Microsoft Defender Weekly Wrap - Issue #86
Must Learn Everything
Things from Me
Happy Friday, all!
Sitting with the folks in Denver last week, it was confirmed that time moving too quickly is not just an Ohio thing. It’s August - already. The local school here will start back in just a week which means that the Thanksgiving and Christmas holidays are just around the corner. Heck, I’ve just now gotten my yard under control after a few very hot summer weeks.
The trip to Denver for the “Day of AI” I mentioned last newsletter issue went great. Everything was recorded, so you can catch up on the presentations and discussions. Here are all resources from that event and it includes the recorded videos, presentations, and additional links.
MEMUG’s July 2023 event on AI Transformation with Microsoft: https://memug.org/2023/08/july-2023-meeting-replay-ai-transformation/
…
Based on some ongoing discussions and confirmed last week during the in-person event in Denver, it’s time to start giving AI Security the Must Learn treatment. If you’re just hearing about “Must Learn” I had decided a couple years back because of the success of the Must Learn KQL series that that model should be used for future efforts that needed extra focus.
As of today, that model has introduced the Kusto Query Language to over 40,000 people through blogs, books, samples, and assessments and that number has never stopped growing.
Believe it or not, Security for AI is still a very new thing, but there’s quite a bit already available to think about. Using the Must Learn model, the content can be constantly evolved and updated to match and meet the latest nuances of security.
The main link to find everything will be: aka.ms/MustLearnAISecurity
A couple chapters in the series are already available this week. Check them out when you get a chance…
There will be a couple new chapters released each week and like the Must Learn KQL series, once it hits chapters 3 or 4, I’ll start to compile a downloadable PDF book version for those that like to read and learn later.
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Always learning, always adapting: Unpacking Azure’s continuous cybersecurity evolution - In the first blog of our series on Azure Security, we discussed our approach to tackling cloud vulnerabilities. Our second blog highlighted our use of variant hunting to detect patterns and enhance security across our services. The third blog in the series introduced game-changing architecture to improve built-in security. In this installment, we share our integrated response strategy which provides a continuous learning model, leveraging big data, to improve response, detections, preventative controls, and governance to measure and improve effectiveness.
Peeling The KQL Potato - The sheer versatility of KQL as a query language is staggering. The fact that there are so many query variations that ultimately deliver to the same results, leads me to think how one query could be more beneficial than another in a given circumstance. Today we’ll explore a crude KQL example that works, but then improve it in more ways than one (think not only compute requirements and time spent crunching, but how the output could be improved upon as well).
SC-400 exam gets a name change to better reflect the updated content: Exam SC-400: Administering Information Protection and Compliance in Microsoft 365 - We recognized the need to expand this certification and exam to include compliance features. This resulted in the addition of two new functional groups (“Monitor and investigate data and activities by using Microsoft Purview” and “Manage insider and privacy risk in Microsoft 365”), which we’ve documented in the study guide for Exam SC-400. The updated exam that includes questions to support these groups was released on June 1, 2023.
AiTM & BEC threat hunting with KQL - The evolving phishing threat is relentless and continues to grow each year. Attackers have been changing their tactics, techniques, and procedures, moving from traditional phishing to more advanced techniques. Especially, AiTM is a great example of how attack techniques have evolved over the past few years and have spread globally.
ERROR: Could not load type ‘Microsoft.Graph.Authentication.AzureIdentityAccessTokenProvider’ from assembly ‘Microsoft.Graph.Core - After upgrading Microsoft Graph, I noticed an issue when trying to run cmdlet Get-MgGroup or Get-MgUser. I could connect to Graph with no issues, but multiple cmdlets failed.
Things to Watch/Listen To
Things in Techcommunity
MDE tuning suppression by file name - Looking to tune a particular in-built MDE rule by file name rather than hash.
How to get audit logs for Ransomware activity Policy under Threat Detection - I need to fetch the logs like who modified the policy is there any PowerShell command I can run?
Defender for Cloud Things
Defender CSPM - recognized as an Overall Leader, Product Leader, Innovation Leader, and Market Champion in KuppingerCole’s 2023 CSPM Leadership Radar – will begin billing on August 1, 2023. Defender CSPM provides full visibility with agentless scanning to monitor misconfigurations, an intelligent cloud security graph synthesizing insights such as data-aware security posture, and attack path analysis to prioritize and mitigate your most critical risks. This is all available in a single view in Microsoft Defender for Cloud, our Cloud-Native Application Protection Platform (CNAPP).
