Things from Me
Hey, ho, everyone! Another Friday is here and that’s great news.
Our lives settled back into a somewhat normal range this past week as the gutters and downspouts were installed on the house on Monday. With the basement now waterproofed and the gutters and downspouts replaced, we were actually praying for lots of rain to test the new system adequately.
It’s been really dry here in Ohio for the last few weeks, which makes it even more ironic that we’re doing all the home waterproofing. I haven’t had to mow the grass for a couple of weeks as the grass is already a crunchy brown. This doesn’t usually happen until mid-July. It did rain this week, but the ground needed it so it was soaked up right away. We have more rain in the forecast so maybe we’ll have a true test of the system in short order.
Before leaving you with the bulk of the newsletter, there are a couple of extras to share first.
…
If you’re a die-hard fan of breaking tech news, I would highly suggest you attend the following upcoming event. Just the speaker list alone should tell you that something is up.
Reimagine secure access with Microsoft Entra - Tuesday, July 11, 2023 9:00 AM – 10:30 AM Pacific Time (UTC-7) - As your digital footprint continues to expand with more identities, resources, apps, and endpoints to secure, identity and access must evolve. Attend Reimagine secure access with Microsoft Entra to hear about the latest identity and access innovations. Learn how establishing identity as your first line of defense can help you be more secure, resilient, and efficient in our connected world.
Speakers:
…
That’s it for me for this week.
Talk soon.
-Rod
Things that are Related
Track Major New Features for Microsoft Security Products Using RSS Feeds - If there’s one piece of feedback I hear constantly from customers, it’s that it’s difficult to keep up with the number of changes in Microsoft’s products. The pace of feature releases and product updates for Microsoft Security products can feel a bit overwhelming at times, and not knowing when a new capability is available means not using it even though it may resolve a longstanding request or issue.
Detection Engineering in Azure & Introducing AzDetectSuite - AzDetectSuite is a project created to give Azure users a basic defensive baseline by providing a pre-built KQL query for each technique in the Azure Threat Research Matrix (ATRM) that can be deployed as an alert rule in Azure Monitor. Now, in ATRM, most (85%+) techniques have a KQL query and a button that deploys the query to your Azure subscription.
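As an added illustration of the kind of rule AzDetectSuite packages, here is one ATRM-style detection implemented in Python and run locally over constructed AzureActivity-style records. This is example code written for this newsletter, not code from the AzDetectSuite project or from ATRM; the sample log rows, the subscription ID and the allowlisted deployer principal are all made up. It flags successful RBAC role-assignment and custom-role-definition writes, a common persistence and privilege-escalation signal in Azure, and the KQL one would deploy as an Azure Monitor scheduled query alert is given in the header comment.

```python
"""
ATRM-style detection for Azure RBAC changes, run over constructed AzureActivity rows.

Roughly equivalent KQL (what would be deployed as an Azure Monitor alert rule):

    AzureActivity
    | where OperationNameValue in~ ("MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
                                    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE")
    | where ActivityStatusValue =~ "Success"
    | summarize Count=count() by Caller, CallerIpAddress, OperationNameValue, bin(TimeGenerated, 1h)
"""
import json
from collections import Counter

# Operation names as they appear in AzureActivity.OperationNameValue (upper-cased in that table).
WATCHED_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE": "RBAC role assignment created",
    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE": "custom RBAC role definition created or changed",
}

# Hypothetical allowlist of principals that legitimately manage RBAC (e.g. an IaC pipeline).
ALLOWLISTED_CALLERS = {"terraform-deployer@contoso.example"}

# Constructed sample rows (newline-delimited JSON) mimicking AzureActivity columns; not a real export.
SAMPLE_LOG = """
{"TimeGenerated":"2023-06-19T14:02:11Z","OperationNameValue":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","ActivityStatusValue":"Start","Caller":"alice@contoso.example","CallerIpAddress":"203.0.113.10","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2023-06-19T14:02:12Z","OperationNameValue":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","ActivityStatusValue":"Success","Caller":"alice@contoso.example","CallerIpAddress":"203.0.113.10","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2023-06-19T14:05:40Z","OperationNameValue":"MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE","ActivityStatusValue":"Success","Caller":"alice@contoso.example","CallerIpAddress":"203.0.113.10","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2023-06-19T15:30:00Z","OperationNameValue":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","ActivityStatusValue":"Success","Caller":"terraform-deployer@contoso.example","CallerIpAddress":"198.51.100.7","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2023-06-19T16:12:03Z","OperationNameValue":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","ActivityStatusValue":"Failure","Caller":"bob@contoso.example","CallerIpAddress":"192.0.2.55","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2023-06-19T16:40:00Z","OperationNameValue":"MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION","ActivityStatusValue":"Success","Caller":"bob@contoso.example","CallerIpAddress":"192.0.2.55","SubscriptionId":"00000000-0000-0000-0000-000000000001"}
"""


def parse_activity(text):
    """Parse newline-delimited JSON rows into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_rbac_changes(records, allowlist=ALLOWLISTED_CALLERS):
    """Return one alert per successful, non-allowlisted watched operation.

    Only ActivityStatusValue == "Success" counts: AzureActivity also writes a
    separate "Start" row for the same request, so matching on any status would
    double-count every change and would also fire on requests that were denied.
    """
    alerts = []
    for row in records:
        op = row.get("OperationNameValue", "").upper()
        if op not in WATCHED_OPERATIONS:
            continue
        if row.get("ActivityStatusValue") != "Success":
            continue
        if row.get("Caller") in allowlist:
            continue
        alerts.append({
            "time": row["TimeGenerated"],
            "caller": row["Caller"],
            "ip": row.get("CallerIpAddress"),
            "subscription": row.get("SubscriptionId"),
            "operation": op,
            "description": WATCHED_OPERATIONS[op],
        })
    return alerts


def summarize_by_caller(alerts):
    """Mimic the KQL summarize step: alert count per (Caller, CallerIpAddress)."""
    return Counter((a["caller"], a["ip"]) for a in alerts)


if __name__ == "__main__":
    found = detect_rbac_changes(parse_activity(SAMPLE_LOG))
    for a in found:
        print(f'{a["time"]} {a["caller"]} from {a["ip"]}: {a["description"]}')
    print(dict(summarize_by_caller(found)))
```

Two things worth carrying over into the real KQL before deploying it as an alert: filter on ActivityStatusValue == "Success" (every request also logs a Start row, and failures are attempts, not changes), and maintain an allowlist for your IaC or deployment principals, otherwise the rule drowns in pipeline noise on its first day.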
Things to Attend
Next week! Some of the Microsoft Security Insights show crew will be sitting in on a Petri panel to talk about SOCs and Generative AI. Registration is still live.
Register here: https://rodtrent.com/sir
Things to Watch/Listen To
Microsoft Security Insights Show Episode 157 - Rin Ure - In this episode, we catch up with friend of the show, Rin Ure, about his new role at Microsoft and how he sees AI changing the way SOCs operate. Rin runs the Cyber Defense Operations Center One Cloud SOC Triage and Analysis team in the US. They are the team that handles triage and analysis SOC requests for Microsoft, its services, and its Cloud and AI customers.
Things in Techcommunity
Regulatory Compliance - download report: notApplicableReason - Looking over the Compliance report, I see various reasons under the "notApplicableReason" but I'm not sure where those comments are coming from. There is no exemption created for the "unhealthy" findings so is this some type of default entry? I don't see this in the documentation. Our customer is wanting to edit the reasons but not sure where or how this is done.
How to remove custom app tag in bulk under MDCA. - Is there a way to remove custom created app tags in bulk from MDCA? I'm not referring to app tags like Sanctioned/Unsanctioned/Monitored.
Things to Have
Email-EOP-Detection-DailyPercentage.yaml - This query shows the daily percentage of Exchange Online Protection (EOP) detections.
Things from Partners
How Microsoft and Sonrai integrate to eliminate attack paths - Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to uncover and remediate sophisticated threats in a timely manner.
How to get more for your security dollars - In this episode of the EY Microsoft Tech Directions podcast, we discuss the benefits of simplifying security and how best to spend money doing so.
Defender for Cloud Things
BLOG: Microsoft Defender for API Security Dashboard - With this blog, we are introducing you to the Microsoft Defender for API Security Dashboard, which provides a representation of the security posture of your APIs across different pivots that help you understand the overall security findings and threats in your environment and how to prioritize them.
Defender for Endpoint Things
BLOG: Where did my Defender Device Inventory Go? - Recently Microsoft changed some of the defaults in the Microsoft Defender Dashboard, which has made visibility of the Device Inventory only accessible by default for the Security Administrator, and Global Administrator roles.
NEW: Announcing the monthly security summary report for Microsoft Defender for Endpoint - To help Defenders around the world streamline the value of their services while offering clarity to stakeholders on the recent security performance of their organization, we are excited to announce the public preview of the monthly security summary report for Microsoft Defender for Endpoint!
BLOG: Update to enrollment pre-requisites for Windows devices managed by Defender for Endpoint with Intune - Later this month, we'll be making architectural updates to the security settings management capabilities in Microsoft Defender for Endpoint that simplify the device enrollment process. The updates include removing Azure Active Directory (Azure AD) join or Hybrid Azure AD join as a pre-requisite for onboarding Windows devices that use security settings management in Defender for Endpoint.
365 Defender Things
Share your feedback on Microsoft 365 Defender via the new feedback portal - We’re excited to announce that Microsoft 365 Defender is now part of the new community feedback experience, and our customers now have a dedicated platform to submit their suggestions and feature requests for our security products.
Microsoft Purview Things
BLOG: Microsoft Purview- Paint By Numbers Series (Part 10)- Defender for Cloud Apps & DLP - Overview - Microsoft Defender for Cloud Apps (MDCA) is Microsoft's cloud access security broker (CASB). So even though we are looking at it in this blog series to provide DLP functionality, it has a broader range of security features.
BLOG: Filter by asset type, bulk delete assets, and import assets into collections in Microsoft Purview - Our latest release, Manage access to business assets via collections, also makes it easier to work with assets in Collections.
NEW: Encryption algorithm changes in Microsoft Purview Information Protection - Starting in August 2023, AES256 in cipher block chaining mode (AES256-CBC) will be the default encryption mode across all applications using Microsoft Purview Information Protection. Organizations with Azure Rights Management service plans will also receive a Message Center post with this announcement and instructions to help them prepare for this change.
NEW: Announcing multicloud assessments in Compliance Manager - Multicloud strategies have become the new norm for most enterprises, with over 90% of organizations adopting multiple cloud infrastructures (IaaS), platforms (PaaS), and services (SaaS) to run their businesses.
NEW: Prevent data leak through web apps with Microsoft Purview Data Loss Prevention - Today we are excited to announce a new capability in Microsoft Purview Data Loss Prevention that can help organizations create policies that prevent their users from pasting sensitive data to specific websites, including personal email, generative AI prompts, social media sites and more when accessed through a supported web browser.
NEW: Manage insider risks in multicloud environments - Today, we are pleased to announce new features to help tailor the Insider Risk Management solution for your organization’s use across multiple environments:
Bring your own detections to manage insider risks across multiple environments holistically
Prevent high risk users from pasting sensitive data into browser applications
Customize insider risk detections for different user groups
Bolster your investigation efforts with new enhancements
Get started easily with insider risk analytics and enhanced quick policies
Defender for Office Things
NEWS: Forrester names Microsoft a Leader in the 2023 Enterprise Email Security Wave - We are proud to announce that Microsoft Defender for Office 365 has been recognized as a leader in The Forrester Wave™: Enterprise Email Security, Q2 2023 report, which we believe demonstrates its strong track record for being a comprehensive and robust email and collaboration security solution. Forrester noted that “Microsoft’s continued investment in security is paying off as it protects end users from attacks that target communication and collaboration environments in addition to email,” and that “email and collaboration security are key elements of Microsoft’s extended detection and response (XDR) strategy, adding prevention capabilities to its unified approach to detection, investigation, response, and remediation.”
Defender Threat Intelligence Things
BLOG: Detecting and mitigating a multi-stage AiTM phishing and BEC campaign - Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.
THREAT ACTOR: Details about Cadet Blizzard from Microsoft Defender Threat Intelligence - Cadet Blizzard (DEV-0586) is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepared for an offensive attack.
Microsoft Entra Things
Strategies for securing identities in Azure Active Directory with Sean Metcalf - The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Senior Product Marketing Manager Brooke Lynn Weenig talks with Trimarc Founder and Chief Technology Officer Sean Metcalf, who is a Microsoft Certified Master in Active Directory, co-hosts the Enterprise Security Weekly podcast, and created the adsecurity.org website. The thoughts below reflect Sean’s views, not the views of Sean’s employer, and are not legal advice. In this blog post, Sean talks about securing identities.
Fun Thing This Week
Quiz Maker: AI-generated quizzes about anything. Just enter a topic or URL to content and let AI do the rest.