Monthly news - May 2025
Microsoft Defender XDR Monthly news May 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 New blog post: Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR. (GA) Multi Tenant Organizations (MTO) expanded support for up to 100 tenants per view per user is now generally available! We are delighted to announce that Microsoft Defender MTO now supports the ability, for each user, to add up to 100 tenants to their view. We extended the number of tenants you can see in one single pane of glass – from 50 to 100. You can now view incidents, investigate, view device inventory and vulnerabilities on a larger number of tenants at the same time. Expanding Cross Cloud Multitenant Security Operations for Government Customers. This blog post summarizes a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. We invite you to give this new capability a try! (Public Preview) The OAuthAppInfo table is now available for preview in advanced hunting. The table contains information about Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability. The OnboardingStatus and NetworkAdapterDnsSuffix columns are now available in the DeviceNetworkInfo table in advanced hunting. Automatic attack disruption: Enhanced containment for critical assets and shadow IT. This blog post introduces new, extended capabilities in automatic attack disruption. Announcing Rich Text for Case Management. In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. (Public Preview) You can now create data security investigations in the Microsoft Defender portal with the integration of Microsoft Purview Data Security Investigations (preview) and Microsoft Defender XDR. This integration allows security operations center (SOC) teams to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Learn more in our docs. (Public Preview) Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. Learn more in our docs. Microsoft Defender for Endpoint Updated documentation Schedule antivirus scans using Group Policy Schedule antivirus scans using PowerShell Two new ASR rules are now generally available: Block rebooting machine in Safe Mode: This rule prevents the execution of commands to restart machines in Safe Mode. Block use of copied or impersonated system tools: This rule blocks the use of executable files that are identified as copies of Windows system tools. These files are either duplicates or impostors of the original system tools. (General Available) Defender for Endpoint supports ARM64-based Linux servers across various Linux distributions, including Ubuntu, RHEL, Debian, SUSE Linux, Amazon Linux, and Oracle Linux. All product capabilities that are supported on AMD64 devices are now supported on ARM64-based Linux servers. For more information, see the following articles: Tech Community Blog: Defender for Endpoint extends support to ARM-based Linux servers Microsoft Defender for Endpoint on Linux Microsoft Defender for Office 365 Announcing the Public Preview of Auto-Remediation of Malicious Entity Clusters Identified in Automated Investigation and Response (AIR). Defender for Office 365 automated investigation and response is being enhanced to enable AIR to automatically remediate malicious entity clusters. AIR currently recommends actions for SecOps to approve or decline and this enhancement will allow customers the option to configure auto-remediation for AIR to automatically execute the soft deletion of messages included in malicious URL or malicious file clusters. Options to "tune" controls within Defender for Office 365 for an organization to maximize protection and efficacy. We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. The Outlook.com consumer email service will require compliance with SPF, DKIM, and DMARC email authentication standards for domains sending more than 5000 messages to outlook.com, hotmail.com, and yahoo.com recipients as of 5 May, 2025. Learn more in this blog post.. Microsoft Defender for Cloud Apps Enhanced alert source accuracy. This update, applicable to new alerts only, are reflected across various experiences and APIs, including the Defender XDR portal, Advanced hunting, and Graph API. (Public Preview) Investigate OAuth application attack paths in Defender for Cloud Apps Microsoft Defender for Identity (General available) Identities guided tour New attack paths tab on the Identity profile page New and updated events in the Advanced hunting IdentityDirectoryEvents table Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and others. Deprecation of Defender for Identity alert email notifications (Public Preview) Defender for Identity integration with Entra Privileged Identity Management (PIM) Privileged Access Management (PAM) vendors integration with Defender for Identity – CyberArk, Delinea and BeyondTrust Microsoft Security Blogs Threat actors leverage tax season to deploy tax-themed phishing campaigns As Tax Day approaches in the United States on April 15, Microsoft has detected several tax-themed phishing campaigns employing various tactics. These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), and Remcos. Exploitation of CLFS zero-day leads to ransomware activity Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. Microsoft released security updates to address the vulnerability, tracked as CVE 2025-29824, on April 8, 2025. Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI Exchange Server and SharePoint Server are business-critical assets and considered crown-jewels for many organizations, making them attractive targets for attacks. Threat actors misuse Node.js to deliver malware and other malicious payloads Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. Understanding the threat landscape for Kubernetes and containerized assets The dynamic nature of containers can make it challenging for security teams to detect runtime anomalies or pinpoint the source of a security incident, presenting an opportunity for attackers to stay undetected. Microsoft Threat Intelligence has observed threat actors taking advantage of unsecured workload identities to gain access to resources, including containerized environments. Threat Analytics (Access to the Defender Portal needed) Activity profile: Tax and IRS-themed phishing campaigns [TA update] Tool profile: Grandoreiro banking trojan Activity profile - Threat actors using fake Chrome updates to deliver Lumma Stealer Actor profile: Storm-2256 Actor Profile - Storm-1877 [TA update] Vulnerability profile: CVE-2025-26633 Vulnerability profile - CVE-2025-29824 Activity profile: Cryptomining infection by malicious AutoIT scripts uses masqueraded Ncat for C2 communications Technique profile: ClickFix technique leverages clipboard to run malicious commands [TA update] Actor profile: Storm-1249 Tool profile - XCSSET Tool profile: ReedBed Quarterly cyber threat report: MITRE ATT&CK framework trends in OSINT (January to March 2025) Actor Profile - Storm-1125 Activity profile: Sapphire Sleet using GoLang files to download malware Technique Profile: Device Code PhishingAnnouncing Rich Text for Case Management
In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more. Key Benefits of Rich Text for Case Management Improve Communication Across All Case Elements: Rich text enhances the clarity and impact of case descriptions, comments, tasks, and closing notes. Formatting options help highlight critical information, ensuring important details are not missed, leading to more efficient case handling and better outcomes. Share Queries and Results Using Code Blocks and Tables: Efficient data sharing and analysis are crucial in SecOps. Rich text allows embedding code blocks and tables within case documentation, presenting queries and results clearly and organized, facilitating better analysis and decision-making. Link to Related Content: Rich text supports hyperlinks, enabling direct links to relevant resources, documents, and websites. This ensures all necessary information is easily accessible, enhancing the efficiency of case management. Leveraging Rich Text for Case Management ensures your written content is clear, organized, and effective, ultimately leading to better case outcomes and improved communication within your organization.Monthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMwareWhat’s new in Microsoft Defender XDR at Secure 2025
Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we’re sharing new product features that spotlight our AI-first, end-to-end security innovations designed to help - including autonomous AI agents in the Security Operations Center (SOC), as well as automatic detection and response capabilities. We also share information on how you can expand your protection by bringing data security and collaboration tools closer to the SOC. Read on to learn more about how these capabilities can help your organization stay ahead of today’s advanced threat actors. Expanding AI-Driven Capabilities for Smarter SOC Operations Introducing Microsoft Security Copilot’s Phishing Triage Agent Today, we are excited to introduce Security Copilot agents, a major step in bringing AI-driven automation to Microsoft Security solutions. As part of this, we’re unveiling our newest innovation in Microsoft Defender: the Phishing Triage Agent. Acting as a force multiplier for SOC analysts, it streamlines the triage of user-submitted phishing incidents by autonomously identifying and resolving false positives, typically cleaning out over 95% of submissions. This allows teams to focus on the remaining incidents – those that pose the most critical threats. Phishing submissions are among the highest-volume alerts that security teams handle daily, and our data shows that at least 9 in 10 reported emails turn out to be harmless bulk mail or spam. As a result, security teams must sift through hundreds of these incidents weekly, often spending up to 30 minutes per case determining whether it represents a real threat. This manual triage effort not only adds operational strain but also delays the response to actual phishing attacks, potentially impacting protection levels. The Phishing Triage Agent transforms this process by leveraging advanced LLM-driven analysis to conduct sophisticated assessments –such as examining the semantic content of emails– to autonomously determine whether an incident is a genuine phishing attempt or a false alarm. By intelligently cutting through the noise, the agent alleviates the burden on SOC teams, allowing them to focus on high-priority threats. Figure 1. A phishing incident triaged by the Security Copilot Phishing Triage Agent To help analysts gain trust in its decision-making, the agent provides natural language explanations for its classifications, along with a visual representation of its reasoning