Things from Me
Happy Friday, dear subscribers!
As always, I hope you are enjoying the newsletter and finding it useful and interesting. I appreciate your support and feedback and am always looking for ways to improve. For feedback, suggestions, and such, please use either the commenting feature that’s part of this newsletter or drop me a note on X or LinkedIn.
I wanted to let you all know that due to the upcoming Thanksgiving holiday, the newsletter will not be delivering next week. I know that this may be disappointing for some of you, but I hope you understand that, after being away from family for the past couple of weeks for Microsoft Ignite, the holiday provides a welcome time to rest and recharge, and to spend some quality time with our families and friends.
The newsletter will resume its regular schedule the following week. In the meantime, I want to wish you a happy and safe Thanksgiving, and I thank you for your loyalty and patience.
I look forward to hearing from you soon!
-Rod
Things that are Related
Microsoft Ignite Book of News - The Book of News is designed to be your guide to all our announcements, making it easy for you to navigate the latest information and provide key details on the topics in which you are most interested. We are excited to share some groundbreaking new products and critical updates that help make work and life easier and more productive.
Microsoft unveils expansion of AI for security and security for AI at Microsoft Ignite - Our new generative AI solution—Microsoft Security Copilot—combined with our massive data advantage and end-to-end security, all built on the principles of Zero Trust, creates a flywheel of protection to change the asymmetry of the digital threat landscape and favor security teams in this new era of security.
Microsoft Security Copilot and NIST 800-171 - It is with bated breath that we await the publication of a Proposed Rule and final draft of Cybersecurity Maturity Model Certification (CMMC) 2.0. Simultaneously, the National Institute of Standards and Technology (NIST) just released the final draft of NIST Special Publication 800-171 Revision 3 (NIST 800-171r3) and initial draft of NIST 800-171Ar3, the assessment requirements for NIST 800-171r3. These publications are important because one of the primary requirements for CMMC is that organizations will need to implement most, if not all, of NIST 800-171r3’s controls for Level 2 certification.
How AI Can Improve Threat Intelligence Gathering and Usage - AI can help automate and enhance various aspects of threat intelligence gathering and usage, such as data collection, in-depth analysis, smart sharing, and cutting-edge technology.
Detect threats using Microsoft Graph activity logs - Part 2 - In part one I focused mostly on detecting offensive security tools like AzureHound, GraphRunner, and PurpleKnight. In part two I will go into more depth on how you can use the now available information for hunting and how to correlate it with other datasets to gain deeper insights.
Things to Watch/Listen To
Things in Techcommunity
Understanding the use of the Evidence Role field in Alert Tuning - I am looking for some help with understanding the use of the Evidence Role field when tuning an alert. I currently receive a false positive alert that I am trying to automatically set to resolved. There are a few conditions that need to be met to qualify as this alert, and one of those is to have a certain IP involved.
Things in the News
Microsoft debuts new unified security solution with Security Copilot - Security and IT admin teams can now work in one unified security operations platform, combining Microsoft Sentinel, Defender XDR, and the Security Copilot chatbot.
Defender for Cloud Things
Announcing new CNAPP capabilities in Defender for Cloud - In the fast-paced world of cloud computing, security teams are facing unprecedented challenges. As organizations increasingly adopt multicloud environments and prioritize the development of cloud-native applications, the complexity of ensuring robust security has grown exponentially. To tackle these evolving cloud security needs, a powerful solution has emerged – Cloud-Native Application Protection Platforms (CNAPP).
Enhancing Defender CSPM across the application lifecycle - Cloud Security Posture Management (CSPM) solutions help security teams take on these challenges and strengthen their security posture by providing visibility across multicloud environments from development to runtime to predict and prevent cyberattacks.
365 Defender Things
Introducing a Unified Security Operations Platform with Microsoft Sentinel and Defender XDR - Today, we enable SOC teams to build robust protection using Microsoft Defender XDR (formerly Microsoft 365 Defender), the market’s most comprehensive XDR platform. It provides unified visibility, investigation, and response across endpoints, hybrid identities, emails, collaboration tools, cloud apps, cloud workloads and data. Additionally, our cloud native SIEM solution, Microsoft Sentinel, offers unparalleled visibility into the overall threat landscape, extending coverage to every edge and layer of the digital environment. These experiences are natively integrated with bidirectional connectors, enabling security operations teams to benefit from the comprehensiveness and flexibility of the SIEM and the threat-driven approach of the XDR.
Ignite news: XDR in an era of end-user-to-cloud cyberattacks and securing the use of AI - Generative AI is introducing opportunities and challenges for security teams. While the rapid adoption and the influx of available apps using LLMs are turning into growing concerns among security leaders around lack of oversight and associated security risks, AI can also act as a means for defenders to gain ground against attackers by processing signal faster and disrupting cyberattacks early.