Deploying Microsoft Defender for Servers in Network-Restricted Environments - Microsoft Defender for Servers (part of the Microsoft Defender for Cloud security suite), being a comprehensive solution for server protection across multi-cloud and hybrid environments, requires the deployment of several agents to achieve its multiple protection capabilities. As many of our customers run their Windows/Linux server environments without direct Internet outbound connectivity, there is the need for guidance on how to successfully deploy Defender for Servers with such restrictions. This article aims thus to bring additional clarity by summarizing all the considerations that must be taken when deploying each Defender for Servers component in network-restricted environments.
Preview release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender for Containers and Defender for Container Registries - July 31, 2023 - We're announcing the release of Vulnerability Assessment (VA) for Linux container images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender for Containers and Defender for Container Registries. The new container VA offering will be provided alongside our existing Container VA offering powered by Qualys in both Defender for Containers and Defender for Container Registries, and include daily rescans of container images, exploitability information, support for OS and programming languages (SCA) and more. This new offering will start rolling out today (July 31st), and is expected to be available to all customers By August 7. For more information, see Container Vulnerability Assessment powered by MDVM and Microsoft Defender Vulnerability Management (MDVM).
Agentless container posture in Defender CSPM is now Generally Available - July 30, 2023 - Agentless container posture capabilities is now Generally Available (GA) as part of the Defender CSPM (Cloud Security Posture Management) plan. Learn more about agentless container posture in Defender CSPM.
Defender for Experts Things
Cyber Signals: Sporting events and venues draw cyberthreats at increasing rates - Today we released the fifth edition of Cyber Signals, spotlighting threats to large venues, and sporting and entertainment events, based on our learnings and telemetry from delivering cybersecurity support to critical infrastructure facilities during the State of Qatar’s hosting of the FIFA World Cup 2022.
Microsoft Purview Things
Midnight Blizzard conducts targeted social engineering over Microsoft Teams - Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use):
msftprotection.onmicrosoft[.]com
identityVerification.onmicrosoft[.]com
accountsVerification.onmicrosoft[.]com
azuresecuritycenter.onmicrosoft[.]com
teamsprotection.onmicrosoft[.]com
We detected a recent change to your preferred Multi-Factor Authentication (MFA)
GA announcement — Microsoft Purview Mooncake (China North 3) - We are thrilled to announce that Microsoft Purview is now generally available in the Mooncake (China North 3) region. Our goal with Microsoft Purview, designed to "Understand and govern data across your entire data estate," is to provide unified data governance solutions to our valued customers, enabling them to effectively manage, govern, protect, and leverage their entire data landscape.
GA announcement— Microsoft Purview Fairfax (USGov Virginia) - Today, we're announcing the General Availability of Microsoft Purview in Fairfax cloud. Our Microsoft Purview Solution which is designed to “Understand and govern data across your entire data estate” is now available in the Fairfax US Gov Cloud Virginia.
SharePoint support for labels configured for user-defined permissions - Rolling out in preview, there's now limited support for labels configured for user-defined permissions. This encryption configuration refers to the setting Let users assign permissions when they apply the label and the checkbox In Word, PowerPoint, and Excel, prompt users to specify permissions.
Defender for Office Things
Announcing the availability of in-product guidance! - Today, we are super proud to announce the general availability of our new in-product guidance, which is an evolution of the step-by-step guides documentation. (aka.ms/step-by-step)
Microsoft Defender for Office 365 gets highest rating in SE Labs Enterprise Email Security Services test for Q1 2023 - We are thrilled to announce that Microsoft Defender for Office 365 has once again received an AAA Protection Award, the highest possible that a vendor can achieve in this test.
Announcing New DMARC Policy Handling Defaults for Enh0anced Email Security - Domain-based Message Authentication, Reporting & Conformance (DMARC) is a standard that helps prevent spoofing by verifying the sender’s identity. If an email fails DMARC validation, it often means that the sender is not who they claim to be, and the email could be fraudulent.
Microsoft Entra Things
What’s new with Microsoft Entra ID Protection - To protect customers with our latest innovations, we’re excited to announce key enhancements to Microsoft Entra ID Protection: a brand-new dashboard to provide key insights, new detections to block existing attacks, a new mechanism for Microsoft to rapidly protect users from emerging threats, and the integration with Microsoft 365 Defender. Read below to learn more about these exciting new features.
Fun Thing This Week
Moviewiser - Ask AI for movies or TV shows about any topic you desire.
