This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products. With this issue we are extending the list of products to include Defender for Identity and Defender for IoT.
Microsoft 365 Defender
New to Microsoft 365 Defender? Learn how you can detect, investigate, and respond across endpoints, identities, email, and applications. Go to the new Microsoft Learn landing page for Microsoft 365 Defender. The link is also available from the portal via the Learning hub.
Unified submission. This video demonstrates the new, unified submissions experience in the Microsoft 365 Defender portal. More information is available in the docs.
Unpacking JSON in KQL. Watch this video to learn how to unpack JSON strings by using the Kusto Query Language.
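As an added example (not part of the original post or the video), here is the pattern the video covers, applied to a constructed table shaped like the advanced hunting DeviceEvents table, whose AdditionalFields column carries event details as a JSON string. The sample rows, action types and the RuleId value are constructed for illustration; parse_json converts the string into a dynamic value, and mv-expand flattens the nested array so that each target becomes its own row you can filter on.

```kql
// Constructed sample rows standing in for DeviceEvents; AdditionalFields is a JSON string.
// Action types, rule id and targets are made up for this example.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, AdditionalFields:string)
[
    datetime(2022-07-01 10:00:00), "wks-01", "ExampleRuleBlocked",
        '{"IsAudit":false,"RuleId":"example-rule-0001","Targets":[{"Name":"lsass.exe","Pid":712}]}',
    datetime(2022-07-01 10:05:00), "wks-02", "ExampleRuleAudited",
        '{"IsAudit":true,"RuleId":"example-rule-0001","Targets":[{"Name":"lsass.exe","Pid":688},{"Name":"lsass.exe","Pid":690}]}'
];
SampleEvents
// parse_json turns the string column into a dynamic object with dot access
| extend Fields = parse_json(AdditionalFields)
// scalar properties: cast to the type you need so comparisons behave as expected
| extend IsAudit = tobool(Fields.IsAudit), RuleId = tostring(Fields.RuleId)
// mv-expand unpacks the Targets array into one row per element
| mv-expand Target = Fields.Targets
| project Timestamp, DeviceName, ActionType, IsAudit, RuleId,
          TargetName = tostring(Target.Name), TargetPid = toint(Target.Pid)
// with the fields unpacked, filtering on nested values is ordinary KQL
| where IsAudit == false
```

Running this returns a single row (wks-01, lsass.exe, PID 712): the audited event is dropped by the final filter because IsAudit has been cast to a bool rather than left as a dynamic value. In a real query, replace the datatable with DeviceEvents and keep the same extend, mv-expand and project steps.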
Microsoft Defender for Cloud Apps
Malware hashes available for SharePoint and OneDrive. File hashes were already available for malware detected in non-Microsoft storage apps; new malware detection alerts now also provide hashes for malware detected in SharePoint and OneDrive. For more information, see Malware detection in our docs.
Admin audit enhancements. Additional admin activities have been added:
File monitoring status - switching on/off
Creating and deleting policies
Editing of policies has been enriched with additional data
Expansion to Microsoft Teams. App governance added insights, policy capabilities, and governance for Microsoft Teams. Customers can now see data usage and permissions usage, and create policies on Teams permissions and usage.
Microsoft Secure Score integration. Microsoft Secure Score integration with the app governance (AppG) add-on to Microsoft Defender for Cloud Apps has reached general availability. AppG customers will now receive recommendations in Secure Score, helping them secure their Microsoft 365 OAuth apps. By following AppG-related recommendations and enabling the proposed policy settings, enterprises can protect both apps and data from misuse and from actual bad-actor activity.
Predefined policies. App governance now has more out-of-the-box policies to detect anomalous app behaviors, such as a spike in usage or suspicious new apps.
Microsoft Defender for Endpoint
New capabilities in the file page. Have you ever investigated files in Defender for Endpoint? We now make it even easier with our recently announced enhancements to the file page and side panel. Users can streamline their work with a more efficient navigation experience that hosts all of this information in one place.
Alert suppression experience. The new alert suppression experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts and streamline the alert queue. It saves triage time by automatically hiding or resolving alerts each time a certain expected organizational behavior occurs and the rule conditions are met.
New contextual exclusions for use with Windows Defender Antivirus in the latest platform (4.18.2205.7). These allow you to be more specific when you define the context under which Windows Defender Antivirus shouldn't scan a file or folder. Learn more in our docs.
Microsoft Defender for Identity
User actions. We've decided to divide the Disable User action on the user page into two different actions:
Disable User – disables the user at the Active Directory level
Suspend User – disables the user at the Azure Active Directory level
We understand that the time it takes to sync from Active Directory to Azure Active Directory can be crucial, so you can now choose to disable the user in one directory and then in the other, removing the dependency on the sync itself. Note that a user disabled only in Azure Active Directory will be overwritten by Active Directory if the user is still active there.
New Identities section under "Assets". The Microsoft 365 Defender portal now includes a dedicated Identities section under Assets. This experience includes all identities that were previously available under the "Users and accounts" page of the standalone Defender for Cloud Apps portal, drawn from Azure Active Directory, cloud apps and the on-premises Active Directory, provided that Defender for Identity is deployed.
An issue was fixed where Suspected Golden Ticket usage (nonexistent account) (external ID 2027) would wrongfully detect macOS devices.
Microsoft Defender for IoT
Stream Microsoft Defender for IoT alerts to a third-party SIEM. This blog introduces a solution that sends Defender for IoT alerts to an Event Hub, from which they can be consumed by third-party SIEMs. You can use this solution with Splunk, QRadar, or any other SIEM that supports Event Hub ingestion.
Microsoft Defender for Office 365
Priority Accounts for Gov Cloud general availability. Priority Accounts are now available in Government Cloud environments (GCC, GCC-H, DoD). You can read more about Priority Account Protection in Defender for Office 365 in this older blog post.
Operations guidance. This video lists the daily, weekly, monthly, and ad-hoc tasks we recommend for operating Microsoft Defender for Office 365 successfully.
Microsoft Defender Vulnerability Management
Updated video. Microsoft Defender Vulnerability Management offers intelligent assessments, risk-based prioritization, and built-in mitigation and remediation tools. These capabilities help you to discover, assess, and remediate vulnerabilities and misconfigurations — all in one place.