulatory changes.
A Parting Word (and dance)
You miss one live episode of the Microsoft Security Insights show, you miss a lot. If you’re an audio podcast listener only, you’re missing Brodie’s hard work getting his Intro Dance together.
Catch the show live every Wednesday at 5pm EST, on Substack directly after, or from your favorite podcast platform on Fridays.