Microsoft Defender for Identity
54 TopicsMonthly news - December 2024
Microsoft Defender XDR Monthly news December 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel Ignite news: What's new in Microsoft Defender XDR? This blog summarizes Ignite news related to Defender XDR. Security Copilot: A game changer for modern SOC We have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. (Preview)Attack pathsin the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, seeattack paths in the attack story. (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, seeExport incident data to PDF. (GA) Thelast update timecolumn in theincident queue is now generally available. (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, seeInvestigate and respond to container threats in the Microsoft Defender portal. (GA) Thearg()operator inadvanced huntingin Microsoft Defender portal is now generally available. Users can now use thearg() operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. (Preview) TheCloudProcessEvents table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. (Preview) Migrating custom detection queries toContinuous (near real-time or NRT) frequencyis now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps inContinuous (NRT) frequency. Ninja Show Episodes: Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Microsoft Sentinel Microsoft Sentinel availability in Microsoft Defender portal! (Preview) Now Microsoft Sentinel is also available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see: Microsoft Sentinel in the Microsoft Defender portal Connect Microsoft Sentinel to the Microsoft Defender portal Upcoming Ninja Show Episode Dec 10, 9AM PT: Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT:Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Vulnerability Management Upcoming webinar Jan 14, 9AM PT: How to Get the Most Out of Microsoft Defender for Vulnerability Management Join us to learn about the Defender Vulnerability Management capabilities, business use cases and best practices to develop and implement posture & risk management in your organization. During this session, the engineering team will guide you through the recent released features and capabilities as well as product vision and roadmap. The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, seeWindows authenticated scan deprecation FAQs. We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, seeKnown issues with data collection. Microsoft Defender for Identity Seamless protection for your on-prem identities with Defender for Identity. This blog summarizes various exciting announcements made at Ignite that simplify how customers deploy and manage their identity threat landscape: One platform, one agent:Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP Easily manage your sensors via API:Automate deployment, configuration and monitoring of sensors in your environment Integrate Privileged Access Management solutions:Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea Ninja Show episode: Microsoft Defender for Identity for Entra Connect In this episode, product experts Lior Shapira and Ayala Ziv explain how Microsoft Defender for Identity sensor for Entra Connect servers enables comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, providing critical insights into potential security threats. Tune in to explore the latest detections and posture recommendations for Entra Connect by learning the importance of protecting hybrid identities and exploring real-world scenarios. Microsoft Security Exposure Management Announcing the General Availability of Microsoft Security Exposure Management! We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. We made enhancements to the Attack path Hybrid attack paths: On-Prem to Cloud DACL-based path analysis to learn more about those, please visit our documentation. External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Learn more on our docs. Discovery sources available in the inventory and attack surface map The Device Inventory and Attack Surface Map now display the data sources for each discovered asset. This feature provides an overview of which tools or products reported each asset, including Microsoft and external connectors like Tenable or ServiceNow CMDB. Learn more on our docs. Microsoft Security Exposure Management is now supported in Microsoft Defender XDR Unified role-based access control (RBAC). Access control to Microsoft Security Exposure Management can now be managed using Microsoft Defender XDR Unified Role-Based Access Control (RBAC) permissions model with dedicated and granular permissions. Learn more on our docs. OT security initiative The new Operational Technology (OT) security initiative equips practitioners with a powerful tool to identify, monitor, and mitigate risks across the OT environment, ensuring both operational reliability and safety. This initiative aims to identify devices across physical sites, assess their associated risks, and provide faster, more effective protection for OT systems. For more information, see,Review security initiatives Content versioning notifications The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs. For more information on exposure insights, seeOverview - Exposure insights Exposure history for metrics User can investigate metric changes by reviewing the asset exposure change details. From the initiative'sHistorytab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time. For more information, see,Reviewing initiative history SaaS security initiative The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture. For more information, see,SaaS security initiative Microsoft Defender for Cloud Apps Secure your SaaS landscape with the latest Defender for Cloud Apps innovations. This blog summarizes the following innovations in Defender for Cloud Apps announced at Ignite to help address these challenges: SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls. Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively. Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience. (Preview) Defender for Cloud Apps support for Graph API Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on theDiscovered appspage, such as applying filters to view specific data. The API supportsGETcapabilities only. For more information, see: Work with discovered apps via Graph API Microsoft Graph API reference for Microsoft Defender for Cloud Apps SaaS Security initiative in Exposure Management Microsoft Security Exposure Managementoffers a focused, metric-driven way of tracking exposure in specific security areas using securityinitiatives. The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations. This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD For more information, seeSaaS security initiative. Internal Session Controls application notice The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. Please ensure there is no CA policy restricting access to this application. For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate. For more information, seeSample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps. (Preview) Visibility into app origin Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. For more information, seedetailed insights into OAuth apps. (Preview) Permissions filter and export capabilities Defender for Cloud Apps users who use app governance can utilize the newPermissionsfilter and export capabilities to quickly identify apps with specific permissions to access Microsoft 365. For more information, seefilters on app governance. (Preview) Visibility into privilege level for popular Microsoft first-party APIs Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. For more information, seeOAuth app permission related details on app governance. (Preview) Granular data usage insights into EWS API access Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API. For more information, seeOAuth app data usage insights on app governance. Microsoft Defender for Endpoint Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights. Intune ending support for Android device administrator on devices with GMS in December 2024. Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access toGoogle Mobile Services(GMS), beginning December 31, 2024. For devices with access to GMS After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. Intune and Defender for Endpoint technical support will no longer support these devices. For more information, seeTech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024.428Views1like1CommentIntroducing the new Defender for Identity Health Alert API
Microsoft Defender for Identity (MDI) is a cloud-based security solution that helps monitor and protect identities and infrastructure across your organization. MDI is a core component of Microsoft Defender XDR, leveraging signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced cyberthreats directed at your organization. Recently, Defender for Identity (MDI) introducedGraph based API to view Defender for Identity Health issues.7.3KViews3likes5CommentsIgnite news: Seamless protection for your on-prem identities with Defender for Identity
Easily deploy Defender for Identity with the new, unified agent and integrate four new privileged identity access (PAM) providers for improved prioritization of the most critical identities in your environment.2.8KViews4likes0CommentsMonthly news - November 2024
Microsoft Defender XDRMonthly newsNovember 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October2024.2.2KViews1like1CommentIgnite news: What's new in Microsoft Defender XDR?
The speed, scale, and precision of AI-powered attacks have introduced an entirely new level of complexity to the cybersecurity landscape. Defending against these advanced threats requires more than just traditional tools; it demands a shift towards AI-enhanced defense mechanisms that not only detect and defend against these attacks, but proactively anticipate and neutralize them before significant damage occurs. To effectively combat these sophisticated threats, not only must organizations build robust strategies around the core pillars of detection and response but establish continuous prevention throughout the entire SOC lifecycle. Today we are excited to share our latest innovations across prevention, detection and response within the unified security operations platform, some of the highlights include: Microsoft Exposure Management is now GA: Exposure insights are now integrated into the SOC investigation experience with visibility into critical assets and potential attack paths. LLM-backed phishing detections to combat a new era of social engineering: these new detections take email security to the next level by using AI to understand attacker intent and block malicious emails from ever being sent to your employees. Threat Intelligence Tracking via Adaptive Networks: Automatic