Defender for Cloud Apps Things
New cloud app catalog category for Generative AI - The Defender for Cloud Apps app catalog now supports the new Generative AI category for large language model (LLM) apps, like Microsoft Bing Chat, Google Bard, ChatGPT, and more. Together with this new category, Defender for Cloud Apps has added hundreds of generative AI-related apps to the catalog, providing visibility into how generative AI apps are used in your organization and helping you manage them securely. For example, you may want to use Defender for Cloud Apps' integration with Defender for Endpoint to approve or block the usage of specific LLM apps based on a policy.
Microsoft Purview Things
Supercharge security and compliance efficiency with Microsoft Security Copilot in Microsoft Purview - Today, we are excited to announce AI-powered capabilities in private preview to help your SOC, data security and compliance teams achieve more. With Microsoft Purview capabilities in Security Copilot, your SOC team gains unprecedented visibility across your security data – bringing signals together from Defender, Sentinel, Intune, Entra and Purview into a single pane of glass. Purview capabilities are essential here to help SOC teams determine the source of an attack and quickly identify sensitive data that could be at risk.
Integration of Azure Machine Learning with Microsoft Purview - Previously in the blog post Bringing ML assets to the Microsoft Purview Data Map we announced the public preview of Azure Machine Learning assets in Microsoft Purview. With the integration, AI/ML and data professionals can benefit from data discovery, lineage tracking and responsible AI governance in the whole MLOps lifecycle. The integration is only available for the enterprise version of Microsoft Purview.
Microsoft Purview expands data estate support – Amazon Redshift and Tableau - Microsoft Purview enables organizations to easily create a comprehensive, up-to-date map of their data landscape across on-premises, multi-cloud, and SaaS applications with automated data discovery. Purview keeps expanding the data system coverage to meet our customers’ diverse needs. We are glad to announce the latest integration with Amazon Redshift and Tableau.
Enhanced Snowflake integration in Microsoft Purview - Microsoft Purview keeps strengthening its Snowflake integration to help you enrich your data map with metadata from Snowflake. We are glad to share some new features available in Snowflake scan.
Introducing new version of Managed Virtual Network in Microsoft Purview - Managed Virtual Network (VNet) in Microsoft Purview enables the scenario in which, when your Microsoft Purview and/or data systems restrict network access, you can run the scan on the Managed VNet Integration Runtime (IR) – a fully managed service by Purview – to securely connect to them via private endpoints.
GA announcement - Microsoft Purview DevOps policies for Azure SQL Managed Instance - DevOps policies, a special type of Microsoft Purview access policies, allow customers to manage access to system metadata on data sources that have been registered for Data use management in Microsoft Purview. This feature enables IT/DevOps personnel to ensure that their critical database estate is healthy, performing to expectations, and secure.
Protect sensitive data Using Microsoft Purview Information Protection for Amazon S3 buckets - Microsoft Purview is a unified data governance service that helps organizations discover, catalog, classify, and protect their data across multiple sources and platforms. With Microsoft Purview, you can apply sensitivity labels to your data assets based on their content and context and enforce label-based policies to restrict access and usage.
Gain comprehensive data protection and efficient investigation with Microsoft Purview DLP - Today we are excited to announce a set of new capabilities in Microsoft Purview DLP that can help comprehensively protect your data and efficiently investigate DLP incidents.
Defender Threat Intelligence Things
Introducing MDTI Free Experience for Microsoft Defender XDR - Today, we are thrilled to announce that we are unleashing the power of threat intelligence to all Microsoft Defender XDR tenants. Starting at Microsoft Ignite, all Defender XDR users will see Microsoft Defender Threat Intelligence (MDTI) in the threat intelligence blade of Defender XDR. This free experience, which is a limited version of MDTI, enables security professionals of all levels to review recent threat research from Microsoft security experts and open-source (OSINT) feeds, search for and pivot between Indicators of Compromise (IoCs) to augment your investigations, and gain actionable threat context by reviewing Microsoft-curated profiles on known threat actors and tools – all within the Microsoft Defender XDR portal.
Unified MDTI APIs in Microsoft Graph Now GA - We’re thrilled to share that the unified APIs that are part of the Microsoft Graph are now generally available! These APIs come with a single endpoint, permissions, auth model, and access token. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.
How MDTI Helps Power Security Copilot - Today's cybersecurity challenges mandate that security teams invest more in high-quality threat intelligence to understand the mechanics of sophisticated attacks led by cybercriminals, nation-state actors, and others. With the introduction of Microsoft Security Copilot, security professionals can use Generative AI to quickly understand the full scope of attacks, anticipate the next steps of an ongoing campaign, and drive an optimal security plan for their organizations - all amid the intense, challenging time during an attack.