Things from Me
Good Friday, everyone! And welcome back.
For those that are just tuning in this week, both this newsletter and I had the week off last week. I spent the majority of the time off working on getting the house ready to sell. We’re extremely close to feeling comfortable with officially putting it on the market.
On Monday of this week, we had the roof replaced. I don’t know if you’ve ever been through this endeavor, but it’s a noisy affair. My home office is on the second floor of the house so, at times, it seemed like someone would break through the ceiling like the old, 80’s Ratt video, Round and Round.
…
Microsoft Defender for Cloud Apps Usage SURVEY
Help us create the best possible user experience by participating in our Customer Engagement Survey. Your valuable insights will directly influence our product development decisions.
Survey Link: https://forms.office.com/r/EZYv8zmxPQ
…
If you happen to be in the North Sydney, New South Wales - Australia area Sep 19 – 20, 2023 you should check out ExpertsLive Australia. ExpertsLive is a long-running, super-valuable technical conference and it’s making its very first Australian debut this year.
You have until August 9th to take advantage of the A$99.00 Early bird registration. After that the price is still super manageable at A$129.00.
Register today!
https://www.expertslive.au/#/tickets?lang=en
…
That’s it from me for this week. I hope your week ahead is a good one.
Talk soon.
-Rod
Things to Attend
MEMUG July 2023 - MSFT & the Future with AI, Sponsored by ScriptRunner - Featuring 3 sessions in AI with MSFT: demystifying AI, Security Copilot, and M365 Copilot. Featured sponsor presentation from ScriptRunner!
Date and time: Friday, July 28 · 9am - 3pm MDT
Location: Microsoft 7595 E Technology Way Suite 400 Denver, CO 80237
Things that are Related
We have a new Learn Module on KQL!
Explore the fundamentals of data analysis using Kusto Query Language (KQL) https://rodtrent.com/j1d
Things to Watch/Listen To
Things in Techcommunity
Discovering options such as adding device groups in Defender - Hello everyone, I'm just discovering options such as device groups, and I would like to learn how to set them up correctly. Let me know if I understand it correctly: the option is meant to separate important and less important devices. What are the recommendations for important ones like servers and for less important ones like standard user workstations?
Things to Have
Defender for Cloud - Defender CSPM Workbook
Defender for Cloud Things
BLOG: The Importance of Defender for Cloud - Defender for Cloud is a comprehensive security management and threat protection service that helps organizations secure their on-premises workloads as they move to the cloud. Defender for Cloud is a crucial first step in securing on-premises workload migration to the cloud and it’s recommended that it be enabled on any workload that is migrated or created in Azure.
CODE: Defender for Cloud - Defender CSPM Workbook - The Azure Workbook for Defender CSPM Visualization is a dashboard designed to enhance the visualization and analysis of Defender for Cloud's Defender CSPM (Cloud Security Posture Management) information. This workbook provides a centralized and intuitive single pane of view within the Azure Portal, allowing users to easily access crucial information related to Defender CSPM.
UPDATE: Streamlined multicloud account onboarding with enhanced settings - Defender for Cloud has improved the onboarding experience to include a new streamlined user interface and instructions, in addition to new capabilities that allow you to onboard your AWS and GCP environments while providing access to advanced onboarding features.
BLOG: Microsoft Defender for APIs enriches Defender CSPM capabilities - We are excited to unveil the integration of Microsoft Defender for APIs (Preview) and Defender CSPM in Microsoft Defender for Cloud (MDC) to provide contextual API security findings and guide prioritized remediation.
NEW: Defender for Cloud Ninja Training now has a new certificate for Defender for Servers - Check it out here: https://rodtrent.com/my8
NEW: Data Aware Security Posture is now Generally Available - Data-aware security posture in Microsoft Defender for Cloud is now Generally Available. It helps customers reduce data risk and respond to data breaches. Using data-aware security posture you can:
Automatically discover sensitive data resources across Azure and AWS.
Evaluate data sensitivity, data exposure, and how data flows across the organization.
Proactively and continuously uncover risks that might lead to data breaches.
Detect suspicious activities that might indicate ongoing threats to sensitive data resources.
For more information, see Data-aware security posture in Microsoft Defender for Cloud.
