Things from Me
Happy Friday all!
Surprise! If you remember, I announced last issue that I’d skip delivering this week’s newsletter because of the Thanksgiving holiday. But a couple things happened along the way.
First, there’s just some great content this week, so I felt it was necessary to go ahead and build and deliver the newsletter.
Secondly, I was sort of shamed into doing it. There were a few people that sent me sad faces and sad comments about the lack of the newsletter and then my good friend, Andrea Fisher, who has graciously filled in for me before, admonished me for not reaching out to her about it. So, I caved. Next time, though, I’ll make sure to ask Andrea for help. I know she’s reading this, so this is my formal, public apology for not asking.
That all said, as you’re reading this, I’m doing my best to enjoy my friends and family this holiday week. The older I get the more thankful I truly am for the opportunity to have my family all together under a single roof. Listening to my four kids joking and laughing like they still lived here is a memory that I will always treasure. They may all be talking about adult stuff now, but every once in a while, they throw in a childhood reference or two. I like to believe that’s just for me.
So, I hope you’re not upset about this week’s issue hitting your inboxes. If you’re enjoying the joy of kith and kin, please don’t read this issue until next week.
…
There are a few things to cover this week. As you are all aware, I’ve spent much of the last month traveling. First to Miami, speaking at the MMS Miami edition, then on to Microsoft Ignite last week to deliver a pre-day workshop and participate in a couple of sessions with my good friends and colleagues. I have one more trip planned before the end of the year. I’ll be heading to Houston, Texas to speak about Security of AI next month. If you’re in the area, I’d love to see you. You can read more about it and register here: HASMUG 2023 | December 13 - Microsoft Security, Compliance, and Identity
Also, based on some discussions last week, I may be part of an upcoming tour of Europe to bring the Security of AI and AI for Security message. Stay tuned for that. I’ll share details as I have them. I would love to finally get some in-person discussions going outside the USA.
…
Speaking of the Microsoft Ignite pre-day workshop, I’ve GA’d the workshop material so anyone can experience it. The discussion decks and the hands-on lab guide are available. The HOL guide requires an active environment (we have a partner that provided that for us for Ignite), but the guide can give you enough of an idea to create your own.
The Security Pre-day Workshop content is available to all from here: https://aka.ms/PreDayLab346
The workshop was a huge success. We had over 80 attendees sit through 5 hours of instruction and the content was delivered by several of our PMs and proctored by some really awesome MVPs.
I’d like to publicly thank all of them…
Our section leaders:
For Entra: Janice Ricketts, David Hoerster, John Flores
For Microsoft Sentinel: Kerinne Browne, Beth Bischoff
For Defender for Cloud: Alex Steele, Fernanda Vela
For Purview: Edward Walton, Sarah Young, Rod Trent (Me)
And our MVP Proctors: Alan Armstrong, Dean Ellerby, and Morten Waltorp Knudsen.
…
And, speaking of the sessions I participated in at Microsoft Ignite 2023, I may be a bit biased, but I truly believe the Discussion Sessions were some of the best and most effective at Microsoft Ignite 2023. These enabled direct engagement by in-person and remote attendees in an almost AMA style format. The feedback was enormously valuable.
There were some common questions around Securing AI and AI Security frameworks that I'm sure you've been asking yourself that may be answered in either of these sessions. Take a listen.
Technical Foundations of Secure AI Q&A: https://ignite.microsoft.com/en-US/sessions/ee29b066-17c3-4b89-8858-a0f8121fecc0?source=/rodtrent
The AI effect: how are organizations securing the use of Generative AI: https://ignite.microsoft.com/en-US/sessions/06f9ad3a-06a4-435f-ba4a-ebae63c5b268?source=/rodtrent
…
BIG OPPORTUNITY
Don’t miss this! We’re looking for design partners to help us develop Security for Generative AI apps and ensure our products align with your AI-based apps’ security needs.
You must meet the following requirements:
You are developing (or plan to develop) Gen-AI enabled apps
You are using Azure Open AI
You are an organization using some Defender for Cloud workloads
You are willing to share data with a VERY limited number of MS Security researchers (for improving the quality of classification and anomaly detection)
If this is you and your organization is interested, please fill out the following form: Protect your AI-based apps - Join the Design Partner Program
…
Lastly, a book that a couple colleagues and I have been working on is now available from Amazon for pre-order. The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting (https://aka.ms/KQLMSPress) has been a true labor trying to fit in writing some advanced KQL stuff while being super busy.
Notice that I didn’t say labor of “love.” In the 1990s, after writing a few books consecutively, I swore off writing books after realizing the effort was nowhere near equal to the return on investment. But this one just needed to be written - and for Microsoft Press, no less.
