Things from Me
Good Friday everyone!
I hope your week was good and that you have some significant plans for the weekend.
The house improvements continue here at Trent manor. Now that the basement waterproofing is complete, we’re moving on to new gutters and downspouts to give the basement every chance possible to stay dry. If the basement gets flooded now, it’s because it was simply meant to and completely out of our control.
For those new to this community, you can catch up on that recent story in issue #105: Microsoft Sentinel this Week - Issue #105 - by Rod Trent (substack.com)
The Leaf Filter folks will be out this next Monday to replace all of our gutters and downspouts with their state-of-the-art system. With all the home improvements in place and more coming, it seems a shame to be doing all of them just to hand them over to someone else when we move.
…
This may seem like a small thing, but it is actually a big, much-requested capability that has not existed until now. Our old Docs system let you subscribe to page changes through an RSS feed. Our newest Docs system (learn.microsoft.com) does not. In one sense we moved our Docs forward, making them better with quicker updates, but in another we moved back in time by no longer offering customers a way to monitor page changes.
If you happened to watch our Microsoft Security Insights show live on Wednesday with Yuri Diogenes, you heard it there first. But in case you missed that huge announcement, the Defender for Cloud What’s New/Release Notes page now has its very own RSS feed.
You can get notified when this page is updated by copying and pasting the following URL into your favorite feed reader:
https://aka.ms/mdc/rss
Unfortunately, this does not mean there are RSS feeds sitewide on learn.microsoft.com now. I’m crossing my fingers (and you should, too) that the other pages, like the What’s New for Microsoft Sentinel, also get this capability, because for now the only way to monitor that page is to use a Playbook, an HTTP trigger and a Workbook.
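If you would rather watch the feed from a script than a feed reader, here is an added example (not Microsoft code and not from the newsletter) of what a reader does with that URL: fetch the RSS, parse the items, and report only the entries it has not seen in an earlier run, keeping state in a local JSON file. The feed URL is the real aka.ms/mdc/rss one; the entries in SAMPLE_FEED are constructed so the script runs offline, and the function names and state-file location are this example’s own choices.

```python
"""Poll an RSS feed and report entries not seen in earlier runs.

Added example for watching a "What's new" feed such as https://aka.ms/mdc/rss.
Nothing here is Microsoft code; the feed URL is the one from the newsletter,
everything else (function names, state file, sample items) is this example's own.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET
from pathlib import Path

FEED_URL = "https://aka.ms/mdc/rss"          # real URL from the newsletter
STATE_FILE = Path(".rss_seen.json")          # assumed local state location

# Constructed sample feed: these entries are invented so the script runs offline.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Sample What's New feed (constructed)</title>
    <item>
      <title>Sample entry one</title>
      <link>https://example.invalid/whats-new#one</link>
      <guid>https://example.invalid/whats-new#one</guid>
      <pubDate>Mon, 05 Jun 2023 09:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Sample entry two</title>
      <link>https://example.invalid/whats-new#two</link>
      <guid>https://example.invalid/whats-new#two</guid>
      <pubDate>Wed, 07 Jun 2023 09:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""


def fetch_feed(url: str = FEED_URL, timeout: float = 15) -> str:
    """Download the feed body. Only used for a live run; the demo uses SAMPLE_FEED."""
    req = urllib.request.Request(url, headers={"User-Agent": "rss-watch/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_rss(xml_text: str) -> list[dict]:
    """Return the feed's <item> elements as dicts keyed by a stable id (guid, else link).

    The stdlib parser is fine for a feed you trust; if you point this at arbitrary
    feeds, swap ET for defusedxml.ElementTree to rule out entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        entry_id = (item.findtext("guid") or item.findtext("link") or "").strip()
        if not entry_id:
            continue  # an item with neither guid nor link cannot be tracked
        items.append({
            "id": entry_id,
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "published": (item.findtext("pubDate") or "").strip(),
        })
    return items


def find_new(items: list[dict], seen: set[str]) -> list[dict]:
    """Entries whose id is not in the set of previously seen ids."""
    return [it for it in items if it["id"] not in seen]


def check_feed(xml_text: str, seen: set[str]) -> tuple[list[dict], set[str]]:
    """Parse the feed, report unseen entries and return the updated seen-set."""
    items = parse_rss(xml_text)
    fresh = find_new(items, seen)
    return fresh, seen | {it["id"] for it in items}


def load_state(path: Path = STATE_FILE) -> set[str]:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_state(seen: set[str], path: Path = STATE_FILE) -> None:
    path.write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    # Offline demo on the constructed feed; replace SAMPLE_FEED with fetch_feed()
    # to watch the real aka.ms/mdc/rss page.
    fresh, seen = check_feed(SAMPLE_FEED, load_state())
    for entry in fresh:
        print(f"NEW: {entry['published']}  {entry['title']}  {entry['link']}")
    save_state(seen)
    print(f"{len(fresh)} new entries; {len(seen)} tracked in {STATE_FILE}")
```

Run it from a scheduled task or cron with fetch_feed() swapped in; the second and later runs print only entries whose guid was not in the state file, which is exactly the "notify me when this page changes" behaviour the old Docs feed gave you.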
Not a Microsoft Security Insights show fan yet? Check out All the Ways to Catch the Microsoft Security Insights Show Weekly
…
This week, we have a couple of Defender for Cloud private previews that need some more attention.
These, specifically, are:
IaC mapping
Container mapping
Private preview participants can locate these in their respective Teams channels.
Not part of the private preview program already? You can join here: https://www.aka.ms/prseccom
…
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
Join our digital event to learn what’s new in Microsoft Entra - Last year, we introduced you to Microsoft Entra, a comprehensive family of identity and access solutions. Soon, we will be expanding Microsoft Entra to include even more products and capabilities to strengthen your defenses. We hope you will join us on June 20, 2023, as we introduce the next stage of our vision at Reimagine secure access with Microsoft Entra.
JUN 14 Microsoft Defender for Cloud | Securing APIs with Defender for APIs - APIs are the top attack vector in cloud applications, with an increasing number of high-profile attacks. Learn how to secure your APIs through Microsoft Defender for APIs, a new product that brings discovery, full-lifecycle protection, detection, and response coverage for your APIs.
JUN 14 (9:00AM PT) Microsoft Defender for Identity | Become an Advisor to Our Product Engineering Team - The Microsoft Defender for Identity product engineering team is excited to share a program for customers to become trusted advisors and impact our feature planning. Engage directly with the engineering team, learn what's coming, test out private previews, and share your experiences and recommendations.
JUN 21 Microsoft Defender for IoT | Successful Deployment of Microsoft Defender for IoT - The process, considerations, factors involved in the successful deployment and operations of Microsoft Defender for IoT.
JUN 27 Azure Network Security | Azure WAF Protection with Bot Manager Scenarios - In this webinar, we shall take a look at the Web Application Bot Protection Manager rules and explore the scenarios and use cases highlighting the protection against malicious Bots.
Things that are Related
How are you protecting your local admin passwords? - Local admin passwords have long been the bane of an administrator’s life. Either every single device has the same local admin password (which is terribly insecure), or every device has a different password, or a mishmash of devices share passwords that are all kept on a sticky note in your desk drawer (which is also terribly insecure). Bad guys love to exploit local user accounts with methods like pass-the-hash and lateral movement. LAPS was designed to help you protect your devices from these kinds of attacks.
Microsoft 365 Lighthouse provides deployment insights across all tenants on a single pane of glass - Microsoft 365 Lighthouse makes it easier than ever for Managed Service Providers to deliver managed services to small and medium-sized customers, at scale, with multi-tenant management capabilities that help them secure users, devices, apps, and data across all of their customers’ tenants!
General availability: New KQL function to enrich your data analysis with geographic context - We are excited to announce a new function in KQL: geo_info_from_ip_address(). This function allows you to retrieve geolocation information about IPv4 or IPv6 addresses, such as country, state, city, and coordinates.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 156 - Yuri Diogenes, Principal PM - Join us as we endeavor to tap into Yuri Diogenes' vast knowledge and expertise in navigating the landscape of building a career in cybersecurity.
Things in Techcommunity
MDI sensor service will not start on ADFS server - I've exhausted my ability to troubleshoot why my ADFS sensor installs just will not start, so hoping someone can provide some guidance on how to get this working :)
Web Content Filter reports - nearly useful - As we have opened the can of worms that is "becoming aware of what end users are actually doing on their work computers" for a few organizations there are inevitable follow up questions. The default reports available for web protection follow a lot of the really high-level other reports. Just showing the top ten (or so) most visited URLs and the top ten computers visiting blocked/audited sites. This is so almost useful it hurts.
Things from Partners
NEW: Data Security partner-ready campaigns! - The Data Security 6-week digital campaign and the Data Security campaign-in-a-box are available to enable Microsoft partners to drive top and mid funnel leads for the Data Security solutions and your services.
Things in the News
A.I. will give cyberattack defenders an 'asymmetrical advantage,' says Microsoft - Tom Burt of Microsoft says that while cyberattacks have become more sophisticated, in the longer run, he is optimistic that A.I. will grant an advantage to defenders rather than those who weaponize it.
Defender for Cloud Things
NEW: Onboarding directly (without Azure Arc) to Defender for Servers is now Generally Available - Previously, Azure Arc was required to onboard non-Azure servers to Defender for Servers. However, with the latest release you can also onboard your on-premises servers to Defender for Servers using only the Microsoft Defender for Endpoint agent. This new method simplifies the onboarding process for customers focused on core endpoint protection and allows you to take advantage of Defender for Servers’ consumption-based billing for both cloud and non-cloud assets. The direct onboarding option via Defender for Endpoint is available now, with billing for onboarded machines starting on July 1. For more information, see Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint.
BLOG: Replacing agent-based discovery with agentless discovery for containers capabilities in Defender CSPM - With Agentless Container Posture capabilities available in Defender CSPM, the agent-based discovery capabilities are now retired. If you currently use container capabilities within Defender CSPM, please make sure that the relevant extensions are enabled to continue receiving container-related value of the new agentless capabilities such as container-related attack paths, insights, and inventory. (It can take up to 24 hours to see the effects of enabling the extensions). Learn more about agentless container posture.
GA: Defender for SQL Vulnerability Assessment Updates - Microsoft Defender for SQL provides full database protection through the following components: threat protection, which detects attacks in real time, and vulnerability assessment (VA), which scans for, flags, and reports on database misconfigurations that attackers could exploit.
Defender for Endpoint Things
365 Defender Things
BLOG: Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer - A month ago I've published an article about extending your Microsoft 365 Defender logs beyond the default of 30 days by leveraging Azure Event Hubs and Azure Data Explorer. I promised a second part to that article where I want to zoom in on sizing, performance and cost considerations.
BLOG: Safeguarding your OAuth apps with App Governance - App governance provides an essential layer of defense to help you to protect and improve the security posture of your OAuth enabled apps. Back in April, we announced that App governance will be included in Microsoft Defender for Cloud Apps, at no additional cost. We also did a walkthrough and overview of the features in our latest webinar. Today, we will share how easy it is to deploy and the immediate value it provides in your SaaS Security strategy.
BLOG: Prevent repeat attacks with threat-informed security posture recommendations - Microsoft 365 Defender now makes it easy for security operations (SOC) teams to identify and prioritize the right controls with the general availability of threat-informed security posture recommendations.
Microsoft Purview Things
BLOG: Manage access to business assets using collections in Microsoft Purview - You can now manage access to business assets using collections. Business assets help describe the business use and context of your data. You can show how data is used by an application service or business process to meet a particular business use case. Until recently, these were managed in Purview as a flat list. Now you can store business assets in a collection so these can be curated by the right experts and assigned to physical data.
BLOG: Don't get caught unprepared: three steps to manage the risks of multicloud - This month's episode of Uncovering Hidden Risks discusses what it means to support multicloud, the risks of running a multicloud strategy, and how customers can think about this as they accelerate their digital transformation. Considering that over 90% of organizations are already multicloud (meaning they rely on more than one cloud provider), it is important to understand how to protect people and data in a constantly evolving digital environment.
Defender Threat Intelligence Things
NEW: New Threat Actor Intel Profiles Added to Defender TI - The Microsoft Defender Threat Intelligence (Defender TI) team has recently launched twenty-six new threat actor Intel Profiles and more than 50 additional articles customers can leverage immediately to take an intel-led approach to defend their organization from the latest threats.
Microsoft Entra Things
BLOG: Increasing Transparency into Azure Active Directory's Resilience Model - Today, we’re excited to announce two new ways that we’re enhancing our transparency into these resilience capabilities and furthering our resilience journey: You can now see the actual SLA performance for your own tenant, in addition to the global SLA attainment for all tenants.
GA: Microsoft Entra ID Governance is generally available - Today, I’m pleased to announce the general availability of Microsoft Entra ID Governance, our complete identity governance product that ensures the right people have the right access to the right resources at the right time. This cloud-delivered product includes capabilities that were already available in Azure Active Directory, part of Microsoft Entra, plus our most advanced tools that simplify identity, management, and governance of on-premises and cloud apps and resources.
Defender for IoT Things
NEW: Microsoft Defender for IoT moves to site-based licensing for protecting OT environments - On June 1, 2023, Microsoft Defender for IoT moved to site-based licensing for organizations looking to protect their operational technology (OT) environments. The previous Azure consumption model for this solution will no longer be available for purchase by new customers. Existing customers can choose to transition to site-based licensing or remain on the consumption model.
Fun Thing This Week
LoveGenius AI writes your optimized bio. Showcase your true personality and attract 5x better matches.