BLOG: Enabling Microsoft Defender for Cloud for Arc Enabled SQL Server Machines - Welcome back to the third installment of our multi-part blog series on enhancing the security and management of Azure Arc Enabled SQL Server. In our previous posts, we explored how to evaluate SQL Server configurations using Best Practices Assessment for Azure Arc Enabled SQL Server (Post 1) and learned how to efficiently onboard multiple SQL servers at scale using Azure Policy (Post 2). Now, in this installment of the series, we will take another crucial step towards fortifying your SQL Server environment by enabling Microsoft Defender for Cloud on Arc Enabled SQL Server Machines.
Correlating alerts in Microsoft Defender for Cloud - In this blog, we will talk about the mechanisms of security alerts and incidents and explain incident templatization, with recent research on crypto mining as an example.
Defender for Endpoint Things
NEWS: Microsoft Defender for Endpoint is ranked number one in market share in the IDC Worldwide Corporate Endpoint Security Market Shares report, 2022 - Microsoft security researchers tracked a 130.4 percent increase in organizations that have encountered ransomware over the last year. Endpoints are an important attack vector, and ensuring that organizations have modern endpoint security as part of a broader extended detection and response strategy is top of mind for chief information security officers (CISOs). In line with these trends, IDC reports that the endpoint security market grew by 29.2 percent in 2022, reaching an all-time high of USD 13.1 billion.
Now in Public Preview: Device isolation and AV scanning for Linux and macOS - Today we are thrilled to announce that we are adding more capabilities for macOS and Linux-based devices in Microsoft Defender for Endpoint with the introduction of Device isolation and Running Antivirus Scan as newly available response actions. These response actions will provide security teams with more flexibility and control across their multi-platform enterprise to quickly address advanced threats targeting their devices. Both response actions are now in public preview.
PREVIEW: Manage security settings for Windows, macOS, and Linux natively in Defender for Endpoint - Starting today, customers will benefit from a host of new capabilities:
Native security settings management capabilities in Defender for Endpoint that support Windows, macOS, and Linux
Existing endpoint security policies are automatically ingested in the Microsoft 365 Defender portal
Create and edit AV policies directly from the Microsoft 365 Defender portal
Policies are automatically synced with Microsoft Intune to ensure coordination between IT and Security teams for organizations that use Intune as a full management suite.
A new list on the device page that shows all security policies and their settings
Simplified device onboarding: Removal of Azure Active Directory hybrid join as a management prerequisite
CODE: MDE-troubleshooter - This tool is designed to assist you in analyzing issues related to Defender for Endpoint on your local endpoint. It offers a centralized view of the security configuration, log files, updates, and provides access to the Performance Analyzer.
365 Defender Things
BLOG: Defending against TeamsPhisher attack with Microsoft 365 Defender Advanced Hunting - For SecOps blue teams: if your Microsoft tenant has Defender for Office 365 enabled and Safe Links for Teams enabled, you can easily use Microsoft 365 Defender Advanced Hunting KQL to hunt for all inbound Teams messages (containing links) sent from external organizations to your tenant's Teams users.
NEW: New file analysis and pivoting capabilities in Microsoft 365 Defender - We’re excited to introduce a new file page that revolutionizes the way security teams can analyze and pivot across devices and cloud applications. This enhancement enables defenders to gain deeper insights into files, their prevalence across the organization, and their impact on security incidents. Let's explore the exciting new file analysis and pivot capabilities in Microsoft 365 Defender.
BLOG: How to Stream Defender 365 Logs to a Separate Org - I was recently asked by a customer whether we could use the Defender 365 Streaming API to send the Defender 365 logs and alerts to a different Azure Subscription in a different Azure AD tenant. This came out of a mergers and acquisitions scenario, to help improve organization A’s security operations visibility into organization B’s security telemetry and alerts.
Defender for Identity Things
BLOG: Leveraging the convergence of Microsoft Defender for Identity in Microsoft 365 Defender Portal - In this blog post, we explore the remarkable advantages this convergence brings, and guide you through the new ways you can access some of the core elements of the old Identity experience.
