Things from Me
Happy Friday everyone!
Another week, another fantastic newsletter issue.
Toward the end of next week, I’ll be taking a couple of weeks off. The time off is in preparation for some hard-core focus on helping get Microsoft Ignite off the ground this year. For the first part of my time off, I’m headed to Ohio Amish country for a long-overdue visit to my best friend. For those who have been reading the newsletter long enough, you’ll remember that my best friend is a chiropractor in Amish country. There’s a longer story as to why he’s a chiropractor to the Amish, but he’s been so successful there that he built a house and lives there full time. It’s an amazing, slow-paced area and a great place to rest, recuperate, and build up energy for the busy weeks ahead.
The newsletter will definitely deliver next week, but I’m not 100% positive it will deliver the week of September 1st. I’ll know more next week and let you all know.
…
Many of you know I recently started the Must Learn AI Security series. The series is already up to Chapter 3 and is showing signs that readership will surpass the Must Learn KQL series.
With Chapter 3 on the wires, I’ve begun updating and compiling the eBook version for each new chapter. So, the Must Learn AI Security eBook is now available and will be updated each time a new part in this series is released.
The book version (pdf) of this series is located here: https://github.com/rod-trent/OpenAISecurity/tree/main/Must_Learn/Book_Version
This is the permanent location of the book; each update is revisioned and timestamped, so you know you always have the most up-to-date edition.
…
Episode 2 of the new After the Blog podcast series is released. In it, my good friend Richard “Disney” Diver helps fill in some blanks from a recent blog post around using Microsoft Sentinel for things other than security purposes and whether Content Filtering and Abuse Monitoring for AI is a component of cybersecurity.
Listen here: Episode 2: Azure OpenAI Content Filtering and Abuse Monitoring with Microsoft Sentinel
…
That’s it for me for this week.
Thanks all for your continued support and love of Microsoft Security products!
Talk soon.
-Rod
Things to Attend
Microsoft Security Insights Show Episode 166 - Merill Fernando - Wed, Aug 23, 2023, 5:00 PM (your local time) - Join us this week as we talk with Merill Fernando, Principal Product Manager, about all things Microsoft Entra. There have been lots of news and announcements recently. In this episode, Merill will attempt to explain them all. And maybe we can get his take on the rebranding of AAD.
Secure Across Horizons: Empowering Partners with Microsoft's Defender Suite and Microsoft Sentinel - Field and Industry Perspectives - August 21, 2023, 11:00 AM America/New_York
Secure Across Horizons: Empowering Partners with Microsoft's Defender Suite and Microsoft Sentinel | Day 1 - August 22, 2023, 11:00 AM America/New_York
Secure Across Horizons: Empowering Partners with Microsoft's Defender Suite and Microsoft Sentinel | Day 2 - August 23, 2023, 11:00 AM America/New_York
Secure Across Horizons: Empowering Partners with Microsoft's Defender Suite and Microsoft Sentinel | Day 3 - August 24, 2023, 11:00 AM America/New_York
Things that are Related
Microsoft Quarterly Cyber Signals Report: Issue 5, State of Play - Welcome to Microsoft’s fifth edition of Cyber Signals. Cyber Signals is a quarterly cyber threat intelligence report informed by the latest Microsoft threat data and research, offering an expert perspective into the current threat landscape, while discussing trending tactics, techniques, and strategies used by the world’s most prolific threat actors.
Things to Watch/Listen To
Things in Techcommunity
Microsoft Defender for Endpoint setup wizard ended prematurely because of an error - I have an issue where I am installing EDR on OS 2012R2 servers. I've downloaded the .msi and onboarding files from security.microsoft.com and I've installed it on more than 100 machines. Now I've run into an issue with one specific machine where the .msi does not want to proceed with the installation.
MDI sensors fail to start on new core servers - Core servers with the same settings as our other servers keep having issues with starting the sensor. Main error seems to be a 500 http error. We have checked the connectivity (gives 503 as it should), also reinstalled the network drivers just to be sure, firewall logs show nothing being blocked.
Things to Have
MDE-visualizing-ASRrule-detections.yaml - MDE - Visualizing ASR Rule Detections with KQL - This KQL hunting query will provide a summary of all devices based on ASR rule detection, including the filename and timeline.
Things from Partners
Defender for Cloud Things
Microsoft Defender for Cloud Gets More Multicloud - With Microsoft Defender for Cloud, cloud security posture management features are now available for Google Cloud Platform, as well as AWS and Azure.
Proactively secure your AWS Cloud Resources with Microsoft Defender for Cloud - In this blog, I will walk through a few scenarios of misconfigured AWS Cloud resources and how Microsoft Defender for Cloud can help proactively identify misconfigurations and allow security teams to prevent risks and remediate quickly.
Defender for Endpoint Things
Announcing mobile device tagging for iOS and Android - To ensure that admins can group all endpoint devices across their environment with ease, we are pleased to announce that Microsoft Defender for Endpoint enables admins to tag iOS and Android mobile devices, now available in Public Preview.
Microsoft Defender data can now be hosted locally in Australia - We are pleased to announce that Microsoft Defender for Endpoint, Microsoft 365 Defender and Microsoft Defender for Identity now support data residency in Australia and are available for public preview.
Defender for IoT Things
Latest Threat Intelligence (August 2023) - Microsoft Defender for IoT has released the August 2023 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).
365 Defender Things
DecipheringUAL GitHub series - This repo aims to help you decipher the UAL from a Digital Forensics & Incident Response (DFIR) perspective. The UAL is the Microsoft 365 Unified Audit Log.
Defender for Identity Things
Step-by-Step: Deploy Microsoft Defender for Identity - Comprehensive Guide - In today’s digital landscape, securing sensitive data and maintaining a robust cybersecurity posture is paramount. Microsoft Defender for Identity (MDI) is a cutting-edge solution that offers advanced threat protection by leveraging cloud intelligence and behavioral analytics.
Microsoft Defender for Identity expands its coverage with new AD CS sensor - This new sensor builds on the existing detections for suspicious certificate usage available today and extends Defender for Identity's capabilities and coverage more comprehensively across identity environments.
Microsoft Defender External Attack Surface Management
Latest functionalities uplevel asset management and enhance data visibility - Microsoft Defender External Attack Surface Management (Defender EASM) discovers and classifies assets and workloads across your organization's digital presence to enable teams to understand and prioritize exposed weaknesses in cloud, SaaS, and IaaS resources to strengthen security posture. Recently added features and enhancements uplevel asset management and enhance data visibility within the tool, helping customers gain efficiency and stay organized. Learn about these exciting new functionalities below and how you can start using them today.
Microsoft Entra Things
How to Set Up User Risk Reports to Email in Microsoft Entra - Evaluating the risk of a user in Microsoft Entra is something that Microsoft handles quite intelligently. For example, if a user reports a notification in the Microsoft Authenticator app as not being one they requested, their identity will be marked as high risk, since the correct password must have been entered to get as far as an MFA notification. On the other hand, a series of unexpected actions on a user account could indicate malicious intent, which would result in a low-risk evaluation.
Microsoft Entra Management and Security Tools - List of external resources and tools for IAM Security + Management from #Azure community, Microsoft and cloud (security) vendors
Fun Thing This Week
Fable Wizard - Create personalized children’s tales in seconds.
Thanks for the ASR hunting query, that's a keeper.
Question: would you prioritize the Defender for Cloud Apps connector when monitoring AWS, or the Sentinel connector?
ref: https://learn.microsoft.com/en-us/defender-cloud-apps/protect-aws
I see the Defender for Cloud Apps connector monitors much of what I would need right out of the box without worrying that the AWS admin is sending me too much junk from CloudTrail.
And the suggested policies for the Sentinel > AWS connector seem a bit broad. Do you have suggestions for, say, just collecting CloudTrail (more resource related - better security value) vs. CloudWatch (more API related - noisy and less security value)?
I guess I'm looking for best practices for AWS security logging to Sentinel/Defender, e.g.:
- Enable Defender for Cloud > AWS
- Enable Defender for Cloud Apps > AWS
- Enable Sentinel > AWS - for CloudTrail
Secondary Considerations:
- Sentinel > AWS - for traffic - good for TI if there's in/outbound traffic
- Sentinel > AWS - CloudWatch - for API activity - but can be very noisy/costly.
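As an added example that is not part of the newsletter or of the comment above: a Microsoft Sentinel KQL hunting query over the AWSCloudTrail table, which is the table the Sentinel AWS (S3) connector populates with CloudTrail records. Each CloudTrail record is one AWS API call, so a CloudTrail-only collection still covers the control-plane changes a SOC cares most about; the query keeps the small set of those and drops everything else, which is one way to get security value out of the connector without ingesting every event. The event list, the 90-day lookback, and reading the console MFA flag out of AdditionalEventData are my assumptions chosen for illustration, not anything the linked docs or the commenter specify.

```kql
// Added example (not from the newsletter, the commenter, or Microsoft):
// high-value CloudTrail activity in Sentinel, summarized per account and principal.
// Column names follow the AWSCloudTrail table schema used by the Sentinel AWS connector.
let lookback = 90d;   // assumption: wide window for hunting; shrink to the rule frequency for an analytics rule
// Assumption: control-plane events worth keeping even in a deliberately small collection.
let highValueEvents = dynamic([
    "StopLogging", "DeleteTrail", "UpdateTrail",            // tampering with the audit source itself
    "CreateUser", "CreateAccessKey",                        // new identities and long-lived credentials
    "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy",                       // granting or escalating rights
    "CreateLoginProfile", "UpdateLoginProfile",             // console access for an existing principal
    "DeactivateMFADevice", "DeleteVirtualMFADevice",        // weakening MFA
    "AuthorizeSecurityGroupIngress",                        // opening network exposure
    "PutBucketPolicy", "PutBucketAcl"                       // S3 exposure changes
]);
AWSCloudTrail
| where TimeGenerated > ago(lookback)
// Console sign-ins carry the MFA result in AdditionalEventData (assumption: the connector
// preserves that JSON as-is), so parse it rather than relying on session context.
| extend ConsoleMfaUsed = tostring(parse_json(AdditionalEventData).MFAUsed)
| where EventName in (highValueEvents)
    or UserIdentityType == "Root"                           // any root use is worth a look
    or (EventName == "ConsoleLogin" and ConsoleMfaUsed == "No")
// A denied call is still interesting: it shows what a principal tried to do.
| extend Outcome = iff(isempty(ErrorCode), "Success", ErrorCode)
| summarize Count     = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(SourceIpAddress, 10),
            Regions   = make_set(AWSRegion, 5)
    by RecipientAccountId, UserIdentityArn, UserIdentityType, EventName, Outcome
| order by LastSeen desc
```

Run it in Sentinel Logs once the AWS connector is populating AWSCloudTrail; the summarize keeps the result set small even against months of data, and the Outcome column separates successful changes from attempts that IAM denied. The Defender for Cloud Apps AWS connector mentioned in the comment also reads CloudTrail, but it surfaces policy alerts rather than rows you can pivot on like this, so the two are complementary rather than interchangeable.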