Things from Me
Happy Friday and Happy New Year, everyone!
Some of you may be scratching your head today wondering what happened to the old format and old delivery platform for the newsletter. Here’s what happened:
Despite having a wonderful time off with family and friends during the holiday season, I did have to work a little to migrate the newsletter from the old platform. As part of Elon’s cost-cutting measures for Twitter, the old platform, Revue (owned by Elon now), will be sunset next week. I’m the type of person that hates to have unattended items on my task list, so instead of spending the first week of 2023 performing the migration, I did it during the holiday. After much deliberation, discussion, and hearing recommendations, I chose Substack for the new editing, publishing, and delivery mechanism. There are a few reasons for it which I’ll share at a later date, but suffice to say the move should be a fantastic one.
One of the biggest reasons, though, is Substack’s ability to expose this periodical to the greater public. Since the migration, this newsletter has seen another 1,000 subscribers! So - for those that are new - welcome! This community is growing at a fantastic rate and it’s an awesome place to be. Just promise to bear with me as I kick the tires and make some adjustments along the way.
For those that have been here for and from the beginning of this long weekly trek - welcome back! I know each of you will appreciate the changes and improvements, but I most hope that you’ll be open to supplying your feedback. I’m energized this year to make this the best resource available.
And I’m actually so thrilled with the Substack opportunity that I’m in the process of moving my own blog to Substack, along with the Microsoft Security Insights show (the team will start blogging this year!) and a couple of other cool things (stay tuned).
So, here’s what’s on Substack right now:
…
BTW: Did you miss out on learning KQL in 2022? No problem! Still a necessary skill, learning KQL makes for a great New Year's resolution and one that's easy to actually obtain. The easiest way to get started is with the Must Learn KQL series which can be found at https://aka.ms/MustLearnKQL
And P.S. The mug or laptop sticker will provide the reminder and incentive you need.
Get either here: https://rodtrent.com/2w9
All profit goes to charity (St. Jude).
…
That’s all from me for this week. I hope the week - and the year - ahead is a good one.
Talk soon.
-Rod
Things to Attend
NEW SERIES: Security Experts Roundtable coming January 25, 2023 - There is a lack of security content that covers timely, newsworthy topics, that is both educational and engaging. After all, we all spend a lot of time in learning mode. Why can’t it be fun? If you’ve ever wondered what your fellow security colleagues think about the latest vulnerabilities, security news, and emerging trends, look no further. The Security Experts Roundtable launches in January to deliver the webinar series of your dreams.
Feb 1st - Microsoft Defender for Cloud Apps Webinar | Protect, Detect and Respond to malicious OAuth applications abusing cloud e-mail services
Microsoft Security disrupted an infrastructure that leverages Identity Provider and SaaS Email applications to abuse business brands and spread fraud to millions. Join us to learn how to protect and detect Azure AD and Exchange Online using Microsoft Defender for Cloud Apps.
Things that are Related
Security MVP (Most Valuable Professional) Spotlight - With security becoming more important than ever before, Most Valuable Professionals (MVPs) have been defending the realm and helping secure our customers against the latest attacks, as well as spreading their expertise to help the world become more secure! We want our MVPs’ stories told.
Microsoft Intune: 5 endpoint management predictions for 2023 - The end of the year typically brings with it a small library of reports with predictions for the year ahead. The value in these reports is less in the precise predictions themselves—given how interconnected the world is, no one has a perfect crystal ball. Rather, the forecasts help frame the thinking about the possibilities for the coming year, and what they might mean for you. With that in mind, I would like to share five predictions for 2023 that resonated with me and explain what they could mean for endpoint management in your organization. After reviewing these predictions, I encourage you to review your current endpoint security posture, and how Microsoft Intune can help further improve it in 2023.
Microsoft research uncovers new Zerobot capabilities - Zerobot, a Go-based botnet that spreads primarily through IoT and web application vulnerabilities, is an example of an evolving threat, with operators continuously adding new exploits and capabilities to the malware. The Microsoft Defender for IoT research team has been monitoring Zerobot (also called ZeroStresser by its operators) for months. Zerobot is offered as part of a malware as a service scheme and has been updated several times since Microsoft started to track it. One domain with links to Zerobot was among several domains associated with DDoS-for-hire services seized by the FBI in December 2022.
Things to Watch/Listen To
Microsoft Security Insights Show Episode 134 - New year, New you? - Welcome to 2023! In this episode, catch up with your hosts, hear Ed ramble on (as usual) about his year-end trip, and listen in on musings about Microsoft security in the new year.
Things in Techcommunity
Using Advanced Hunting Query to identify Devices missing patch - Using the following scenario as an example: Microsoft recategorised CVE-2022-37958 in December 2022; it was initially patched in September 2022. I want to query my environment to determine the level of exposure and turned to Advanced Hunting to generate a query.
How to identify which user changed alert status in Defender for Cloud - I want to find out how I can identify which user moved the status of a new alert to in-progress or closed.
