Microsoft Defender XDR Blog

Monthly news - November 2024

HeikeRitter (Microsoft)
Nov 04, 2024

Microsoft Defender XDR
Monthly news
November 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2024. Defender for Cloud has its own Monthly News post; have a look at their blog space.

Legend (icon categories used in this post): product videos, webcast recordings, docs on Microsoft, blogs on Microsoft, GitHub, external, improvements, previews / announcements.
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel

(Preview) In advanced hunting, Microsoft Defender portal users can now use the arg() operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender. Learn more on our docs.
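As an added example (not part of the original post and not one of Microsoft's own samples), the query below runs from Defender advanced hunting and uses arg() to pull Azure virtual machines out of Azure Resource Graph, then left-anti joins them against DeviceInfo to list VMs that have no onboarded Defender device. It assumes the arg("").Resources syntax documented for Microsoft Sentinel, the ARG power-state property path used in Microsoft's ARG samples, and that the ARG resource name equals the hostname part of DeviceName; that last assumption fails for VMs renamed inside the guest, so treat the output as a candidate list, not a verdict.

```kusto
// Added example, not from the original post. Assumes the arg("").Resources syntax
// and that the ARG VM name equals the hostname portion of DeviceInfo.DeviceName.
let onboarded =
    DeviceInfo
    | where Timestamp > ago(7d)
    | where OnboardingStatus == "Onboarded"
    // DeviceName is usually an FQDN; keep the hostname part, lower-cased for the join
    | extend Hostname = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct Hostname;
// Azure Resource Graph queried in place via arg(); no trip to Log Analytics needed
arg("").Resources
| where type =~ "microsoft.compute/virtualmachines"
| extend Hostname = tolower(name)
// power state path as exposed by ARG for VMs; lets you ignore deallocated machines
| extend PowerState = tostring(properties.extended.instanceView.powerState.code)
| where PowerState =~ "PowerState/running"
// keep only running VMs with no onboarded Defender device of the same hostname
| join kind=leftanti onboarded on Hostname
| project Hostname, resourceGroup, subscriptionId, location, PowerState
| order by subscriptionId asc, Hostname asc
```

Because arg() is in preview, check the current docs for result-size limits before relying on it for a full-estate reconciliation; for large tenants, scope the ARG side with a subscriptionId filter first.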

Microsoft Unified RBAC roles have been added with new permission levels so that Microsoft Threat Experts customers can use the Ask Defender Experts capability. Learn more on our docs.

Demystify potential data leaks with Insider Risk Management insights in Defender XDR
Microsoft Purview Insider Risk Management adds significant value by identifying and mitigating potential insider risks such as data leaks or intellectual property theft. It covers key scenarios including detecting unusual employee behavior, managing data exfiltration risks from insiders performing riskier activities, and differentiating between external and internal attacks. This blog details how the integration into Defender XDR empowers SOC teams to detect and respond more effectively to insider threats.

We published an updated version of the short training video "How to use the Alert page". The 3:40-minute video shows how to get the most out of the alert page during your investigations.

New filter option on the Ninja Show page. You can now filter all our on-demand sessions by product to find relevant content more easily.

Microsoft Sentinel

(Preview) Use matching analytics to detect threats. Take advantage of threat intelligence produced by Microsoft to generate high-fidelity alerts and incidents with the Microsoft Defender Threat Intelligence Analytics rule. This built-in rule in Microsoft Sentinel matches indicators with Common Event Format (CEF) logs, Windows DNS events with domain and IPv4 threat indicators, syslog data, and more. Learn more on our docs.

Introducing the Use Cases Mapper workbook. Read this blog to see how the Use Case Mapper workbook helps you identify gaps between your Sentinel environment and the established Content Hub solutions.
Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training! The Microsoft Sentinel Ninja Training has been completely updated, and the individual knowledge checks now point to the official Microsoft Learn learning path, so you can earn the official badge after completing it successfully.
Save money on your Sentinel ingestion costs with Data Collection Rules. This blog post outlines a strategy you can use to reduce your data volume while still collecting and retaining the information that really matters.
Cowrie honeypot and its integration with Microsoft Sentinel
Cowrie is an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyze malicious activity. Learn in this blog post how the tool is used and how attacker activity is logged, providing valuable insight into their methods and motives.
Deploy Microsoft Sentinel using Bicep. This blog post walks you through the deployment process of Microsoft Sentinel using Bicep.

Webinars

We have the following two upcoming webinars:

Last month, these two webinars were presented and the recordings are now available:

Microsoft Defender Vulnerability Management

Guidance for handling CUPS remote code execution vulnerability using Microsoft Security capabilities.

In this blog post we demonstrate how you can easily discover whether your organization is exposed to these critical unauthenticated RCE flaws in the CUPS printing system, and view guidelines on remediation.
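An added example (not from the post and not Microsoft's own guidance) of the kind of discovery query the post refers to: it uses the Defender Vulnerability Management tables in advanced hunting to list Linux devices where a CUPS-related package carries a critical or high vulnerability, and enriches each device with its machine group and the public IP it last reported from. It assumes the vulnerability catalog already maps the CUPS CVEs to the installed packages, and it matches package names broadly on the substring "cups" rather than a fixed list, so review the CVEs column before acting.

```kusto
// Added example, not from the original post. Assumes the Defender Vulnerability Management
// catalog already maps the CUPS CVEs to the installed packages; the name match is deliberately
// broad (cups, cups-browsed, cups-filters, libcupsfilters, ...) rather than a fixed list.
DeviceTvmSoftwareVulnerabilities
| where OSPlatform == "Linux"
| where SoftwareName contains "cups"
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize
    Packages = make_set(strcat(SoftwareName, " ", SoftwareVersion)),
    CVEs = make_set(CveId),
    Fixes = make_set(RecommendedSecurityUpdate)
    by DeviceId, DeviceName
// latest device context: machine group and the public IP the sensor last reported from
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, MachineGroup, PublicIP) by DeviceId
    ) on DeviceId
| project DeviceName, MachineGroup, PublicIP, Packages, CVEs, Fixes
| order by array_length(CVEs) desc
```

A device with a vulnerable package is not necessarily reachable: the CUPS issue is only exploitable where the browsing service is running and accepting traffic, so pair this inventory with a check of what is actually listening (and on which network) before prioritising patching.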

Microsoft Security Exposure Management

Ninja Show
In these two episodes, we explore Microsoft Security Exposure Management, learning how it quantifies risks, generates reports for key stakeholders, unifies the security stack, and optimizes attack surface management. Watch the recordings of Part 1 and Part 2.

Microsoft Security Experts
Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack
Since April 2024, we have observed a significant increase in Teams phishing attacks that have led to endpoint-related incidents, particularly through the abuse of Remote Monitoring and Management (RMM) tools such as Quick Assist (see Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Microsoft ...), AnyDesk, and TeamViewer. In this blog, we walk through one of the observed scenarios and discuss hunting approaches for detecting such attacks.
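An added example (not part of the post and not Microsoft's own hunting query) of one hunting approach for the scenario above: flag RMM tools that start executing on a device where they were not seen during the preceding baseline window, and show which process launched them and with what command line. The tool list is constructed from the names mentioned above and assumes the on-disk binary names quickassist.exe, anydesk.exe and teamviewer.exe; extend it with whatever RMM tooling is legitimate or unexpected in your estate.

```kusto
// Added example, not from the original post. The process names below are assumed binary
// names for the tools mentioned in the blog; the list is constructed and not exhaustive.
let lookback = 30d;   // advanced hunting keeps 30 days, so this is the ceiling
let recent = 7d;
let rmm_tools = dynamic(["quickassist.exe", "anydesk.exe", "teamviewer.exe"]);
// (device, tool) pairs where the tool already ran during the baseline window (day -30 to day -7)
let baseline =
    DeviceProcessEvents
    | where Timestamp between (ago(lookback) .. ago(recent))
    | extend Tool = tolower(FileName)
    | where Tool in (rmm_tools)
    | distinct DeviceId, Tool;
DeviceProcessEvents
| where Timestamp > ago(recent)
| extend Tool = tolower(FileName)
| where Tool in (rmm_tools)
// keep only (device, tool) pairs with no prior run in the baseline window
| join kind=leftanti baseline on DeviceId, Tool
| summarize
    FirstSeen = min(Timestamp),
    Launches = count(),
    Accounts = make_set(AccountName),
    // a Teams or browser parent points at a user-driven, possibly social-engineered launch
    Parents = make_set(InitiatingProcessFileName),
    CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceId, DeviceName, Tool
| order by FirstSeen desc
```

The "new on this device" filter is what keeps the result list short in estates where help desks use these tools daily; to turn it into a detection rather than a hunt, narrow it further to launches whose Parents set includes the Teams client or a browser, and pivot from FirstSeen into DeviceNetworkEvents for the outbound session that followed.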
 


Microsoft Defender for Cloud Apps

We released various new data in advanced hunting via the CloudAppEvents table:

  • Anomaly data
  • Conditional Access app control / inline data
  • OAuthAppId

We published a new short training video (6 minutes) for App Governance. 

Threat actors are using non-human app identities as an attack vector and unfortunately this isn't as well understood as it should be. Customers who own Defender for Cloud Apps can turn on app governance with a few simple clicks and light up powerful capabilities.

Microsoft Defender for Office 365
Use community queries to hunt more effectively across email and collaboration threats. One of the most valuable and insightful resources within advanced hunting is the community queries feature. This collaborative repository can enhance your threat-hunting capabilities, streamline investigation processes, and empower your security operations center (SOC) team members with easily accessible shared knowledge. Check out this blog to learn about the benefits of using community queries.
Tenant Allow/Block List in Microsoft 365 now supports IPv6 addresses. Learn more on our docs.

Watch this short (4 minute) training video on "How to investigate email messages in Microsoft Defender for Office 365".

Ninja Show episode:

  • In-depth defense with dual-use scenario: We are joined by Senior Product Manager Manfred Fischer and Cloud Solution Architect Dominik Hoefling to explore the built-in protection mechanisms in Defender for Office 365. Tune into this episode as we dive deep into a dual-use scenario demonstration to learn how customers using third-party email filtering services can still leverage the powerful features and controls of Defender for Office 365.
  • Bulk Sender Insights in Microsoft Defender for Office 365: In this episode, Senior Product Manager Puneeth Kuthati explains the importance of bulk sender insights within Defender for Office 365. Discover how these insights help differentiate trustworthy bulk senders from potential threats, tackle the challenges of fine-tuning bulk email filters, and strike the right balance to ensure important emails reach your inbox without overwhelming it. By analyzing sender behavior and trends, organizations can strengthen email security, reduce unwanted bulk traffic, and minimize false positives.
Microsoft Defender for Endpoint

Troubleshoot Network Extension (NetExt) issues in Defender for Endpoint on Mac. Learn more on our documentation.

Microsoft Defender for Identity

(Preview) Defender for Identity is expanding coverage with 10 new identity posture recommendations. Read the details on our documentation to learn how these new recommendations can help you improve your posture.

Copilot Identity Summary released to Public Preview. Read this blog to see how Copilot for Security can simplify SOC teams’ investigation with the new Identity Summary feature within Defender XDR.

Copilot for Security Identity Summary

(Preview) Sensor management (add, remove, list ...) through new public API. Check out our documentation to learn more about this API.

Microsoft Security Blog

File hosting services misused for identity phishing

New macOS vulnerability, “HM Surf”, could lead to unauthorized data access.
Updated Nov 04, 2024
Version 2.0