Things from Me
Happy Friday everyone!
This Friday is a special one for a couple reasons.
First off, if you haven’t heard during or after the Microsoft Secure event this past week, the Copilot for Security GA was announced. Copilot for Security goes live in just a couple weeks from now on April 1st. I truly hope that releasing on April Fool’s Day is not an omen, but we’re clearly not superstitious at Microsoft or we would never have branded so many different things ‘Mesh’ over the years.
As part of that, I’m headed to Denmark tomorrow to talk about Copilot for Security at Experts Live. I’ll be delivering a keynote called Microsoft Security Copilot: The Future of Cybersecurity on Wednesday of next week after spending some time being a tourist, having customer dinners, and enjoying time with my good friend and MVP, Morten Waltorp Knudsen and his family. I’m really looking forward to finally being able to talk about Copilot for Security in a public setting and spending time with many folks in person that I’ve only connected with over LinkedIn and other online platforms over the year.
NOTE: Because of my travel schedule and the time zone change, this newsletter will not deliver next week.
…
Happy birthday, KQL!
KQL, once just an internal codename at Microsoft, turned 10 years old on Tuesday, March 13, 2024.
I’m proud and happy to see how far KQL has come and how I’ve had a small part in helping it gain greater adoption.
…
And P.S. STILL no grandbaby yet. It’s sort of funny… I offloaded trips to Paris and Berlin to make sure to be at home for the birth, but it looks like it may happen while I’m in Denmark.
Talk soon.
-Rod
Things to Attend
Microsoft Secure Tech Accelerator - Apr 03 2024, 07:00 AM - 11:00 AM (PDT) - Join us on April 3rd at the Microsoft Secure Tech Accelerator for a deep dive into the announcements from the Microsoft Secure digital event on March 13th. You'll have an opportunity to learn technical information that will help you and your team implement Copilot, learn how to secure your AI, see demonstrations, and get answers to your questions from the product team. All sessions will be streamed live here on the Microsoft Tech Community as well as on YouTube and X.
Microsoft Copilot for Security Beyond Basics: Analysts moving at the speed of AI - When: Tuesday, April 9, 2024 11:00 AM Pacific Time / 02:00 PM Eastern Time - Cybersecurity challenges are constantly evolving and require security operations teams to be agile, efficient, and effective. Copilot for Security uses the power of AI to equip these teams with natural language interaction that can help them to summarize vast data signals into key insights, provide quick guidance and context to respond to incidents, empower and advance junior staff through step-by-step assistance, and much more.
Things that are Related
How to add a constant to a time chart in Kusto | LinkedIn - Time charts are useful for detecting trends, anomalies, and patterns in your data. But what if you want to compare your metric to a fixed value, such as a threshold or a baseline? How can you add a constant line to your time chart that shows the desired value across the entire time range? In this blog post, I will show you how I used Copilot in Edge, an AI-powered code completion tool, to help me solve this problem.
Things in Techcommunity
Enabling JIT Access for Managed Identities through PIM - Possible? - I'm exploring the capabilities of Privileged Identity Management (PIM) and have encountered a scenario where I'm seeking guidance.
Adding a gMSA account to the Access from Network user rights for Entra Joined devices - How should a person be adding this gMSA account to the Entra joined device? When I put it in Intune using the SID method (asterisk in front of the SID), the client machine (Windows 11 23H2) errors out with an error Result:(0x80070534) No mapping between account names and security IDs was done. If I leave the SID of the gMSA account out of the policy, then the policy will apply.
Things from Partners
From our partner, Invoke: Microsoft Copilot for Security Readiness Assessment & PoC - With this readiness assessment, customers will work through various demos of Copilot in action and relevant user scenarios, challenges, and pain points to identify top prioritized scenarios for their Security Operations.
Things in the News
Copilot for Security Things
Microsoft Copilot for Security: General Availability details - To help you seize this opportunity, we are excited to announce the general availability of Microsoft Copilot for Security (Copilot) on April 1st. This industry-leading product is the only generative AI solution that helps security and IT professionals amplify their skillset, collaborate more, see more, and respond faster.
Highlight… Microsoft plans to make Copilot for Security generally available for purchase as a consumption offering beginning April 1, 2024. We will have one simple pricing model that covers both the standalone Copilot experience, and embedded experiences across the Microsoft Security product portfolio.
A consumption model means it will be easy to get started quickly and on a small scale, to experiment and learn with no upfront per device or per user charges. Customers will use their existing Azure subscription or sign up for one if they are not already an Azure customer. They will then be able to provision Azure capacity to support all their Copilot for Security workloads, both standalone and embedded. Copilot for Security capacity is anticipated to be billed monthly via a new Security Compute Unit (SCU) at the rate of $4/hr.
Microsoft Copilot for Security is generally available on April 1, 2024 | Microsoft Security Blog - Today, we are excited to announce that Microsoft Copilot for Security will be generally available worldwide on April 1, 2024. The industry’s first generative AI solution will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. With Copilot, you can protect at the speed and scale of AI and transform your security operations.
Copilot for Security Resources - With the GA of Copilot for Security now fully announced, it’s time to stay engaged and learn more. Use the following resources to continue your learning path.
Brief: MDTI and Copilot for Security - MDTI powers Copilot for Security via a wide range of Threat Intelligence skills and promptbooks. Skills are natural language commands that allow you to retrieve and operate on MDTI data and content.
