Things from Me
Hello and welcome to the first edition of this newsletter for 2024!
It’s been a few weeks since this newsletter was published, and I appreciate all those waiting patiently while I took some time during the holiday to refresh. I took some necessary time to enjoy the joys of family and friendships during the holiday season and I hope you also had a wonderful holiday season and are having a great start to the new year.
We had a steady influx of new subscribers over the holidays, so welcome back to the regulars, and welcome to those just joining us.
I hope you enjoy reading this newsletter and find it useful and informative. I always welcome feedback and suggestions on how it can improve and become more relevant to your needs. You can supply your feedback in the Substack commenting system or just reach out to me directly over LinkedIn or X.
…
By the time you’re reading this, I’ll have wrapped up a couple of talks in San Francisco for the Microsoft AI Tour. But if you’re in New York in a couple of weeks, I hope you’ll register to stop by to meet with me there.
https://envision.microsoft.com
I’ll be talking on “The Future of Security with AI” and “Securing Generative AI Applications.”
…
Speaking of meet-ups I’ll be in Denmark in March speaking and spending time on a panel for Experts Live Denmark 2024. I’ll be talking about AI, Security, and even Microsoft Security Copilot.
Here’s one of the recent announcements from my good friend Morten Waltorp Knudsen: https://www.linkedin.com/feed/update/urn:li:activity:7150093811308785665/
Tickets are still available, but they are going fast. Last I looked there were fewer than 150 left. Register to attend: https://events.justattend.com/events/conference-hub/584b32f5
Since so many of you in the UK join our weekly Microsoft Security Insights Show, I really hope to meet with you in person in March.
…
We are excited to introduce a new blog in Microsoft Tech Community for Microsoft Security Copilot, an AI assistant for daily operations in security and IT that brings the power of generative AI to empower teams to defend at machine speed and scale. In this blog, you will find valuable insights and tips from our experts and developers on topics such as:
Education: Learn how Security Copilot works and how it can turn global threat intelligence, industry best practices, and enterprises’ security data into tailored insights for security analysts, IT administrators, and compliance professionals.
Building with Copilot: Discover how to create custom integrations, workflows, and more to extend Security Copilot capabilities.
Product deep dive: Explore the technical details and architecture of Security Copilot and how it uses AI to detect and mitigate security risks.
Best practices: Get guidance and recommendations on how to use Security Copilot effectively and efficiently.
What's new: Stay updated on the latest news and announcements about the Security Copilot roadmap.
Responsible AI: Understand how Security Copilot adheres to the principles of responsible AI and how it protects your data and privacy.
You can find the blog here: https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/bg-p/SecurityCopilotBlog
We invite you to share your feedback and questions with us.
…
I wish you a safe and happy new year, and we look forward to serving you in 2024 and beyond.
Talk soon.
-Rod
Things that are Related
Things in Techcommunity
Microsoft Defender device control not working with GPO - I tried applying Device Control using GPO, but Defender is not working with the XML I created using the guide provided by Microsoft. I tried creating an XML file for allowing specific USBs and blocking all other USBs, but it is not working. Every other option is working via GPO, but it is not reading the policy and groups of the XML file. Can someone please look into this matter and help me with that?
Microsoft 365 Business Premium with Cloud App Security - I have a quick question about a customer who has a Microsoft 365 Business Premium subscription. They would like to use Activity policies within Microsoft 365 Cloud App Security. The 'Microsoft Defender for Cloud Apps setup guide' in the Microsoft 365 admin center states that the 'Defender for Cloud Apps standalone' license is required to use the Full suite of Defender for Cloud Apps.
Security Copilot Things
The Ways Microsoft Security Copilot Can Enhance Security Operations with Microsoft Intune - Security Copilot seamlessly integrates with products in the Microsoft Security portfolio such as Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Intune, as well as third-party services such as ServiceNow. In this article, we will explore how Security Copilot can enhance security operations with Microsoft Intune, a cloud-based endpoint management solution that manages user access to organizational resources and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. You can protect access and data on organization-owned and users’ personal devices. And, Intune has compliance and reporting features that support the Zero Trust security model.
UI Components of Microsoft Security Copilot - Microsoft Security Copilot is a new platform that helps security analysts and administrators interact with their security data using natural language. Security Copilot can answer questions, run commands, and generate reports using various Microsoft security services as plugins. In this blog post, I will show you how to navigate the Security Copilot portal and use its features to get the most out of it.
Accessing Microsoft Security Copilot Promptbooks - A promptbook is a collection of prompts that have been put together to accomplish specific security-related tasks in Microsoft Security Copilot. Each promptbook requires a specific input (for example, a code snippet or a threat actor name).
Security Copilot Promptbook: Threat Actor Profile - Discover how Security Copilot transforms threat actor data into actionable intelligence for effective cyber defense strategies.
Preparing for Microsoft Security Copilot - Microsoft Security Copilot is a new service that leverages artificial intelligence and cloud computing to help organizations improve their cybersecurity posture.
Microsoft Security Copilot Demos from Microsoft Ignite 2023 - If you missed Microsoft Ignite this year - either virtually or in-person - you really missed the reemergence of Ignite as a top technical conference. The Security track alone was phenomenal and monumentally important. Securing AI and using AI for Security were hot topics and it was quickly evident that both of these areas are top of mind for many organizations and many individuals.
Defender for Cloud Things
Microsoft Defender for Cloud Labs - Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with product features, capabilities, and scenarios. The labs are divided into 3 main tracks, a beginner (level 100/200) and an advanced (level 300+) track. The labs contain several modules covering different pillars, from Cloud Security Posture Management (CSPM) to Cloud Workload Protection (CWP).
Defender for Cloud - Qualys retirement plan for Vulnerability assessment on cloud workloads - Effective May 1st, 2024, the built-in Qualys offering within the Defender for Servers plan will be retired. Any new Defender for Servers customers will be offered the built-in Qualys option until January 15th, 2024.
Consolidation of Defender for Cloud's Service Level 2 names - We're consolidating the legacy Service Level 2 names for all Defender for Cloud plans into a single new Service Level 2 name, Microsoft Defender for Cloud. Today, there are four Service Level 2 names: Azure Defender, Advanced Threat Protection, Advanced Data Security, and Security Center. The various meters for Microsoft Defender for Cloud are grouped across these separate Service Level 2 names, creating complexities when using Cost Management + Billing, invoicing, and other Azure billing-related tools.
Defender for Servers: Now with granular plan assignment - Microsoft quietly made public this week a significant new feature of their flagship Cloud Workload Protection (CWP) product for servers also known as Defender for Servers (DfS). Since the launch of Azure Security Center (ASC) in February 2018 and the rename of the product to Microsoft Defender for Cloud (DfC) in November 2021, enabling DfS plans was only possible at the Azure management group level and Azure subscription level. The new feature allows you to granularly enable or disable DfS plan coverage at the resource group or individual server level. This removes a barrier to implementation of DfS at some large organizations and provides flexibility to customers of all sizes.
Agentless scanning for virtual machines in the cloud – technical deep dive - Over the past three years, a notable shift has unfolded in the realm of cloud security. Increasingly, security vendors are introducing agentless scanning solutions to enhance the protection of their customers. These solutions empower users with visibility into their security posture and the ability to detect threats — all achieved without the need to install any additional software, commonly referred to as an agent, onto their workloads.
Securing DevOps with Microsoft's CNAPP: Defender for Cloud - As the landscape of DevOps continues to expand and confront increasingly sophisticated security threats, the need for proactive attack surface reduction measures has never been more critical. To enhance DevOps security and prevent attacks, Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP), is enabling customers with new capabilities: DevOps Environment Posture Management, Code to Cloud Mapping for Service Principals, and new DevOps Attack Paths. These features represent a strategic shift towards a more integrated and holistic approach to cloud native application security throughout the entire development lifecycle.
Security of AI is critical to protect data, systems, and users from malicious attacks, misuse, or errors that could compromise integrity, functionality, and trustworthiness. https://amzn.to/48xGDoE
Defender XDR Things
Microsoft Defender XDR unified role-based access control (RBAC) model is now generally available - Microsoft has continuously enhanced and expanded the unified RBAC model in our Microsoft Defender XDR. Today we are excited to share the general availability (GA) of Microsoft Defender XDR unified RBAC model as well as the latest capabilities to further simplify permission management.
(Preview) Query history in advanced hunting is now available. You can now rerun or refine queries you have run recently. Up to 30 queries in the past 28 days can be loaded in the query history pane.
(Preview) Additional features you can use to drill down further from your query results in advanced hunting are now available.
Defender for Identity Things
Securing AD CS: Microsoft Defender for Identity's Sensor Unveiled - In August we unveiled our newest Microsoft Defender for Identity sensor specifically designed for Active Directory Certificate Services (AD CS) servers to help our customers gain even more visibility into this critical piece of Identity infrastructure. Today I am excited to discuss some of the AD CS abuse techniques outlined in "Certified Pre-Owned" (by Will Schroeder and Lee Christensen) and share more insight into the upcoming Defender for Identity capabilities designed to help address them.
Microsoft Purview Things
Microsoft Purview Exact Data Match (EDM) support for multi-token corroborative evidence - One of the key components of EDM is corroborative evidence, which are additional fields in your data source that provide more context and confidence for the detection of the primary field. For example, if you have a data source that contains social security numbers (SSNs) and names of your customers, you can use the name field as corroborative evidence for the SSN field, so that only the SSNs that are associated with the correct names in your data source are detected as matches. This reduces the chances of false positives and increases the accuracy of EDM detection.
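As an added illustration (not Purview's EDM implementation), the following constructed Python model shows why corroborative evidence cuts false positives: primary values are kept only as salted hashes, and an SSN-shaped token in scanned text counts as a match only when every token of the same row's multi-token name appears nearby. The sample table, salt and proximity window are assumptions made for this example.

```python
# Simplified model of EDM-style corroborative evidence, written for this
# newsletter. It is NOT Purview's EDM code: the data source is constructed,
# the salt is a placeholder, and the proximity window is an assumption.
# Primary values (SSNs) and corroborative tokens (name parts) are stored
# only as salted hashes, mirroring the idea that EDM never uploads plaintext.
import hashlib
import re

SALT = b"constructed-demo-salt"  # placeholder; a real deployment derives its own

# Constructed sample data source: primary field = SSN, corroborative = name.
SENSITIVE_ROWS = [
    {"ssn": "123-45-6789", "name": "Mary Ann Smith"},
    {"ssn": "987-65-4321", "name": "John Doe"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
WINDOW = 6  # tokens on each side of the SSN in which evidence must appear


def _h(value: str) -> str:
    """Salted, case-insensitive hash so plaintext never sits in the index."""
    return hashlib.sha256(SALT + value.lower().encode()).hexdigest()


def build_index(rows) -> dict:
    """Map hashed SSN -> list of hashed name tokens for the same row."""
    return {_h(r["ssn"]): [_h(t) for t in r["name"].split()] for r in rows}


def find_matches(text: str, index: dict) -> list:
    """Return SSNs in `text` that are in the index AND corroborated.

    An SSN-shaped token is ignored unless (a) its hash is one of ours and
    (b) every token of the associated name appears within WINDOW tokens.
    This is what keeps a lookalike SSN, or a real SSN next to the wrong
    name, from being reported as a match.
    """
    tokens = re.findall(r"[A-Za-z0-9-]+", text)
    hits = []
    for i, tok in enumerate(tokens):
        if not SSN_RE.fullmatch(tok) or _h(tok) not in index:
            continue  # not SSN-shaped, or not one of OUR SSNs
        nearby = {_h(t) for t in tokens[max(0, i - WINDOW): i + WINDOW + 1]}
        if all(h in nearby for h in index[_h(tok)]):
            hits.append(tok)  # every token of the row's name is present
    return hits
```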
Microsoft Purview and Azure Databricks Better Together - Microsoft Purview integrates with Azure Databricks and Unity Catalog to help you discover Lakehouse data and bring its metadata into Data Map. Microsoft Purview empowers you to govern your entire data estate across on-premises, multi-cloud, and SaaS applications, serving as a complete “catalog of catalogs.”
Public Preview: Separation of scan levels for Azure SQL Database and Snowflake in Microsoft Purview - Scanning is a key function that captures metadata from data sources and brings it to Microsoft Purview. In Microsoft Purview Data Map terminology, there are three different levels of scanning based on the metadata scope and functionalities:
L1 scan: Extracts basic information and metadata like file name, size, and fully qualified name
L2 scan: Extracts schema for structured file types and database tables
L3 scan: Extracts schema where applicable and subjects the sampled file to the system and custom classification rules
Public Preview: Microsoft Purview Data Map Audit History - We are excited to announce the public preview of the Data Map Audit history feature in Microsoft Purview.
Defender for Office Things
Protect your organizations against QR code phishing with Defender for Office 365 - Given these attack techniques, it is clear that QR code phishing is functionally identical to credential harvesting. Let’s take a closer look at how Defender for Office 365 protects against them.
Microsoft Entra Things
Entra - Private Access (A first look) - Introducing Microsoft Entra Private Access, dubbed the modern alternative to Virtual Private Networks and the replacement solution that we've been holding out for, and it's finally here, at least in Public Preview at the time of writing.
Authentication and Authorization in Generative AI applications with Entra ID and Azure AI Search - In this blog, I will address a scenario where a customer wishes to implement authentication and authorization for their generative AI applications. Recently, customers have been implementing RAG patterns to construct the generative AI application.
Easily Manage Privileged Role Assignments in Microsoft Entra ID Using Audit Logs - One of the best practices for securing your organization's data is to follow the principle of least privilege, which means granting users the minimum level of permissions they need to perform their tasks. Microsoft Entra ID helps you apply this principle by offering a wide range of built-in roles as well as allowing you to create custom roles and assign them to users or groups based on their responsibilities and access needs. You can also use Entra ID to review and revoke any role assignments that are no longer needed or appropriate.
Strengthening identity protection in the face of highly sophisticated attacks - On November 2nd, 2023, we launched the Secure Future Initiative (SFI). It’s a multi-year commitment to advance the way we design, build, test, and operate our technology to ensure we deliver solutions that meet the highest possible standards of security.
Introducing New Features of Microsoft Entra Permissions Management - Today, we’re thrilled to unveil the details of our Ignite announcement and introduce new features and APIs for Permissions Management, enhancing your overall permissions management experience.
Enhancements to Microsoft Entra certificate-based authentication - Customers now have more control and flexibility to tailor authentication policies by certificate and resource type, as well as user group and select certificate strength for different users, use CBA with other methods for multi-factor or step-up authentication, and set high affinity (strong) binding for either the entire tenant or by user group.
Advancing Cybersecurity: The Latest enhancement in Phishing-Resistant Authentication - Today, I’m excited to share with you several new developments in the journey towards phishing-resistant authentication for all users! This isn’t just essential for compliance with Executive Order 14028 on Improving the Nation's Cybersecurity but is increasingly critical for the safety of all the orgs and users who bet on digital identity.
Microsoft Entra Internet Access — hands-on - I have got my hands on Microsoft Entra Internet Access, which is part of the Global Secure Access and Security Service Edge suite. This feature is now in public preview. (❗️ Preview means no full support, and additional costs can come up once the feature goes GA; be careful!)