Things from Me
Happy Friday everyone!
It’s been a long, busy week for me with lots of activities and meetings. It’s really been just the normal stuff, but for some reason it seemed busier and longer than normal. I blame it a bit on my wife not sleeping well this past week. Being a bit more tired makes everything more difficult sometimes. But there are also weeks that just seem to drag out.
And P.S. My wife says she reads the newsletter every week. I’ll let you know if she says something about the mention in this issue.
…
Are you part of an organization that needs to secure many IoT devices? We’re offering a new early access program to evaluate and provide direction on our firmware scanning capabilities in Defender for IoT.
If this interests you, sign-up here: https://rodtrent.com/sar
…
Hey, we have a new digital-only event coming up. This is brand new. For many of you this is the first time you’ve heard about it. It’s been rumored in the halls of Microsoft for the last 6 months or so and has now come to full fruition.
The new digital event is called Microsoft Secure and will happen on March 28, 2023. Registration opens February 7, 2023. You can follow @MSFTSecurity on Twitter (https://twitter.com/msftsecurity) to watch for the details and be some of the first to register. Of course, I’ll make it all clear here in the newsletter, too, if you want to wait for that.
This new digital event is intended to bring our customers, partners, and the defender (security) community together with content and discussions on the security landscape and how to build on real-world experience.
I’m excited about this one and you’ll probably see me participating in some form or another - so keep your eyes peeled.
…
HELP WANTED
I have a big ask from a group within Microsoft working on a super-cool project. They are looking for people who use our security products but have ZERO knowledge of KQL. And I do mean ZERO KNOWLEDGE of KQL.
I realize it might seem that this newsletter might not reach people like that, but you probably know someone on your team - or on an extended team - that has meant to learn KQL, or decided it was just unnecessary for them to learn (God forbid). We need to find THOSE people.
If you know of these people, please reach out to me directly on LinkedIn.
…
That’s it from me this week. I hope you have a great weekend and week ahead. I’m from very near Cincinnati, OH, so as you can imagine I’ll be rooting fiercely for the Bengals over KC this weekend.
In case you don’t know who to root for on Sunday, apparently the Bengals are becoming America’s team. So maybe that says something to you.
Talk soon.
-Rod
Things to Attend
Go Beyond Data Protection with Microsoft Purview Digital event; Tuesday, February 7, 2023, 9:00 AM – 10:15 AM Pacific Time (UTC-7) - Reimagine what’s possible in data security with new innovations from Microsoft Purview. Join this digital event, Go Beyond Data Protection with Microsoft Purview, to explore how to safeguard your data across clouds, devices, and platforms.
Rapidly reduce threat exposure with Logicalis Managed Defender for Endpoint; Tuesday 21st February | 10:00am UTC - Logicalis, in partnership with Microsoft, invites you to join us for a 60-minute webinar on the 21st of February at 10am (UTC) that will look at the common challenges customers face when moving towards an EDR solution, what they are trying to achieve in doing so, and how we can help deliver the best value out of that platform.
Microsoft Defender for Cloud Apps SaaS Security AMA; Feb 21 2023, 09:00 AM - 10:00 AM (PST) - If you're interested in learning more about Defender for Cloud Apps and have any questions around our SaaS capabilities or on SaaS Security in general, join our Ask Me Anything event to get your questions answered by our product experts!
JAN 31 Microsoft Defender for Cloud | What's New in the Last 3 Months - Microsoft Defender for Cloud is in active development and receives improvements on an ongoing basis. In this session we will summarize and demo what we've released for Microsoft Defender for Cloud in the last 3 months that you need to know about!
FEB 1 (9 am) Microsoft Defender for Cloud Apps | Protect, Detect and Respond to malicious OAuth applications abusing cloud e-mail services - Microsoft Security disrupted an infrastructure that leverages Identity Provider and SaaS Email applications to abuse business brands and spread fraud to millions. Join us to learn how to protect and detect Azure AD and Exchange Online using Microsoft Defender for Cloud Apps.
Things that are Related
Stop letting users increase your vulnerability – turn off user application consent - Application consent (sometimes called OAuth consent) is the process of a user granting authorization to an application to access protected resources on their behalf. It allows users to authenticate third-party apps to use their existing accounts. This may not be a big deal when you’re playing Farmville with your personal account but when a corporate user checks that check box to “Consent on behalf of your organization”, that user could literally be giving that application permissions to your entire organization.
