Microsoft Defender XDR Blog

Monthly news - November 2022

HeikeRitter
Dec 05, 2022


This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products.  

Microsoft 365 Defender
Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender.
Identity Protection alerts are now available in Microsoft 365 Defender. 
(Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
DEV-0569 finds new ways to deliver Royal ransomware, various payloads. DEV-0569’s recent activity shows their reliance on malvertising and phishing to deliver malicious payloads. The group’s changes to delivery and payload have led to the distribution of info stealers and Royal ransomware.
Vulnerable SDK components lead to supply chain risks in IoT and OT environments. Researchers investigated an electrical grid intrusion that may have used common IoT devices to gain a foothold in the OT network, and found a web server component that, although discontinued since 2005, is still built into and prevalent in many IoT devices.
Query resource report in advanced hunting (public preview). The query resources report shows your organization's consumption of CPU resources for hunting, based on queries that ran in the last 30 days through any of the hunting interfaces. Use it to identify the most resource-intensive queries and to avoid throttling caused by excessive use.
New advanced hunting table: DeviceTvmHardwareFirmware. The DeviceTvmHardwareFirmware table in the advanced hunting schema contains the hardware and firmware information of devices as assessed by Microsoft Defender Vulnerability Management, including the system model, processor, and BIOS.
Microsoft Defender for Cloud Apps
Introducing the Microsoft Defender for Cloud Apps data protection series. In this brand-new blog series focused on information protection in Microsoft Defender for Cloud Apps, members of the product group walk through how to protect the data that lives inside your SaaS apps.
Microsoft Defender for Cloud Apps data protection series: Understand your data types. Our second installment in the Microsoft Defender for Cloud Apps data protection series, where we focus on the different types of data that can be protected.

App Governance is a Key Part of a Customer's Zero Trust Journey - Watch this webinar now on YouTube. This webinar focuses on how App governance helps customers implement Zero Trust in their environments. We walk you through a typical scenario and how it aligns with the Zero Trust pillars.

Workplace by META API connector is now available in Defender for Cloud Apps. The Workplace by META API connector in Defender for Cloud Apps provides enhanced visibility into, and control over, user activities in Workplace.
Microsoft Defender for Endpoint
The new device timeline is now generally available.

The device timeline shows every event observed on a device in chronological order. It is mostly used to deepen an investigation: pivot from an alert and learn what happened on the device before and after the suspicious activity.

The new view keeps all of the existing functionality and adds faster loading, fetching larger chunks of data at a time (1,000 events instead of 200), along with several UI improvements for a smoother experience:

  • New event side panel, aligned with the alert story process tree experience, for easy orientation
  • Enhanced MITRE data, showing all related techniques and tactics at a single event panel
  • Linking events to the new user side panel, providing more details and context to the investigation without leaving the page
  • Better visibility to the data set shown in the timeline, by reflecting the applied filters on top of the table
Detecting and remediating command and control attacks at the network layer. Microsoft Defender for Endpoint helps SecOps teams detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries.
Mobile Network Protection for Defender for Endpoint on Android and iOS now generally available. Microsoft brings the network protection features of Defender for Endpoint to Android and iOS, giving organizations more ways to identify, assess, and remediate endpoint weaknesses with the help of threat intelligence.
Use the new Microsoft 365 Defender API for all your alerts. The new Microsoft 365 Defender alerts API, currently in public preview, enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration. 
Announcing new removable storage management features on Windows. Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows.

Microsoft Defender for Endpoint now integrated with Zeek. The integration of Zeek into Microsoft Defender for Endpoint provides new levels of network analysis capabilities based on deep inspection of network traffic powered by Zeek, a powerful open-source network analysis engine that allows researchers to tackle sophisticated network-based attacks in ways that weren't possible before. 

Built-in protection is now generally available. Built-in protection is a set of default settings, rolling out to tenants now, that help protect your organization's devices from ransomware and other threats. The first of these defaults is tamper protection turned on across the tenant; organizations that manage the setting themselves can opt out before it is applied.

Check out the Library API to upload/delete/update files in your tenant's library. 

Stopping C2 communications in human-operated ransomware through network protection. Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications.

Microsoft Defender for Identity
Deprecation of the Defender for Endpoint <> Defender for Identity Integration. At the end of November, the Defender for Identity portal's integration with Microsoft Defender for Endpoint will no longer be supported. We highly recommend using the Microsoft 365 Defender portal (https://security.microsoft.com), which has the integration built in.

New option for running remediation actions using the sensor server's LocalSystem account. Defender for Identity can now use the LocalSystem account on the domain controller to perform remediation actions (enable/disable user, force user password reset), in addition to the gMSA option that was available before. This gives out-of-the-box support for remediation actions without provisioning a dedicated gMSA.

New health alert for verifying

Microsoft Defender for Office 365
Build custom email security reporting with Microsoft Defender for Office 365 and Power BI. In this blog, we showcase an example of how you can use Power BI and the Microsoft 365 Defender Advanced Hunting APIs to build a custom dashboard, and share a template that you can customize and extend.
Microsoft announces partnership with SANS Institute to deliver a new series of computer-based training (CBT) modules in the Attack Simulation Training service. The modules focus on IT systems and network administrators. Microsoft is excited to collaborate with a recognized market leader in cyber security training to bring our customers training that helps address a critical challenge in the modern threat landscape: educating and upskilling security professionals.
Why Microsoft is the right choice for healthcare. First in an industry series focusing on why Microsoft is the right choice for your security needs in healthcare.
Microsoft Defender Vulnerability Management

Reduce OpenSSL 3.0 vulnerability risk with Microsoft Defender Vulnerability Management. The OpenSSL project published two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. OpenSSL versions 3.0.0 through 3.0.6 are affected (1.1.1 and earlier are not), and the guidance is that OpenSSL 3.0 users should expedite the upgrade to OpenSSL 3.0.7 to reduce the impact of this threat.
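To turn that advisory into a hunt, the following advanced hunting query is an added example (not code from this post or from the linked blog). It assumes the public DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareInventory schemas; the `SoftwareName =~ "openssl"` match is an assumption about how the inventory names the package.

```kql
// Added example, not from the original post.
// Part 1: devices Defender Vulnerability Management already flags for the two
// OpenSSL 3.0 CVEs, one row per affected software install, so the 3.0.7 upgrade
// can be prioritised by what is actually exposed.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-3602", "CVE-2022-3786")
| summarize Cves = make_set(CveId), Severity = take_any(VulnerabilitySeverityLevel)
    by DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion
| order by DeviceName asc
```

A second, independent check against the inventory itself catches the affected range even before the CVE mapping has caught up; the package name match is the assumption noted above:

```kql
// Added example, not from the original post.
// Part 2: any inventoried OpenSSL build in the affected 3.0.0 .. 3.0.6 range.
// Assumption: the inventory records the package under the name "openssl".
DeviceTvmSoftwareInventory
| where SoftwareName =~ "openssl"
| where parse_version(SoftwareVersion) between (parse_version("3.0.0") .. parse_version("3.0.6"))
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion
| order by DeviceName asc
```

Treat both result sets as a lower bound: a copy of OpenSSL statically linked into an application binary or shipped inside a container image is not an inventoried package, so it will not appear here and has to be found through the vendor's own advisory.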

Announcing Software Usage Insights in public preview. Organizations can view the number of devices using specific Windows software and the median usage for the past 30 days to better inform organizations of the user impact if they want to block software or any vulnerable versions.
Firmware assessments support now in public preview in Microsoft Defender Vulnerability Management. This new firmware assessments feature gives customers full visibility into device manufacturer, processor and BIOS information.
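The data behind this assessment is the DeviceTvmHardwareFirmware table introduced in the Microsoft 365 Defender section above. The query below is an added example rather than code from the post; it assumes the public schema of that table (DeviceId, DeviceName, ComponentType, Manufacturer, ComponentName, ComponentVersion) and that ComponentType is "Hardware" for the system model row and "Bios" for the BIOS row.

```kql
// Added example, not from the original post.
// Assumptions: DeviceTvmHardwareFirmware has DeviceId, DeviceName, ComponentType,
// Manufacturer, ComponentName, ComponentVersion; "Hardware" rows carry the system
// manufacturer/model and "Bios" rows carry the BIOS vendor/version.
//
// One row per (system model, BIOS version) with a device count, so a single
// machine left on an old BIOS stands out against the rest of its model.
DeviceTvmHardwareFirmware
| where ComponentType == "Bios"
| project DeviceId, DeviceName, BiosVendor = Manufacturer, BiosVersion = ComponentVersion
| join kind=inner (
    DeviceTvmHardwareFirmware
    | where ComponentType == "Hardware"
    | project DeviceId, SystemManufacturer = Manufacturer, SystemModel = ComponentName
  ) on DeviceId
| summarize Devices = dcount(DeviceId), SampleDevice = take_any(DeviceName)
    by SystemManufacturer, SystemModel, BiosVendor, BiosVersion
| order by SystemManufacturer asc, SystemModel asc, Devices desc
```

BIOS version strings are vendor-specific (dotted numbers for some OEMs, letter-prefixed strings for others), so compare versions within a model rather than across the fleet, and only reach for parse_version() on the models whose strings are purely dotted numeric.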
Updated Oct 29, 2024