process. This transparency enables security teams to understand why an incident was classified in a certain way, making it easier to validate verdicts. Analysts can also provide feedback in plain language, allowing the agent to learn from these interactions, refine its accuracy, and adapt to the organization’s unique threat landscape. Over time, this continuous feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification. The Security Copilot Phishing Triage Agent is designed to transform SOC operations with autonomous, AI-driven capabilities. As phishing threats grow increasingly sophisticated and SOC analysts face mounting demands, this agent alleviates the burden of repetitive tasks, allowing teams to shift their focus to proactive security measures that strengthen the organization’s overall defense. Security Copilot Enriched Incident Summaries and Suggested Prompts Security Copilot Incident Summaries in Microsoft Defender now feature key enrichments, including related threat intelligence and asset risk –enhancements driven by customer feedback. Additionally, we are introducing suggested prompts following incident summaries, giving analysts quick access to common follow-up questions for deeper context on devices, users, threat intelligence, and more. This marks a step towards a more interactive experience, moving beyond predefined inputs to a more dynamic, conversational workflow. Read more about Microsoft Security Copilot agent announcements here. New protection across Microsoft Defender XDR workloads To strengthen core protection across Microsoft Defender XDR workloads, we're introducing new capabilities while building upon existing integrations for enhanced protection. This ensures a more comprehensive and seamless defense against evolving threats. Introducing collaboration security for Microsoft Teams Email remains a prevalent entry point for attackers. But the fast adoption of collaboration tools like Microsoft Teams has opened new attack surfaces for cybercriminals. Our advancements within Defender for Office 365 allow organizations to continue to protect users in Microsoft Teams against phishing and other emerging cyberthreats with inline protection against malicious URLs, safe attachments, brand impersonation protection, and more. And to ensure seamless investigation and response at the incident level, everything is centralized across our SOC workflows in the unified security operations platform. Read the announcement here. Introducing Microsoft Purview Data Security Investigations for the SOC Understanding the extent of the data that has been impacted to better prioritize incidents has been a challenge for security teams. As data remains the main target for attackers it’s critical to dismantle silos between security and data security teams to enhance response times. At Microsoft, we’ve made significant investments in bringing SOC and data security teams closer together by integrating Microsoft Defender XDR and Microsoft Purview. We are continuing to build upon the rich set of capabilities and today, we are excited to announce that Microsoft Purview Data Security Investigations (DSI) can be initiated from the incident graph in Defender XDR. Ensuring robust data security within the SOC has always been important, as it helps protect sensitive information from breaches and unauthorized access. Data Security Investigations significantly accelerates the process of analyzing incident related data such as emails, files, and messages. With AI-powered deep content analysis, DSI reveals the key security and sensitive data risks. This integration allows analysts to further analyze the data involved in the incident, learn which data is at risk of compromise, and take action to respond and mitigate the incident faster, to keep the organization’s data protected. Read the announcement here. Figure 2. An incident that shows the ability to launch a data security investigation. OAuth app insights are now available in Exposure Management In recent years, we’ve witnessed a substantial surge in attackers exploiting OAuth applications to gain access to critical data in business applications like Microsoft Teams, SharePoint, and Outlook. To address this threat, Microsoft Defender for Cloud Apps is now integrating OAuth apps and their connections into Microsoft Security Exposure Management, enhancing both attack path and attack surface map experiences. Additionally, we are introducing a unified application inventory to consolidate all app interactions into a single location. This will address the following use cases: Visualize and remediate attack paths that attackers could potentially exploit using high-privilege OAuth apps to access M365 SaaS applications or sensitive Azure resources. Investigate OAuth applications and their connections to the broader ecosystem in Attack Surface Map and Advanced Hunting. Explore OAuth application characteristics and actionable insights to reduce risk from our new unified application inventory. Figure 3. An attack path infused with OAuth app insights Read the latest announcement here AI & TI are critical for effective detection & response To effectively combat emerging threats, AI has become critical in enabling faster detection and response. By combining this with the latest threat analytics, security teams can quickly pinpoint emerging risks and respond in real-time, providing organizations with proactive protection against sophisticated attacks. Disrupt more attacks with automatic attack disruption In this era of multi-stage, multi-domain attacks, the SOC need solutions that enable both speed and scale when responding to threats. That’s where automatic attack disruption comes in—a self-defense capability that dynamically pivots to anticipate and block an attacker’s next move using multi-domain signals, the latest TI, and AI models. We’ve made significant advancements in attack disruption, such as threat intelligence-based disruption announced at Ignite, expansion to OAuth apps, and more. Today, we are thrilled to share our next innovation in attack disruption—the ability to disrupt more attacks through a self-learning architecture that enables much earlier and much broader disruption. At its core, this technology monitors a vast array of signals, ranging from raw telemetry data to alerts and incidents across Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems. This extensive range of data sources provides an unparalleled view of your security environment, helping to ensure potential threats do not go unnoticed. What sets this innovation apart is its ability learn from historical events and previously seen attack types to identify and disrupt new attacks. By recognizing similar patterns across data and stitching them together into a contextual sequence, it processes information through machine learning models and enables disruption to stop the attack much earlier in the attack sequence, stopping significantly more attacks in volume and variety. Comprehensive Threat Analytics are now available across all Threat Intelligence reports Organizations can now leverage the full suite of Threat Analytics features (related incidents, impacted assets, endpoints exposure, recommended actions) on all Microsoft Threat Intelligence reports. Previously only available for a limited set of threats, these features are now available for all threats Microsoft has published in Microsoft Defender Threat Intelligence (MDTI), offering comprehensive insights and actionable intelligence to help you ensure your security measures are robust and responsive. Some of these key features include: IOCs with historical hunting: Access IOCs after expiration to investigate past threats and aid in remediation and proactive hunting. MITRE TTPs: Build detections based on threat techniques, going beyond IOCs to block and alert on specific tactics. Targeted Industries: Filter threats by industry, aligning security efforts with sector-specific challenges. We’re proud of our new AI-first innovations that strengthen security protections for our customers and help us further our pledge to customers and our community to prioritize cyber safety above all else. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. We hope you’ll also join us in San Francisco from April 27th-May 1 st 2025 at the RSA Conference 2025 to learn more. At the conference, we’ll share live, hands-on demos and theatre sessions all week at the Microsoft booth at Moscone Center. Secure your spot today.Monthly news - March 2025
Microsoft Defender XDR Monthly news March 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Public Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see Exclude assets from automated responses in automatic attack disruption. (Public Preview) The PrivilegedEntraPimRoles column is available for preview in the advanced hunting IdentityInfo table. (General Available) You can now view how Security Copilot came up with the query suggestion in its responses in Microsoft Defender advanced hunting. Select See the logic behind the query below the query text to validate that the query aligns with your intent and needs, even if you don't have an expert-level understanding of KQL. We are excited to announce that we increase the Multi Tenant Organization (MTO) tenant limit - and now you can manage up to 100 tenants to your MTO view. With that, you can view incident, hunt, and see and manage all your data from one single pane of glass. This is only the first step to improve management at scale. Learn more in our docs. (General Available) Sentinel only is now in General Available for Unified Security Operations platform. Customers with no E5 license can now onboard their workspace and work in the unified platform for all features (single workspace only, for single tenant and for multi tenant) (General Available) Gov Clouds/ GCCH and DoD is now in General Available for Unified Security Operations platform. Customers with single workspace (for both multi tenant and single tenant) are now able to work in the unified platform on all features. Query assistant - KQL response explanation. The Security Copilot Query Assistant in Advanced Hunting generates KQL queries from requests in natural language, allowing hunting for threats, without having a deep knowledge in KQL and schema. With this new feature, it is possible to review the logic behind the KQL queries generated by Copilot, including a breakdown of the query. This enhancement helps validate the query aligns with the intent and needs, even without deep understanding of KQL. (Public Preview) IP addresses can now be excluded from automated containment responses triggered by automatic attack disruption. Microsoft Sentinel Threat Intelligence Ingestion rules: