Monthly news - November 2022
Published Dec 05 2022 01:38 AM 5,566 Views

Microsoft 365 Defender
Monthly news
November 2022

OFT header v4.png

This is our monthly "What's new" blog post, summarizing product updates and various assets we have across our Defender products.  

Product videos.png Product videos webcast recordings.png Webcast (recordings) Docs on MS.png Docs on Microsoft Blogs on MS.png Blogs on Microsoft
GitHub.png GitHub External.png External Product improvements.png Product improvements Public Preview sign-up.png Previews / Announcements
Microsoft 365 Defender
Public Preview sign-up.png Investigate incidents more effectively with the new attack story view in Microsoft 365 Defender.
Product improvements.png Identity Protection alerts are now available in Microsoft 365 Defender. 
Public Preview sign-up.png (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to Expanded Microsoft Defender Experts for XDR preview.
 Blogs on MS.png DEV-0569 finds new ways to deliver Royal ransomware, various payloads. DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.
 Blogs on MS.png Vulnerable SDK components lead to supply chain risks in IoT and OT environments. Researchers investigated an electrical grid intrusion that may have used common IoT devices to gain a foothold into the OT network and found a web server component that although discontinued since 2005, is still implemented and prevalent in many IoT devices
 Public Preview sign-up.png Query resource report in advanced hunting (public preview). The query resources report shows your organization's consumption of CPU resources for hunting based on queries that ran in the last 30 days using any of the hunting interfaces. This report is useful in identifying the most resource-intensive queries and understanding how to prevent throttling due to excessive use.
Product improvements.png  New advanced hunting table: DeviceTvmHardwareFirmware. The DeviceTvmHardwareFirmware table in the advanced hunting schema contains hardware and firmware information of devices as checked by Microsoft Defender Vulnerability Management. The information includes the system model, processor, and BIOS, among others.
Microsoft Defender for Cloud Apps
Blogs on MS.png Introducing the Microsoft Defender for Cloud Apps data protection series. A brand-new blog series focused on information protection in Microsoft Defender for Cloud Apps, various members of the Product Group will walk us through how to protect the data that lives inside your SaaS apps.
Blogs on MS.png Microsoft Defender for Cloud Apps data protection series: Understand your data types. Our second installment in the Microsoft Defender for Cloud Apps data protection series, where we focus on the different types of data that can be protected.
webcast recordings.png

App Governance is a Key Part of a Customers' Zero Trust Journey - Watch this webinar now on YouTube. This webinar focused on how App governance helps customers implement Zero Trust in their environments. We walk you through a typical scenario and how it is aligned to Zero Trust pillars.

Product improvements.png Workplace by META API connector is now available in Defender for Cloud Apps. Workplace by META API connector in Defender for Cloud Apps provide you enhanced visibility and control over user activities in Workplace. 
Microsoft Defender for Endpoint
Public Preview sign-up.png The new device timeline is now generally available. 

The device timeline reflects all the event observed on a device in a chronological order, it’s mostly used to deepen the investigation and pivot from an alert to learn what happened on a device before/after the suspicious activity.
the new view keeps the existing functionality in pair, in addition to performance several UI improvements.

The new timeline offers faster loading time, while seamlessly fetching bigger chunks of data (1000 instead of 200), in addition to several UI improvements for a smoother experience.

  • New event side panel, aligned with the alert story process tree experience, for easy orientation
  • Enhanced MITRE data, showing all related techniques and tactics at a single event panel
  • Linking events to the new user side panel, providing more details and context to the investigation without leaving the page
  • Better visibility to the data set shown in the timeline, by reflecting the applied filters on top of the table
Public Preview sign-up.png Detecting and remediating command and control attacks at the network layer. Microsoft Defender for Endpoint helps SecOps teams detect network C2 attacks earlier in the attack chain, minimize the spread by rapidly blocking any further attack propagation, and reduce the time it takes to mitigate by easily removing malicious binaries.
Public Preview sign-up.png Mobile Network Protection for Defender for Endpoint on Android and iOS now generally available.  Microsoft brings network protection features in Defender for Endpoint to Android and iOS providing more ways to help organizations identify, assess, and remediate endpoint weaknesses with the help of threat intelligence.
Public Preview sign-up.png Use the new Microsoft 365 Defender API for all your alerts. The new Microsoft 365 Defender alerts API, currently in public preview, enables customers to work with alerts across all products within Microsoft 365 Defender using a single integration. 
Public Preview sign-up.png Announcing new removable storage management features on Windows. Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows.
Public Preview sign-up.png

Microsoft Defender for Endpoint now integrated with Zeek. The integration of Zeek into Microsoft Defender for Endpoint provides new levels of network analysis capabilities based on deep inspection of network traffic powered by Zeek, a powerful open-source network analysis engine that allows researchers to tackle sophisticated network-based attacks in ways that weren't possible before. 

Public Preview sign-up.png Built-in protection is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected. Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats.
Docs on MS.png

Check out the Library API to upload/delete/update files in your tenant's library. 

Blogs on MS.png

Stopping C2 communications in human-operated ransomware through network protection. Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint’s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications.

Microsoft Defender for Identity
Public Preview sign-up.png Deprecation of the Defender for Endpoint <> Defender for Identity Integration. At the end of November, integration with Microsoft Defender for Endpoint will no longer be supported. We highly recommend using the Microsoft 365 Defender portal ( which has the integration built-in.
Public Preview sign-up.png

New option for running the remediation actions by using the sensor's server LocalSystem account. Defender for Identity can now use the LocalSystem account on the domain controller to perform remediation actions (enable/disable user, force user reset password), in addition to the gMSA option that was available before. This enables out of the box support for remediation actions.

Product improvements.png

New health alert for verifying

Microsoft Defender for Office 365
Blogs on MS.png Build custom email security reporting with Microsoft Defender for Office 365 and PowerBI. In this blog, we will showcase an example on how you can leverage Power BI and the Microsoft 365 Defender Advanced Hunting APIs to build a custom dashboard and share a template that you can customize and extend.
Public Preview sign-up.png Microsoft announces partnership with SANS Institute to deliver a new series of computer-based training (CBT) modules in the Attack Simulation Training service. The modules will focus on IT systems and network administrators. Microsoft is excited to collaborate with a recognized market leader in cyber security training to bring our customers training that can help our customers address a critical challenge in the modern threat landscape: educating and upskilling security professionals.
Blogs on MS.png Why Microsoft is the right choice for healthcare. First in an industry series focusing on why Microsoft is the right choice for your security needs in healthcare.
Microsoft Defender Vulnerability Management
Blogs on MS.png

Reduce OpenSSL 3.0 vulnerabilities risks with Microsoft Defender Vulnerability Management. The OpenSSL team published two high severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. Any OpenSSL versions between 3.0.0 and 3.0.6 are affected and the guidance is OpenSSL 3.0 users should expedite upgrade to OpenSSL v 3.0.7 to reduce the impact of this threat.

Public Preview sign-up.png Announcing Software Usage Insights in public preview. Organizations can view the number of devices using specific Windows software and the median usage for the past 30 days to better inform organizations of the user impact if they want to block software or any vulnerable versions.
Public Preview sign-up.png Firmware assessments support now in public preview in Microsoft Defender Vulnerability Management. This new firmware assessments feature provides customers with full visibility into device manufacturer, processor and BIOS information
Version history
Last update:
‎Apr 20 2023 03:28 AM
Updated by: