Things from Me
Happy Friday, everyone! Thank you for your continued support of this community.
There’s plenty to catch up on in today’s newsletter issue, so I just want to share a couple of things I think you might find interesting before leaving you to the newsletter content.
…
First…
A couple of colleagues and I have written an “official” book on KQL for Microsoft Press. Titled The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting, this book goes from basic to advanced. And, while the book itself is cool, an even cooler thing is that there’s also a GitHub repo for it that includes all of the example queries and data sources in the book, plus plenty more that were donated by several product teams at Microsoft. We finalized the GitHub repo this past weekend and realized there are over 500 ready-to-use queries. That’s quite a lot of added value for the price of a book.
The repo will be public and available closer to the book release (June 2024).
You can pre-order the book from Amazon: https://amzn.to/49sTgSR
There will be a Kindle/eBook version of the book, but that may not show up until after the book releases.
…
Second…
Hopefully you know by now, but Brodie Cassell, Edward Walton, Andrea Fisher, and I host a weekly security show called The Microsoft Security Insights Show. We’re nearing our 200th episode, and this month we have a stacked guest list for Women in Cybersecurity month.
But more than that, we’re also starting to branch out and use our skillsets to participate in other areas. Later this month, we will be delivering some Learn Live events as part of a Copilot for Security motion.
We hope you’ll join to learn more: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-about-ai-and-microsoft-copilot-for-security-with-learn/ba-p/4076305
…
Lastly…
As you can probably tell, there’s been a growing amount of Copilot for Security content in this newsletter each week. That’s to be expected as we get closer to Copilot for Security reaching GA. If you’re interested in knowing more about that special GA date, make sure you attend the online Microsoft Secure event next week <wink, wink - nudge, nudge>.
But, if there are a couple of pieces of content I’d recommend reviewing this week, check out the following:
Improving Threat Hunting Efficiency using Copilot for Security
Introduction to Mad Prompts: Copilot for Security is a blank
…
The wife and I have been on pins-and-needles the last week or so after returning from our wedding anniversary weekend (I mentioned this over the past couple of newsletter issues). Why? Our oldest daughter is severely close to giving birth to our second grandbaby. She’s due March 10th. So, at every noise during the night now, we both instantly wake up wondering if it was a message or notification that it was time to act.
So, I’m a bit sleep deprived this week. I thought losing sleep over babies would be over once your own babies were grown. I guess not.
Talk soon.
-Rod
Things to Attend
Learn about AI and Microsoft Copilot for Security with Learn Live - Microsoft is launching a Learn Live Series called “Getting Started with Microsoft Copilot for Security.” This weekly online seminar series will run from March 19th through April 9th and will review skill development resources and discuss topics related to AI and Copilot for Security. Hosts Edward Walton, Andrea Fisher, and Rod Trent will guide you through four topics each with a corresponding Microsoft Learn module designed to help anyone interested in getting users ready for Microsoft Copilot for Security.
Things that are Related
Azure DDoS Protection – SecOps Deep Dive - Azure DDoS Protection is a security solution offered by Microsoft Azure to protect applications and resources from Distributed Denial of Service (DDoS) attacks. DDoS attacks are a type of attack that attempts to overwhelm a target application or service by flooding it with a massive volume of malicious traffic, thereby rendering it unavailable to legitimate users.
ITDR vs XDR - Cybersecurity is a constantly evolving field that requires organizations to keep up with the latest threats and solutions. One of the challenges that many organizations face is how to integrate and manage different security tools and data sources across their networks.
Enhancing protection: Updates on Microsoft’s Secure Future Initiative | Microsoft Security Blog - At Microsoft, we’re continually evolving our cybersecurity strategy to stay ahead of threats targeting our products and customers. As part of our efforts to prioritize transparency and accountability, we’re launching a regular series on milestones and progress of the Secure Future Initiative (SFI)—a multi-year commitment advancing the way we design, build, test, and operate our technology to help ensure that we deliver secure, reliable, and trustworthy products and services, enabling our customers to achieve their digital transformation goals and protect their data and assets from malicious actors.
Announcing the Public Preview of Change Actor - Identifying who made a change to your Azure resources and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions.
Things to Watch/Listen To
Things in Techcommunity
Get Device Description from Defender API - I'm using the Defender for Endpoint API to generate customized server vulnerability reports. When I use the Defender portal to look up a server under Device Inventory, I can see, at the bottom of the screen under Directory data, a device Description that seems to be derived from the on-prem AD server object's description.
Defender Alert for Unsecured Wireless - I have a requirement that users be prohibited from connecting to unsecured wireless networks. From what I understand, Intune does not have the ability to restrict users from connecting to unsecured or open wireless networks. So I was looking at Defender to see if there is a way to at least notify/alert me if a user connects to an open network, or a network that only uses WEP, for instance. Anyone have any experience with this type of requirement?
