Microsoft Defender XDR Blog
Monthly news - January 2025

HeikeRitter
Jan 02, 2025
Microsoft Defender XDR
Monthly news
January 2025 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has its own Monthly News post; have a look at their blog space.
 
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
 

(Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results.

(Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer.
 

(GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs.

 

Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale.

 

You can now view Microsoft Sentinel Workbooks directly from the unified SOC operations platform. Learn more about it here.

 

(Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process.

 

New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment.

 

SOC Optimization and Auxiliary Logs collaboration

We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs!

Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. 

 

The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added:

 

Ninja Show Episodes:

Attack Disruption: Live demo
This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure.

Defender XDR’s Data Security Context with Insider Risk Management 
Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more.
Follow-up LIVE AMA session

Unlocking Advanced Cloud Detection & Response capabilities for containers
Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments.

 

 

Threat Analytics - New Tool profile: SectopRAT

(You need access to the Defender portal to read this profile.)

 

 

Microsoft Sentinel

 

(Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs.

 

Agentless deployment for SAP applications. Microsoft Sentinel for SAP's latest new capability reuses the SAP Cloud Connector to benefit from already existing setups, established integration processes, and well-understood SAP components.

 

Ninja Show Episode

Microsoft Sentinel Data tiering best practices
In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs.

 

Upcoming webinar Feb 20, 9 AM PT: Mastering API Integration with Sentinel & Unified Security Platform

Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process.

 

 

Microsoft Defender Experts for XDR

 

Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support.

 

Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face.

 

 

Microsoft Defender for Identity

New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs.
 

 

Microsoft Security Exposure Management

 

The following predefined classification rules were added to the critical assets list (classification, followed by its description):

Locked Azure Kubernetes Service cluster: This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock.
Premium tier Azure Kubernetes Service cluster: This rule applies to premium tier Azure Kubernetes Service clusters.
Azure Kubernetes Service cluster with multiple nodes: This rule applies to Azure Kubernetes Service clusters with multiple nodes.
Azure Arc Kubernetes cluster with multiple nodes: This rule applies to Azure Arc clusters with multiple nodes.

For more information, see Predefined classifications.

 

 

Microsoft Defender for Office 365

 

Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services.

 

Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it.

 

 

Microsoft Defender for Endpoint

 

Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version

Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs.

 

Android low-touch onboarding is now generally available.

Key benefits

1. Faster setup on Android devices: Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint.
2. Intuitive guidance: A clear and intuitive flow to guide users through each step.
3. Broad coverage with support across multiple Android profiles: Android Enterprise BYOD, COPE, and fully managed.

Configuring low-touch onboarding 

Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding.


Ninja Show Episode: Defender for Endpoint RDP Telemetry

In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in human-operated attacks, considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.

 

 

Updated Feb 04, 2025
Version 6.0
  • john66571
    Brass Contributor

    "SOC Optimization and Auxiliary Logs collaboration."
    I tried finding out more about this news but couldn't; is there a link somewhere? :)
    Enabling Auxiliary or Basic Logs means big changes in Sentinel: you have to customize all analytic rules, hunting rules and other queries (in workbooks etc.) that use that table. So this being the default recommendation would mean massive impacts on all standalone Sentinels, but even bigger on MSP Sentinels. Unless it's solved in the news about it? That would be greater news of itself!!