detection and blocking of emerging attacker infrastructure, preventing it from ever being exploited in large-scale attacks. One platform, one agent: Our new unified platform agent built on Defender for Endpoint streamlines deployment and telemetry across endpoints, OT devices, DLP, and identities. Prevention Attackers aren’t thinking about vulnerabilities in lists but instead how they can be combined to build potential attack paths. Preventing these attacks requires the SOC to continuously strengthen their security posture. This process involves having insight into an organization’s exposure and infusing insights from previous attacks to anticipate potential attack paths. This enables defenders to proactively address emerging threats before they can take hold. In March, we introduced Microsoft Security Exposure Management, a unified posture management solution for proactive and continuous threat exposure management. Today, we are excited to announce the general availability of Microsoft Security Exposure Management. It uses graph-based technology to visualize and map relationships between entities, assets, data, entry points, and pathways, unifying the broadest, native security dataset in the market that spans cloud, SaaS apps, endpoints, identities, and email, and can now be extended with 3 rd party data. Further, we are enabling these prevention insights to uniquely inform SOC processes by integrating asset criticality information and mapping the attack path to other high-value assets within the existing incident graph. This integration unlocks the ability for exposure insights to inform a continuous cycle of strengthening an organization’s defenses. . This motion graphic shows the new attack paths that are now integrated into the incident view in Defender XDR As part of the general availability, we are also introducing a new posture initiative in Exposure management focused on SaaS security. It provides best practice recommendations, along with an easy way for security teams to prioritize the most important controls to improve the SaaS security posture of their organization in one place. Learn more about today’s Microsoft Security Exposure Management announcements here. Detection and Protection As we observe adversaries increasingly use GenAI, it is critical that security solutions advance alongside and ahead of these new tactics by using GenAI to boost security defenses across all stages of the lifecycle. Over the past year we have heavily invested in detection and protection capabilities to build capabilities grounded in AI, while also expanding the native signal that is automatically correlated via Microsoft Defender XDR. The combination of AI-powered detections and breadth of signal, uniquely enables Microsoft Defender XDR to protect against the latest threats, while providing the most comprehensive, out-of-the-box incident investigation for SOC teams. Our research teams have been observing a trend where adversaries are now using GenAI to craft phishing emails, making it harder for recipients and email security solutions to identify them. That’s why we are redefining email and collaboration security in Microsoft Defender for Office 365 by uses purpose-built Large Language Models (LLM) at scale to tackle this new era of social engineering. Our solution now parses language to understand and identify attacker intent and classifies threats at machine speed – keeping malicious emails out of your inbox and giving security operations (SOC) teams a new level of insight into adversary techniques. Since our initial rollout to select customers over the past few months, we’ve seen a tremendous impact in keeping malicious emails out of our customers’ inboxes and as of today this is generally available across all customers. For the complete announcement, read our blog here. While detection and protection logic is critical to an effective response, so is the breadth of signal that is natively correlated without cumbersome, manual work by the security team. Earlier this year at RSA, we introduced the integration between Microsoft Purview Insider Risk Management (IRM) and Defender XDR, which added context to a user’s activity timeline with insights from IRM. Today, we are excited to share that IRM alerts are now automatically correlated into the unified incident experience in Defender, with complete alert context. In addition, we are providing new data security tables in advanced hunting, so analysts can build queries to better understand the impact of incidents and more easily identify attack patterns. Of course, all this data is also available through the Graph API so customers can integrate it into their case management workflows. While detection is key to identifying threats early, a swift and effective response is essential to mitigate potential damage and ensure business continuity. We are excited to share how we’ve taken insights from real world customers attack and used them to help us prevent them at the earliest stage in the kill chain. Response Attackers will continue to evolve and organizations will continue to be breached. The Microsoft Security research division continuously analyzes the methods threat actors use to infiltrate environments and have identified a pattern where threat actors are highly likely to replicate methods for different target. The same applies to the type of infrastructure used to breach an organization - attackers rely on interconnected