Blog Post

Microsoft Defender XDR Blog
5 MIN READ

Monthly news - June 2024

HeikeRitter's avatar
HeikeRitter
Icon for Microsoft rankMicrosoft
May 31, 2024

Microsoft Defender XDR
Monthly news
June 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2024.  

Legend:
Product videos Webcast (recordings) Docs on Microsoft Blogs on Microsoft
GitHub External Improvements Previews / Announcements
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
Host Microsoft Defender data locally in Switzerland. We are pleased to announce that local data residency support in Switzerland is now generally available for Defender for Endpoint and Defender for Identity. 
Create custom detections that include both Microsoft Sentinel and Defender XDR data. With the Unified Security Operations Platform, you are now able to create a customizable detection to look across both Microsoft Sentinel and Defender XDR data, without requiring any additional ingestion, via Custom detections. You will no longer have to duplicate data across both environments to ensure you are capturing what is necessary. Analytics rules will continue to work on any data ingested into Microsoft Sentinel. Learn more in our documentation.

Advanced hunting query API via Graph API is now available for log analytics data!
A new optional parameter "timespan" for the Graph API was added and allows you to query your log analytics data for any lookback time, not only for 30 days. This new parameter is not yet documented, but will get added to this link

SOC optimization: unlock the power of precision-driven security management

A new experience and API is currently in public preview – Microsoft Sentinel’s SOC Optimization, designed to empower security teams with precision-driven management capabilities. Read the announcement blog, and watch the webinar with a live demo

SOC optimization - Unified Security Operations Platform

New Ninja show episodes:

  • New Defender XDR Copilot for Security Capabilities: Tune into this episode to learn the latest advancements, now available in the April release of Copilot for Security GA. We dive into the notable enhancements and new features, such as Guided Response for all incident types, comprehensive device and file summaries, end-user communications, and much more.
  • Answering Your Questions: Attack Disruption ExplainedAttack Disruption is an automated response feature, designed to contain an ongoing attack quickly and effectively by leveraging high-confidence signals from both Microsoft Defender and non-Microsoft products. This episode addressees the most frequently asked questions about Attack Disruption and shares clarifications on its functionality.
Microsoft Security Exposure Management

Respond to trending threats and adopt zero-trust with Exposure Management.

This blog post shares updates to Security Initiatives and also gives a heads up about a few updates to attack path analysis. 

Microsoft Security Experts

A BlackByte Ransomware intrusion case study. 

This blog details an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.  

Recover an Active Directory Certificate Services (ADCS) platform from compromise.

This blog describes comprehensive backup and restore strategies for ensuring swift recovery and restoration of essential certificate services following a cyberattack or data breach.

Hunting for MFA manipulations in Entra ID tenants using KQL.

This blog describes how to use Kusto Query Language (KQL) to parse and hunt for MFA modifications in Microsoft Entra audit logs. By the end of this blog, you will have a better understanding of how to track MFA changes in compromised tenants using KQL queries and how to improve your cloud security posture. 

Microsoft Defender Experts Services Expanded Coverage Upcoming Preview. 

The upcoming preview of our Defender Experts services expanded coverage scheduled for June 2024 extends the capabilities to include customers’ cloud estates with servers and virtual machines running in Microsoft Azure and on-premises via Defender for Servers in Microsoft Defender for Cloud. In addition, our coverage will utilize third-party network signals to enhance investigations, create more avenues to generate leads for comprehensive threat hunting, and accelerate response earlier in the attack chain.

Microsoft Defender for Endpoint

Simplify triage with the new Alert Timeline. 

This blog introduces the latest feature to our rich reporting feature set - the alert timeline - a new view that minimizes the time needed for triage and investigation without compromising the quality of analysis.  

Offline Security Intelligence Update is now generally available.

Organizations can now update security intelligence (also referred to as “signatures”) on Linux endpoints with limited or no exposure to the internet using a local hosting server. Details in this blog

Update: The Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL) is generally available as of 05/23/2024. Details in this blog.
Update: The streamlined device connectivity experience is generally available as of 5/8/2024. Details in this blog.
Microsoft Defender for Identity

Easily detect CVE-2024-21427 with Defender for Identity.

This blog details the new activity added to the Advanced Hunting experience in the Defender portal which can help you spot potential attempts to exploit this vulnerability.  

Microsoft Defender for Cloud Apps

App Governance capabilities are now available in GCCH & DoDApp Governance capabilities in Defender for Cloud Apps are now available to opt-in in GCCH& DoD - go ahead and enable it to increase your app protection.

Defender for Cloud Apps now provides new in-browser protection capabilities via Microsoft Edge to enable security teams to seamlessly manage how a user can interact with in-app data based on their risk profile. The in-browser protection removes the need for proxies, improving both security and productivity, based on session policies that are applied directly to the browser. Details in this blog

A block message from Defender for Cloud Apps to prevent the download of a sensitive file within the Edge browser

Microsoft Defender for Office 365

Automated responses to users via Automated Investigation and Response (AIR) is now generally available. Details in this blog

Enhanced Response Action Experience from Threat Explorer. 

You can now take multiple actions at the same time on messages via Threat Explorer. This feature makes it easier and faster for SecOps to deal with email threats by giving you logical grouping of actions, contextual availability of actions, and support for tenant level block URLs and files. Details in this blog

Email Protection Basics in Microsoft 365 Part Five: Mastering Overrides.

This blog is the fifth and final part of the "email protection basics" blog series,  and it covers the different overrides, why you may need them, and why it isn’t a good idea to keep them permanently.  

Microsoft Security Blogs

“Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps. 

Microsoft discovered a high impact vulnerability pattern found in popular Android applications that a malicious app can leverage along with an advanced & previously to compromise vulnerable apps on the same device, potentially leading to account credentials, tokens, sensitive data.

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware.

Microsoft Threat Intelligence has observed Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks that led to malware like Qakbot followed by Black Basta ransomware deployment.

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks.

Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a malicious game, and deliver a new custom ransomware.

 

Updated May 31, 2024
Version 2.0