Uncovering Anomalies in Time-series Data with Kusto Query Language (KQL) - Anomaly detection is a crucial task in monitoring the performance of various systems. In this blog post, we will discuss how to use Kusto Query Language (KQL) to detect anomalies in CPU performance data.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 137 - Craig Fretwell, MVP, Cybersecurity Architect - The One Where Craig Fretwell's Grandma is an MVP
Private Link integration with Azure Firewall - In this webinar we will look at Private Link integration with Azure Firewall. Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. Azure Firewall is an Azure platform managed firewall service that provides comprehensive threat protection, network filtering, TLS inspection amongst other network security services. We shall look at the benefits of this integration and how Azure firewall can inspect and protect your Private Endpoints.
Code to Cloud Security using Microsoft Defender for DevOps - In this session, we will see how Microsoft Defender for DevOps helps security teams get a comprehensive view of their source code management platforms. Within Microsoft Defender for Cloud, they can get a list of every secret, vulnerability and misconfiguration found in their environments; by also querying the newly released Cloud Security Explorer, they can identify and prioritize their most vulnerable and critical repositories and remediate them.
Things in Techcommunity
List all Exemptions with expiration date - I found this query which gives some good information, but when I try to tweak it, it breaks. I'm not great at the ARG so I'm not sure how to pull info from within property tables. I'd like to have a report similar to the Export you can generate from the Regulatory Compliance section but with the added information of Exemption category and their date of expiration along with any notes.
Need some resources to help me with very SMB type questions about Conditional Access - Helping a company that has just upgraded some of its core users from Business Standard to Business Premium. Half of the team are part timers that are on Business Basic licenses. I'm a Defender for M365 noob trying to get my head around Conditional Access, but all the guides I've found tend to concentrate on enterprise scenarios where most people are in an office on corporate-owned devices. The business is in serviced offices so doesn't have its own network; therefore, all the on-prem stuff is irrelevant. Does anyone know of any resources on Defender for M365 that focus on small business/Business Premium licenses?
Things to Have
KQL Advanced Hunting Queries & Analytics Rules - The purpose of this repository is to share KQL queries that can be used by anyone and are understandable. These queries are intended to increase detection coverage through the logs of Microsoft Security products. Not all suspicious activities generate an alert by default, but many of those activities can be made detectable through the logs. These queries include Detection Rules, Hunting Queries and Visualisations.
Things in the News
Microsoft Security reaches another milestone—Comprehensive, customer-centric solutions drive results - Yesterday, we shared some exciting news about the momentum we’re seeing in the security industry. Microsoft Chief Executive Officer Satya Nadella announced that Microsoft Security has surpassed USD20 billion in revenue. I’m grateful to all our customers and partners who have been on this journey with us, for trusting us to protect them, for partnering with us in defining great security, and for making this milestone possible. I am also incredibly proud of the Microsoft team for their continued dedication to excellence and to our mission to make the world a safer place for all.
Frasers Group fearlessly scales with a modernized Microsoft Security solution - Behind the celebrations of a company’s rapid growth, there are often scattered operational teams trying to bring new acquisitions into the fold as smoothly as possible. But the complexity of absorbing different IT environments creates inefficient decentralization. The lean IT team at Frasers Group simplified processes, making maximum use of the interoperability of Microsoft 365 Defender and Microsoft Defender for Endpoint coupled with Microsoft Sentinel. It also improved user identity with Azure AD Identity Protection and is adopting data governance capabilities in Microsoft Purview. Frasers prides itself on pushing boundaries, and it now has the IT infrastructure to accommodate its ambitions.
Defender for Cloud Things
NEW: Allow continuous export to Event Hubs behind a firewall. You can now enable the continuous export of alerts and recommendations, as a trusted service to Event Hubs that are protected by an Azure firewall. You can enable this as the alerts or recommendations are generated or you can define a schedule to send periodic snapshots of all of the new data. Learn how to enable continuous export to an Event Hub behind an Azure firewall.
Defender for Endpoint Things
NEW: Microsoft Defender for Endpoint for Linux and Microsoft Defender for Servers - When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers as part of Microsoft Defender for Cloud is the solution you might be looking for. However, with all the features, dependencies, and complexity, it might become challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. With this blog, we are focusing on deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines.
