Things from Me
Happy Friday everyone!
I hope this newsletter finds you in great spirits and thriving in your digital endeavors. As loyal members, you are the backbone of this community, and I cannot express enough how much I appreciate your commitment. For those that are new this week, welcome! You’ve joined a group of like-minded people.
In this week's edition, there are some exciting new topics to keep you informed and well-prepared for the challenges that may come your way. But understand that knowledge is truly powerful only when shared!
I was struck by a quote this past week I thought I’d share.
‘Knowledge is power. Knowledge shared is power multiplied.’ – Robert Boyce
So, I encourage you to spread the word and share this valuable content with your colleagues, friends, and family who might benefit from it.
Whether it's forwarding this newsletter via email, sharing a snippet on social media, or discussing it over a cup of coffee, I believe that fostering awareness and open communication is the key to building a safer and more secure digital world for all.
Once again, thank you for being a part of our cybersecurity family, and happy reading! Here's to empowering each other and making the digital world a better and safer place.
…
This week, I wanted to quickly make you aware of a new, ongoing series I’m putting together called “Microsoft Sentinel SOC 101.” With this series, I intend to cover the more common threats and how Microsoft Sentinel can be used to monitor, expose, react to, and mitigate these threats. I was recently made aware that this is something that is lacking.
The first pieces of the series are already posted to cover Brute Force, Phishing, Malware, and Cross-Site Scripting (XSS):
Microsoft Sentinel SOC 101: How to Detect and Mitigate Brute Force Attacks with Microsoft Sentinel
Microsoft Sentinel SOC 101: How to Detect and Mitigate Phishing Attacks with Microsoft Sentinel
Microsoft Sentinel SOC 101: How to Detect and Mitigate Malware Attacks with Microsoft Sentinel
Already, you’ll find in the series that there are specific instances where connecting Defender products to Microsoft Sentinel is a best practice to help expose the threats more efficiently. But I also plan to expand the series to include scenarios for those customers that don’t use Microsoft Sentinel and are only using specific Defender products. Stay tuned for that.
…
Last week I posted about a new KQL design trucker hat. I had to make some modifications to it, so the URL changed. The new URL is: https://must-learn-kql.creator-spring.com/listing/keep-on-kqlin-hat
And while doing that, I was prodded to put the “KQL is a Superpower” design together. The new pint glass design is pretty fantastic.
If interested, you can find it here: https://must-learn-kql.creator-spring.com/listing/kql-is-a-superpower
As always, all proceeds go to St. Jude.
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
DecipheringUAL Part 06 Update-RoleGroupMember - A threat actor can run a cmdlet to replace the entire membership list of a Microsoft Defender for Office (MDO), Purview Compliance or Exchange Online (EXO) role group with an account they've compromised, or clear out this membership list completely as a method of Impact. This would cause a denial of service, as it would remove role permissions from legitimate users.
KQL Functions For Security Operations - In recent years, Kusto Query Language (KQL) has taken an ever more prominent place in the cybersecurity world. The language offers a powerful arsenal of functions and capabilities that can be leveraged for SOC operations, incident investigation, threat hunting, and detection engineering. In this blog, we explore several KQL functions and uncover how security teams can use them to open up new query possibilities. Whether you use KQL in 365 Defender, Sentinel or Azure Data Explorer, all of the functions can be used in any of these places, regardless of where your logs are stored.
PowerShell Automation and Scripting for Cybersecurity: Hacking and defense for red and blue teamers - Explore PowerShell’s offensive and defensive capabilities to strengthen your organization’s security.
Basic cyber hygiene prevents 98% of attacks - In today's digital era, businesses rely heavily on technology and online systems. To help safeguard against cyber threats and ensure business continuity, maintaining basic cyber hygiene is imperative. Adhering to basic security hygiene can protect against 98% of attacks.
Enforcing and Managing Azure DDoS Protection with Azure Policy - In today's interconnected digital landscape, Distributed Denial of Service (DDoS) attacks have become a persistent threat to organizations of all sizes. These attacks can disrupt services, compromise sensitive data, and lead to financial losses. To counter this threat, Microsoft Azure offers robust DDoS protection capabilities. In this blog post, we will explore how organizations can leverage Azure Policy to enforce and manage Azure DDoS Protection, enhancing their security posture and ensuring uninterrupted services.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 170 - Just us - Our original guest had fallen ill (and has already been rescheduled for October 11th) and Brodie couldn’t find a restroom, so Edward, Andrea, and Rod spent the time hitting a wide range of topic hotspots.
After the Blog Episode 4: Preparing Microsoft Sentinel for Generative AI - Angelica Faber joins me this episode to close out some burning questions that have plagued my brain for days. Thanks, Angelica, for letting me sleep at night again!
Things to Attend
Add to Calendar - Season 5 | Episode 5: Improve Your Security Posture with Microsoft Defender Experts for XDR - Monday, September 25, 2023, 9:00am Pacific Time
Things in Techcommunity
Preferred method for starting Windows Defender Antivirus Service - Noticing that on some of our Windows 10 machines the Windows Defender Antivirus Service is set to Disabled. It will not allow you to manually start the service. In all of the troubleshooting that I have done, the only way to set it to Automatic and get it running is by editing the Service registry value, changing "Start" from 4 to 2, and rebooting.
How to customize checking newly loaded devices through advanced search? - How do I write a KQL statement?
Things from Partners
Microsoft partner LAB3 helps Angle Finance achieve a fivefold increase in business volume while bolstering security - Leveraging Microsoft services such as Azure, Azure DevOps, Azure Modular Data Centre, Microsoft 365 E5 and Microsoft Sentinel, LAB3 has helped Angle Finance rapidly deploy several solutions focused on improving cloud agility, data governance and security.
Defender for Cloud Things
How to keep track of Defender for Cloud Coverage - Defender for Cloud plans are enabled per subscription, and it can become challenging to know which plan has been enabled on which subscription, especially in larger environments. That is why we added the Coverage workbook to Defender for Cloud's Workbook Gallery. While some plans simply need to be enabled, others have additional dependencies. For example, in Defender CSPM it is not enough to enable the plan on an Azure subscription or multicloud connector; you will also want to enable agentless scanning for machines, agentless Kubernetes discovery, sensitive data discovery, and agentless vulnerability scanning for container registries. While all of these settings are enabled by default when enabling Defender CSPM today, at no additional cost or resource impact, that was not the case in the past. Also, someone might still accidentally disable one or all of these capabilities while keeping Defender CSPM enabled. With the updated Coverage workbook, it is easy to detect such misconfigurations.
365 Defender Things
Respond to threats across tenants more effectively with Microsoft 365 Defender multi-tenant support - Today we are excited to expand our current public preview for multi-tenant environments in Microsoft 365 Defender, which provides large organizations with the much-needed visibility and ease of use across their distributed environments. This addition marks the first wave of improvements, with a focus on global SOC investigation flows, including a consolidated view of incidents across tenants, device inventory, vulnerability management, the ability to perform advanced hunting across data in multiple tenants, and more.
Microsoft 365 Defender demonstrates 100 percent protection coverage in the 2023 MITRE Engenuity ATT&CK Evaluations: Enterprise - For the fifth consecutive year, Microsoft 365 Defender demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE Engenuity ATT&CK® Evaluations: Enterprise. The attack used during the test highlights the importance of a unified XDR platform and showcases Microsoft 365 Defender as a leading solution, enabled by next-generation protection, industry-first capabilities like automatic attack disruption, and more.
Introducing credit monitoring and privacy protection for Microsoft Defender - Where there once was a clear distinction between our online identities and our offline selves, today they are increasingly intertwined. Similarly, where people were previously occasionally offline, today we’re living in a world of constant connectivity. This has brought with it many innovations and improvements to our lives, but has also made the risk of cyber-attacks seriously disrupting our lives a lot more real.
Defender for Endpoint Things
Deploying MDE to macOS - So, you've been deploying MDE to your Windows devices for some time now and you've finally got to a point where you need to deploy it to the Apple macOS devices in your fleet, but where to start? In this blog post I will run through the steps I take for deploying MDE to macOS devices, along with some supplied configurations to make your life easier, because everyone likes an easy life.
Defender Experts Things
A day in the life of a Defender Experts for XDR analyst - This June Microsoft officially launched Defender Experts for XDR, a new first-party managed extended detection and response (MXDR) service. Since public preview of the service was announced last November, a frequently asked question has been “What actually happens in a day in the life of a Defender Experts analyst?” We can reveal that the analyst team spends their days in customer environments investigating and responding to incidents, threat hunting, and providing guidance on overarching security posture improvements. In fact, we even have a real-life Defender Experts analyst here to share some of their experiences! Read on for case studies that show what a day in the life of a Defender Experts analyst really looks like.
Microsoft Purview Things
Addressing data security challenges in shared tenant - This is a common architecture we see throughout State and Local Government customers (figure 1). This scenario also exists in many multi-national organizations, as well as very large organizations with a centralized structure. For the public sector, agencies (or companies) are typically managed centrally by the State, City, or County’s central IT team.
Defender EASM Things
An introduction to Microsoft Defender EASM’s Data Connections functionality - In June, we released the new Data Connections feature within Defender EASM, which enables seamless integration into Azure Log Analytics and Azure Data Explorer, helping users supplement existing workflows to gain new insights as the data flows from Defender EASM into the other tools. The new capability is currently available in public preview for Defender EASM customers.
Microsoft Entra Things
Just In Time Application Administration Using PIM in Microsoft Entra ID - A Step By Step Guide to Improving Security Posture - One of the critical pillars in the implementation of Zero Trust Security using Azure Security Technologies is the Privileged Identity Management capability. Within this framework, two key components stand out: Just In Time Administration (JIT) and enforcing Multi-Factor Authentication (MFA) at the time of actual role activation.
Simplifying Security: Exploring Microsoft’s Entra Internet Access - In July 2023, Microsoft announced Entra Internet Access, part of the company’s Security Service Edge offering, which promises enhanced security capabilities when it comes to controlling access to applications. I was personally very much looking forward to that product launch, as I personally think that this is a superb capability and a long-awaited product that finally completes Microsoft’s Zero Trust story by expanding Conditional Access’ policy definition capabilities to the network pillar – and in that respect, its importance cannot be overestimated.
Microsoft Entra Internet Access: An Identity-Centric Secure Web Gateway Solution - In our previous blog, we introduced Microsoft’s identity-centric security service edge (SSE) solution and two new services: Microsoft Entra Private Access and Microsoft Entra Internet Access. This blog continues the series around Microsoft’s new SSE solution, where we’ll take a deeper look into the Microsoft Entra Internet Access, currently in public preview for Microsoft 365 scenarios, and soon-to-be available in public preview for all internet traffic.
Fun Thing This Week
Spirals - Generate beautiful AI spiral art with one click. Powered by Vercel and Replicate.