Things from Me
Good Friday, everyone! Welcome back to this week’s newsletter issue.
It’s been a wacky week, to say the least. It started with what many have coined ASRmageddon and ended with the announcement that around 10,000 people are being let go from Microsoft. Obviously, those two events were unrelated, but still a true spectrum of events and emotions.
…
For those not familiar with the ASRmageddon scenario:
On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.
For those who are still battling with ASRmageddon, or who somehow missed the tools available to detect and recover from it, here are a couple of good resources:
Recovering from Attack Surface Reduction rule shortcut deletions
ASRmageddon Summary - a good summary including links, KQL, PowerShell, etc.
…
As to the other bit of news, I’m still here at Microsoft (for now).
There were rumors about the layoffs early on Tuesday (one day prior to the official announcement), so I was sort of prepared that it was possibly coming, but it still seemed like just a made-up story. But the official Microsoft-wide email from Satya on Wednesday morning made it all too real. All day on Wednesday after the announcement, when I joined a scheduled Teams meeting, the first thing out of all attendees’ mouths was, “hey, I’m still here.” And if someone was late to the meeting, it made you wonder.
Repercussions from the layoffs will be felt for many months. For some that means looking for new opportunities. For others it means pivoting and doing a lot more with fewer resources. Both camps will need support.
I’ve seen some great folks already caught up in it. It’s an emotional time for everyone. I would simply ask that everyone lay low on comments that are negative and unconstructive. I’ve seen some folks take to social media to blast the event. I see you.
…
Lastly, the Must Learn KQL 2023 mug arrived on Thursday. Super happy with the design and production.
Having a daily reminder as you drink your morning coffee or tea to learn KQL sets you up for success.
Mug and laptop sticker are available here: https://rodtrent.com/wjl
As with anything Must Learn KQL related, all proceeds go to St. Jude Children’s Research Hospital.
…
That’s it from me this week. I’ll catch you all next Friday after a hopefully less disruptive, less consequential week.
Talk soon.
-Rod
Things to Attend
Secure your data with a multilayered defense - Tuesday, February 7, 2023, 9:00 AM – 10:15 AM Pacific Time (UTC-7) - Reimagine what’s possible in data security with new innovations from Microsoft Purview. Join this digital event, Go Beyond Data Protection with Microsoft Purview, to explore how to safeguard your data across clouds, devices, and platforms.
Microsoft Entra Permissions Management AMA on January 30th - Join us on Monday 1/30 at 9:00AM PST for another AMA (Ask Microsoft Anything) with the Microsoft Entra Permissions Management team! This will be a text-based live hour of answering all your questions relating to the product and CIEM solution. Looking forward to seeing you there!
JAN 25 Microsoft Defender for Cloud | Code to Cloud Security using Microsoft Defender for DevOps - In this session, we will see how Microsoft Defender for DevOps helps security teams get a comprehensive view of their source code management platforms. Within Microsoft Defender for Cloud, they can get a list of every secret, vulnerability and misconfiguration found in their environments, and by querying the newly released Cloud Security Explorer they can identify and prioritize their most vulnerable and critical repositories and remediate them.
JAN 26 Microsoft Defender for IoT | Azure Manager Secure Connectivity and Advantages - Microsoft Defender for IoT sensors are deployed on-premises to monitor your OT networks. In this session we will overview the security advantages of managing these sensors via the Azure portal.
JAN 31 Microsoft Defender for Cloud | What's New in the Last 3 Months - Microsoft Defender for Cloud is in active development and receives improvements on an ongoing basis. In this session we will summarize and demo what we've released for Microsoft Defender for Cloud in the last 3 months that you need to know about!
Things that are Related
Six Security Considerations for Machine Learning Solutions - Machine learning (ML) technology exposes a new type of attack surface and continues to be an active area for research. As machine learning becomes more embedded into day-to-day activities – think health care, financial transactions, mobile phones, cars, home security systems - we can expect it to become an increasingly attractive target for attackers.
Things to Watch/Listen To
A Day In the Life Series with Microsoft Defender for Cloud - We heard from you that you would like to hear more about how different personas interact with and use Microsoft Defender for Cloud. Join us for a unique webinar, where we give you a hands-on look at the different personas that work with Defender for Cloud on a regular basis. The main personas we cover in this webinar are SOC Engineer, Analyst, Workload Owner and Security Decision Maker.
Things in Techcommunity
How to get the Protection History from a device - I would like to get the Protection History without user intervention. I don't understand why it is not on the device page in Microsoft 365 Defender initially...
How to allow an email domain without using message rule (permanently) - I read all of Microsoft's documentation, and I feel a little bit lost. I find it a little bit contradictory. It says it is not recommended to use a message rule, for obvious reasons, but it provides no other way to do it properly, only the submission, which is not efficient at all because you have no choice to define an expiration date. But Microsoft recommends using that option so as not to bypass any protection....
Microsoft Defender for Email & Collaboration - "Whitelist" - ...time-sensitive messages arrive within/outside of business hours. The messages are still quarantined for the users. Any suggestions on how to resolve the issue are much appreciated.
Things to Have
AI Security Risk Assessment - Best practices and guidance to secure AI systems - This document is a first step for organizations to assess the security posture of their AI systems. But instead of adding yet another framework for organizations to follow, we attempted to provide the content in a manner that can be snapped to existing traditional security risk assessment frameworks.
