Microsoft Defender XDR Monthly news - March 2024 Edition

Microsoft Defender XDR Blog
HeikeRitter (Microsoft)
Mar 05, 2024
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2023.  

Microsoft Defender XDR

(Generally available) Dark mode is now available in the Microsoft Defender portal. In the Defender portal, on the top right-hand side of the homepage, select Dark mode. Select Light mode to change the color mode back to the default. 

(Generally available) Assigning severity to incidents, assigning an incident to a group, and the go hunt option from the attack story graph are now generally available. Guides to learn how to assign or change incident severity and assign an incident to a group are in the Manage incidents page. Learn how you can use the go hunt option by exploring attack story.

(Preview) Custom detection rules in Microsoft Graph security API are now available. Create advanced hunting custom detection rules specific to your org to proactively monitor for threats and take action.

Microsoft Security Experts

Hunting for QR Code AiTM Phishing and User Compromise. This blog explains the mechanics of QR code phishing, and details how Defender Experts hunt for these phishing campaigns. Additionally, it outlines the procedures in place to notify customers about the unfolding attack narrative and its potential ramifications.

Welcome to the Microsoft Defender Experts Ninja Hub. We’re excited to announce our Microsoft Defender Experts Ninja Hub. We have compiled document guides, videos, and other resources to help you get familiar with our Defender Experts services and stay up to date on the latest from the Defender Experts team.

Microsoft Defender for Endpoint

Two new ASR rules are now in public preview:
Two new ASR rules are now in public preview:
  • Block rebooting machine in Safe Mode (preview): This rule prevents the execution of commands to restart machines in Safe Mode.
  • Block use of copied or impersonated system tools (preview): This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools.

Microsoft Defender for Identity

We published a new Mechanics Video showcasing our ITDR platform. In this video Daniel Lynch, Microsoft Defender for Identity’s Senior Product Manager, shares how Identity Threat Detection and Response can be utilized in daily operations and coordinated actions throughout every phase of an identity-related security incident, strengthening your organization's defense posture. 

New: Alert thresholds configuration option. We've updated our portal to give you finer control over alert thresholds and behavior. Learn more in our documentation.

Defender for Identity daily, weekly, monthly operations guide. We just published a new docs page to guide you through common operational tasks. 

Microsoft Defender XDR now includes device descriptions on device details panes and device details pages. The descriptions are populated from the device's Active Directory Description attribute.

Microsoft Defender for Cloud Apps

New App governance alerts for Credential Access and Lateral Movement. 

We've added the following new alerts for App governance customers:

For more information, see App governance in Defender for Cloud Apps.

SSPM support for more connected apps in general availability. Defender for Cloud Apps provides you with security recommendations for your SaaS applications to help you prevent possible risks. These recommendations are shown via Microsoft Secure Score once you have a connector to an application. 

Defender for Cloud Apps has now enhanced its SSPM support in general availability by including the following apps:

SSPM is also now supported for Google Workspace in General Availability.

Microsoft Defender for Office 365

Updates to Configuration Analyzer in Defender for Office 365. We are excited to announce several updates to Configuration analyzer - read this blog post to learn more about these updates. 

Recently these videos have been posted on YouTube:

Microsoft Defender Vulnerability Management

We recently published the Defender Vulnerability Management Ninja Training! Have a look, take the knowledge check and grab your fun certificate. 

Blogs on Microsoft Security

Microsoft Copilot for Security: The great equalizer for government security. Microsoft Copilot for Security is the first generative AI security product that will help defend organizations at machine speed and scale. It combines the most advanced GPT-4 model from OpenAI with a Microsoft-developed security model, powered by Microsoft Security’s unique expertise, global threat intelligence, and comprehensive security products.

Announcing Microsoft’s open automation framework to red team generative AI systems. Today, we are releasing an open automation framework, PyRIT (Python Risk Identification Toolkit for generative AI), to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.

Get the most out of Microsoft Copilot for Security with good prompt engineering. Good prompt engineering can greatly improve generative AI outputs, which means more relevant and accurate results. Microsoft Copilot for Security includes featured prompts as well as promptbooks to help security teams better investigate, manage, and respond to cyberthreats.
Updated Oct 29, 2024
Version 2.0
  • BrechtKUL:

    Can you elaborate on "assign an incident to a group"? This sounds like a way to assign an incident to a group of administrators somehow. But it is only possible to assign it to a single administrator, as it always has been. Am I missing something?

  • BrechtKUL:

    You're right, I can indeed search for a group and assign the incident to it.

    The text in the manual "You can select the Assign to box and specify the user account to assign an incident." put me on the wrong foot.

    However, now I'm wondering what the use case would be. As far as I know, assigning an incident does not have any consequences like alerting the assignees or giving the assignees additional permissions on the incident. The only use case would be filtering for assignments to a group in the incident list.

  • BrechtKUL:

    However, I can't get the group filtering to work. I can choose the group and click apply, but the filter clears itself.

    Result:
  • Hi BrechtKUL, I checked with the team, and we actually deployed an update for this feature a couple of days ago. It is possible that it takes a couple of days to be deployed to all tenants. I'd like to ask you to please try again, and if it doesn't work, try again in a couple of days. Would that be okay?

  • BrechtKUL:

    I just checked again and it still shows the same behaviour, where the group name disappears and the filter does not seem to work. However, this only seems to happen with the group I was using to test the filter functionality. When filtering on other groups, the filter seems to work.

    Maybe because the group I was using to test is empty.