Tip: Running Copilot for Security in the Microsoft Edge Sidebar for Quick Access - I don’t know how many of you use the sidebar feature for Microsoft Edge, but I use it periodically, and it’s a highly recommended feature if you need quick access to certain websites. In particular, the sidebar has become a valuable tool more recently to host the link to CfS for easy access.
Microsoft introduces a preview of Copilot in Intune - Microsoft Intune is at the cusp of transforming endpoint management and security with Microsoft Copilot, introducing new ways for organizations to help protect and drive productivity for your workers and simplify IT and security operations. April 1, 2024 will mark the beginning of a new era of endpoint management with the public preview of Copilot in Intune.
Grab a new Copilot for Security Windows Background https://github.com/rod-trent/Security-Copilot/tree/main/Images/WindowsBackgrounds
Defender for Cloud Things
Exposure Management: The Evolution of Vulnerability Management - Despite common attacks exploiting known vulnerabilities and often following well defined tactics, techniques, and procedures (TTPs), we still find it challenging to identify and prevent them within our organizations. Misconfigurations and vulnerabilities, even those that are well-known and have patches and fixes available, continue to be a common cause of successful breaches.
From Microsoft Secure…
Defender for Cloud: Defender CSPM enhances risk prioritization, remediation, and compliance for multicloud environments https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-cspm-enhances-risk-prioritization-remediation-and/ba-p/4082119
Defender for Endpoint Things
Microsoft named as a Leader in three IDC MarketScapes for Modern Endpoint Security 2024 - Microsoft continues to develop solutions that help protect organizations of all sizes and today we are thrilled to announce that we have been recognized as a Leader in the IDC MarketScape reports for Worldwide Modern Endpoint Security across three (3) segments for enterprise, midsize, and small businesses – the only vendor positioned in the “Leaders” category in all three reports.
Defender XDR Things
From Microsoft Secure…
Defender, Entra, Intune: How to Secure and govern AI usage https://techcommunity.microsoft.com/t5/security-compliance-and-identity/security-for-ai-how-to-secure-and-govern-ai-usage/ba-p/4082269
What’s new in Defender: How Copilot for Security can transform your SOC https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/what-s-new-in-defender-how-copilot-for-security-can-transform/ba-p/4084222
Defender for Cloud Apps Things
Using MDCA user and entity behavioral analytics (UEBA) and machine learning (ML) to monitor Copilot for Microsoft 365 activities 🤖 | LinkedIn - In this article I will share with you how you can configure an MDCA Cloud Discovery for Copilot for Microsoft 365.
Microsoft Purview Things
From Microsoft Secure…
Purview: Protect at the speed and scale of AI with Copilot for Security in Microsoft Purview https://techcommunity.microsoft.com/t5/security-compliance-and-identity/protect-at-the-speed-and-scale-of-ai-with-copilot-for-security/ba-p/4078785
Purview: How business conduct violations can help understand data security risks https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-business-conduct-violations-can-help-understand-data/ba-p/4083002
Defender Threat Intelligence Things
MDTI Standalone Portal Retirement and Transition to Defender XDR - On June 30th, 2024, the Microsoft Defender Threat Intelligence (MDTI) standalone portal will reach end-of-life and the Microsoft Defender XDR portal will become MDTI’s exclusive home for both standard and premium users. In this blog, we’ll guide customers using the standalone portal that wish to continue using MDTI in Defender XDR through the simple migration process. We’ll also help customers, and their teams, prepare to take advantage of the benefits MDTI brings to Microsoft’s XDR, SIEM, and AI solutions.
Microsoft Secure Announcements…
MDTI: Entire Collection of Intel Profiles Now Available in Defender XDR https://techcommunity.microsoft.com/t5/microsoft-defender-threat/new-at-secure-entire-collection-of-intel-profiles-now-available/ba-p/4083161
MDTI: Enhanced Vulnerability Profiles and CVE Search within MDTI https://techcommunity.microsoft.com/t5/microsoft-defender-threat/new-at-secure-enhanced-vulnerability-profiles-and-cve-search/ba-p/4083159
MDTI: MDTI integrated into Defender XDR Global Search https://techcommunity.microsoft.com/t5/microsoft-defender-threat/new-at-secure-mdti-integrated-into-defender-xdr-global-search/ba-p/4083158
MDTI: Corpus of Intel Profiles Available in Defender XDR https://techcommunity.microsoft.com/t5/microsoft-defender-threat/new-at-secure-corpus-of-intel-profiles-available-in-defender-xdr/ba-p/4083161
Defender EASM Things
From Microsoft Secure…
DEAS: Get visibility into your curated external assets with enhanced generative AI capabilities https://techcommunity.microsoft.com/t5/microsoft-defender-external/get-visibility-into-your-curated-external-assets-with-enhanced/ba-p/4081757
Microsoft Entra Things
From Microsoft Secure…
Entra: Microsoft Entra adds identity skills to Copilot for Security https://techcommunity.microsoft.com/t5/microsoft-entra-blog/microsoft-entra-adds-identity-skills-to-copilot-for-security/ba-p/4081857
Microsoft Security Exposure Management Things
From Microsoft Secure…
MSEM: Introducing Microsoft Security Exposure Management https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-microsoft-security-exposure-management/ba-p/4080907