Things from Me
Happy Friday, all!
I hope you are ready to dive into the new season of learning and growing. As always, I’m excited to share with you some of the latest news, tips, and resources from our community of experts.
I hope you enjoy this issue and find it useful and inspiring. As always, I welcome your feedback and suggestions. You can always connect with me in the newsletter’s web page comments, or over LinkedIn or X/Twitter.
Before I sign off for this week, I wanted to let you know that this newsletter will not deliver next week. I have two of the best friends in the world. We’re coming up on our 50th year of friendship. One is a chiropractor in Ohio Amish country and the other is an art professor near Kansas City. My fellow Ohio friend and I will be making a road trip to visit our KC friend next week and I’m looking forward to both the 10 hours or so stuck in a car driving to KC, and the few days we’ll all be together doing who knows what.
I feel super blessed to have been able to build so many memories over so many years with these two and even continue to do so.
The newsletter will resume its regular schedule the week after.
Thank you for your continued support and loyalty. I am always grateful to have you as part of our community.
Talk soon.
-Rod
Things to Attend
Upcoming newly added webinars:
April 11 - Microsoft Defender Threat Intelligence | TI at Machine Speed: Using MDTI in Copilot for Security
April 16 - Microsoft Defender for Cloud | Defender CSPM Planning, Operationalization and Best Practices
April 23 - Azure Network Security | Building a DDoS Response Plan
April 23 - Microsoft ITDR | POCaaS Session 1: ITDR Introduction and Prevention Capabilities
April 24 - Microsoft ITDR | POCaaS Session 2: Detection
April 25 - Microsoft Defender for Cloud | Defender CSPM Internet Exposure Analysis
April 30 - Microsoft ITDR | POCaaS Session 3: Investigation and Hunting
May 01 - Microsoft ITDR | POCaaS Session 4: Response
REGISTRATION: https://aka.ms/MSC_Webinars_Page
Things that are Related
Things to Watch/Listen To
Things in Techcommunity
Help with KQL / Advanced Hunting - Antivirus Scan - Trying to come up with a solution to find all devices via Advanced Hunting where a full scan was never successful. The report that can be downloaded via `Defender XDR > Reports > Device Health > Microsoft Defender Antivirus Health` as well as the device health page only provide the result of the last antivirus scan. If a device ran a full scan successfully in the past but the most recent full scan was cancelled the report shows that the full scan failed.
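One way to approach the question above in advanced hunting, as an added example and not a query from the original post: raw DeviceEvents are retained for 30 days, so "never" can only be evaluated as "not within the lookback window". The query starts from onboarded devices (so machines that never even attempted a full scan are included), drops those with at least one completed full scan, and shows the date and count of failed or cancelled attempts for the rest. It assumes the DeviceEvents ActionType values AntivirusScanCompleted, AntivirusScanCancelled and AntivirusScanFailed, and that the scan type is reported in AdditionalFields as ScanTypeIndex.

```kql
// Added example; not from the original post. Assumes the ActionType values
// below and the AdditionalFields.ScanTypeIndex property.
let lookback = 30d;   // advanced hunting keeps 30 days of raw events, so
                      // "never" can only be evaluated inside this window
let FullScanEvents =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("AntivirusScanCompleted",
                           "AntivirusScanCancelled",
                           "AntivirusScanFailed")
    // assumption: scan type is reported in AdditionalFields as ScanTypeIndex
    | extend ScanType = tostring(parse_json(AdditionalFields).ScanTypeIndex)
    | where ScanType =~ "Full";
let SucceededFullScan =
    FullScanEvents
    | where ActionType == "AntivirusScanCompleted"
    | summarize LastSuccessfulFullScan = max(Timestamp) by DeviceId;
let UnsuccessfulFullScan =
    FullScanEvents
    | where ActionType != "AntivirusScanCompleted"
    | summarize LastUnsuccessfulAttempt = max(Timestamp),
                UnsuccessfulAttempts = count() by DeviceId;
// Start from onboarded devices rather than from scan events, so devices that
// never attempted a full scan are reported instead of silently dropped.
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId
| join kind=leftanti SucceededFullScan on DeviceId   // no success in window
| join kind=leftouter UnsuccessfulFullScan on DeviceId
| project DeviceId, DeviceName, OSPlatform,
          LastUnsuccessfulAttempt, UnsuccessfulAttempts
| order by UnsuccessfulAttempts desc
```

Devices with an empty LastUnsuccessfulAttempt never ran a full scan at all in the window; the rest tried and failed or were cancelled. For history beyond 30 days, the same logic has to run against DeviceEvents exported to Sentinel or a storage account via streaming, where retention is under your control.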
Copilot for Security Things
Microsoft Copilot for Security is now generally available - Microsoft Copilot for Security is the first generative AI security product that empowers security and IT teams to protect at the speed and scale of AI. As announced at Microsoft Secure last month, Copilot for Security is available for purchase as of April 1, 2024. Customers can get started by provisioning capacity to run all Copilot workloads, both standalone and embedded in our security products, beginning with Microsoft Defender XDR.
Copilot for Security Partners page has gotten a big revamp: https://securitypartners.transform.microsoft.com/security-copilot
Scheduling Microsoft Copilot for Security Capacities - Provisioned capacity is billed whether or not anyone is using it. With Logic Apps, we can automate the scheduled creation and deletion of Security capacities, offering a solution to this challenge.
Limiting Access to Copilot for Security to the Wider Web - There’s an option in Copilot for Security to allow or disallow the service to access industry information from the public web.
Getting the List of System Capabilities for Copilot for Security - Copilot for Security is an extensible platform that enables enhanced capabilities through the use of plugins, skills, and features. But how will you know what capabilities each plugin provides? You can use the System Capabilities option in the session prompt in Copilot for Security.
Brief: Two Places to Access Copilot for Security Promptbooks - When you want to access the in-product Promptbooks, or the ones you have created yourself, there are a couple of spots in the standalone experience UI where you can find them.
Adjust Capacity for Copilot for Security - Copilot for Security debuted to the public on April 1. There have been so many articles and questions published and asked, but I don’t think anything has raised more questions than how to adjust the number of SCUs (if you don’t know what an SCU is you can read about it here). I decided it would be fun to use some Azure Automation to increase and lower the number of SCUs programmatically.
Helping Build a Better Copilot for Security - To help continue the improvement and advancement of more accurate responses, there’s a feedback mechanism directly integrated into Copilot for Security. The feedback supplied here is taken seriously and used to continually improve the service.
Azure Policy can interfere with Copilot for Security installation - Just a quick note to let you know that if you have an Azure Policy set that requires all your resources to be tagged, you will have difficulty provisioning Copilot for Security. Today, when you go to set up your Copilot capacity, there is no option to apply a tag.
Two ways to investigate Copilot for Security pricing. The pricing table and the calculator.
Copilot for Security pricing table: https://azure.microsoft.com/pricing/details/microsoft-copilot-for-security/#pricing
Copilot for Security pricing calculator https://azure.microsoft.com/pricing/calculator/
The Copilot for Security Docs have been updated for GA - Microsoft Copilot for Security documentation https://learn.microsoft.com/security-copilot/
Microsoft Learn Path: Get started with Microsoft Copilot for Security - Training - Learn about Microsoft Copilot for Security, an AI-powered security analysis tool that enables analysts to process security signals and respond to threats at a machine speed, and the AI concepts upon which it's built.
Defender for Cloud Things
Native-first cloud security approach - Customers migrating to the public cloud (Azure, AWS, Google Cloud) often lift and shift their existing toolset, or assume that a best-of-breed approach is better than using cloud-native solutions. As a result, their cloud workloads suffer from security and efficiency gaps.
Unleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection - Microsoft Defender for Cloud (MDC) is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices that are designed to protect cloud-based applications from various cyber threats and vulnerabilities.
Microsoft Defender for Cloud Free Trial per Plan - MDC is rolling out the "Trial per Plan". This change is designed with flexibility and customer needs in mind.
Secrets scanning for Cloud deployments - Today, we are excited to unveil a new capability in Public Preview: Secrets scanning for cloud deployments! Covering Azure and AWS during Public Preview, this capability marks an important step in our commitment to providing a holistic secret management solution across various resource types and different stages of software development lifecycle (SDLC).
Defender for Cloud Monthly news - April 2024 - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from February 2024.
Defender for Endpoint Things
Offline Security Intelligence Update is now in Public Preview - We are extremely excited to share that Offline Security Intelligence Update is now in Public Preview!
Defender XDR Things
Monthly news - April 2024 - This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2024.
Get end-to-end protection with Microsoft's unified security operations platform, now in public preview | Microsoft Security Blog - Today, I am excited to announce the public preview of our unified security operations platform. When we announced a limited preview in November 2023, it was one of the first security operations center platforms that brought together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. This powerful combination of capabilities delivers a truly unified analyst experience in the security operations center (SOC).
Connect Microsoft Sentinel to Microsoft Defender XDR (preview) - Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Microsoft Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster.
Microsoft Security Exposure Management Things
Exposure Management : Device Exposure Levels - This query provides a list of devices with 'Medium' or 'High' exposure levels, along with Exposure Management affecting source items.
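As an added example, and not the query from the post above: the DeviceInfo table carries an ExposureLevel column, so the list of Medium/High devices is a one-table query. To show what is driving the level, this version joins the vulnerability and secure-configuration tables from Defender Vulnerability Management, which approximate the "affecting source items" without needing the exposure graph tables. It assumes the ExposureLevel column and the DeviceTvmSoftwareVulnerabilities and DeviceTvmSecureConfigurationAssessment schemas as named below.

```kql
// Added example; not the query from the original post. Assumes the
// ExposureLevel column in DeviceInfo and the DeviceTvm* tables named here.
let ExposedDevices =
    DeviceInfo
    | where Timestamp > ago(7d)
    // one row per device with its most recent exposure level
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, ExposureLevel) by DeviceId
    | where ExposureLevel in ("Medium", "High");
// Contributing vulnerabilities: critical/high CVEs currently open per device
let VulnCounts =
    DeviceTvmSoftwareVulnerabilities
    | where VulnerabilitySeverityLevel in ("Critical", "High")
    | summarize CriticalOrHighCves = dcount(CveId),
                SampleCves = make_set(CveId, 5) by DeviceId;
// Contributing misconfigurations: applicable baseline checks that fail
let ConfigGaps =
    DeviceTvmSecureConfigurationAssessment
    | where IsApplicable == true and IsCompliant == false
    | summarize NonCompliantConfigs = count(),
                Categories = make_set(ConfigurationCategory, 5) by DeviceId;
ExposedDevices
| join kind=leftouter VulnCounts on DeviceId
| join kind=leftouter ConfigGaps on DeviceId
// ExposureLevel is a string; rank it so High sorts above Medium
| extend ExposureRank = case(ExposureLevel == "High", 2,
                             ExposureLevel == "Medium", 1,
                             0)
| order by ExposureRank desc, CriticalOrHighCves desc
| project DeviceId, DeviceName, OSPlatform, ExposureLevel,
          CriticalOrHighCves, SampleCves, NonCompliantConfigs, Categories
```

Devices that show High exposure with no critical CVEs and few failed checks are the ones worth opening in Exposure Management itself, since the level may then come from graph context (for example a path to a critical asset) rather than from the device's own findings.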
Defender for Office Things
Hunting and responding to QR code-based phishing attacks with Defender for Office 365 - To help our customers defend against this emerging threat, Microsoft Defender for Office 365 has introduced several enhancements to its prevention capabilities that can detect and block QR code-based attacks. Check out this blog to learn more about QR codes and how Defender for Office 365 is protecting end users against such attacks: Protect your organizations against QR code phishing with Defender for Office 365
Defender Threat Intelligence Things
A Copilot for Security Customer’s Guide to MDTI - With just one Security Compute Unit (SCU), Copilot for Security customers have unlimited access to the powerful operational, tactical, and strategic threat intelligence in Microsoft Defender Threat Intelligence (MDTI), a $50k per seat value, at no extra cost. This compendium of high-fidelity intelligence developed by Microsoft's team of more than 10,000 multidisciplinary security experts and informed by over 78 trillion security signals enables teams to unmask and neutralize adversaries quickly and efficiently.
Defender EASM Things
Microsoft Defender External Attack Surface Management Walkthrough – Part 2 - In the previous post we talked about what External Attack Surface Management is and how it discovers assets using various discovery methods. In this post we dig deeper into discovering assets and look at the dashboard.
Defender Vulnerability Management
Defender Vulnerability Management GA in government cloud - Microsoft has established itself as a leading solution for vulnerability risk management (VRM) by leveraging its industry-leading threat intelligence and security expertise. Microsoft Defender Vulnerability Management covers the end-to-end VRM lifecycle to identify, assess, prioritize, and remediate vulnerabilities across platforms and workloads, making it an ideal tool for an expanded attack surface: its context-aware, risk-based prioritization uses breach likelihood predictions and business context to prioritize vulnerabilities across the portfolio of managed and unmanaged devices.
Microsoft FAQ and guidance for XZ Utils backdoor - On March 28, 2024 a backdoor was identified in XZ Utils. This vulnerability, CVE-2024-3094 (CVSS score of 10), is the result of a software supply chain compromise affecting versions 5.6.0 and 5.6.1 of XZ Utils. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that organizations downgrade to a previous, uncompromised XZ Utils version. See below for details and the Microsoft response to this vulnerability.
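To find exposed Linux devices with Defender Vulnerability Management, as an added example that is not part of Microsoft's guidance: the first branch uses the CVE attribution in DeviceTvmSoftwareVulnerabilities; the second falls back to the software inventory in case attribution lags, matching the affected 5.6.0 and 5.6.1 versions by name. The package names (xz, xz-utils, liblzma, liblzma5) are an assumption, since naming differs by distribution.

```kql
// Added example; not from Microsoft's XZ Utils FAQ. Assumes the package name
// variants listed below as they appear in DeviceTvmSoftwareInventory.
// 1. Devices where TVM already attributes CVE-2024-3094
let ByCve =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-3094"
    | project DeviceId, DeviceName, OSPlatform, SoftwareName, SoftwareVersion,
              Source = "CVE match";
// 2. Inventory fallback: the compromised upstream versions of xz / liblzma.
//    Package naming differs by distro (assumption, extend as needed).
let ByVersion =
    DeviceTvmSoftwareInventory
    | where SoftwareName has_any ("xz", "xz-utils", "liblzma", "liblzma5")
    | where SoftwareVersion startswith "5.6.0"
         or SoftwareVersion startswith "5.6.1"
    | project DeviceId, DeviceName, OSPlatform, SoftwareName, SoftwareVersion,
              Source = "version match";
union ByCve, ByVersion
// one row per device, showing which branch(es) flagged it
| summarize Sources = make_set(Source),
            Packages = make_set(strcat(SoftwareName, " ", SoftwareVersion))
          by DeviceId, DeviceName, OSPlatform
| order by DeviceName asc
```

A device flagged only by the version match needs a second look: some distributions shipped a rebuilt 5.6.x package with the backdoor removed while keeping the upstream version string, so confirm against the distro advisory before forcing a downgrade. Only devices onboarded to Defender for Endpoint with Linux software inventory enabled appear in either table.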
Microsoft Entra Things
Microsoft Entra resilience update: workload identity authentication - Microsoft Entra is not only the identity system for users; it’s also the identity and access management (IAM) system for Azure-based services, all internal infrastructure services at Microsoft, and our customers’ workload identities. This is why our 99.99% service-level promise extends to workload identity authentication, and why we continue to improve our service’s resilience through a multilayered approach that includes the backup authentication system.
What's new in Microsoft Entra - Today, we’re sharing feature release information for January – March 2024, and first quarter change announcements. We also communicate these via release notes, email, and the Microsoft Entra admin center.
Introducing new and upcoming Entra Recommendations to enhance security and productivity - Today, we’re thrilled to announce the upcoming general availability of four recommendations, and another three recommendations in public preview. We’re also excited to share new updates on Identity secure score. These recommendations cover a wide spectrum, including credentials, application health, and broader security settings—equipping you to safeguard your digital estate effectively.