Things from Me
Happy Friday everyone!
I tell you - it’s been a week. I mentioned in the last newsletter that I was anticipating heavy rains in my area of the world. As of last Friday evening, those rains didn’t come. So, I got cocky and didn’t do the due diligence I normally do to prepare for potential basement flooding.
At around 4am Saturday morning, I woke up and things just didn’t seem right. If you’ve owned a home, you know what I mean. You have an almost 2nd sense. You know the proper sounds of the house. You know when something’s just not right. And that was the case for me.
The first indication of problems was that the HVAC system seemed to be struggling and making gurgling sounds through the house vents. At that moment I knew things were amiss, but I had no clue what to expect when I checked the basement.
Suffice to say, I spent the entire weekend wading barefoot through 40°F water and pumping about 3 feet of water out of the basement. On Sunday, I went online and sent out requests for every local basement waterproofing service I could find. And, because of my lack of due diligence, we lost a treadmill.
…
Despite the weekend woes, the week has been great. I hope you were all able to register and attend our first-ever Microsoft Secure event this week. Feedback has been great, so I can only assume that the event will be back and even better next year. One of the primary requests after the event has been for more deep dives. Well, good news…we start in April with a Secure-related deep dive called the Microsoft Tech Accelerator.
Join us for our Microsoft Tech Accelerator event: April 13, 2023, where we will dive deeper into the technology as a follow up to what was announced at Microsoft Secure. This virtual event will cover our robust security solutions, with the goal of providing your organization and the IT professionals that support you with the technical depth necessary to use our products successfully. Hear from key members of our product engineering teams who are thoughtfully preparing deep dives, demos, and will be answering questions live at the Ask Microsoft Anything (AMA) sessions.
Tune in, ask ALL the questions, skill up, and have fun!
During this three-day technical skilling event, you will be able to:
Engage with our product and engineering teams through live Q&A
Learn best practices and build community with your security and endpoint management peers
Get prescriptive technical guidance that will help you and your organization implement our comprehensive solutions
Learn more, RSVP, and build your schedule at https://rodtrent.com/s5q
…
As I sit here writing this, we have our first basement waterproofing service appointment scheduled in a couple of hours. I’m looking forward to getting this resolved.
That’s it from me for this week. Enjoy the newsletter.
Talk soon.
Things to Attend
APR 5 Microsoft Compliance | Endpoint DLP and DLP Incident Management - Join us to learn more about exciting developments in Endpoint DLP and DLP Incident Management.
MAY 2 Microsoft Defender for Cloud | What’s New in the Last 3 Months - Microsoft Defender for Cloud is in active development and receives improvements on an ongoing basis. In this session, we will summarize and demo what we've released for Microsoft Defender for Cloud in the last 3 months that you need to know about.
MAY 3 Microsoft Defender for Cloud | Better Together: Microsoft Defender Vulnerability Management & Microsoft Defender for Servers - In this webinar, you can join Product Managers from Microsoft Defender Vulnerability Management and Microsoft Defender for Servers teams to learn more about the solution, how it is integrated into Defender for Servers, and why it's better to use them together.
MAY 4 Azure Network Security | Azure DDoS IP Protection - Join us for this webinar and learn the features and protection capabilities of Azure DDoS and how Azure DDoS IP Protection can protect your critical Azure resources from DDoS attacks.
MAY 10 Microsoft Defender for Cloud | Shift-Left and Secure Your Code Using Microsoft Defender for DevOps - In this presentation, we’ll focus on showing you a practical demo of how to use Defender for DevOps to protect your organization’s code. We’ll show you the pre-requisites required to start using Defender for DevOps, as well as a step-by-step guide on the current available functionality.
The Microsoft Secure 2023 Learn Live series is still underway! Join in real-time or watch on demand - Microsoft Secure 2023 may be over, but the learning continues. We have a range of learning opportunities for you that complement key topics and themes from the event, including a series of four Microsoft Secure Learn Live episodes you can join in real-time or watch on demand.
Things that are Related
BIG NEWS: Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI - Today, at our inaugural Microsoft Secure event, I am delighted to welcome you to the new era of security — shaped by the power of OpenAI’s GPT-4 generative AI — and thrilled to introduce to you Microsoft Security Copilot.
Guidance for investigating attacks using CVE-2023-23397 - This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.
Retrieve Azure AD Sign-In Logs with Microsoft.Graph PowerShell Module - In this blog post, we will explore how to retrieve Azure AD Sign-In logs using Microsoft.Graph PowerShell Module. Azure AD Sign-In logs provide crucial insights into user authentication events, helping organizations monitor security and troubleshoot potential issues. The Microsoft.Graph PowerShell Module simplifies the process of accessing these logs, allowing you to manage and analyze them with ease.
Why De-privileging? - This post starts a series explaining why we at Microsoft Security Services for Incident Response recommend some of our favorite protections. Our first post in the series talks about identity hygiene.
