Things from Me
Happy Friday everyone!
This past week was an interesting one. Even though I talked about security a bit, my session at Microsoft Build was not about security but about Azure Open AI. I believe this is the first time I’ve given a public discussion on AI without it being security focused. What am I becoming?? It won’t be long, I’ll have to have my own Borg name like Locutus. Maybe, Rodcutus?
If you’re interested in this session, it’s available for replay here: https://rodtrent.com/h9h
And, if you’re interested in hearing and learning more about Azure Open AI, the new weekly newsletter is off to a fantastic start. Subscribe HERE.
…
Speaking of AI and security, my cohosts from the Microsoft Security Insights show and I have been invited to sit on a panel to discuss AI and security operations. The panel is part of a full, 1-day virtual conference being put on by Petri.
The event, Threat Detection and the role of Operational Resilience, is on Thursday, June 22, 2023. There's lots of value here, including topics on Microsoft Sentinel, Defender for Endpoint, Azure AD and Zero Trust.
The expert roundtable topic is: Can A.I. Replace People in a Security Operations Team?
I hope you can join. Register here: https://rodtrent.com/xs7
…
My good friend and colleague, Richard Diver, is producing a multi-part series that provides some tips and knowledge on how to improve your cybersecurity skills through diagramming! But along the way he’ll also talk about his experiences over 15+ years of consulting in technology and security. I've read through some of the planned content and this is something you don't want to miss.
Check out the intro and subscribe to the series: https://rodtrent.com/qux
…
🌟 This week at Microsoft Build we released a new hands-on experience to try out Microsoft Defender for APIs. Discover how to prevent, detect, and respond to API threats within the Microsoft Defender for Cloud platform. Explore the features, best practices, and advanced guidance here: https://aka.ms/APISecurityLab and check out the additional resources at https://aka.ms/APISecurityCollection
…
For those who participated in season 1 of the Kusto Detective Agency, season 2 is live! Onboarding and case #1 are available already.
Join here: Kusto Detective Agency
…
That’s it from me for this week. Despite frantically finalizing demos at the last minute for my Microsoft Build session, it was a good week. I look forward to digging into what’s next.
Talk soon.
-Rod
Things to Attend
Reimagine secure access with Microsoft Entra - Tuesday, June 20, 2023, 9:00 AM – 10:30 AM Pacific Time (UTC-7) - As your digital footprint continues to expand with more identities, resources, apps, and endpoints to secure, identity and access must evolve. Attend Reimagine secure access with Microsoft Entra to hear about the latest identity and access innovations. Learn how establishing identity as your first line of defense can help you be more secure, resilient, and efficient in our connected world.
SITs, Custom SITs and EDM in deep (L400+) - Fri, May 26, 11:00 AM - 1:00 PM EDT - Everyday solutions like DLP are needed, but using them can generate a lot of noise with false positives or miss data that should be detected. To compensate, administrators generally add exceptions, but this is not the best approach. In this session, we will discuss a better way: how to use the built-in sensitive information types in Microsoft 365 and how to create custom ones.
Things that are Related
NEW: Cybersecurity partner-ready campaigns! - Organizations face a range of challenges when it comes to defending against cybersecurity threats. SIEM and XDR solutions are becoming increasingly important in the cybersecurity industry, as they help organizations detect and respond to threats across all systems. Microsoft’s SIEM and XDR provides a comprehensive, integrated cybersecurity solution that can help organizations defend against advanced threats in real time. We’ve created the Defend Against Cybersecurity Threats campaign with two options available for Microsoft partners to engage customers with Microsoft security solutions and your services.
Introducing Kusto Detective Agency Season 2: Bigger, Better, and Brimming with Prizes! - Greetings, esteemed investigators and data enthusiasts! We are thrilled to announce the highly anticipated launch of Kusto Detective Agency Season 2. After the immense success of Season 1, with over 10,000 participants diving deep into the world of data investigation, we cannot thank you enough for your incredible support and enthusiasm! Season 2 of Kusto Detective Agency is set to be an even grander adventure, filled with more challenges, mind-bending mysteries, and countless opportunities to showcase your analytical skills. Prepare yourself for a journey that will push the boundaries of your data prowess and reward you with an unforgettable experience.
Cyber Signals: Shifting tactics fuel surge in business email compromise - Today we released the fourth edition of Cyber Signals highlighting a surge in cybercriminal activity around business email compromise (BEC).
What’s New in Kusto – Build 2023! - We are excited to share the latest features and improvements in Azure Synapse Data Explorer (aka Kusto) that promise to make your data analysis experience more seamless and productive than ever before.
Things to Watch/Listen To
Things in Techcommunity
How to differentiate SaaS applications vs regular web URLs in MDCA - In MDCA, under cloud discovery what I see is a combination of regular SaaS apps and web URLs. Is there a way to differentiate these two in cloud discovery? Or a way to differentiate them with filters?
MDI Sensor Implications of renaming a DC and or migrating to a new server - One of our clients has a 2 DC (Windows Server 2012 R2) environment. They will soon be migrated to new servers (Windows Server 2019), potentially with different host names. Has anyone dealt with this before?
Things to Have
Microsoft training guide For SIEM and XDR - This guide points to curated training and documentation resources on Microsoft Defender and Microsoft Sentinel to help your organization meet the evolving threat landscape head on.