toolkits like command-and-control servers, domain names, and phishing kits to execute their operations. At Microsoft, we’ve made significant investments to use these insights to feed our most powerful response capability - automatic attack disruption - which enables Defender XDR to now prevent advanced attacks at the pre-breach stage. Traditionally, security researchers manually update detection models, but attackers continuously evolve their tactics, creating an ongoing cycle of evasion and detection. We’re excited to introduce a new capability called Threat Intelligence Tracking via Adaptive Networks (TITAN) that combines Microsoft Threat Intelligence and Microsoft Defender XDR to automatically detect and block emerging attacker infrastructure before it can be used in large-scale attacks. TITAN automatically runs in the background using machine learning and AI to analyze the relationships between millions of entities (alerts, incidents, etc) and can effectively unveil new infrastructure associated with them. For example, in a recent real-world attack, a threat actor exploited malicious OAuth applications to gain access to emails, alter inbox rules, and send phishing emails both internally and externally. With TITAN, we identified 26 similar incidents across 21 organizations, enabling Defender XDR to confidently disable the malicious OAuth app whenever its use was detected in other environments at the initial access stage, blocking attackers from even starting their campaigns. TITAN fundamentally changes the game for defenders – it allows a shift from post-breach intervention where the goal is minimizing the impact, to true, preventive protection using known Threat Intelligence to pre-emptively stop sophisticated attacks before they happen. Platform Lastly, we’ve made significant investments across the platform that further streamline deployment and operations across our platform. Agents serve as one of the first lines of defense against threat actors, as they continuously scan corporate resources for malicious activity or misconfigurations, but they can add deployment overhead. Today, we're streamlining this with a unified Defender for Identity agent integrated into Defender for Endpoint. This single agent now provides protection and telemetry across endpoints, OT devices, DLP, and identities, simplifying deployment and reducing maintenance. Defender for Endpoint customers can easily deploy Defender for Identity from the Defender portal, gaining immediate protection against on-premises identity attacks. All telemetry is correlated within Microsoft’s security platform, giving SOC teams a comprehensive, real-time view for faster response. To learn more about the unified agent, read more in our announcement blog. Finally, we are expanding the unified role-based access control (RBAC) model in Defender XDR to include SaaS security. As organizations increasingly rely on SaaS apps, the complexity of securing this landscape has grown substantially. To make it easier for security teams to prioritize SaaS security, Defender for Cloud Apps is now integrated with the unified RBAC model in Defender XDR to enable central permission management across SaaS apps, endpoint, email, and identities. By using the unified RBAC model, SaaS security can now be managed with greater granularity, consistent role assignments, and the flexibility to manage multiple roles effectively. To learn about other innovations in the SaaS security space, check out our Ignite blog. Prevention is key to staying ahead of threats As cyber threats continue to evolve, investing in prevention is more crucial than ever. By embedding prevention throughout the SOC lifecycle, organizations can proactively reduce risk and stop attacks before they escalate. We're excited to share these groundbreaking security innovations designed to empower your SOC teams, enhance threat detection, and strengthen your defenses. With these new capabilities, we're committed to helping you stay one step ahead, better protecting your organization from the ever-growing landscape of cyber threats. Be sure to check out resources on all the exciting Ignite news throughout the week! More information Join us online or in-person to see these capabilities in action: o Simplify your SOC with Rob Lefferts & Allie Mellen o AI-Driven Ransomware Protection at Machine Speed: Microsoft Defender for Endpoint o Innovating security operations with Microsoft Sentinel And there’s so much more! Read up on announcements we made today across Microsoft Security: Microsoft Sentinel Microsoft Defender for Endpoint Microsoft Defender for Business Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Copilot Learn more aboutMicrosoft Defender XDR or start a free trial today!3KViews0likes0CommentsMicrosoft Defender for Identity now detects suspicious certificate usage
Cybercriminals are increasingly targeting Active Directory Certificate Services to gain access to your domain. Learn how to spot these attacks and see how Microsoft Defender for Identity can help protect your organization.26KViews10likes1CommentProtect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server
We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Identity’s coverage across hybrid identity environments. It reinforces our vision of overseeing and protecting the entire identity fabric, greatly enhancing the SOC’s visibility and protections for these complex environments.19KViews11likes7Comments