Things to Watch/Listen To
Introducing Microsoft Security Copilot - Microsoft Security Copilot can augment security professionals with machine speed and scale, so human ingenuity is deployed where it matters most. Welcome to the new era of security.
Things in Techcommunity
Deploying and Onboarding 2008 R2 - We purchased Defender for Business Servers, and I need to install it on some 2008 R2 servers. There is no Defender for Endpoint software, so following the guides, I only have to install the MMA, but then how do I know my server is protected? Do I need to enroll it in Azure?
Possible to Disable ATP Control over OnPrem Account - Is it possible to generally disable ATP to manage OnPrem AD Accounts?
Things to Have
Untitled Goose Tool - Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).
Things from Partners
Next month, the Microsoft Security Insights show kicks off a series talking with several MISA members in the run-up to the RSA conference. I hope you can join.
Learn more here: https://rodtrent.com/9hn
Things in the News
Microsoft Incident Response Retainer is generally available - Microsoft Security is expanding its incident response presence and we’re excited to announce the Microsoft Incident Response Retainer is now generally available.
Microsoft Secure: Explore innovations transforming the future of security - At our inaugural Microsoft Secure event, we’re sharing our latest innovations across security, compliance, identity, management, and privacy. Continue reading this blog post for the top Microsoft Security announcements in AI, identity, and data protection, and watch Microsoft Secure today or on-demand for more information on these exciting innovations.
Defender for Cloud Things
NEW: Improved experience for managing the default Azure security recommendations - To improve your overall security posture, you have to implement security recommendations for your environment. The Microsoft Cloud Security Benchmark is a Microsoft-authored set of guidelines that are being adopted as the default for security and compliance best practices based on common compliance frameworks.
NEWS: Announcing Defender CSPM GA & new data security capabilities in Microsoft Defender for Cloud - With the increasing complexity around the development and adoption of cloud applications, organizations worry about vulnerabilities in code getting deployed, critical misconfigurations, overprivileged access to cloud infrastructure, and evolving threats that can cause sensitive data exposure. Microsoft is leading the next chapter of comprehensive multicloud security so organizations can start secure with proactive posture hardening and stay secure with advanced threat protection across cloud apps, infrastructure, and data.
Defender for Endpoint Things
BLOG: Mapping MDE and Windows Security Events overlap - Today, I will be showing you how we can compare data coverage of data sources in Sentinel with MITRE ATT&CK and OSSEM. In this post you will find guidance about how to plot the MITRE ATT&CK data coverage of Windows Security Events and Microsoft Defender for Endpoint, so we can see the overlap between the two and hopefully can choose which data source to use.
365 Defender Things
BLOG: Multi-cloud Cyberattack Response | How Microsoft's SIEM & XDR work together - Investigate and contain sophisticated attacks in real-time using updates to Microsoft’s integrated XDR solutions. Get an inside look at a multi-stage and multi-cloud incident inspired by real tactics, techniques, and procedures in Microsoft Sentinel, and visibility into the attack sequence and timeline of alerts with Microsoft 365 Defender. Use Threat Intelligence to investigate and stop threat actors in their tracks with real-time threat disruption and automate mitigations to contain the damage.
BLOG: Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer - More and more customers ask me what the options are to extend the retention in Microsoft 365 Defender beyond the default 30 days.
Microsoft Purview Things
BLOG: Automatically Classify & Protect Documents & Data | Microsoft Purview Information Protection - Discover, classify, and protect sensitive information automatically, wherever it lives or travels with Microsoft Purview Information Protection. Built-in protections follow documents on mobile, in the browser, or as you coauthor them, with no add-ins required. Policy tips keep end users compliant without compromising productivity.
NEWS: A proactive and comprehensive approach to data security with Microsoft Purview Data Loss Prevention - Today, we are extremely excited to announce several new capabilities in public preview in Microsoft Purview DLP.
NEWS: Simplify the lifecycle of sensitive data - Scoped administration in Data Lifecycle Management enables you to assign an administrator to configure retention and label policies for only one or more administrative units. They can only see their administrative unit's policies in the Microsoft Purview compliance portal. Previously, you could only assign a tenant-wide admin for Data Lifecycle Management. The public preview of scoped administration for Data Lifecycle Management is coming in April 2023.
NEWS: Learn how Microsoft Purview Information Protection discovers and protects your most sensitive data - With Microsoft Purview, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate. This includes Microsoft clouds such as Microsoft 365 and Azure, as well as on-premises, hybrid and third-party clouds, and SaaS applications. With Microsoft Purview Information Protection, we are building a unified set of capabilities for data classification, labeling, and protection for our customer’s multicloud and multiplatform IT landscape.
NEWS: Streamline your multi-cloud assessments with Microsoft Purview Compliance Manager - Today, we are excited to announce the public preview of the integration between Microsoft Purview Compliance Manager and Microsoft Defender for Cloud to address our customers’ multi-cloud reality.
