Things from Me
Good Friday everyone!
This week has been my week back from being away for a couple weeks. If you remember, I was away first speaking at a conference (MMS MOA) and then I took a week off to recoup. But, unfortunately, that week of recuperation didn’t happen as my wife had plenty of house things for me to do. When things were finally accomplished, I slept for almost 10 1/2 hours straight. I haven’t slept that long since my teenage years. And, even when I finally woke, I had brain fog for a couple hours longer. And this was my first day back on Monday.
So, for anyone that I may have offended, or I just sounded a bit looney during the brain fog, I apologize. Things have finally gotten back to normal. I blame it on getting older.
…
During our Microsoft Security Insights show this week, we had another MISA member, Quorum Cyber, on to discuss the company’s current foray into the US market. It was another awesome episode. However, the company has just opened a new role and is looking to fill it quickly. If this is something of interest to you, hit the following link.
Lead Detection Engineer - The lead detection engineer runs our team of engineers focused on detections for the Managed Detection and Response service. This includes regularly updating our library of Microsoft Sentinel analytics and enrichments, working closely with the SOC, TI and IR teams. The role reports into the Head of Engineering.
…
That’s it from me for this week. I hope your weekend and week ahead set the bar for being the best.
Talk soon.
-Rod
Things to Attend
Microsoft Go Beyond Data Protection Series: Conversations on Data Security - Friday, 19 May 2023, 1:30 – 3:30 pm BST - Join Microsoft UK’s Chief Security Advisor, Sarah Armstrong Smith, as she has a Data Security conversation with Microsoft customers, partners, and technical advisors. Learn about Data Security best practices, how to address the biggest challenges around the people and process side of Data Security, and get equipped with the three key technology components every organisation needs to build this strategy.
Reimagine secure access with Microsoft Entra - Tuesday, June 20, 2023 9:00 AM – 10:30 AM Pacific Time (UTC-7) - As your digital footprint continues to expand with more identities, resources, apps, and endpoints to secure, identity and access must evolve. Attend Reimagine secure access with Microsoft Entra to hear about the latest identity and access innovations. Learn how establishing identity as your first line of defense can help you be more secure, resilient, and efficient in our connected world.
MAY 31 (9:00AM PT) Microsoft Defender for Cloud Apps | App Governance Inclusion in Defender for Cloud Apps Overview - We recently announced the inclusion of App Governance in Defender for Cloud Apps. Tune in for an overview of the experience and bring any questions you may have about the announcement!
JUN 7 Microsoft Compliance | Microsoft Purview Advanced Classification Scanning and Protection for Endpoints Running on Mac OS - In this call, we will be covering these new features:
Endpoint DLP Support for Network File Shares
Endpoint DLP Support for Virtualized Environments
Advanced Classification Support for Mac OS Endpoints
JUN 14 Microsoft Defender for Cloud | Securing APIs with Defender for APIs - APIs are the topmost attack vector in cloud applications with increasing numbers of high-profile attacks. Learn how to secure your APIs through Microsoft Defender for APIs, a new product that brings discovery, & full lifecycle protection, detection, & response coverage for your APIs.
JUN 14 (9:00AM PT) Microsoft Defender for Identity | Become an Advisor to Our Product Engineering Team - The Microsoft Defender for Identity product engineering team is excited to share a program for customers to become trusted advisors and impact our feature planning. Engage directly with the engineering team, learn what's coming, test out private previews, and share your experiences and recommendations.
JUN 21 Microsoft Defender for IoT | Successful Deployment of Microsoft Defender for IoT - The process, considerations, factors involved in the successful deployment and operations of Microsoft Defender for IoT.
JUL 20 Microsoft Defender External Attack Surface Management (EASM) | What's New in Microsoft Defender External Attack Surface Management - Microsoft Defender External Attack Surface Management would like to showcase the new product developments to allow users to identify and report on findings more custom to their needs.
Things that are Related
Have a JSON headache in KQL? Try mv-expand or mv-apply - One of the more difficult things to learn in KQL (apart from joining tables together) is how to deal with multi-value sets of data. If you work with particular types of data, such as Azure AD sign-in data or Security Alert data, you will see lots of these data sets too. There is no avoiding them. What do I mean by multi-value? We are talking about a set of data that is a JSON array and has multiple objects within it. Those objects may even have further nested arrays. It can quickly get out of hand and become difficult to make sense of.
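An added example (not from the linked article) of the two operators on a constructed table whose AuthenticationDetails column mimics the nested array you get in sign-in data; the column names and values are hypothetical, so adjust them to the real SigninLogs schema before using it in Sentinel.

```kql
// Constructed sample: one row per sign-in, each carrying a JSON array of
// authentication steps (hypothetical shape, not real SigninLogs output).
let Sample = datatable(UserPrincipalName:string, AuthenticationDetails:dynamic)
[
    "alice@contoso.example", dynamic([
        {"authenticationMethod":"Password", "succeeded":true},
        {"authenticationMethod":"Mobile app notification", "succeeded":false},
        {"authenticationMethod":"Mobile app notification", "succeeded":true}
    ]),
    "bob@contoso.example", dynamic([
        {"authenticationMethod":"Password", "succeeded":true}
    ])
];
// mv-apply runs a subquery over each row's array and folds the result back
// into that row, so we keep one row per sign-in and count MFA steps that failed.
Sample
| mv-apply Detail = AuthenticationDetails on (
    summarize FailedMfaSteps = countif(
        tobool(Detail.succeeded) == false
        and tostring(Detail.authenticationMethod) != "Password")
  )
| where FailedMfaSteps > 0
| project UserPrincipalName, FailedMfaSteps
// Expected result: alice@contoso.example with FailedMfaSteps == 1; bob is dropped.
// If you instead want one output row per array element (e.g. to list every
// method tried), replace the mv-apply block with:
//   | mv-expand Detail = AuthenticationDetails
//   | extend Method = tostring(Detail.authenticationMethod), Succeeded = tobool(Detail.succeeded)
```

mv-expand is the right tool when you want to filter or list individual elements; mv-apply is the right tool when you need a per-row aggregate over the array without losing the parent row.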
Advanced threat hunting within Active Directory Domain Services - Knowledge is power! - What is this article about? Showing attacks, compromising domain controllers or even introducing and showing hacking tools? NO. It is about giving you a jump start on how to gather targeted information about attacks and threats in your Active Directory. Is this also a complete and accomplished listing, again no. But my goal is to give you a solid foundation to build on.
Protect Office365 and Windows365 with Azure Firewall - Office 365 customers are looking for the best cloud connectivity experience at scale to achieve end-to-end connectivity through the most optimized route possible. Traffic from the organization’s network to the required Office 365 endpoints should be managed and secured, which could be a time-consuming ongoing task. With the recent announcement of Azure Firewall integration with Office 365, you can now easily manage this traffic and leverage the firewall’s security features to secure it.
Microsoft releases CMMC guidance to raise the security and identity baseline for Defense Industry - Today we’re going to share with you some new guidance for configuring Azure Active Directory (Azure AD) to meet the Cybersecurity Maturity Model Certification (CMMC) Level 1 and Level 2 requirements.
Things to Watch/Listen To
Episode #28 - Series DfC #02 – about Microsoft Defender for Servers - In this episode, Frans Oudendorp and Pouyan Khabazi, both Microsoft Security MVPs and leading speakers on cloud security, talk with Tom Janetscheck, a Senior Program Manager at Microsoft and a former MVP himself. Tom shares his insights and best practices on how to use Defender for Servers to secure your hybrid and cloud-native environments, as well as how to leverage Azure Arc and Azure Security Center for unified management and visibility.
The BlueHat Podcast - Since 2005, BlueHat has been where the security research community and Microsoft come together as peers to debate, discuss, share, challenge, celebrate and learn. On The BlueHat Podcast, Microsoft and MSRC’s Nic Fillingham and Wendy Zenone will host conversations with researchers and industry leaders, both inside and outside of Microsoft, working to secure the planet’s technology and create a safer world for all.
Microsoft Security Insights Show Episode 153 - Quorum Cyber - Stop by as we talk with Ricky Simpson and Federico Charosky from Quorum Cyber - Managed & Professional Cyber Security Services.
Things in Techcommunity
Demo account to simulate and POC advanced hunting - I'm new in the MS Suite, my company is using the Zero Trust model, therefore I only have the real data instance available upon request, as a result I'd like to familiarize myself in the MS Defender for Endpoint capabilities in UAT kind of environment, please advise.
MITRE ATT&CK Coverage - I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework. I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory, but am struggling to see what is available in the product...
Things to Have
XDR-DetectionPercentage-SecurityProducts.yaml - Daily Percentage of Detections by Security Products.
Defender for Cloud Things
BLOG: One click to cover containers & Kubernetes in Defender CSPM (agentless) - Defender CSPM contextual security capabilities assist security teams in reducing the risk of impactful breaches. Defender CSPM uses environment context to perform a risk assessment of your security issues. Defender CSPM identifies the biggest security risk issues, while distinguishing them from less risky issues. With attack path analysis and cloud security explorer, Defender CSPM customers can address the security issues that pose immediate threats with the greatest potential of being exploited, and proactively identify security risks in their cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine.
BLOG: Advanced protection features in Defender for Servers Plan 2: Adaptive Application Controls – Part 2 - The topic of this blog will be how to start with adaptive application controls (ACC). Let’s begin by explaining at a high level what adaptive application controls are, and later on we will dive into the technical configuration of this security feature.
BLOG: Remediating Infrastructure-as-Code Security Misconfigurations with Microsoft Defender for DevOps - In today’s application development landscape, organizations are widely adopting Infrastructure-as-Code (IaC) technology to automate the provisioning and management of resources to support cloud native applications and workloads across their multi-cloud environments. By utilizing IaC, organizations can manage infrastructures with the same versioning, testing, and automation processes that they use for their application code, leading to more reliable, efficient, and secure operations.
Defender for Endpoint Things
BLOG: Hardening Windows Clients with Microsoft Intune and Defender for Endpoint - As a major part of any corporate security program, vulnerabilities on corporate assets are required to be addressed, yet teams that solely focus on the patching aspects may be missing a key area of worry: insecure setup. Whether the asset’s configuration is unrestricted by default, or an operator has made a mistake, assets will end up in an unsecure configuration. Security teams with a proactive attitude will seek methods that automatically address asset misconfiguration and, where possible, avert it in a centralized fashion. This blog will introduce a solution that uses multiple Microsoft products, including Microsoft Intune and Defender for Endpoint (MDE), to implement industry-recognized security baselines consistently while reducing the effect on the end user, along with examining some issues and suggestions for these.
Microsoft Defender for Endpoint in Depth - Understand the history of MDE, its capabilities, and how they can help secure an organization. Learn how to implement, operationalize, and troubleshoot MDE from both IT and SecOps perspectives. Leverage useful commands, tips, tricks, and real-world insights shared by industry experts.
365 Defender Things
BLOG: Automatically disrupt adversary-in-the-middle (AiTM) attacks with XDR - Microsoft has been on a journey to harness the power of artificial intelligence to help security teams scale more effectively. Microsoft 365 Defender correlates millions of signals across endpoints, identities, emails, collaboration tools, and SaaS apps to identify active attacks and compromised assets in an organization’s environment. Last year, we introduced automatic attack disruption, which uses these correlated insights and powerful AI models to stop some of the most sophisticated attack techniques while in progress to limit lateral movement and damage.
Microsoft Purview Things
BLOG: Getting started on your data security journey - Data security is a top concern and priority for many organizations. As I'm working with customers, especially in the State and Local Government, I notice that sometimes customers do not know where to begin with their data security strategy. It can be challenging to embark on this journey and there is an endless supply of information out there. To address this challenge, I wanted to provide a checklist that is digestible and will help in the various stages throughout this journey. I will also be providing supporting documentation that you can reference and provide to needed stakeholders.
Defender for Office Things
BLOG: Helping Customers Fix Their Own Issues with Microsoft Defender for Office 365 - The Microsoft 365 commercial support team resolves customer support cases and provides support to help you be successful and realize the full potential and value of your purchase. Our support services extend across the entire lifecycle and include pre-sales, onboarding and deployment, usage and management, accounts and billing, and break-fix support. We also spend a considerable amount of time working to improve the supportability of Microsoft 365 services to reduce the number of issues you experience as well as minimize the effort and time it takes to resolve your issues if they do occur.
Microsoft Entra Things
GA: System-preferred multifactor authentication - To encourage users to authenticate with the strongest method available to them, we’re announcing system-preferred authentication for MFA. This system prompts the user to sign in with the most secure method they’ve registered and the method that’s enabled by admin policy. This will transition users from choosing a default method to use first to always using the most secure method available. If they can’t use the method they were prompted to use they can choose a different MFA method to sign in.
Fun Thing This Week
This week I started my foray into developing apps utilizing DALL-E 2, i.e., image generation. I do this to help build use cases for security monitoring for Defender and Sentinel so detections can be developed. As you can see below, I have a bit of tuning to do. DALL-E took the “baby” part of my request too literally.