Things from Me
Happy Friday, everyone!
Whether you're a seasoned Defender sage or just starting your journey into the vast universe of security information and event management, I'm always thrilled to have you here. Each week, together we dive deep into the latest updates, tips, tricks, and tales from the world of Microsoft Defender. And guess what? This week is no exception!
Grab your favorite mug of coffee, tea, or whatever keeps your gears turning, and let's unravel the mysteries of Defender together. Remember, every alert, every log, and every query is a step closer to a safer digital world.
Stay curious and let's get started!
…
The new KQL Search has just been released and is a fantastic upgrade! If you’ve used KQLSearch.com before, you’ll immediately see the improvements that Ugur Koc has made.
As before, the Standard search spans KQL repos on GitHub and returns results by keyword or topic. But now there’s so much more:
Assistant: Analyze, improve and update a query based on recommendations.
Generator (AI): Create a query based on your input, idea and use case.
Lab: Run a query against sample data to see what the results look like.
Visit and bookmark: https://www.kqlsearch.com/
…
That's it from me for this week.
Talk soon.
-Rod
P.S. Got a Microsoft Defender related story or tip to share? I'd love to hear from you! Are you providing awesome community content and want to be highlighted in the newsletter? When you post and promote your own content online, make sure to use the applicable hashtag: #MicrosoftDefender
Things to Attend
Microsoft Purview Advanced Rich Reports (MPARR) uncovered, a deep dive complete revision - Fri, Sep 29, 11:00 AM - 1:00 PM EDT, Online event
Into the Breach: Microsoft Security Immersion Workshop - Prepare for today’s complex & sophisticated attacks at Into the Breach: Microsoft Security Immersion Workshop. Space is limited - RSVP now! Friday, October 20 · 9am - 3pm EDT. Location: Media & Public Affairs Building, George Washington University, 800 21st Street Northwest Room 308 Washington, DC 20052
Things that are Related
Optimizing Azure Firewall logging costs - In this post I will dive deep and show the expected cost optimization of this new structured logging, and what is causing this saving. I will use a sample record of a network rule log to explain it. Please note that this saving applies only if the sink is Log Analytics.
Part 1 - Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall - This is the first of a 2-part blog series exploring the complexities of managing firewall rules by IP address and the advantages of moving to a tag-based approach. The series shows how that shift can make your infrastructure more secure and significantly reduce the burden on IT teams, letting them focus on what truly matters: safeguarding your digital assets in an ever-evolving threat landscape.
Things to Watch/Listen To
Things in Techcommunity
Defender for Identity sensor install failed. error code 0x80070643 - Deploying Defender for Identity Sensors on 3 Domain Controllers, DC1 (Server 2012 R2) - success, DC2 (Server 2019) - success, DC3 (Server 2012 R2) - failed with error code 0x80070643. Any guidance would be much appreciated.
Choosing between inter tenancy collaboration options - Given that we now have multiple options to enable collaboration between tenancies, I'm struggling to determine the way forward for my below scenario. We have a 365 tenancy with 500 users and we've acquired a sub entity. We'd like to integrate these two tenancies in the best way possible to allow seamless collaboration across the two tenancies. How should I decide between options "B2B Direct Connect, B2B Collaboration, Multi-Tenancy etc."?
Things to Have
Superheroes of Cybersecurity - My daughter, who’s nearly 2 and a half, has started expressing interest in movies, TV & books and she’s taken a shine to some of the Marvel movies (my dream come true!!), so I decided to create her a comic book style book on “what daddy talks about at work” – in a Super Hero fashion…
Defender for Cloud Things
GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud - September 21, 2023 - You can now view GitHub Advanced Security for Azure DevOps (GHAzDO) alerts related to CodeQL, secrets, and dependencies in Defender for Cloud. Results are displayed in the DevOps blade and in Recommendations. To see these results, onboard your GHAzDO-enabled repositories to Defender for Cloud. Learn more about GitHub Advanced Security for Azure DevOps.
New expanded visibility into multicloud data security in Microsoft Defender for Cloud - Organizations struggle to discover blind spots across their cloud data estate. Without proactive mitigation, misconfigurations can jeopardize sensitive data if the data resource is exposed or under active attack. Top cloud concerns for organizations include loss of sensitive data, improper configuration and security settings, and unauthorized access. Without visibility into where sensitive data is stored and how those resources are configured and accessed, organizations are at great risk of a cloud data breach.
365 Defender Things
Day 11 - XDR insights - File Analysis - The blog primarily focuses on the foundational aspects of malware analysis, excluding intricate content such as reverse engineering or complex debugging. While I extensively cover Microsoft 365 Defender, I will also utilize third-party tools for in-depth analysis.
Defending against Quishing attack with Microsoft 365 Defender Advanced Hunting - In recent months, many corporations have faced massive quishing (QR-code phishing) email campaigns. Threat actors have used compromised cloud infrastructure to send these emails to large numbers of corporate users; because the malicious link is encoded in a QR-code image rather than written into the message, URL-based protections see nothing to inspect.
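To give you a feel for what an Advanced Hunting query for this looks like, here is an example I put together for the newsletter. It is not a query from the linked blog: it joins EmailEvents to EmailAttachmentInfo (both real Advanced Hunting tables) to surface inbound mail whose only payload is image attachments and no URLs, which is the usual shape of a quishing message. The image extension list and the 10-recipient campaign threshold are my assumptions and should be tuned for your tenant.

```kql
// Added example for this newsletter, not from the linked blog.
// Hunt for inbound email whose only payload is image attachments and no URLs:
// the typical shape of a QR-code phishing ("quishing") message.
// Table/column names are from the Advanced Hunting schema (EmailEvents, EmailAttachmentInfo);
// imageTypes and the recipient threshold are assumptions to tune.
let lookback = 7d;
let imageTypes = dynamic(["png", "jpg", "jpeg", "gif", "bmp", "svg"]);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where AttachmentCount > 0 and UrlCount == 0          // no clickable link, only attachments
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType in~ (imageTypes)
    | summarize ImageAttachments = count(), FileName = take_any(FileName) by NetworkMessageId
) on NetworkMessageId
| where AttachmentCount == ImageAttachments             // every attachment on the message is an image
| summarize Recipients = dcount(RecipientEmailAddress),
            Subjects = make_set(Subject, 5),
            FileNames = make_set(FileName, 5),
            Delivered = countif(DeliveryAction == "Delivered"),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
  by SenderFromAddress, SenderIPv4
| where Recipients >= 10                                // assumption: bulk-campaign threshold
| order by Recipients desc
```

One caveat worth knowing before you rely on this: QR codes embedded inline in an HTML body rather than attached as a file may not appear in EmailAttachmentInfo, so pair this hunt with the body-analysis techniques the linked blog covers.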
Defender for Office Things
Test your team’s security readiness with the Gone Phishing Tournament - 74% of breaches involve the human element. Let's face it: technology alone isn't sufficient in the relentless fight against cyber-attacks. With AI technology like LLMs becoming more ubiquitous, phishing attacks are getting more sophisticated and attackers are homing in on the easiest targets: the users.
Defender Threat Intelligence Things
Enriching Anomali and Other TIPS with MDTI Feeds - In this blog, I'll cover how Microsoft Defender Threat Intelligence (MDTI) can help enable a comprehensive threat intelligence strategy for customers using Threat Intelligence Platforms (TIPs) by filling in vital gaps to show a more complete picture of the global threat landscape. It showcases a new solution built in partnership with the Admiral Group threat intelligence team.
Microsoft Entra Things
Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes - A Zero Trust breach prevention strategy based on user risk is critical for organizations in today's digital landscape. However, managing user risks in hybrid environments has posed several challenges. Today, we’re making it easier to manage user risk in hybrid environments in Microsoft Entra ID Protection (formerly Azure AD Identity Protection) – on-premises password change can now automatically remediate user risk!