Things from Me
Happy Friday all!
As I noted in last week’s newsletter issue, I spent time on the Microsoft campus this past week attending BlueHat.
The week was a good one. There were some amazing opportunities to reconnect with people I hadn’t seen in a long while and strengthen those relationships, to put faces with names who I’ve only known through Teams meetings or over community channels, and to connect with a lot of great people for the first time. Intimate events like BlueHat are great for this type of thing.
I was happy to also hear from many who are regular subscribers to this newsletter. So, if you’re reading this and you’re one of those that mentioned the newsletter to me this week, thanks so much for going out of your way to find me and connect this week.
For those not at BlueHat this week, I look forward to connecting with you at an upcoming conference in the near future.
…
Defender for Servers Capabilities Survey
Microsoft Defender for Cloud (MDC) helps customers improve their security posture by giving them visibility into, and remediation of, vulnerabilities through Cloud Security Posture Management (CSPM), and by protecting against threats through Cloud Workload Protection (CWP) capabilities. MDC has a Defender for Servers plan that secures and protects servers on-prem and in multi-cloud environments, including cloud-native protection and agentless and agent-based scanning, on top of leading EDR capabilities (from MDE).
We're conducting this survey to understand how you currently use Defender for Servers and how you find the current capabilities useful in protecting your cloud, as well as to get your input on how we might provide better protection within Defender for Servers.
Survey link: https://rodtrent.com/g2j
…
As good as the week was, I’m ready to head home. As you’re reading this, I still have one more day of on-campus activities before I spend my Saturday making the trek back home.
Talk soon.
-Rod
Things to Attend
Microsoft Secure registration is live! - Join us March 28 at 8:30 AM PDT for a brand-new digital event, Microsoft Secure—a place for security professionals to learn and share comprehensive security strategies to protect everything.
Things that are Related
The New Microsoft Security Customer Connection Program (CCP) - Today, we are happy to announce that these two communities have now come together under one team – The Microsoft Security Customer Connection Program.
Boost your security skills with the new 30 Days to Learn It challenge - Recently, Microsoft Learn has introduced a new security-themed challenge called Information Protection Administrator. Participating in this challenge (and others) can help you skill up at your own pace while pursuing your career and organizational goals. Even better, successful completion can earn you a 50 percent off certification exam voucher.
Interactive KQL Cheatsheet - A cheatsheet can be a useful tool for individuals who are looking to quickly access key information in a well-organized format. However, traditional cheatsheets can often lack the depth of information necessary to fully understand a subject. This can lead to frustration and decreased efficiency, negating the benefits of having a cheatsheet in the first place. To address these issues, I have created an interactive KQL cheatsheet that not only provides a well-organized and compressed summary of key information, but also goes beyond what is typically expected from a cheatsheet by filling in the missing gaps.
Things to Watch/Listen To
Ready to be a Kusto Detective with Azure Data Explorer? - Your detective journey starts with the Kusto Detective Agency for Azure Data Explorer. This is a really fun way to learn the Kusto Query Language (KQL)! Patrick gets you started! And, it's FREE!
Things in Techcommunity
VMs Deletion - Our SOC team got an alert where 25 VMs were deleted in a single session. The investigation logs in 365 Defender show that the VMs were successfully deleted, and the same was confirmed with the user who deleted those VMs. But I still see those VMs as resources in the subscription. They are still there. What could be the reason? Probably that they were not deleted properly. Please help.
Unsupported alerts - Can anyone tell me why the Investigation state for some alerts from MCAS show up in M365 Defender as "unsupported alerts" ?
Things to Have
KQL XDR Hunting - Email-Microsoft-Defender-for-Office365
Defender for Cloud Things
BLOG: Remediating Security Issues in Code with Pull Request Annotations - It is no secret that security and development teams operate in silos. Security administrators often struggle with getting developers to remediate vulnerabilities in code because they are not able to provide remediation guidance and feedback directly within the tools developers are most familiar with (e.g., GitHub and Azure DevOps). Additionally, developers who embrace the practice of DevOps are used to moving quickly and automating as many processes as possible, causing security to struggle to keep up with the speed of development. To simplify the remediation process, reduce time to remediation, and help security teams build stronger relationships with developers, Microsoft Defender for DevOps can expose security findings as annotations in Pull Requests (PRs) within Azure DevOps and GitHub Enterprise.
CODE: Microsoft Defender for Servers - CVE Dashboard - This interactive workbook provides an overview of machines in your environment that are affected by open vulnerabilities with a focus on CVE IDs. It will show vulnerability findings for either Microsoft Defender Vulnerability Management, or the integrated Qualys VA scanner.
BLOG: Protect your storage resources against blob-hunting - Threat actors use tools to exfiltrate sensitive information from exposed storage resources open to unauthenticated public access. This process is called blob-hunting, also known as Container Enumeration on Leaky Buckets. It is a common collection tactic, easy to do, cheap to carry out, does not require authentication, and there is no shortage of open-source tools that help facilitate and automate its process.
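The blurb above describes blob-hunting as unauthenticated enumeration of publicly readable containers. One way to spot that activity from the logs, as an added example that is not from the linked blog, is a KQL query over the StorageBlobLogs table, which assumes Azure Storage diagnostic logs are being forwarded to a Log Analytics workspace. The thresholds and operation list are constructed starting points, not values from the post.

```kql
// Added example (not from the linked blog): surface successful anonymous
// list/read operations against blob storage, the footprint that blob-hunting
// tooling leaves behind. Assumes StorageBlobLogs is populated via diagnostic
// settings; AuthenticationType == "Anonymous" marks unauthenticated requests.
StorageBlobLogs
| where TimeGenerated > ago(7d)
| where AuthenticationType == "Anonymous"
| where StatusCode == 200
| where OperationName in ("ListBlobs", "GetBlob", "GetBlobProperties")
| summarize Operations = count(),
            DistinctObjects = dcount(ObjectKey),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            UserAgents = make_set(UserAgentHeader, 10)
    by AccountName, CallerIpAddress
// Constructed thresholds: tune to the normal anonymous traffic of each account.
| where Operations > 50 or DistinctObjects > 20
| order by Operations desc
```

A single caller IP that lists a container and then reads many distinct objects over a short window stands out clearly in this output; the remediation is to review whether those containers need anonymous access at all and, where they do not, disable it at the container or storage-account level.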
Defender for Endpoint Things
BLOG: How to Manage Microsoft Defender Policies with Intune on Non-Managed Devices - From the endpoint security management architecture perspective, this scenario fills the gap of managing endpoint security features on unmanaged devices. For Intune-managed devices, either cloud-only or co-management scenarios provide the endpoint security management capabilities. Also, Intune and Configuration Manager integration provides similar management capabilities for on-prem (ConfigMgr) managed devices.
BLOG: Properly Configure MDE for Windows - We’re going to look at what a properly configured device looks like to combat today’s threats. We’ll walk through the settings our lab device will have configured to give us a strong security posture when it comes to fighting the current landscape. Let’s kick things off: we’re going to get a few things set up so that you can follow along, should you want to replicate any testing for yourselves.
BLOG: Protecting Against LSASS Dumps - In this week’s Defend(er) Against, we are going to look at the project called DumpThatLSASS by D1rkMtr, where the objective is to leverage MiniDumpWriteDump. I have seen many people talking about this one, so I figured it was a good one to start with.
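The post above looks at a tool built on MiniDumpWriteDump, which first needs a handle to the LSASS process. As an added example that is not from the Defend(er) Against post, the following Advanced Hunting query in Microsoft 365 Defender lists the processes that opened such a handle, using the DeviceEvents OpenProcessApiCall action; the DesiredAccess parsing from AdditionalFields and the exclusion list are assumptions to validate against your own telemetry.

```kql
// Added example (not from the linked post): which processes opened a handle
// to lsass.exe? Assumes the Microsoft 365 Defender Advanced Hunting schema,
// where FileName is the target process and InitiatingProcess* is the caller.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// Assumption: the requested access mask is carried in AdditionalFields.
| extend DesiredAccess = tostring(parse_json(AdditionalFields).DesiredAccess)
// Constructed baseline exclusions for well-known Windows components; confirm
// each one in your environment before relying on it.
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "wininit.exe", "services.exe")
| summarize Attempts = count(),
            Hosts = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessCommandLine, InitiatingProcessSHA256, DesiredAccess
// Rare callers are the interesting ones, so sort ascending.
| order by Attempts asc
```

Hunting is the detection side; on the prevention side, the attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" blocks this handle open for unrecognized processes, and the query above is a useful way to find which legitimate software would be affected before enabling it in block mode.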
365 Defender Things
BLOG: Microsoft 365 Defender Monthly news - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2023. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you.
BLOG: MSSPs and Identity: Q&A - After I published the last blog post on MSSPs and Identity, I received various questions, and I thought it would be useful to answer the most common ones via this follow-up post. Let’s jump right in!
Microsoft Purview Things
BLOG: Introducing Adaptive Protection in Microsoft Purview—People-centric data protection for a multiplatform world - In this blog, I’ll address how our newest innovations can help your team keep your data safe while empowering productivity and collaboration. We’ll also look at steps you can take to build a layered data security defense within your organization.