BLOG: Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity - Honeytokens are a great tool for defenders to augment their security posture with traps hidden within their digital environments. Similar to honeypots, honeytokens are decoy accounts set up purely to lure attackers and divert their attention away from actual targets. Where honeypots are interactive and responsive systems pretending to be applications or services running on vulnerable servers on the network, honeytokens form a more granular item within a database, file share, HSM key vault, or identity system. These fake entities provide security teams a mechanism to better detect, deflect, or study attempted attacks.
Microsoft Purview Things
BLOG: Now in PREVIEW: Export your business assets from Microsoft Purview - One of the easiest ways to curate metadata is to pull all the information you need into a CSV file so you can work quickly in a spreadsheet, then make updates in bulk by importing the information. You can now do this in Microsoft Purview.
BLOG: Grant users access to data assets in your enterprise through the Microsoft Purview policies API - Microsoft Purview Data owner policies is a cloud-based service that helps you provision access to data sources and datasets securely and at scale. Data owner policies expose a REST API through which you can grant any Azure AD identity (user, group or service principal) Read or Modify access to a dataset or data resource. The scope for the access can range from fine-grained (e.g., Table or File) to broad (e.g., an entire Azure Resource Group or Subscription). This API provides a consistent interface that abstracts the complexity of permissions for each type of data source.
BLOG: Microsoft Purview and Data Security - I have spoken to a lot of customers about Purview, its use cases, and how it's viewed, and I usually get the same response - it's all about meeting regulatory compliance, right? No doubt, that's something that the capability can help you achieve, but I view it as more of a byproduct of what we are actually trying to do - and that is to protect your data, safeguard it from exfiltration activities, and prevent both malicious and accidental insiders from doing the wrong things with it.
Defender Threat Intelligence Things
BLOG: AiTM/MFA phishing attacks in combination with “new” Microsoft protections (2023 edition) - Adversary-in-the-middle phishing attacks are still increasingly common. Since the removal of basic authentication from Exchange Online, more and more attackers are using more modern attacks like adversary-in-the-middle phishing, cookie theft, and other techniques. Last year I blogged about several modern attacks and explained MFA fatigue, AiTM, PRT, OAuth attacks, and more. Time for a new update focused on adversary-in-the-middle phishing.
BLOG: Future Proof your SOC with the Power of the Azure Ecosystem and Defender Threat Intelligence - Microsoft Sentinel, along with the Defender Extended Detection and Response (XDR) platform, provides an enhanced toolset of top-grade technologies for your SOC to achieve its goals in today’s difficult threat landscape. With Microsoft’s XDR + SIEM/SOAR capabilities, you are future proofing your company’s security and modernizing your capabilities.
Microsoft Entra Things
NEWS: Azure AD is Becoming Microsoft Entra ID - Today we announced significant milestones for identity and network access, including the news that Microsoft Azure Active Directory (Azure AD) is becoming Microsoft Entra ID.
NEWS: Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID - Today, we’re thrilled to announce the next milestone in our vision of making it easy to secure access with two new products: Microsoft Entra Internet Access and Microsoft Entra Private Access. We’re adding these capabilities to help organizations instill trust, not only in their digital experiences and services but in every digital interaction that powers them.
BLOG: Microsoft Entra new feature and change announcements - Today, we’re sharing the new feature releases for the last quarter (April – June 2023) and the changes to existing features (June 2023 change management train). We also communicate these changes on release notes and via email. We’re continuing to make it easier for our customers to manage lifecycle changes (deprecations, retirements, service breaking changes) within the new Entra admin center as well.
DOCS: New name for Azure Active Directory - To unify the Microsoft Entra product family, reflect the progression to modern multicloud identity security, and simplify secure access experiences for all, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID.
BLOG: Introducing Restricted Management Administrative Units in Microsoft Entra ID - We’re excited to share the public preview of restricted management administrative units, a new role-based access control (RBAC) feature in Microsoft Entra ID.
AD FS to Microsoft Entra | How to migrate your cloud apps - Migrate from Active Directory Federation Services to Microsoft Entra ID (Azure Active Directory). Many key blockers have been removed with Microsoft Entra ID, including capabilities like certificate-based auth, group filtering, group transformation, and token augmentation. Additional capabilities include conditional access and phish-resistant passwordless authentication.
Fun Thing This Week
Generate artistic AI QR codes - Enter your URL and then describe how you want the artwork for your QR code to look. https://rodtrent.com/lp4