Things to Have
Microsoft Defender for Endpoint In-Depth - This book starts with a history of the product and a primer on the various feature areas. From prevention to attack surface reduction to detection and response, you will learn the reasoning behind the features, the applicability, as well as get an overview of common misconceptions and caveats. After planning and preparation, then deployment and configuration towards a successful implementation, you will be taken through a day in the life of a security analyst working with the product. You will understand common issues, techniques, and tools used for troubleshooting along with answers to some of the most common challenges people face. Finally, the book will wrap up with a reference guide that includes tips and tricks that will keep you coming back to the book regularly.
Create-MDEDeviceTagAzure - This Logic App can be set to run daily or weekly. Upon its scheduled trigger it matches Azure VMs to MDE devices and sets a defined MDE device tag on the server in MDE. This can be useful for reporting in the MDE portal, and an MDE tag can also be tied to a Device Group so you can separate permissions to servers and set Automation Investigation & Remediation (AIRs) to none, semi, or full for the servers onboarded to MDE from Defender for Servers P1/P2.
KQL Search - This is an aggregator for KQL queries that are shared on GitHub
Defender for Cloud Things
VIDEO: Defender for Cloud in the Field: Defender Threat Intelligence - In this episode of Defender for Cloud in the Field, Alexandra Roland joins Yuri Diogenes to talk about Microsoft Defender Threat Intelligence (Defender TI). Alexandra explains how Defender TI works and how it integrates with Defender EASM. Alexandra goes over an end-to-end scenario to demonstrate how to use Defender TI to perform a security investigation based on the data collected by the platform.
VIDEO: Defender for Cloud in the Field #20: Cloud security explorer and Attack path analysis - In this episode of Defender for Cloud in the Field, Tal Rosler joins Yuri Diogenes to talk about Cloud security explorer and Attack path analysis, two new capabilities in Defender for CSPM that were released at Ignite. The talk explains the rationale behind creating these features and how to use them to prioritize what matters most for keeping your environment secure. Tal also demonstrates how to use these capabilities to quickly identify vulnerabilities and misconfigurations in cloud workloads.
BLOG: How to migrate from Qualys and enable Microsoft Defender Vulnerability Management (MdeTvm) in Microsoft Defender for Cloud? - If you have started to use Qualys vulnerability assessment as part of Defender for Cloud and now want to switch to Defender for Vulnerability management instead, handling the migration from Qualys to MdeTvm by policies is currently not supported. This is why I wrote this blog: it automates disabling Qualys and onboarding to MdeTvm using the REST API.
BLOG: Initial access techniques in Kubernetes environments used by Kinsing malware - In this blog post, we will focus on a specific angle of Kinsing: the initial access techniques in Kubernetes environments. While Kinsing uses multiple initial access vectors, in Microsoft Defender for Cloud we recently observed two methods that are especially common: exploitation of weakly configured PostgreSQL containers and exploitation of vulnerable images.
365 Defender Things
Optimize your hunting performance with the new query resources report - Visibility into how query resources are being used across the SOC team is critical to optimize performance, ensure queries are executed efficiently, and allow the team to operate in the most effective way possible. The new query resources report now enables you to view how hunting resources are consumed in your organization and provides insights into your consumption of CPU resources for hunting activities.
Microsoft Purview Things
BLOG: Create custom attributes that use multiple choices in Microsoft Purview - We know that Managed attributes in Microsoft Purview are helpful to enrich technical assets and help a data consumer get more context about the asset to which they are applied. For creating these Managed Attributes, the Purview UI does a very good job and is probably the easiest and recommended approach. At the same time, Purview also offers the flexibility to create them using APIs.
BLOG: Now in Public Preview: Approval workflow for data asset curation - As part of public preview, we have enabled workflows for self-service data access for a hybrid data estate and an approval workflow for the business glossary. Continuing our journey on workflows, we are now happy to introduce an approval workflow for asset curation in Microsoft Purview. You can now streamline the entire approval process for asset updates, such as adding a business term, changing a classification, or adding or removing owners, by defining a workflow that fits your organizational needs. With the approval workflow enabled, updates are saved to the Purview data catalog only after approval by data owners.
Microsoft Entra Things
NEW LEARN MODULE: Manage your multi-cloud identity infrastructure with Microsoft Entra - Microsoft Entra Permissions Management gives security operations administrators insight into over-privileged workload and user identities, actions, and resources across multicloud infrastructures.
VIDEO: Manage your multi-cloud identity infrastructure with Microsoft Entra - A single solution to centrally manage your entire identity infrastructure with Microsoft Entra. Whether hybrid across your on-premises systems and the Microsoft Cloud, or across services spanning multiple clouds, like AWS, Google Cloud Platform and your favorite SaaS apps.
BLOG: How to build a secure foundation for identity and access - The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Christina Richmond, a cybersecurity expert who formerly worked as a Program Vice President at IDC. The thoughts below reflect Christina’s views, not the views of her former employer or Microsoft, and are not legal advice.
BLOG: Manage your multi-cloud identity infrastructure with Microsoft Entra - A single solution to centrally manage your entire identity infrastructure with Microsoft Entra. Whether hybrid across your on-premises systems and the Microsoft Cloud, or across services spanning multiple clouds, like AWS, Google Cloud Platform and your favorite SaaS apps.