Things from Me
Happy Friday everyone!
Thanks so much for being here. Despite the newsletter not delivering last week, I had an awesome time on my buddy road trip, which led to riding to the top of the St. Louis arch and eventually meandered us toward GEHA stadium in Kansas City to watch Inter Miami play soccer. It was a trip full of frolic and fun and included a visit to Joe's Bar-B-Que, which has been featured on Diners, Drive-Ins, and Dives.
Our visit to GEHA stadium represented the largest-ever attendance to a soccer game in KC history and the second largest in the world.
And what better way to celebrate than to not only enjoy the trip and good friends, but watch Lionel Messi actually score a goal during the Inter-Miami win.
It was a great trip and we’re already planning to make it an annual thing.
…
I have one big note to share for the future of this newsletter. I know there’s been a lot of Copilot for Security content recently. For now, the bulk of Copilot for Security is being designated to this newsletter. However, there’s some additional content specific to Microsoft Sentinel that won’t be available here and you may want to subscribe to the sister publication Microsoft Sentinel this Week to get it.
However, as you can imagine there has been a massive uptick in content for the newly released service, and as such, I’m considering building a newsletter specifically for Copilot for Security. If this is something you’d like to see, let me know in the following survey…
…
That’s it from me for this week. Thanks again for coming along with us on this Microsoft security journey.
Talk soon.
-Rod
Things to Watch/Listen To
Things in Techcommunity
Endpoint DLP isn't working as expected - I have onboarded a couple of devices as a test into MS Defender for endpoint and we already have Microsoft Defender for Endpoint Plan 2 enabled in our tenant as part of our A5 License. I have created a DLP policy to stop copying files with a certain label to a removable storage device/printing but it's not working as expected.
Defender for Endpoint permission for part of Devices - An automation should be able to flag all Windows 10 machines in Defender for Endpoint (only some selected ones should be flagged, depending on "things"). As it is an automation, we use an app registration for permission management. I gave it the permission Machine.ReadWrite.All. This works, but I could also flag other machines. So the question is, how can I restrict permissions to Windows 10 machines?
Copilot for Security Things
MVP Morten Knudsen has developed and released some Copilot for Security tools worth reviewing.
Cost Calculator for Scalable Capacity
Deployment script for Scalable Deployment of Capacity
Automation of Capacity Change
https://github.com/KnudsenMorten/Copilot4SecurityTools
Copilot for Security Scalable Capacity Management for non-24×7 SOC scenario - Some of my customers do not have a 24×7 SOC but still want to utilize Microsoft Copilot for Security during their normal work hours, typically Monday-Friday from 8am-4pm. During this time they want to have a scalable capacity with the most capacity in the morning (peak) and then less capacity in the afternoon. When they go home, they want the capacity to be removed until the next day at 8am. This scenario will decrease the cost for Copilot for Security significantly as it is only running during their work hours.
RansomwareSigns.yaml - Custom plugin for Defender: signs of ransomware activity.
Automatic Provisioning and Deprovisioning of Copilot for Security Capacity Unit - I took inspiration from https://thoor.tech/Copilot-for-Security-deploy-and-destroy/, and decided to create my own solution based on Bicep, Deployment Stacks, and Azure DevOps Pipelines to automate creating an SCU on weekday mornings and destroying it again in the afternoon.
Is it worth enabling just ONE Security Compute Unit (SCU) of Copilot for Security? 💸 - It is, ONLY if you want to leverage unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI) — a $50k per seat value, at NO extra cost.
Unleash the Power of Microsoft Copilot for Security: Introducing the Copilot for Security GitHub - Attention to all security enthusiasts! We are pleased to announce the launch of the official Microsoft Copilot for Security GitHub Community
Leverage Custom Promptbooks to Optimize your Security Workflows - Copilot for Security comes with prebuilt promptbooks, a series of prompts that have been put together to accomplish specific security-related tasks. They can function in a similar way as security playbooks, ready-to-use workflows that can serve as templates to automate repetitive steps, for instance, with regards to incident response or investigations. Each prebuilt promptbook requires a specific input (for example, a code snippet or a threat actor name). Custom promptbooks consist of the natural language prompts you choose in the order you wish them to run to meet your unique common security-related use cases to optimize your workflows.
Microsoft Copilot for Security Entra Plugin Overview - When Microsoft announced Microsoft Entra in May 2022, the Microsoft Entra product family consisted of Azure Active Directory (Azure AD), Microsoft Entra Permissions Management, and Microsoft Entra Verified ID. The current product family has expanded beyond identity and access management into new market categories such as security service edge. Microsoft Entra is the new unifying brand for this portfolio of products. To align with this change, Azure AD is now Microsoft Entra ID.
Microsoft Copilot for Security Defender Threat Intelligence and Threat Analytics Plugin Overview - Microsoft Defender Threat Intelligence (MDTI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering raw and finished threat intelligence.
