Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
(Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results.
(Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer.
(GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs.
Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale.
You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here.
(Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process.
New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment.
SOC Optimization and Auxiliary Logs collaboration.
We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs!
Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs.
The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added:
Ninja Show Episodes:
Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure.
Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts, and more. Follow-up live AMA session.
Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments.
Threat Analytics - New Tool profile: SectopRAT
(You need access to the Defender portal to read this profile.)
Microsoft Sentinel
(Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, into Microsoft Sentinel. Learn more on our docs.
Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest capability reuses the SAP Cloud Connector to benefit from already existing setups, established integration processes, and well-understood SAP components.
Ninja Show Episode
Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs.
Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform
Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process.
Microsoft Defender Experts for XDR
Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support.
Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face.
Microsoft Defender for Identity
New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs.
Microsoft Security Exposure Management
The following predefined classification rules were added to the critical assets list:

| Classification | Description |
| --- | --- |
| Locked Azure Kubernetes Service cluster | This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. |
| Premium tier Azure Kubernetes Service cluster | This rule applies to premium tier Azure Kubernetes Service clusters. |
| Azure Kubernetes Service cluster with multiple nodes | This rule applies to Azure Kubernetes Service clusters with multiple nodes. |
| Azure Arc Kubernetes cluster with multiple nodes | This rule applies to Azure Arc clusters with multiple nodes. |

For more information, see Predefined classifications.
Microsoft Defender for Office 365
Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services.
Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it.
Microsoft Defender for Endpoint
Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version.
Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs.
Android low-touch onboarding is now generally available.
Key benefits
- Faster setup on Android devices – Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint.
- Intuitive guidance - A clear and intuitive flow to guide users through each step.
- Broad coverage with support across multiple Android profiles – Android enterprise BYOD, COPE, and fully managed.
Configuring low-touch onboarding
Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding.
Ninja Show Episode: Defender for Endpoint RDP Telemetry
In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.