Things from Me
Happy Friday everyone!
I don’t have a lot going on this week other than prepping some internal sessions for Copilot for Security and preparing for our next fiscal year’s projects. Microsoft’s fiscal year comes to an end at the end of this month, so there’s lots of miscellaneous happenings in preparation for the next year ahead.
I mentioned last week that I had an upcoming Virtual Ninja Show episode. That went off - but not without a hitch or two. Due to some strange (and still undiscovered) security setting on my Microsoft managed PC, local video recording couldn’t upload to our partner (who manages the production), so instead of a live version of me during the episode, you’ll find a static image instead. It’s sort of comical.
If you get some time, you can have a look: The Virtual Ninja Show | Season 8 Episode 7: Introducing the Copilot for Security Prompting Workshop
I joked with our production partner that we could have at least used AI to generate stop animation.
…
Next week, we’re making our annual trip to Ohio Amish country to visit my best friend. If you’ve been subscribing here for very long, you’ve heard this story before. If not, my best friend is a chiropractor to the Amish. The Amish love their chiropractors.
It’s his birthday. I feel very lucky to have my friend and I’m always honored to share another birthday with him. We’ve been best friends since 1978. He jokes quite often with my wife that he’s known me longer than she has.
Not to worry, though, the newsletter will be ready to go as usual next Friday.
Talk soon.
-Rod
Things to Attend
Upcoming Microsoft Webinars…
June 12 - Azure Network Security | Azure Firewall Integration in Microsoft Copilot for Security
June 13 - Microsoft Defender for Cloud | Shift Left with Microsoft Defender for Cloud
June 20 - Microsoft Defender for Cloud | Elevate Cloud Security Using Permissions Management in Microsoft Defender for Cloud
June 25 - Microsoft Defender for Cloud | New Version for File Integrity Monitoring
Use the following link to register: https://aka.ms/msc_webinars_page
Things in Techcommunity
Suspected identity theft (pass-the-ticket) on multiple endpoints false positive - I have recently analyzed a few Suspected identity theft (pass-the-ticket) alerts which I think are false positives. I've been digging into the logs to try and figure this out, but I'm starting to think the reason was staring me in the face all along.
Disable Microsoft Monitoring Agent (MMA) automatic installation - We have an ARC-enabled on-premises server and we want to uninstall the MMA agent, but each time we uninstall it from our server it installs again, and the Azure Log Analytics workspace is configured again. Does anyone have an idea where we can find the automatic rule for the installation, please?
Copilot for Security Things
Copilot for Security stuff now has its own bi-weekly newsletter!
Defender for Cloud Things
Defender for Cloud Monthly news - June 2024 - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from May 2024.
Cloud security posture and contextualization across cloud boundaries from a single dashboard - Have you ever found yourself in a situation where you wanted to prioritize the riskiest misconfigurations on cloud workloads across Azure, AWS, and GCP? Have you ever wondered how to implement a unified dashboard for cloud security posture across a multicloud environment?
Defender XDR Things
Microsoft a Leader in the Forrester Wave for XDR | Microsoft Security Blog - Today, we are excited to announce that Microsoft has been named a leader in The Forrester Wave: Extended Detection and Response (XDR) platforms, Q2, 2024, with the highest scores in the strategy, current offering, and market presence categories. Microsoft Defender XDR was rated the highest possible in 15 out of 22 evaluation criteria, including Endpoint Native Detection, Surface Investigation, Threat Hunting, Analyst Experience, Vision, and Innovation.
Microsoft Entra Things
Entra Private Access/GSA – Automatic Network Detection - This blog covers a custom script solution for Intune that can be used to automatically detect whether the Entra Private Access (GSA) client is connected to the internal network or is off-site. When the client is connected to the internal network, we don’t want to send the network traffic into the GSA tunnel through Microsoft – but use direct connectivity to the servers.
Secure Azure File Shares Access With Microsoft Entra Private Access - Internet Service Providers (ISP) often block TCP port 445, so we cannot access and map a drive on a Windows Client computer with an Azure File Share. Microsoft has documented that we could configure a Point-to-Site (P2S) VPN on Windows or a Site-to-Site VPN for Azure Files in these scenarios.
Use Microsoft Entra to connect Azure Database for MySQL via Function App - This tutorial will introduce how to integrate Microsoft Entra with Azure Database for MySQL to avoid using fixed usernames and passwords. By utilizing system-assigned managed identities and user-assigned managed identities as a programmatic bridge, it becomes easier for Azure-related PaaS services (such as Function App or App Services) to communicate with the database without storing connection information in plain text.
Hunting for MFA manipulations in Entra ID tenants using KQL - Cloud security is a top priority for many organizations, especially given that threat actors are constantly looking for ways to compromise cloud accounts and access sensitive data. One of the common, and highly effective, methods that attackers use is changing the multi-factor authentication (MFA) properties for users in compromised tenants. This can allow the attacker to satisfy MFA requirements, disable MFA for other users, or enroll new devices for MFA. Some of these changes can be hard to detect and monitor, as they are typically performed as part of standard helpdesk processes and may be lost in the noise of all the other directory activities occurring in the Microsoft Entra audit log.
Really enjoyed watching the video with Heike and you. Very helpful!