Copilot for Security Things
Introduction to Mad Prompts: Copilot for Security is a blank - Prompting is key to producing the best results when using a Generative AI assistant to augment your daily tasks or produce desired information. Let’s gamify the learning.
Improving Threat Hunting Efficiency using Copilot for Security - Copilot for Security is the next level in the ongoing story to resolve efficiency in security. It is a solution that can help organizations overcome the challenges of threat hunting and achieve better security outcomes.
How Microsoft Copilot for Security helps defend against human-operated ransomware attacks | Microsoft Security Blog - The availability of Microsoft Copilot for Security brings SecOps teams a new tool with the power of generative AI to help outpace and outsmart threat actors. In the following demonstration videos, we take a detailed, step-by-step look at how it can help surface, contain, and mitigate a human-operated ransomware attack.
Microsoft Copilot for Security and NIST 800-171: Access Control - Early reports indicate organizations are reducing time and resource constraints by deploying Security Copilot in private preview and the early access program.
CISO Insider Briefings coming up for Microsoft Copilot for Security
NYC - Wednesday, March 27, 2024, 1:00 – 4:30 PM (GMT-04:00) - https://msevents.microsoft.com/event?id=1578191803
Bellevue, WA - Tuesday, March 26, 2024, 1:00 – 4:30 PM PST - https://msevents.microsoft.com/event?id=2187443513
An Introduction to Microsoft Copilot for Security - Microsoft Copilot for Security is one of the first security products to enable defenders to move at the speed and scale of AI. It combines an advanced large language model (LLM) with a security-specific model from Microsoft.
Things to Have
The Copilot for Security Windows background has been updated. Download here: https://github.com/rod-trent/Security-Copilot/blob/main/Images/CopilotforSecurityBackground_2_0.jpg
Thanks to Andrey Vistavkin for the update!
Defender for Cloud Things
Defender for Cloud Monthly news - March 2024 - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from February 2024.
Securing the Clouds: Achieving a Unified Security Stance and threat-based approach to Use Cases - With this new post, we focus on a different topic: the importance of adopting a threat-based approach. In the process, we discuss how this can be achieved and provide you with a few practical ideas you can apply to your scenarios.
Defender for Endpoint Things
Use the new investigation and response capabilities for macOS and Linux - Today we are excited to announce a new set of investigation and response capabilities across macOS and Linux operating systems. These include file and investigation package collection for macOS and Linux and troubleshooting mode for macOS.
Defender XDR Things
Automatic attack disruption in Microsoft Defender XDR and containing users during Human-operated Attacks - Microsoft announced last year a new feature named Automatic Attack Disruption in Defender XDR (Microsoft 365 Defender). Since October last year, Microsoft has expanded the Automatic attack disruption feature with support for human-operated attacks and the ability to contain users. My earlier published blog covers the basics of Attack disruption; this blog goes more in-depth on human-operated ransomware and user containment as part of Defender XDR. With this new feature, Microsoft can stop human-operated attacks on its own with the use of automated actions.
Defender for Office Things
Navigating Permissions Management: Microsoft Defender XDR's RBAC Walkthrough for Microsoft Defender - We are very excited about the Microsoft Defender XDR RBAC announcement as GA in December 2023, also available in GCC, GCC-High, and DoD environments. Microsoft Defender XDR unified role-based access control is the new permissions model across the various Defender workloads, and is a critical step forward in our “least privilege” permissions principle for Microsoft Defender for Office 365.
Announcing persistent views and UX enhancements in Threat Explorer - In response to the ever-evolving landscape of cyber threats, Threat Explorer plays a critical role in identifying and mitigating security risks within Office 365 environments. Microsoft Defender for Office 365 is focused on refining the user interface and functionality in Threat Explorer to provide a more intuitive, responsive, and seamless experience for users, empowering them with robust security solutions and ensuring a proactive and effective defense against cyber threats.
Microsoft Entra Things
Entra Private Access & Windows Hello for Business Kerberos Trust - Network Drive Fails for 10 min. after restart and user login - Blog by Morten Knudsen about Microsoft Security, Azure, M365 & Automation - If you are using Entra Private Access (or other SSE solutions) together with Windows Hello for Business Kerberos Trust, you might experience that access to network drives fails for 10 minutes after restart and user login, with the error “The system cannot contact a domain controller to service the authentication request”. After 10 minutes, it works!
Purview Things
Troubleshoot and Manage Microsoft Purview Data Loss Prevention for your Endpoint Devices - Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings.
Hi Rod,
I'm definitely interested in the upcoming book release on KQL! I would like to pre-order it, but ultimately I want a Kindle version. If we order the paperback, does that give us access to the Kindle version? Or should I wait until the Kindle version comes out? Thank you!
-dave