Microsoft 365 Defender Monthly news January 2023 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this January edition, we are looking at all the goodness from December 2022. NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you.
Microsoft 365 Defender
Optimize your hunting performance with the new query resources report. Visibility into how query resources are being used across the SOC team is critical to optimize performance, ensure queries are executed efficiently, and allow team to operate in the most effective way possible. The new query resources report now enables you to view how hunting resources are consumed in your organization and provides insights into your consumption of CPU resources for hunting activities.
What was your 2022 like? See some cool year highlights with Defender Boxed! Defender Boxed shows you your year highlights in numbers. Just go to your incidents queue and click on the Defender Boxed icon (top right of the page).
Microsoft Defender for Cloud Apps
Protecting apps that use non-standard ports with Microsoft Defender for Cloud Apps. We are happy to announce that applications that use ports other than 443 can now be protected in real-time using Defender for Cloud Apps.
Azure AD identity protection. Azure AD identity protection alerts will arrive directly to Microsoft 365 Defender. The Microsoft Defender for Cloud Apps policies won't affect the alerts in the Microsoft 365 Defender portal. Azure AD identity protection policies will be removed gradually from the cloud apps policies list in the Microsoft 365 Defender portal. To configure alerts from these policies, see Configure Azure AD IP alert service.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint Device Control: Removable storage access control updates.
1. Released Microsoft Endpoint Manager UX support for Removable storage access control.
2. The Default Enforcement policy of Removable storage access control is designed for all Device Control features. We recently released Printer Protection, so this policy now covers printers as well: if you create a Default Deny policy, printers will be blocked in your organization.
- Intune: ./Vendor/MSFT/Defender/Configuration/DefaultEnforcement, documentation here.
- Group policy: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement, documentation here.
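Because a Default Deny enforcement now also blocks printers, it is worth checking what the policy is actually enforcing before and after you roll it out. The advanced hunting query below is an added example written for this post, not a query from the product documentation; it assumes the DeviceEvents schema, the RemovableStoragePolicyTriggered and PrintJobBlocked action types, and the AdditionalFields property names shown in the extend step (print-job events carry different properties, so those columns will be empty for them).

```kql
// Added example: summarize Device Control enforcement events from the last 7 days
// so you can see what a Default Deny policy is blocking, removable storage and print jobs alike.
// Assumptions: DeviceEvents schema; ActionType values and AdditionalFields property names as named below.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("RemovableStoragePolicyTriggered", "PrintJobBlocked")
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess        = tostring(parsed.RemovableStorageAccess),
         RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict),
         MediaName                     = tostring(parsed.MediaName),
         MediaVendorId                 = tostring(parsed.MediaVendorId),
         MediaProductId                = tostring(parsed.MediaProductId),
         PolicyRuleId                  = tostring(parsed.PolicyRuleId)
// One row per action type / verdict / device model / rule, with how many devices and users hit it
| summarize Events = count(),
            Devices = dcount(DeviceId),
            Users = dcount(InitiatingProcessAccountName),
            LastSeen = max(Timestamp)
    by ActionType, RemovableStoragePolicyVerdict, RemovableStorageAccess,
       MediaName, MediaVendorId, MediaProductId, PolicyRuleId
| order by Events desc
```

Run it in audit mode first: a large number of blocked print jobs or a single vendor/product pair dominating the results usually means a legitimate device class needs an explicit allow rule before the Default Deny policy goes to production.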
Disconnected environments, proxies and Microsoft Defender for Endpoint. In this blog, Brian Badock provides recommendations and guidance for those looking to deploy Microsoft Defender for Endpoint in disconnected or air-gapped environments.
Leverage advanced hunting to better understand your discovered devices. In this blog post, we show a few queries that address various use cases for finding discovered devices in your network, and how to turn them into custom detection alerts.
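As an added example of the kind of query that post describes (this one is written here and is not taken from the post), the query below lists devices that device discovery has seen in the last 30 days but that are not onboarded to Defender for Endpoint, flagging those first seen in the last 7 days. It assumes the DeviceInfo schema and the OnboardingStatus values used by device discovery.

```kql
// Added example: discovered devices that are not yet onboarded, one row per device (latest report).
// Assumptions: DeviceInfo schema; OnboardingStatus is "Onboarded" for managed devices.
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus != "Onboarded"
| summarize FirstSeen = min(Timestamp),
            arg_max(Timestamp, ReportId, DeviceName, DeviceType, DeviceCategory,
                    OSPlatform, OSDistribution, Vendor, Model, OnboardingStatus, IsInternetFacing)
    by DeviceId
| extend NewlyDiscovered = FirstSeen > ago(7d)
// Keep Timestamp, DeviceId and ReportId in the output: a custom detection rule requires all three
| project Timestamp, DeviceId, ReportId, DeviceName, DeviceType, DeviceCategory,
          OSPlatform, OSDistribution, Vendor, Model, OnboardingStatus, IsInternetFacing,
          FirstSeen, NewlyDiscovered
| order by NewlyDiscovered desc, Timestamp desc
```

To alert on new unmanaged devices, save the query as a custom detection rule (the Timestamp, DeviceId and ReportId columns kept in the project step are required for that) and add a filter such as `| where NewlyDiscovered` so the rule only fires for devices that appeared in the last week.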
Vulnerability assessment of apps on iOS devices is now generally available. To configure the feature, read the documentation.
Microsoft 365 Defender Threat Analytics Reports
Actor profile: China-based DEV-0401, lone wolf turned LockBit 2.0 affiliate. The threat actor that Microsoft tracks as DEV-0401 (also known as Bronze Starlight and Emperor Dragonfly) is a China-based cybercriminal group that’s been active since at least July 2021. It is an opportunistic threat actor, relying on unpatched vulnerabilities to gain elevated credentials and obtain initial access.