Things from Me
Happy Friday everyone! Thanks once again for coming along for the ride and for your interest in Microsoft Security.
This week has been a wild one for me. It started with FOMO over the MVP summit happening this week on the Microsoft campus. I had originally intended to be there in person and to be part of the weeklong event to celebrate our MVPs, but travel budget issues company-wide squelched that idea. I want to personally thank all those Security MVPs who posted their pictures and commentary from the week over Twitter and LinkedIn. That definitely helped satiate my longing. I was an MVP myself for over 10 years. Like any program there are good years and not so good years, but I felt pretty blessed for the years I was part of the program and I always make myself available to help push through nominations for those that should be part of the program. Know someone who should be an MVP? Let me know. LinkedIn is probably the best place to reach out about it.
…
I had a couple opportunities this week to spread the Cloud Security message on a couple different podcasts. You’ll see those in the Things to Watch/Listen To section today. I hope discussions like these are helpful for those organizations still struggling to get a handle on modernization and how security is a key part of that.
…
As the AI security lead on my team, I’ve been heads-down this week working on figuring out how best to monitor security for Azure OpenAI instances and deployments. This is something I need to show off for an upcoming conference (MMS MOA) I’m speaking at later this month. It’s an evolving thing. I’m by no means a developer. But to generate enough data to locate opportunities for exposing data, I’ve had to create a few of my own “apps.” If you’re interested in these “apps,” to get an understanding of how to access the Azure OpenAI API, check out Getting Responses to Questions from Azure Open AI ChatGPT in a CMD Window. I have a Web chat version of this coming shortly and then eventually I’ll show how to create your very own Security Copilot.
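Added example (editor's, not Rod's "apps" and not a Microsoft sample): one way to start monitoring an Azure OpenAI resource once its diagnostic settings are routed to a Log Analytics workspace. It assumes the logs land in the AzureDiagnostics table under ResourceProvider MICROSOFT.COGNITIVESERVICES with the RequestResponse category, that the resource is named "aoai-prod" (hypothetical), and that ResultSignature carries the HTTP status; the expected caller range is a constructed RFC 5737 example.

```kql
// Added example: baseline who is calling an Azure OpenAI resource and surface
// callers outside the expected network range, or callers generating many errors
// (a cheap signal for key misuse or prompt-abuse experiments).
// Assumptions: diagnostics routed to AzureDiagnostics; resource name "aoai-prod"
// is hypothetical; the caller range below is a constructed RFC 5737 example.
let lookback = 7d;
let expected_callers = dynamic(["203.0.113.0/24"]);
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.COGNITIVESERVICES"
| where Category == "RequestResponse"
| where Resource =~ "aoai-prod"
| extend InExpectedRange = ipv4_is_in_any_range(CallerIPAddress, expected_callers)
| summarize Requests = count(),
            Failed = countif(ResultSignature startswith "4" or ResultSignature startswith "5"),
            Operations = make_set(OperationName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by CallerIPAddress, InExpectedRange
| where InExpectedRange == false or Failed > 50
| order by Requests desc
```

Run it in the workspace attached to the resource's diagnostic settings; the Audit category (key regeneration, deployment changes) is worth a second query on the same pattern. Treat the column names as something to confirm against your own tenant's rows before building alerts on them.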
…
Lastly, I want to take a moment to be very serious. This week also saw the passing of a dear friend, Duncan McAlynn. Duncan has been part of every community that I’ve been part of for my entire professional career. I first met Duncan sometime in the mid-to-late 1990s and we’ve kept in touch ever since. If I’ve not seen him in person every year since we met, we’ve at least kept in touch over email, LinkedIn, Twitter or whatever medium was available at the time. I don’t think 3 or 4 months has ever gone by that I didn’t think of him and reach out to see how he was doing. He made that kind of impact.
I knew he had been struggling with health issues for the last few years but had no clue it had gotten that bad. In fact, the last time we spoke over LinkedIn in January of this year he made no mention of it. He just responded in his normal, Duncan way.
So, when I saw his wife announce the news that Duncan had left us over the past weekend, I was shocked and saddened. It truly impacted my day and the rest of my week. I sat and thought about all of my stories Duncan was part of from all the years we’ve been in touch. And, if you knew Duncan, you have stories, too. It's most sad that I’ll not be able to reach out to him now and get that expected response.
As I mentioned earlier, I’ll be headed to that conference at the end of this month. Duncan was part of the community that attends that conference and I’m looking most forward to commemorating Duncan by telling and hearing everyone’s stories.
That’s it from me for this week.
Be good to each other. Talk soon.
-Rod
Things to Attend
Microsoft Purview Days 2023 - MAY 06, 2023 - 1-Day Virtual Event - Microsoft Purview Days 2023 is a one-day virtual event organized by the Microsoft 365, Power Platform & Cloud Security India User Group. Microsoft Purview provides a unified data governance solution to help manage and govern your on-premises, multicloud, and software as a service (SaaS) data.
Visit Microsoft Security Experts at the RSA Conference 2023 - It’s finally that time of the year. The Microsoft Security Experts team will be at the RSA Conference 2023 (RSAC) starting Sunday, April 23 to Thursday, April 27 in San Francisco. We look forward to connecting with everyone in person and sharing the latest in cybersecurity innovation.
Microsoft Security Insights Show Episode 150 - Mona Ghadiri, BlueVoyant - Join us as we prepare for RSA conference with a chat with MISA partner BlueVoyant.
Things that are Related
Anatomy of a KQL Query Part 1 - Whether you’re new on the SOC or a seasoned Sentinel Ninja, here are some basic queries I keep coming back to when investigating anything odd about my ingest patterns (and thus my overall cost).
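Added example (editor's, not one of the queries from the linked post): the check I reach for first when an ingest pattern looks off. It compares yesterday's billable volume per data type against the trailing 30-day average in the standard Usage table, so a table that suddenly doubled stands out before the bill does. Nothing here is assumed beyond the Usage table's documented columns (DataType, Quantity in MB, IsBillable, StartTime).

```kql
// Added example: flag data types whose last complete day of billable ingestion
// sits more than two standard deviations above their trailing 30-day baseline.
let lookback = 30d;
let daily = Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize DailyMB = sum(Quantity) by DataType, Day = startofday(StartTime);
let baseline = daily
    | where Day < startofday(now() - 1d)           // exclude the day under test
    | summarize AvgMB = avg(DailyMB), StdMB = stdev(DailyMB) by DataType;
daily
| where Day == startofday(now() - 1d)              // yesterday: the last complete day
| join kind=inner baseline on DataType
| extend ZScore = iff(StdMB > 0, (DailyMB - AvgMB) / StdMB, 0.0)
| project DataType,
          DailyMB = round(DailyMB, 1),
          AvgMB = round(AvgMB, 1),
          ZScore = round(ZScore, 2)
| where ZScore > 2
| order by ZScore desc
```

Lower the threshold (or drop the final where) to see the full per-table picture; the same query with `Solution` added to the summarize keys attributes the spike to the connector that produced it.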
Things to Watch/Listen To
AzureTalks Podcast #006 - Cloud Security with Sentinel, Defender for Cloud, AI and KQL - Join Rolf Shutten and me as we talk about securing cloud workloads, the story of Must Learn KQL, and yes, even AI.
Episode #27 - Series DfC #01 – about Microsoft Defender for Cloud - Introduction - We are thrilled to announce the launch of our brand-new podcast series, "Defender for Cloud: Bridging Worlds" with the incredible Rod Trent as our first guest! In this debut episode, we’ll explore the unique security differences and challenges between cloud and on-prem environments, and how Defender for Cloud emerges as the ultimate solution, bringing the best of both worlds.
KQL Cafe: Session 13 with Guest: Alexander Sloutsky - listen to one of the inventors of KQL.
Microsoft Security Insights Show Episode 149 - Mark Shavlik with Senserva - Join us as we prepare for RSA conference with a chat with MISA partner Senserva. Mark Shavlik, long-time Microsoft security vet who has created a number of widely used security products, will talk about the state of Azure Security from a product creator’s perspective. We'll also find out why Senserva has opted for the Midwest Management Summit instead of RSA this year.
Things to Have
InternetFacingDevicesWithAvailableExploits.md - List internet facing devices with vulnerabilities that have an exploit available.
Deprecated PowerShell Modules - Use these KQL queries to identify devices / users that are still using the deprecated PowerShell modules.
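Added examples (editor's, not the queries behind either of the two links above) covering both "Things to Have" entries. Query 1 joins the Defender for Endpoint device inventory's IsInternetFacing flag with the vulnerability tables to list internet-facing devices carrying a CVE that the KB marks as having a public exploit. Queries 2 and 3 hunt for the deprecated Azure AD PowerShell modules; the page does not name which modules, so AzureAD and MSOnline are assumed, and the AppId in query 3 is the well-known "Azure Active Directory PowerShell" application ID used by the AzureAD module, with MSOnline assumed to appear under the same one (verify in your tenant).

```kql
// Query 1 (Defender advanced hunting): internet-facing devices with exploitable CVEs.
// IsInternetFacing is only present on rows from the device discovery feature, so
// take the latest such row per device before joining.
DeviceInfo
| where Timestamp > ago(7d)
| where IsInternetFacing == true
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceId, CveId, SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel
  ) on DeviceId
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| summarize ExploitableCves = make_set(CveId),
            MaxCvss = max(CvssScore),
            Software = make_set(strcat(SoftwareName, " ", SoftwareVersion), 20)
    by DeviceId, DeviceName, OSPlatform
| order by MaxCvss desc

// Query 2 (Defender advanced hunting): devices still loading the deprecated modules.
// Assumption: the modules of interest are AzureAD / AzureADPreview / MSOnline.
// Limitation: only command lines are visible; cmdlets typed inside an interactive
// session or inside a script run with -File do not appear here, hence query 3.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Connect-AzureAD", "Connect-MsolService",
                                    "Import-Module AzureAD", "Import-Module MSOnline",
                                    "AzureADPreview")
| summarize Hits = count(), LastSeen = max(Timestamp),
            Examples = make_set(ProcessCommandLine, 3)
    by DeviceName, AccountName
| order by Hits desc

// Query 3 (Sentinel SigninLogs): users who authenticated with the deprecated modules.
// Assumption: 1b730954-1685-4b74-9bfd-dac224a7b894 is the "Azure Active Directory
// PowerShell" AppId used by the AzureAD module; MSOnline is assumed to share it.
SigninLogs
| where TimeGenerated > ago(30d)
| where AppId == "1b730954-1685-4b74-9bfd-dac224a7b894"
| summarize SignIns = count(), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10)
    by UserPrincipalName, AppDisplayName
| order by SignIns desc
```

Queries 1 and 2 run in the Defender portal's advanced hunting; query 3 needs the Entra ID sign-in connector in Sentinel. Together they give the device view and the user view the entry above is after.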
Things in Techcommunity
I need to deploy DFI for a couple of users - I need to deploy Defender for Identity for a couple of users in the organization. But the business does not want to buy an E5 license for everyone.
DFI/DFE and IdentityQueryEvents DNS events - Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled?
Microsoft Security Tech Community - Join the other 68,000 members of the Tech Community to ask questions to the product team and get the latest on product updates. The Security Tech Community is free to join and provides the easiest way to get notified when something new is in product, and how you can implement it into your workflows.
Things in the News
Government of Albania recovers from cyberattack in three days, builds resilience with Microsoft Security solutions - When the Government of Albania faced a sophisticated nation-state attack, the Albanian National Agency for Information Society (AKSHI) responded quickly and decisively. In the face of a double-pronged assault - a decoy ransomware attack coupled with a "wiper" attack designed to destroy systems and data - AKSHI took swift action by isolating its infrastructure and shutting down critical systems to prevent damage. Working closely with Microsoft Incident Response (Microsoft IR) and Security Modernization and Transformation (M&T), AKSHI deployed cutting-edge security technology, including Microsoft Defender for Endpoint, Defender for Identity, and Microsoft Sentinel, to gain comprehensive visibility across its infrastructure and prepare for future attacks.
See product news and on-demand sessions from Microsoft Secure - “Great speakers and very knowledgeable.” “Brilliant.” “Wonderful and very useful.” The first Microsoft Secure on March 28, 2023, was a huge success—as this attendee feedback shows. Our virtual event brought together more than 20,000 security professionals eager to learn security best practices and hear major product announcements—including the introduction of Microsoft Security Copilot, the first security product that enables defenders to move at the speed and scale of AI. Our event included other exciting product announcements across compliance, identity, and more. If you weren’t able to attend, you still can see those announcements for yourself by watching sessions on-demand.
The world needs cybersecurity experts – Microsoft expands skilling effort with a focus on women - Today, Microsoft is expanding our Cybersecurity Skills Initiative to Argentina, Chile, Indonesia, and Spain, and delivering grants to nonprofits to help skill people for the cybersecurity workforce. With this expansion, we are now working in 28 countries around the world, partnering with nonprofits and other educational institutions to train the next generation of cybersecurity professionals.
Defender for Cloud Things
BLOG: Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform - The purpose of this article is to provide you with step-by-step guidance on how to use Terraform templates, to onboard your AWS/GCP environment to Microsoft Defender for Cloud. Terraform is an Infrastructure as Code (IaC) tool you can use to build, change, and version your public cloud infrastructure safely and efficiently. In addition to being a widely used tool, an advantage of using Terraform to onboard your environment to Defender for Cloud, is that you can use it for both AWS and GCP. Using Terraform to onboard your AWS/GCP environment to Defender for Cloud, allows you to automate the onboarding process and integrate it into your existing processes.
NEW: Agentless Container Posture in Defender CSPM (Preview) - The new Agentless Container Posture (Preview) capabilities are available as part of the Defender CSPM (Cloud Security Posture Management) plan. Agentless Container Posture allows security teams to identify security risks in containers and Kubernetes environments. An agentless approach gives security teams visibility into their Kubernetes clusters and container registries across the SDLC and at runtime, removing friction and footprint from the workloads. Agentless Container Posture offers container vulnerability assessments that, combined with attack path analysis, enable security teams to prioritize and zoom into specific container vulnerabilities. You can also use cloud security explorer to uncover risks and hunt for container posture insights, such as discovery of applications running vulnerable images or exposed to the internet.
Defender for Endpoint Things
BLOG: Enrich your advanced hunting experience using network layer signals from Zeek - Today, we would like to share a variety of Zeek-based events in advanced hunting that will help you expand your investigation, hunting, and detection capabilities for identifying and addressing network-layer anomalies across HTTP, SSH and ICMP protocols. Using the new Zeek events, we will demonstrate how to perform network threat hunting while also covering some of the MITRE ATT&CK Matrix.
BLOG: Automate your SOC – Rise of the machine (risk) - We’re back with another edition of Automate your SOC with Microsoft STAT. Today we’re going to discuss the Microsoft Defender for Endpoint module (MDEModule). This module can retrieve a few pieces of information that can enrich your incident: it returns the MDE risk level and exposure level for the machines, users, or IP addresses in the incident.
BLOG: Discovering internet-facing devices using Microsoft Defender for Endpoint - Last year, we announced the evolution of the device inventory view in Microsoft Defender for Endpoint. The revamped device inventory view gave SOC analysts visibility into all discovered devices, counts and functional features (such as, search) that enhanced the overall user experience. To build on top of this work, we are expanding our device discovery capabilities through our existing network telemetry and RiskIQ integration. We’re thrilled to announce the ability to discover internet-facing devices is now in public preview.
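Added example (editor's, not from the Zeek blog post above) for the Zeek-based network events: an SSH password-spray / brute-force hunt over inbound SSH sessions that the Defender for Endpoint network sensor inspected. It assumes the ActionType value "SshConnectionInspected" and that the AdditionalFields JSON carries keys named after Zeek's ssh.log fields (direction, auth_success, auth_attempts, client, server); confirm the key names against a real row before alerting on it.

```kql
// Added example: inbound SSH sessions seen by the Zeek-based sensor, grouped by
// remote address, keeping only pairs where most sessions failed authentication.
// Assumptions: ActionType "SshConnectionInspected"; AdditionalFields keys follow
// Zeek's ssh.log (direction, auth_success, auth_attempts, client, server).
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == "SshConnectionInspected"
| extend f = parse_json(AdditionalFields)
| extend Direction      = tostring(f.direction),
         AuthSuccess    = tobool(f.auth_success),
         AuthAttempts   = toint(f.auth_attempts),
         ClientSoftware = tostring(f.client),
         ServerSoftware = tostring(f.server)
| where Direction =~ "In"
| summarize Sessions       = count(),
            FailedSessions = countif(AuthSuccess == false),
            TotalAttempts  = sum(AuthAttempts),
            Clients        = make_set(ClientSoftware, 5),
            Servers        = make_set(ServerSoftware, 5),
            FirstSeen      = min(Timestamp),
            LastSeen       = max(Timestamp)
    by DeviceName, RemoteIP, LocalPort
| where FailedSessions >= 10 and FailedSessions * 1.0 / Sessions > 0.8
| order by FailedSessions desc
```

The ratio filter keeps a busy but healthy jump host out of the results; a noisy scanner shows up with many sessions, almost all failed, and a client banner you do not recognize. The same extend/summarize shape works for the HttpConnectionInspected events (method, host, uri, user_agent) when hunting for unusual outbound web traffic.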
Microsoft Purview Things
BLOG: Multi-Geo Exchange Online Admin Audit Logs - We’re excited to announce that Exchange admin audit logs are now available from all geo locations for Multi-Geo tenants in Office 365. This feature is only applicable for tenants utilizing Multi-Geo Capabilities in Microsoft 365 using Multi-Geo license. In a Multi-Geo environment, a Microsoft 365 Tenant consists of a Primary provisioned location (where Microsoft 365 subscription was originally provisioned) and one or more satellite locations.
BLOG: Protect intellectual property with Govern 365 and Microsoft Purview - Global supply chains face a broad range of risks, from physical threats to cybersecurity threats. Sharing information with suppliers is essential for the supply chain to function effectively, but it also creates significant risk, including the potential loss of intellectual property (IP). Security is only as strong as the weakest link in the supply chain. Data compromised in the supply chain can be as damaging as data compromised within the organization. Digital rights management (DRM) is used by many industries, such as the music industry, to protect intellectual property. Organizations are beginning to look at this technology to protect their corporate IP. Netwoven Govern 365 and Microsoft Purview Information Protection provide a robust solution for managing your IP.
NEW: Introducing Data collaboration in Microsoft Purview data catalog with Ratings feature - Imagine you are a data analyst tasked with building customer usage metrics for the last six months. Using Microsoft Purview data catalog, you can now search and find all the customer-related data assets. However, you will now face the challenge that there are multiple data assets which have customer information, and you are not sure which one is the trusted one. One way to understand this would be to get access to all the customer data assets which you think are relevant, read the data, and then determine which one to use. This process can be cumbersome and time consuming, and ratings can help alleviate some of the inefficiencies. As users in your organization use data assets, they can now provide a rating of 1 to 5 and leave comments on the data asset. Now, as an analyst you can use these ratings and reviews to understand and use the most trusted and used data.
Defender Threat Intelligence Things
BLOG: What's New: Hash and URL Search Intelligence - Microsoft Defender Threat Intelligence (Defender TI) now includes File Hash and URL Search capabilities, enabling researchers, analysts, hunters, and security responders to search for high-quality threat intelligence, including verdicts and associated metadata. This feature empowers security professionals to effectively utilize threat intelligence in their threat-hunting and investigation activities.
BLOG: Microsoft shifts to a new threat actor naming taxonomy - Today, Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name.
BLOG: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets - Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest. This Mint Sandstorm subgroup has also continued to develop and use custom tooling in selected targets, notably organizations in the energy and transportation sectors. Given this subgroup’s capabilities, the profile of past targets, and the potential for cascading effects, Microsoft is publishing details on known tradecraft alongside corresponding detections and mitigations to help organizations protect against this and similar threats.
DOCS: How Microsoft names threat actors - Microsoft has shifted to a new naming taxonomy for threat actors aligned with the theme of weather. With the new taxonomy, we intend to bring better clarity to customers and other security researchers already confronted with an overwhelming amount of threat intelligence data and offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves.
Microsoft Entra Things
Microsoft Entra delivers 240 percent ROI, according to new Forrester study - In total, Forrester’s financial analysis found that a composite organization based on these interviewed customers experienced benefits of USD 12.14 million over three years, versus costs of USD 3.57 million. This adds up to a net present value of USD 8.57 million and a return on investment (ROI) of 240 percent. Forrester left no stone unturned in examining the financial impact of Microsoft Entra. The results were divided into five categories common to most organizations.