Defender for Cloud Things
VIDEO: Defender for Cloud in the Field #25: AWS ECR Coverage in Defender for Containers - In this episode of Defender for Cloud in the Field, Tomer Spivak joins Yuri Diogenes to talk about the new AWS ECR coverage in Defender for Containers. Tomer explains how Defender for Containers performs vulnerability assessment for ECR workloads in AWS and how to enable this capability. Tomer demonstrates the user experience in Defender for Cloud, showing the vulnerability findings in the dashboard and the onboarding process.
DOCS: Integrate security solutions in Microsoft Defender for Cloud - This document helps you to manage security solutions already connected to Microsoft Defender for Cloud and add new ones.
BLOG: Defender for Servers Security Alerts Improvements - As part of Defender for Servers’ security alert quality improvement process, in April 2023 some alerts for Windows and Linux servers will be removed and instead sourced from Defender for Endpoint. Note that all security scenarios covered by the deprecated alerts are fully covered by Defender for Endpoint threat alerts. With this change, organizations will not only maintain all their existing security coverage but will also see a significant reduction in redundant alerts and greater alert accuracy, with fewer false positives.
Defender for Endpoint Things
BLOG: Recovering from Attack Surface Reduction rule shortcut deletions - On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.
BLOG: Microsoft Defender for Endpoint series – integrations with other products – Part 7 - It is time for part 7 of the Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on Defender for Endpoint and additional configurations. Now it is time for the integration part with other products and services.
BLOG: 101: Introducing Microsoft Defender For Endpoint - One of my favourite role functions is to talk with customers about Microsoft security. Of course I like to speak about security in general as well, but Microsoft do a really great job covering 80% of what organisations need from a cyber security perspective, so I almost always start with that.
365 Defender Things
BLOG: Centrally manage permissions with the Microsoft 365 Defender role-based access control (RBAC) model - We are excited to announce the public preview of a central role-based access control (RBAC) capability to help unify roles and permissions management across Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity.
BLOG: Master the Art of Microsoft Advanced Hunting: KQL Queries Best Practices for Uncovering Hidden Threats - Apply these recommendations to get results faster and avoid timeouts while running complex queries.
BLOG: Securing your email with M365 Defender and Exchange Online Protection - Email is one of the most critical business communication tools, and it’s also one of the most vulnerable to cyber attacks. Microsoft 365 Defender and Exchange Online Protection (EOP) are both powerful security solutions that can help you protect your email from cyber threats. In this post, we’ll take a closer look at how these two tools work together to keep your email secure.
BLOG: Build custom incident response actions with Microsoft 365 Defender APIs - As a security analyst or incident responder, you not only want to closely observe everything happening in an environment, but also react quickly and efficiently once malicious activity is detected. While Microsoft 365 Defender has powerful detection capabilities, it also provides response actions at the file, device and user level, that can be triggered both manually and automatically.
BLOG: Good UAL Hunting - In this blog post, we will be taking a deeper dive into one of those data sources, the Office 365 Unified Audit Log (UAL). This is a key data source in any cloud investigation because it contains a record of all the activity that has occurred in Office 365 and Azure Active Directory: whether a threat actor adds a new application secret, sets up a mailbox rule, accesses an email message, or joins a Teams call, it will be logged in the UAL. If we use this resource correctly, it can help us build a full story of a threat actor’s activity in Office 365.
Defender for Identity Things
MDI: PowerShell Configuration Checker - Raymond Roethof (Thalpius) has developed a C# application to check whether all those events are configured properly. It is an amazing solution, but I wanted to run the checker from the command line and thought, why not use Raymond's work and adapt it as a PowerShell script?!
Microsoft Defender for Identity Lateral Movement from Forest to Forest Without a Forest Trust - In this blog post, I will explain how multi-forest authentication works, how you can use the REST API endpoint to hop from forest to forest without a forest trust, and the risks associated with using the Directory Service Account within Microsoft Defender for Identity.
Defender for Business Things
Secure your business like you secure your home: 5 steps to protect against cybercrime - Running a business requires a lot of determination and sometimes a leap of faith. Every day brings a new challenge, and many times it can feel like the stress and uncertainty are too much. That’s when you remind yourself why you took the leap—the satisfaction of realizing your own vision—and you keep going.
Defender for Office Things
Defender for Office 365 Blog Series - Part 2 - Going into the new year with part 2 of my Microsoft Defender for Office 365 Blog Series; in this part we will look into the configuration piece of MDO.
Defender EASM Things
Seeking Out Dead and Dying Servers - Peruse any social media platform where InfoSec practitioners interact and share their findings, and you will likely find a mention of the latest and greatest 0-day exploit making the rounds. Although 0-days represent the cutting edge of threat activity, aside from a specific error of backdoors in easily identifiable software, these are often the result of misconfigurations, poor defense-in-depth design, or lack of regular patching and updating.
Windows Defender Things
BLOG: How to implement a gradual (ring) rollout process for Microsoft Defender updates - It is important to ensure that client components are up to date to deliver critical protection capabilities and prevent attacks. In this blog I will cover both how the update process works and how to manage it with a gradual release process.