NEWS: Manage the most critical data security risks inside your organization with intelligent automation - Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Defender for Office Things
BLOG: Insider Threat: Malicious admin reading your emails! - Email privacy is a very sensitive subject. Permissions to inboxes are heavily managed and it’s a very bad idea to give yourself as an IT Admin permissions to a mailbox of an end-user. There are multiple options to get access to the content of a mailbox, but some are more stealthy than others. In this blog post, I zoom in on the most stealthy way (according to me) to view the content of a mailbox.
NEWS: Announcing Collaboration Security for Microsoft Teams - Attacks like phishing and ransomware, which for decades have primarily used email as an entry point, are now also targeting users on collaboration tools with growing frequency. To help organizations defend against these emerging cyber-attacks, we are excited to announce the public preview of Collaboration Security for Microsoft Teams. If you are a customer of Microsoft E5, Microsoft E5 Security, or Microsoft Defender for Office 365, you can take advantage of this new capability immediately and improve the security of your Microsoft Teams.
Defender Threat Intelligence Things
NEWS: What's New at Microsoft Secure for Microsoft Defender Threat Intelligence - Since introducing Microsoft Defender Threat Intelligence (Defender TI) in August, our customers have made their organizations safer by proactively addressing threats with its array of raw intelligence and having unparalleled insight into the threat ecosystem with its extensive library of finished intelligence. Today, we are excited to announce several new features and capabilities that put more threat actor insights at our customers' fingertips and enhance SIEM and XDR capabilities in their existing tools and workflows, including the integration of Defender TI into Microsoft 365 Defender.
BLOG: Properly Setting Up the New MDTI Solution for Microsoft Sentinel - I’m writing this blog post for no other reason than to highlight and point folks to the proper steps for installing and configuring the Microsoft Defender Threat Intelligence solution announced this week in public preview. You’d think a blog post like this wouldn’t be necessary, but you’d think wrong.
BLOG: Get Ahead of Cyberattacks with Microsoft Defender Threat Intelligence - With sophisticated cyber-attacks on the rise, get detailed and current intel on trending attacks with Microsoft Defender Threat Intelligence. Enrich investigations and contain threats before they impact your organization with exclusive access to the same raw attack signals our Microsoft Researchers have. Easily gauge the severity of a threat and seek specialist assistance with Threat Profiles that link threats and their methods to known threat actors.
NEW: What's New: MDTI Microsoft Sentinel Playbooks - Microsoft Defender Threat Intelligence (Defender TI) now has new ways to boost interoperability and help the SOC punch above its weight by responding to threats at scale. During Microsoft Secure, we introduced capabilities that help enterprise users power up automation with Microsoft Defender Threat intelligence, including an API and Microsoft Sentinel Playbooks. These new playbooks will enable defenders to tap into Defender TI's raw and finished intelligence at scale to quickly boost their understanding of and automatically triage threats.
NEW: What's New: Intel Profiles Deliver Crucial Information, Context About Threats - We're thrilled to introduce Intel Profiles, a single, reliable source of information in Microsoft Defender Threat Intelligence (Defender TI) security operations teams can use to have instant insight into the threat ecosystem, including pertinent details about vulnerabilities, threat actors, and infrastructure used in attacks. Intel profiles combine 65 trillion threat signals with the expertise of over 8,500 dedicated security professionals to translate that global threat landscape into immediately actionable insights. By comprehending their tactics, infrastructure, and methods of operation, security teams can take proactive steps to prevent threat actors from breaching their organization's defenses.
VIDEO: Get Ahead of Attacks | Microsoft Defender Threat Intelligence - With sophisticated cyber-attacks on the rise, get detailed and current intel on trending attacks with Microsoft Defender Threat Intelligence. Enrich investigations and contain threats before they impact your organization with exclusive access to the same raw attack signals our Microsoft Researchers have. Easily gauge the severity of a threat and seek specialist assistance with Threat Profiles that link threats and their methods to known threat actors.
Defender EASM Things
NEW: Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview - The Microsoft Defender EASM (Defender EASM) team is excited to share that new Data Connectors for Azure Log Analytics and Azure Data Explorer are now available in public preview.
Microsoft Entra Things
BLOG: Latest Microsoft Entra advancements strengthen identity security - At the recent Microsoft Secure event, I shared ways to strengthen your identity defenses using the latest innovations we’re delivering in Microsoft Entra. These include new governance controls and real-time access protections to help you secure identities and the resources they access.
BLOG: Microsoft Entra Updates You May Have Missed - The second quarter of the Microsoft year saw several security feature updates for Microsoft Entra, as well as the announcement of general availability in a wide number of capability areas throughout the security space to help you improve your organization’s security posture.
NEWS: 2023 State of Cloud Permissions Risks report now published - As organizations are embracing and adopting multicloud infrastructures, identity permissions have increased across three leading cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Although this shift brings new opportunities for innovation, it presents new permission challenges organizations have never faced before. Today, we’re thrilled to announce our 2023 State of Cloud Permissions Risks report. The report covers key risk findings surrounding identities and permissions across multicloud infrastructures.