Microsoft Defender XDR Blog

Monthly news - June 2023

HeikeRitter (Microsoft)
Jun 06, 2023


This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2023.  

Microsoft 365 Defender

Alert tuning is now generally available. Alert tuning lets you fine-tune alerts to reduce investigation time and focus on resolving high priority alerts. Alert tuning replaces the Alert suppression feature. We also published a blog on how to "Boost your detection and response workflows with alert tuning".

[Animated GIF: the new alert tuning experience]

(Preview) Custom functions: Custom functions are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment.

Ninja Show Season 4 is here! In this season we included a special mini-series on incident response, with lots of demos on how to investigate incidents following playbooks. Check out episode 1 "Investigation Capabilities in Microsoft 365 Defender". Add upcoming episodes to your calendar > https://aka.ms/ninjashow

[Image: Virtual Ninja Show Season 4 is here]

Implement Microsoft Sentinel and Microsoft 365 Defender for Zero Trust. This solution guide walks through the process of setting up Microsoft eXtended detection and response (XDR) tools together with Microsoft Sentinel to accelerate your organization’s ability to respond to and remediate cybersecurity attacks.

(GA) Automatic attack disruption is now generally available. This capability automatically disrupts human-operated ransomware (HumOR), business email compromise (BEC), and adversary-in-the-middle (AiTM) attacks.

Find more resources about Automatic attack disruption here.

Great blog post on "how the built-in attack disruption capabilities in Microsoft 365 Defender help disrupt adversary-in-the-middle (AiTM)" attacks.

Microsoft Defender for Endpoint

Performance mode for Microsoft Defender Antivirus is now available for public preview. This new capability provides asynchronous scanning on a Dev Drive, and does not change the security posture of your system drive or other drives. For more information, see Protecting Dev Drive using performance mode.

Microsoft Defender for Cloud Apps

We are thrilled to introduce a new data type, called Behaviors in Microsoft 365 Defender, that will transform how you investigate alerts across all your workloads, starting with SaaS apps.

Behavior-generating policies no longer generate alerts (Preview). Starting May 28, 2023, policies that generate behaviors in Microsoft 365 Defender advanced hunting do not generate alerts. The policies will continue generating behaviors regardless of being enabled or disabled in the tenant's configuration. For more information, see Investigate behaviors with advanced hunting (Preview).

Non-blockable applications: To prevent users from accidentally causing downtime, Defender for Cloud Apps now prevents you from blocking business-critical Microsoft services. For more information, see Govern discovered apps.

Microsoft Defender for Identity

The Microsoft 365 Identity page now includes a representation of the on-premises Active Directory account controls. The Identity page also includes UI updates for the lateral movement path experience. No functionality was changed. For more information, see Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity.

New health alert for VPN (RADIUS) integration data ingestion failures. For more information, see Defender for Identity sensor health alerts.

New health alert for verifying that ADFS Container Auditing is configured correctly. For more information, see Microsoft Defender for Identity sensor health alerts.

The identity Timeline tab now contains new and enhanced features! With the updated timeline, you can now filter by Activity type, Protocol, and Location, in addition to the original filters. You can also export the timeline to a CSV file and find additional information about activities associated with MITRE ATT&CK techniques.

Microsoft Defender for Office 365

Introducing the release of Attack Simulation Training Write API functionality (available in beta). The API documentation can be found on Microsoft Learn.

Responding to targeted mail attacks with Microsoft 365 Defender. This blog post discusses steps that can be taken to respond to such a malicious mailing campaign using Microsoft 365 Defender.

Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.

  • Shared mailboxes require Send As or Send On Behalf permission for the user.
  • Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.

Blogs on Microsoft Security
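The permission requirements above are easy to get wrong when a delegate reports that the Report button does nothing for a mailbox they manage. The following Exchange Online PowerShell check is an added example, not code from the blog post or from Microsoft; it assumes an existing Connect-ExchangeOnline session, uses constructed placeholder addresses, and treats "Read and Manage" as the FullAccess mailbox permission and the Send On Behalf entry as matching the delegate's recipient Name (both assumptions).

```powershell
# Added example (not from the original post). Audits whether a delegate holds
# the permissions the built-in Outlook on the web report feature needs on a
# shared or other mailbox. Assumes an Exchange Online PowerShell session.
param(
    [string]$Mailbox  = 'shared-mailbox@contoso.example',   # constructed placeholder
    [string]$Delegate = 'delegate@contoso.example'          # constructed placeholder
)

# Send As is stored as a recipient permission with AccessRights 'SendAs'.
$sendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $Delegate `
              -AccessRights SendAs -ErrorAction SilentlyContinue
$hasSendAs = [bool]$sendAs

# Send On Behalf is a list on the mailbox object. Assumption: entries render
# as the recipient's Name property, so compare against that.
$delegateName    = (Get-Recipient -Identity $Delegate).Name
$mbx             = Get-Mailbox -Identity $Mailbox
$hasSendOnBehalf = @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.ToString() }) -contains $delegateName

# "Read and Manage" in the admin center corresponds to FullAccess (assumption).
$fullAccess    = Get-MailboxPermission -Identity $Mailbox -User $Delegate -ErrorAction SilentlyContinue |
                 Where-Object { $_.AccessRights -contains 'FullAccess' }
$hasFullAccess = [bool]$fullAccess

# Shared mailboxes only need a send permission; other mailboxes also need Read and Manage.
$canSend      = $hasSendAs -or $hasSendOnBehalf
$isShared     = $mbx.RecipientTypeDetails -eq 'SharedMailbox'
$meetsRequire = if ($isShared) { $canSend } else { $canSend -and $hasFullAccess }

[pscustomobject]@{
    Mailbox          = $Mailbox
    Delegate         = $Delegate
    IsSharedMailbox  = $isShared
    SendAs           = $hasSendAs
    SendOnBehalf     = $hasSendOnBehalf
    ReadAndManage    = $hasFullAccess
    CanReportMessages = $meetsRequire
}
```

Run it once per mailbox/delegate pair; a `CanReportMessages` of `False` with the individual columns tells you which of the two requirement sets from the list above is missing, so the fix is a targeted permission grant rather than a broad one.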

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. China-based Volt Typhoon (DEV-0391) is stealthily achieving and maintaining access to multiple critical infrastructure organizations in Guam and the mainland United States. The low level of activity and long dwell times suggest that DEV-0391’s goal is to retain access as long as possible, until directed to act on objectives.

New macOS vulnerability, Migraine, could bypass System Integrity Protection. A new zero-day vulnerability, which we refer to as “Migraine”, could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device.

XDR meets IAM: Comprehensive identity threat detection and response with Microsoft.
Updated Oct 29, 2024
Version 2.0