Things from Me
Good Friday, folks! Thanks (as always) for showing up back here with me week after week.
I’ve been mulling something recently and want to get your thoughts on it.
Microsoft Sentinel is now being integrated more and more into the Unified Portal (Defender portal) and the standalone experience in the Azure portal is being more and more deemphasized. I suspect we’ll eventually get to a 1:1 feature sync between the Azure portal and the Defender portal, and the Azure side will be needed less and less.
And I’ve also noticed that there’s far less community content being generated specifically for Microsoft Sentinel. That means there’s far less content for this Microsoft Sentinel dedicated newsletter.
So, I’m considering merging the Microsoft Sentinel weekly newsletter with the Microsoft Defender weekly newsletter. I suspected I’d need to do this eventually, but I believe we’re getting closer and closer to that point. I don’t expect to do it right away, but I’d love to hear your thoughts on it. Use the following poll to let me know or connect directly with me on X or LinkedIn.
…
I’ve mentioned it before, but if you forgot, I’ve co-written the official Microsoft Press book on KQL. Originally, the book was slated to release in late June, but I’ve just been notified this week that it’s getting an early release!
You can expect the physical copies of the book to start shipping on May 24. The eBook/Kindle version will distribute electronically on June 13th.
Get it here: https://amzn.to/4buXkCK
And while the book releases May 24th from Amazon, it is already released and shipping from the Microsoft Press Store: https://www.microsoftpressstore.com/store/definitive-guide-to-kql-using-kusto-query-language-9780138293383
…
That’s it from me for this week. Thanks again for all you do for this community through your shares and support. Find something that resonates this week, share it with a colleague. Don’t keep it to yourself.
Talk soon.
-Rod
Things to Attend
Secure AI Briefing: Protect at the Speed and Scale of AI - Join us at a Microsoft Technology Center for this limited series to learn how Microsoft Copilot for Security and Tanium Converged Endpoint Management (XEM) can help protect more within your organization. Sessions run 9:00 AM - 12:00 PM local time in a city near you!
New York, NY: May 21st
Detroit, MI: May 22nd
Atlanta, GA: June 4th
Toronto, ON: June 12th
Irvine, CA: June 13th
Things that are Related
Microsoft will require MFA for all Azure users - This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in place additional security to protect your cloud investments and company.
Things to Watch/Listen To
Things in Techcommunity
MDI Health Issue "Auditing on the Configuration container is not enabled as required" - I have tried to resolve this MDI Health Issue "Auditing on the Configuration container is not enabled as required", but sadly without success.
Strange DNS queries searching for aatp.dns.detection.local being made from MSDI sensors on DCs - We have noticed that DNS queries for aatp.dns.detection.local are coming from MSDI sensors on some of our DCs. The strange thing is that the queries are going to DNS servers that are not configured anywhere on the DC or elsewhere. The DNS servers that the queries are directed to are going to be switched off in the near future - will this cause an issue for MSDI detections?
Partner Things
CRITICALSTART® Named a Major Player in 2024 IDC MarketScape: Worldwide Emerging Managed Detection and Response Services - Critical Start, a leading provider of Managed Detection and Response (MDR) cybersecurity solutions and pioneer of Managed Cyber Risk Reduction (MCRR), was recently named a Major Player in the IDC MarketScape: Worldwide Emerging MDR Services (doc #US50101523, April 2024).
Copilot for Security Things
Copilot for Security things now has its own bi-weekly newsletter!
News Things
Microsoft puts its RiskIQ acquisition to work - Microsoft today added two new features to its Microsoft Defender security platform: Microsoft Defender Threat Intelligence and Microsoft Defender External Attack Surface Management. These features are based on the company's acquisition of RiskIQ and with this launch, Microsoft is now bringing some of RiskIQ's core features to its own security platform (all while RiskIQ continues to operate its own services, too).
Defender for Cloud Things
Securing your API Management service from day one with Defender for APIs - We are excited to announce that you can now secure your Azure API Management (APIM) managed APIs from day one with Defender for APIs. This allows you to enable security as soon as you create your APIM service within the Azure portal. Security for APIs is no longer an afterthought: API management administrators do not need to leave the Azure API Management portal experience to turn on protection for their APIs, which are a critical entry point into the API attack surface.
Defender XDR Things
Host Microsoft Defender data locally in Switzerland - We are pleased to announce that local data residency support in Switzerland is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity.
Easily detect CVE-2024-21427 with Microsoft Defender for Identity - The recently published CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability fixed the potential bypass of authentication policies configured in Active Directory. We strongly recommend that you deploy the latest security updates, including the most recent patch, to your servers and devices to help ensure you have the latest protections available.
Microsoft Purview Things
Prioritize Security Incidents Based on Data Importance | Microsoft Defender with Microsoft Purview - Prioritize incidents based on data significance, detect insider risks, and adapt protections in real-time with Microsoft Defender XDR and Microsoft Purview. Customize thresholds and risk indicators to detect anomalous behavior and prevent potential breaches with Adaptive Protection. Receive real-time DLP alerts triggered by policy matches, ensuring immediate action to safeguard sensitive data. Gain comprehensive visibility into threats and enforce policies across all devices and applications.
Microsoft Teams DLP Playbook - This document provides an overview of how enterprise customers can deploy Microsoft Teams-DLP for protecting sensitive information. Microsoft Purview Data Loss Prevention has integrations with multiple workloads that help to protect customer data with a single policy. Teams DLP is one of the workloads within Microsoft Purview Data Loss Prevention. This guide walks through the different aspects of deploying use cases across content/containers.
Dos and Don'ts for Microsoft Purview | LinkedIn - Microsoft Purview is a comprehensive governance solution designed to help organizations manage and govern their on-premises, multi-cloud, and software-as-a-service (SaaS) data. Understanding the best practices and common pitfalls is crucial for maximizing its benefits and ensuring data compliance and security.
Defender for Office Things
Email Protection Basics in Microsoft 365 Part Five: Mastering Overrides - Microsoft Support is excited to continue the blog series that will demystify how Microsoft 365 email protection works. In this fifth and final part of the series, we will cover the different overrides, why you may need them, and why it isn’t a good idea to keep them permanently.
Microsoft Entra Things
Microsoft Entra delivers increased transparency - Seventy-five percent of cybersecurity professionals say the current threat landscape is the most challenging it has been in the last five years, according to the 2023 ISC2 Cybersecurity Workforce Study. You’re probably on the hook to secure access for your organization – preventing identity attacks and securing least privilege access. And we know it’s intense.
Completing DFSR SYSVOL migration of domains that use Entra ID passwordless SSO - Heya folks, Ned here again. A customer recently reached out to me in the comments section of the well-worn Streamlined Migration of FRS to DFSR SYSVOL article, asking about a problem he was seeing with a single DC that wouldn't complete the process. Today I'll explain how to fix the issue introduced by a very modern authentication add-on.
How to Apply Easy Auth on Web App under a High-security policy environment - With increasing emphasis on security issues, enterprises are imposing significant restrictions on the internal resources and operations accessible to employees. If your Azure account does not have sufficient Microsoft Entra ID (formerly Azure AD) permissions, you will be unable to quickly set up Easy Auth on a web app. This article serves as a simple guide that walks you through the process of setting up Easy Auth for your web app.
Microsoft Entra Private Access for on-prem users - Microsoft Entra Private Access, part of Microsoft’s Security Service Edge (SSE) solution, securely connects users to any private resource and application, reducing the operational complexity and risk of legacy VPNs. It enhances the security posture of your organization by eliminating excessive access and preventing lateral movement. As traditional VPN enterprise protections continue to wane, Private Access improves a user’s ability to connect securely to private applications easily from any device and any network—whether they are working at home, remotely, or in their corporate office.