BLOG: Microsoft Defender for Endpoint series – Advanced hunting and custom detections – Part 8 - It is time for part 8 of the Microsoft Defender for Endpoint (MDE) series. Part 8 is focused on the hunting experience in Microsoft 365 Defender. Part of the security portal is the advanced hunting feature and custom detection feature. Advanced hunting is based on the Kusto Query Language (KQL).
Defender for Office Things
NEW: Automatic Tenant Allow/Block List Expiration Management is Now Available in MDO 365! - If you've set up allowed domains, emails, URLs, or files in the Microsoft 365 Defender Tenant Allow/Block List, Microsoft will now automatically remove entries from the allow list once the system has learned from them. If the system is treating the entity as good, there is no reason to have a redundant allow entry. Alternatively, Microsoft will also extend the expiration time of the allows if the system has not updated yet. This will prevent your legitimate emails from being sent to junk or quarantine. Spoof allow entries do not expire, so the automatic extension and removal do not apply in this case. Smart allow management is now live worldwide, which means the Tenant Allow/Block list will be shorter and more useful to you & your security team.
Defender for IoT Things
VIDEO: Azure Defender for IoT - Comprehensive security across all IoT/OT devices has become a critical component of overall network cybersecurity. Watch this video demo for a detailed walkthrough on Azure Defender for IoT which allows continuous asset discovery, vulnerability management, and threat detection for your IoT devices and operational technology (OT) environment.
365 Defender Things
CODE: M365 Defender Custom Playbooks - "Ransomware Recovery: SOC – Automated Restore Playbook" - A Power Automate playbook that integrates as a connected application with Microsoft Defender for Endpoint and OneDrive for Business to allow the SOC to recover from ransomware file/data disruption via an automated process. Note that the playbook trigger can be replaced with a recurrence schedule instead of being MDE alert-based.
BLOG: Azure AD Identity Protection Integrations with Microsoft Security Solutions - In this blog, I will share details on how these integrations actually work underneath the hood. I will also emphasize what needs to be taken into account when planning the integration, both in general and from the SIEM solution point of view.
Microsoft Entra Things
BLOG: 2023 identity security trends and solutions from Microsoft - Welcome to 2023! I wanted to kick this year off by having a quick look at the trends in identity security, what you can do about it, and what Microsoft is doing to help you. One of the things we talk about on the team is “shiny object syndrome”—there are a ton of innovative and scary attacks and research out there. Unfortunately, each one tends to pull us into “but what about…” where we’re being asked how we will handle the nascent headline grabber. This approach can whipsaw teams and prevent the completion of our defense projects, leaving us exposed to old and new ones.
Microsoft Purview Things
BLOG: Microsoft Purview Information Protection in M365 Apps - January 2023 - Happy new year and welcome back to the quarterly newsletter from Word, Excel, PowerPoint, and Outlook discussing what’s new and coming soon when using sensitivity labels, powered by Microsoft Purview Information Protection. We pick up where we left off in October 2022.
DOC: Microsoft Purview in the Real World (Jan 20, 2022) - This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
Defender Threat Intelligence Things
BLOG: Defender for Cloud and Defender for Threat Intelligence are Better Together - Organizations today face the continually changing and complicated task of protecting their ever-expanding attack surface from cyber-attacks. The move to the Cloud and remote workspaces has pushed the boundary of their digital ecosystem well beyond their traditional physical network. Data, users, and systems are in multiple locations, creating significant challenges for security operations teams tasked with defending their organizational assets. Information Security personnel need to be equipped with solutions to identify new adversaries and threats like ransomware.
Defender Vulnerability Management
Leverage authenticated scans to prevent attacks on your Windows devices - Many of our customers face challenges installing agents on all of their devices and in some cases, not all Windows-based devices support the agent if they are using older versions of Windows. To combat these challenges, we’re excited to share a new capability within Microsoft Defender Vulnerability Management to remotely scan Windows-based devices that do not have agents installed.
CODE: MDE Attack Surface Reduction Rule State - Use the below query to retrieve information about the state of the individual Attack Surface Reduction rules by using the DeviceTvmInfoGathering table from Microsoft Defender Threat and Vulnerability Management.