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
The KQL Mysteries: Prologue - In the shadowy corners of the digital universe, where menacing threats lurk behind every line of code, there exists a breed of professionals tasked with a mission no less than the preservation of order itself. Among these cyber guardians, one name stood out, striking fear into the hearts of hackers and evoking reverence from his peers: Jon Block. As a top-tier security analyst, Jon had developed an uncanny ability to root out even the most elusive of cyber threats. His weapon of choice? A powerful and versatile query language known as KQL - Kusto Query Language.
Introducing the Microsoft Defender Bounty Program - We are excited to announce the new Microsoft Defender Bounty Program with awards of up to $20,000 USD.
Things to Attend
NOV 29 Microsoft Defender for Cloud | What's New in Microsoft Defender for Cloud Container Security - In this webinar, we will show you how to secure your containerized environment using Microsoft Defender for Cloud. This webinar was originally scheduled for October 25 but has been rescheduled for November 29.
Things to Watch/Listen To
Things in Techcommunity
Defender exclude program from real-time scanning, but not scheduled - We are using MS Defender as our main AV. We have some in-house applications that are having trouble with Defender; each time we start the executable of our in-house program, the real-time protection is scanning like crazy, which results in a slow working state of our in-house program.
Force MDE device management (instead of configuration manager) for Windows Server - We are trying to manage Windows Server 2016 and 2019 using the MDE/Intune policies. The status for Device management is showing the status managed by 'config mgr' (should be changed to managed by MDE).
Security Copilot
How Microsoft Security Copilot works - Use GPT-powered natural language to investigate and respond to security incidents, threats and vulnerabilities with Microsoft Security Copilot, a new security AI assistant. Skilled with Microsoft’s vast cybersecurity expertise, it helps you perform common security-related tasks quickly using generative AI. This includes embedded experiences within Microsoft Defender XDR, Microsoft Intune for endpoint management, Microsoft Entra for identity and access management, and Microsoft Purview for data security. Security Copilot is an enterprise-grade natural language interface to your organization’s security data.
Defender for Cloud Things
Securing your GitLab Environment with Microsoft Defender for Cloud - At Microsoft Ignite 2023, Microsoft Defender for Cloud unveiled a new integration, extending its DevOps security coverage outside of the Microsoft ecosystem and integrating with the all-in-one DevOps platform GitLab. With this integration, security practitioners can monitor the security posture of their GitLab environments and kick off developer remediation workflows. Additionally, customers with Defender CSPM will receive advanced contextualization and prioritization capabilities for their GitLab environments.
Defender for Cloud unified Vulnerability Assessment powered by Defender Vulnerability Management - We are thrilled to announce that Defender for Cloud is unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities - making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture.
Enable Permissions Management in Microsoft Defender for Cloud (Preview) - Cloud Infrastructure Entitlement Management (CIEM) is a security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of the Cloud Native Application Protection Platform (CNAPP) solution that provides visibility into who or what has access to specific resources. It ensures that access rights adhere to the principle of least privilege (PoLP), where users or workload identities, such as apps and services, receive only the minimum levels of access necessary to perform their tasks.
365 Defender Things
Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal - Manage SIEM, XDR, and threat intelligence from one place with new updates in the Microsoft Defender portal. Interact with all of your security data using generative AI with Security Copilot. View incidents across your digital estate — whether they’re related to endpoints, SaaS services, or your network in the cloud or on-prem. This unified approach eliminates the inefficiency of SOC teams having to switch between multiple systems and manually piece together incident details, while maintaining all the current functionalities of each connected service.
Microsoft Purview Things
Using Microsoft Purview for Data Classification and Labeling to Secure Generative AI - Generative AI is a branch of artificial intelligence that can create new and original content, such as text, images, audio, or video, based on a given input or prompt. Generative AI has many potential applications and benefits, such as enhancing creativity, productivity, and customer experience. However, Generative AI also poses significant security risks and challenges, such as data breaches, malicious attacks, ethical issues, and regulatory compliance.
Learn about the new Microsoft Purview portal (preview) - The Microsoft Purview portal (preview) provides access to data governance, data security, and risk and compliance solutions. Selecting risk and compliance solutions in the portal currently opens these solutions in the classic Microsoft Purview compliance portal.
Defender for Office Things
Enhanced action experience (Action wizard V2) from Email entity / Summary panel - We are excited to announce the new “Take actions” experience in the Email Entity and Email Summary panel. This new experience will allow users to act on threats faster, while also enabling more efficient resolution of issues like False Positives/False Negatives (FP/FN).
Microsoft Entra Things
Microsoft Entra Permissions Management integration with Microsoft Defender for Cloud (Preview) - Cloud Infrastructure Entitlement Management (CIEM) is a security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of a Cloud Native Application Protection Platform (CNAPP) solution providing visibility into who has access to what resources and ensuring access rights align with the principle of least privilege (PoLP), where users have the minimum levels of access necessary to perform their tasks.
Integration services deployment wizard now supports Microsoft Entra interactive authentication - Integration services deployment wizard now supports interactive authentication (MFA) option for Microsoft Entra accounts.