Microsoft Defender XDR Blog

Monthly news - May 2024

HeikeRitter
Feb 02, 2024

Microsoft Defender XDR
Monthly news
May 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.  

Microsoft Defender XDR
RSA news: What's new in Defender XDR? Read this dedicated blog post to learn the details about the latest announcements at RSA:
  • AI-powered disruption of SaaS attacks: Microsoft Defender XDR is expanding its attack disruption capabilities to new scenarios that include OAuth app compromise within SaaS apps, disabling a malicious OAuth app & broadened compromised user coverage.
  • Native support for Data Security & Operational Technology (OT): OT security is now integrated into XDR along with new insider risk management insights from Microsoft Purview that further brings Data Security into the SOC.
  • End to end protection in the unified security operations platform: new features that benefit both Microsoft Sentinel & Defender XDR customers like unified custom detections, automation rules, and more, as well as new in-browser protection using Microsoft Edge to protect access to SaaS apps.

Device inventory in multitenant management in Microsoft Defender XDR is now available. The device inventory page in multitenant management lists all the devices in each tenant that you have access to. The page is like the Defender for Endpoint device inventory with the addition of the Tenant name column. Device management tasks like managing tags, device exclusion, and reporting inaccuracy become available for each device in the list. Learn more in our documentation.

Device inventory

New virtual Ninja Show episodes. Join us for a series of Copilot for Security technical deep dives, and learn more about Defender for Identity, Defender for Servers and more. Reserve your calendar now for upcoming episodes, or watch previous episodes on demand.

Microsoft Security Exposure Management

Respond to trending threats and adopt Zero Trust with Exposure Management. This blog post shares updates to Security Initiatives and also gives a heads-up about a few upcoming updates to attack path analysis.

Microsoft Security Experts

Hunting in Azure subscriptions. This blog post delves into various strategies and methodologies designed to enhance our grasp of the scope and complexity of how threat actors manoeuvre within Azure subscriptions, thereby fortifying our defenses against the ever-evolving landscape of cyberattacks.

Follow the Breadcrumbs with Microsoft IR & Defender for Identity: Working Together to Fight Identity-based Attacks. This blog post discusses how Microsoft Incident Response and Defender for Identity work together to fight identity-based attacks.

Strategies to monitor and prevent vulnerable driver attacks. From a threat hunting perspective, it is important to understand what data sources are available and what coverage they have; this blog post discusses the challenges and provides guides for threat hunters.

New short & sweet videos. Watch these 3-5 minute videos to learn more about:

Microsoft Defender for Endpoint

Two new GA announcements:

Microsoft Defender Core service overview: the service monitors the Microsoft Defender Antivirus service for sustained CPU usage, memory leaks, crashes and/or hangs, and false positive (FP) storms.

New short & sweet video. Watch this 4-minute video to learn more about Deception in Defender for Endpoint.

Microsoft Defender for Identity

Easily detect CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability. To help customers better identify and detect attempts to bypass security controls through this vulnerability, we have added a new activity within Advanced Hunting that monitors Kerberos AS authentication. Learn more in our documentation.

You can now watch the recordings of the POCaaS ITDR webinar series:

This blog post discusses the newly introduced Defender for Identity Health issues management API.

Health page

New Graph based API for viewing and managing Health issues. Now you can view and manage Defender for Identity health issues through the Graph API.

Activate Defender for Identity capabilities directly on a domain controller. Defender for Endpoint customers who've already onboarded their domain controllers to Defender for Endpoint can activate Defender for Identity capabilities directly on a domain controller instead of using a Microsoft Defender for Identity sensor. Learn more in our documentation.

KuppingerCole leadership compass for ITDR. Microsoft named an overall leader in KuppingerCole Leadership Compass for ITDR.

Microsoft Defender for Cloud Apps

App Governance is now available in GCCM. App Governance capabilities in Defender for Cloud Apps are now available to opt in to in GCCM environments, and will soon be available in the other gov clouds (GCC High and DoD). Go ahead and enable it to increase your app protection.

Enable data encryption from the Microsoft Defender portal. Now you can complete the process for encrypting Defender for Cloud Apps data at rest with your own key by enabling data encryption from the Settings area of the Microsoft Defender portal. For more information, see Encrypt Defender for Cloud Apps data at rest with your own key (BYOK).

Microsoft Defender for Office 365

Copy simulations in Attack Simulation Training is now generally available. We are excited to announce that in Attack Simulation Training, you can now copy an existing simulation and modify it to suit your needs, which will save you time and effort when creating new simulations based on previous ones.

Also, Attack Simulation Training is now available for Government Community Cloud High (GCC High) and Department of Defense (DoD) customers.

Gone Phishing Tournament™ Takeaways. In this blog, we share the key takeaways from the Gone Phishing Tournament report and provide insights on what it means to improve organizational resilience against phishing and social engineering attacks with tools like Attack Simulation Training.

New short & sweet videos. Watch these 3-5 minute videos to learn more about:

Last used date added to Tenant Allow/Block List entries for domains and email addresses, files, and URLs.

Enhanced clarity in submission results: You can now see enhanced results within submissions across email, Microsoft Teams messages, email attachments, URLs, and user-reported messages. Learn more.

Take action replaces the Message actions drop-down list on the Email tab (view) of the details area of the All email, Malware, or Phish views in Threat Explorer (Explorer). Learn more.

Microsoft Defender Vulnerability Management

Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls. Read more in this blog post.

Microsoft FAQ and guidance for XZ Utils backdoor. On March 28, 2024, a backdoor was identified in XZ Utils. This vulnerability, CVE-2024-3094 with a CVSS score of 10, is the result of a software supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ Utils. Read this blog post for details and Microsoft's response to this vulnerability.

New short & sweet video. Watch this 3:35-minute video "Get started with Vulnerable Components".

Microsoft Security Blogs

Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters. Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.

Analyzing Forest Blizzard's custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials. Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.
Updated Oct 29, 2024
Version 3.0