Defender for Cloud Things
VIDEO: #28 - DfC series - Defender for Servers - In this episode, we (Frans Oudendorp and Pouyan Khabazi) are joined by Tom Janetscheck to talk about Defender for Servers. Tom is a Senior Program Manager at Microsoft Cloud Security, focused on Azure Security Center. Before that, he spent nearly 20 years in various internal IT and consulting roles, with a strong focus on cloud infrastructure, architecture and security.
BLOG: Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created - Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP) that offers crucial insights and protective measures through its Attack Path risk analysis feature. A frequent requirement from customers is the ability to receive notifications whenever new attack paths are detected. This article presents an automated solution utilizing Azure Logic Apps to address this need. By deploying a custom Logic App using an Azure Resource Manager (ARM) template, organizations can establish a streamlined notification system for attack paths newly reported by Microsoft Defender for Cloud. This solution ensures that security teams receive prompt alerts, empowering them to respond quickly and safeguard their cloud resources efficiently.
BLOG: Your Ultimate Solution for Catching Container Image Exposure Before It Happens - As the use of container technology continues to grow, it has become increasingly important to understand the risks and potential vulnerabilities that come along with it. One of the key components of any container ecosystem is the container registry, which is responsible for storing and distributing container images. One popular registry provider is Microsoft Azure, which offers the Azure Container Registry Images.
Public Preview: Agentless container VA powered by MDVM in Defender CSPM - We're announcing the release of Vulnerability Assessment for Linux images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM. This release includes daily scanning of images. Findings used in the Security Explorer and attack paths rely on MDVM Vulnerability Assessment instead of the Qualys scanner.
UPDATED: Microsoft Defender for Cloud Onboarding workbook V2 - The Defender for Cloud Onboarding Workbook V2 is the latest version of this workbook, which was originally published in August 2022.
NEW: Multiple changes to identity recommendations - The following recommendations are now released as General Availability (GA) and are replacing the V1 recommendations that are now deprecated:
General Availability (GA) release of identity recommendations V2 https://rodtrent.com/2b7
Deprecation of identity recommendations V1 https://rodtrent.com/cxo
BLOG: Microsoft Defender for DevOps Azure DevOps Connector - Microsoft Defender for Cloud PoC Series - This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article. There are two DevOps platforms currently covered by Defender for DevOps: GitHub and Azure DevOps. This article will go into detail about Azure DevOps Services.
365 Defender Things
NEW: Boost your detection and response workflows with alert tuning - As cyber threats become more sophisticated and frequent, organizations need to be vigilant in monitoring their digital assets for potential security breaches. Microsoft 365 Defender is an XDR platform that delivers a unified investigation and response experience and provides native protection across endpoints, hybrid identities, email, collaboration tools, and cloud applications with centralized visibility, powerful analytics, and automatic attack disruption. Today we are excited to introduce alert tuning in Microsoft 365 Defender to help security teams detect and respond to potential security threats even more effectively.
BLOG: Learn to defend against threats with Microsoft Defender and Microsoft Sentinel - The combination of Microsoft Defender and Sentinel helps SecOps teams detect, investigate, respond to, and defend against threats with a fully integrated and comprehensive set of capabilities. Today we’re sharing some new training resources and opportunities to help you build skills with these solutions—so you can use them now or get ready for a Microsoft certification exam.
NEW: Transform the way you investigate by using Behaviors & new detections in XDR, starting w/SaaS apps - Behaviors are a new data layer available in Microsoft 365 Defender; they represent an abstraction above the raw data level to offer a deeper understanding of events. Like alerts, they are mapped to MITRE ATT&CK categories and techniques. Security teams can consume them by creating queries or custom detections using the Behaviors tables in advanced hunting.
Microsoft Purview Things
BLOG: Use sensitivity labels on all e-mail messages, use encryption and protection where warranted - Many organizations would like to apply encryption to all e-mail messages since it improves the information security posture. Is encrypting all messages the right way to go? E-mail encryption is described as the process by which information is encoded so that only an authorized recipient can decode and consume the information. On top of this Microsoft Purview Information Protection (MIP) also provides effective protection after the content has been decrypted and opened. MIP provides both encryption and protection.
BLOG: Advanced hunting for Microsoft Purview Data Loss Prevention (DLP) incidents - As part of the investigative capabilities available in Microsoft 365 Defender, advanced hunting provides the ability to query raw compliance and security data signals generated by Microsoft 365 to proactively detect known and potential risks in your organization as well as visualizing the attack chain. Advanced hunting can boost your investigation workflow and help you learn more about the types of alerts you receive across your estate. This blog provides guidance on how to get started and leverage advanced hunting for Microsoft Purview DLP investigations. We are sharing sample queries for high value scenarios to help you get started.
Microsoft Entra Things
PREVIEW: Microsoft Entra External ID public preview: Developer-centric platform - Today, we’re excited to announce new developer-centric capabilities for customer and partner identity experiences in our next generation customer identity and access management (CIAM) solution - Microsoft Entra External ID, and a next milestone in making our Microsoft Entra Verified ID solution easy to integrate into any application with Microsoft Entra Verified ID SDK.
Fun Thing This Week
If Clippy had survived the AI wars. Someone has built a ChatGPT wrapper for a web representation of Windows XP and the old Office assistants. Try it here: https://rodtrent.com/6jf
Rodcutus :-D