Microsoft Defender Weekly Wrap - Issue #50
Happy Friday all!
This newsletter is 50!
I just want to make a quick point to thank you all for tuning in and continuing to tune in. This newsletter - and this community - continues to grow by leaps and bounds. Who knew 50 weeks ago that a simple idea like this could swell into something so far-reaching and valuable to many of you? I receive commentary frequently from folks that count on this newsletter weekly and participate heavily in the associated LinkedIn group.
Your community patronage is amazing and always appreciated. Remember, if you see something you like in the newsletter content don't keep it to yourself. Share it with someone that needs it. That's how we continue to grow.
...
GitLab Survey - Defender for DevOps GitLab Integration
The Defender for DevOps team is looking to broaden the Microsoft Defender for Cloud ecosystem by offering customers the ability to onboard their GitLab resources into Defender for DevOps. If your DevOps team uses GitLab in any capacity, we request your feedback to better understand how you interact with the GitLab platform.
Survey link: https://rodtrent.com/o9o
...
The Must Learn KQL Christmas edition has been relaunched for the holidays!
Know someone (or yourself) that lives KQL? Could be better than a Christmas Hallmark movie.
https://must-learn-kql.creator-spring.com/listing/get-kql-for-christmas
All proceeds go to St. Jude.
...
Even with the purposeful effort to consolidate security portals I think you'll agree with me that Microsoft still has portal glut. I found the Microsoft Cloud command line this past week and thought I'd share with all of you. If you've not seen this already, you'll thank me for the link: https://cmd.ms/
...
That's it from me for this week. Have a wonderful weekend and week ahead!
Talk soon.
-Rod
Things to Attend
Registration: Azure AD - Identity Governance
Join us for this event! November 17, 2022. 2:00-3:00 PM, UTC+3
Registration: Entra Permissions Management - Perform Remediations and Permissions on-demand
Please note - This event has been updated from the Introduction to CIEM: How Entra Permissions Management helps IAM/Security/Cloud Operations on October 31, 2022. 11:00 - 11:30 AM, SGT (03:00 - 03:30, UTC).
Join us for this event! November 14, 2022. 11:00 - 12:00 PM, SGT (03:00 - 04:00, UTC)
When Threats Occur Beyond MDR Security Workflows | BlueVoyant — www.bluevoyant.com
Join this webinar to learn what to do when threats occur beyond MDR security workflows by using Azure Digital Forensic Incident Response (ADFIR) retainers. November 10 at 10 a.m. PT/1 p.m. ET
Changing the Game with KQL — insights.difenda.com
Take a deep dive into Microsoft's most popular security language, KQL, and maximize your relationship with Microsoft Sentinel and Defender for Endpoint. November 15, 1pm EST
Things that are Related
Ep.S4E1 - Ann Johnson - Corporate Vice President - Security, Compliance, & Identity at Microsoft - CISO's Secrets — cp.buzzsprout.com In this week’s episode of CISO’s Secret, Cyber Security Evangelist Grant Asplund hosts Ann Johnson - Corporate Vice President - Security, Compliance, & Identity @ Microsoft Microsoft Corporation is a multinational technology corporation producing computer software, consumer electronics, perso...
Identifying cyberthreats quickly with proactive security testing - Microsoft Security Blog — www.microsoft.com The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matthew Hickey, Co-founder, Chief Executive Officer (CEO), and hacker of Hacker House. The thoughts below reflect Matthew’s views, not the views of Matthew’s employer, and are not legal advice. In this blog post, Matthew talks about application security.
Microsoft Security Insights Show, Episode 126 — www.youtube.com
The Microsoft Security Insights show for November 2, 2022 is ready for replay! Great show. How did we cram so many topics in a single hour??
Microsoft Security tips for mitigating risk in mergers and acquisitions - Microsoft Security Blog — www.microsoft.com Sixty-two percent of organizations that undertake mergers and acquisitions face significant cybersecurity risks or consider cyber risks their biggest concern post-acquisition.1 Threat actors that focus on corporate espionage often target the acquiring company, which we will refer to as the Parent, early in the bidding process to gain a competitive advantage. Other threat actors focus on planting backdoors in the entity being acquired, which we will refer to as the Acquisition with the intent of later compromising the Parent company.
Create Emergency Access Accounts for AAD and Use Log Analytics to Monitor Sign-ins from them — techcommunity.microsoft.com Happy Halloween! It's my favorite holiday, because candy is my favorite food. In my last post, I covered some Business Continuity Disaster Recovery
KQL’s mv-apply command – Yet Another Security Blog — garybushey.com I am sure a lot of you, like me, miss being able to call sub-routines in KQL. You can always create a function and call that, but it isn’t quite the same thing. This is where mv-apply comes into play. The official documentation for mv-apply (located here) states that it “Applies a subquery to each record and returns the union of all the results of the subqueries.” But what does that really mean?
Things in Techcommunity
Azure Security baseline for Defender for Cloud - Microsoft Community Hub — techcommunity.microsoft.com Hi, Looking for some help with this. LT-4 for the Azure Security baseline for Defender For Cloud -
Skype for Business in MDCA? - Microsoft Community Hub — techcommunity.microsoft.com Hi I'm curious as to why Skype for Business appears as our number one (in terms of data) cloud app in MDCA when we're now using Teams. Anyone know? Thanks
Things to Have
Microsoft-Defender-for-Cloud/Powershell scripts/Remove Log Analytics Agent At Scale at main · Azure/Microsoft-Defender-for-Cloud · GitHub — github.com The PowerShell script in this folder removes the Log Analytics Agent from all of your Azure virtual machines.