Microsoft Copilot for Security Defender XDR Plugin Overview - Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
How to build a Copilot for Security API Plugin – Part 1 - API plugins allow Copilot to make REST API calls to both Microsoft and non-Microsoft services, and hence are the most powerful and relatively complex of the plugins. In this article, we show how to build a simple API plugin that makes a GET request with no parameters.
How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training - This course is designed to equip you with the necessary skills to effectively utilize Microsoft Copilot for Security, a cloud-based platform renowned for providing comprehensive visibility and safeguarding of organizational assets and data. You'll learn to monitor, detect, analyze, and respond to security threats across hybrid environments.
Filtering My Sessions in Copilot for Security - Knowing how to properly filter the My Sessions list in Copilot for Security becomes important as you find you need to develop management policies around cleaning up the constantly cached information.
Copilot for Security Custom Plugin to Track SCU Changes - In addition to setting alerts in Microsoft Sentinel or Azure Monitor, or manually watching the Usage Monitoring screens to know when Copilot for Security capacity changes, you can use a custom plugin.
Brief: Getting a Monthly Cost for Resource Email for Copilot for Security - In the Microsoft Copilot for Security compute capacities service in the Azure portal, you can set up a Task for each compute capacity you have created.
Microsoft Copilot for Security Azure Bicep File - This repository contains an Azure Bicep file for deploying a Microsoft.SecurityCopilot/capacities resource, along with GitHub Actions workflows for automated deployment and destruction of resources.
Brief: Where to Adjust Copilot for Security SCUs - There are currently three different places where a Copilot for Security owner can adjust the number of SCUs being utilized for the organization. This is important as customers begin to envision how much compute will be needed for various times of the day based on security team activity and build policies around these capacity needs.
Copilot for Security Custom Plugins - Plugins listed here are for informational and educational purposes only and do not come with support.
Microsoft Copilot for Security Plugins - This repository contains lessons as part of the Microsoft Copilot for Security walk through series. The series is a starting point for anyone willing to master the skills of creating custom Plugins for Microsoft Security Copilot.
Defender for Cloud Things
How to better manage cost of API calls that Defender for Cloud makes to AWS - Have you ever found yourself in a situation where you enabled GuardDuty or CloudTrail on Amazon Web Services (AWS) and onboarded your AWS environment to Microsoft Defender for Cloud? Have you ever wondered how to minimize the AWS costs associated with having GuardDuty or CloudTrail enabled while Defender for Cloud makes API calls to your AWS environment?
Microsoft Defender for Cloud Full Coverage for Azure Open-Source Relational Databases - Microsoft Defender for Cloud now provides full threat protection coverage for all instances of Azure open-source relational databases: PostgreSQL, MySQL and MariaDB – helping customers safeguard their business-critical databases against cyberattacks.
eBPF-Powered Threat Protection using Inspektor Gadget - Inspektor Gadget is a Cloud Native Computing Foundation (CNCF) project that aims to change the way we consume and execute eBPF programs by managing their packaging, deployment and execution. If you aren't familiar with eBPF, you can read more about it on ebpf.io, but in short, eBPF allows us to execute sandboxed programs that extend the Linux kernel without having to change it. In this post we use eBPF to attach to a tracepoint event that fires when a specific system call is made by a process.
Defender Experts Things
Strategies to Monitor and Prevent Vulnerable Driver Attacks - Threat actors discover vulnerabilities in drivers and exploit them to achieve privilege escalation, circumvent Windows Driver Signature Enforcement (DSE), install a self-developed driver as a rootkit, or unhook security and monitoring solutions. This presents a significant cybersecurity risk, as it can give threat actors complete control over a system, enabling them to hide processes and network communication, evade detection, and so on.
Microsoft Purview Things
Intro to MS Purview Information Protection – Part 2 - As we know from the previous document, Azure Information Protection (AIP) is a comprehensive solution offered by Microsoft for classifying, labeling, and protecting sensitive information. As organizations increasingly rely on AIP to safeguard their data, it becomes imperative to ensure a positive user experience. This post explores the user experience within AIP and DLP, identifying key areas for improvement and strategies to enhance usability and satisfaction.
Programmatically documenting table columns in Microsoft Purview with Purview Python SDK - This article shows how to use the Python SDK for Purview to programmatically document Purview table columns in bulk, assuming there are many tables and columns that need to be documented automatically based on a reference table, which in this example is the data dictionary maintained in Excel.
Defender for Office Things
Copy simulations in Attack Simulation Training is now GA - We are excited to announce that in Attack Simulation Training you can now copy an existing simulation and modify it to suit your needs, which will save you time and effort when creating new simulations based on previous ones.
Microsoft Entra Things
Introducing "What's New" in Microsoft Entra - With more than 800,000 organizations depending on Microsoft Entra to navigate the constantly evolving identity and network access threat landscape, the need for increased transparency regarding product updates — particularly changes you may need to take action on — is critical.
Enforce least privilege for Entra ID Company Branding with the new Organizational Branding role - I’m pleased to announce General Availability (GA) of the Organizational Branding role for Microsoft Entra ID Company Branding.