Hunting-Queries-Detection-Rules/DFIR at main · Bert-JanP/Hunting-Queries-Detection-Rules · GitHub — github.com Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
GitHub - reprise99/kql-for-dfir: A guide to using Azure Data Explorer and KQL for DFIR — github.com The concept behind using KQL for DFIR is simple. We want to leverage the hunting capabilities of KQL to aid in our incident response or forensic investigations.
Things from Partners
Guide: The Ultimate Guide To Maximizing Microsoft Security ROI - Difenda — www.difenda.com Learn about our Microsoft-backed Difenda labs research and attack-driven approach to identify threat hunt criteria from IT to OT and beyond. Plus, see a real-time simulated attack with OT malware.
Managed Detection and Response for Operational Technology (MDR for OT) on Vimeo — vimeo.com This is "Managed Detection and Response for Operational Technology (MDR for OT)" by Difenda on Vimeo, the home for high quality videos and the people who…
Defender for Cloud Things
BLOG: New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub — techcommunity.microsoft.com (This post will be edited and expanded as more information about this vulnerability is released. Check back after November 1st for more details) Last
Defender for Endpoint Things
BLOG: Stopping C2 communications in human-operated ransomware through network protection - Microsoft Security Blog — www.microsoft.com Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they’re even started.
BLOG: Microsoft Defender for Endpoint series – Configure AV/ next-generation protection – Part4 — jeffreyappel-nl.cdn.ampproject.org It is time for part 4 of the ultimate Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the initial Defender for Endpoint onboarding. Now it is time for the initial configuration of the additional components part of Defender for Endpoint; one of the main components is Defender Antivirus, also known as next-generation protection.
365 Defender Things
BLOG: How to Use Microsoft 365 Defender and Sentinel to Defend Against Zero Day Threats: Part I — practical365.com This article discusses the four main steps to mitigate a zero-day threat using Microsoft 365 Defender and Sentinel.
BLOG: Monthly news - October 2022 - Microsoft Community Hub — techcommunity.microsoft.com Microsoft 365 Defender Monthly news October 2022 This is our monthly "What's new" blog post, summarizing product updates and various assets we
BLOG: Using Microsoft Security APIs for Incident Response - Part 2 - Microsoft Community Hub — techcommunity.microsoft.com This blog is part two of a three-part series focused on facilitating programmatic data pulls from Microsoft APIs. In part one of this series we discussed
Defender for Identity Things
VIDEO: Microsoft Defender for Identity (Part 1) - Offering, Architecture & Deployment — www.youtube.com This video demonstrates why organizations should consider Microsoft Defender for Identity, its architecture and its deployment. Link to deck: https://1drv.ms/p/s...
VIDEO: Microsoft Defender for Identity (Part 2) - Attack Simulation and Detection — www.youtube.com This video demonstrates several attack scenarios on Active Directory Domain Services and how MDI can detect and prevent major security incidents such as id...
Defender for Cloud Apps Things
VIDEO: Protecting cloud apps in Microsoft 365 Defender — www.youtube.com Get more things done in one place! Defender for Cloud Apps portal is now located in the Microsoft 365 Defender portal. Watch how this unification can help ma...
BLOG: Introducing the Microsoft Defender for Cloud Apps data protection series - Microsoft Community Hub — techcommunity.microsoft.com One of the core challenges our customers face is how to protect data in their environment. While the cloud enables new scenarios with hybrid and remote
Defender for Office Things
VIDEO: Attack Simulation Training | Virtual Ninja Training with Heike Ritter — www.youtube.com Attack simulation training is an intelligent phish risk reduction tool that empowers employees to prevent attacks, measures their awareness of phishing risks...
BLOG: Microsoft announces partnership with SANS Institute - Microsoft Community Hub — techcommunity.microsoft.com Microsoft Defender for Office 365 is pleased to announce a partnership with SANS Institute to deliver a new series of computer-based training (CBT)
BLOG: Build custom email security reporting with Microsoft Defender for Office 365 and PowerBI - Microsoft Community Hub — techcommunity.microsoft.com Security teams in both small and large organizations track key metrics to make critical security decisions, as well as identify meaningful trends in their
Microsoft Purview Things
BLOG: Catalog Adoption: Discover more with Data estate insights in Microsoft Purview - Microsoft Community Hub — techcommunity.microsoft.com Adoption and usage of data governance tools are critical and lack of user engagement can be a serious blocker for the whole organization in its data
Windows Defender Things
BLOG: Guest Configuration Artifacts and Examples — swiftsolves.substack.com You know I hate to ask... But, are 'friends' electric?
BLOG: Announcing enhanced control for configuring Firewall rules with Windows Defender - Microsoft Community Hub — techcommunity.microsoft.com By: Laura Arrizza - Product Manager 2 | Microsoft Intune, Nick Welton - Senior Product Manager | Microsoft 365 Defender, and Jess Krynitsky - Product