This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Sentinel. You can now set custom conditions and actions on Indicators of Compromise (IoCs), Threat Actors, Attack Patterns, Identities, and their Relationships. Learn more in this blog post. Missed the live session? Watch our recorded webinar on "SIEM as Code", a transformative approach shaping the future of SIEM. Learn how to implement it in Microsoft Sentinel using the repositories feature and explore best practices for automation and scalability. Microsoft Defender Experts for XDR Published Scoped coverage in Microsoft Defender Experts for XDR. Microsoft Defender Experts for XDR offers scoped coverage for customers who wish to have Defender Experts cover only a section of their organization (for example, specific geography, subsidiary, or function) that requires security operations center (SOC) support or where their security support is limited. Learn more on our docs. Microsoft Defender for Identity (General Available) New Identity Guide Tour We've added an interactive guide tour in the Defender XDR portal to help you navigate identity security features, investigate alerts, and enhance your security posture with ease. (General Available) New attack paths tab on the Identity profile page. This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management. (General Available) New and updated events in the Advanced hunting IdentityDirectoryEvents table. We have added and updated various events in the IdentityDirectoryEvents table in Advanced Hunting. Learn more on our docs. (General Available) Identity page enhancements such as user timeline side panel, password last change field on the UI, devices tab filters and so on. Defender for Identity integration with Entra Privileged Identity Management (PIM) - SOC can now view identities in the Defender XDR portal that are eligible to elevate to privileged roles via Entra PIM. New tag and list of user's Entra privileged roles (eligible and assigned) were added to user page and side panel in the Defender XDR portal and Identity Info table. Privileged Access Management (PAM) vendors integration with MDI – CyberArk, Delinea and BeyondTrus. The integration provide the SOC with visibility for on-prem / Entra ID privileged identities managed in the PAM solution, adding new tag on privileged identities in Defender XDR user page, side panel and Identity Info table, allowing for incident prioritization, custom detections, advanced hunting and more. SOC can also initate a remediation action to 'enforce password rotation' on compromised privileged identity directly in the XDR Defender portal. Intagration need to be enabled by the customer in the Partners portal. Go to XDR Technical Partners catalog to see the new partners integrations, and access the PAM vendors marketplace. 2 New Entra Detections and on-prem detection improvement. Entra new detections: "suspicious multiple TAP creation for the same user account" and "suspicious alternative phone number addition". Detection improvement in on-prem: "Blood hound python" - version udpate to cover FN. New recommendations for Identity Security Posture. In this blog we will focus on some key things to consider for your Active Directory (AD) footprints. Active Directory is a critical element of user authentication, and its complexity leaves many opportunities for potential misconfigurations, making it a prime target for attackers. To address these vulnerabilities, we’ve added 10 new recommendations aimed at strengthening your identity security posture and protecting against evolving threats. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Azure Key Vault with high number of operations: This rule identifies and classifies Azure Key Vaults that experience a high volume of operations, indicating their criticality within the cloud environment. Security Operations Admin Device: This rule applies to critical devices used to configure, manage, and monitor the security within an organization are vital for security operations administration and are at high risk of cyber threats. They require top-level security measures to prevent unauthorized access. For more information, see, Predefined classifications Microsoft Defender for Endpoint (General Available) Aggregated reporting in Microsoft Defender for Endpoint is now generally available. For more information, see Aggregated reporting in Microsoft Defender for Endpoint. Guidance for penetration testing and breach-and-attack-simulation scenarios with Defender for Endpoint. This new article describes common challenges and potential misconfigurations that might arise during penetration testing (pen testing) or using breach and attack simulation (BAS) tools. This article also describes how to submit potential false negatives for investigation. This article describes how to use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus. Microsoft Blogs Code injection attacks using publicly disclosed ASP.NET machine keys. The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation Storm-2372 conducts device code phishing campaign. Threat Analytics Reports (access to the Defender XDR portal required) Activity Profile: Emerald Sleet using PowerShell to exploit targets Actor Profile: Storm-1660 Technique Profile: Code injection attacks using disclosed ASP.NET machine keys Tool Profile: GoldBackdoor Activity Profile: Forest Blizzard targeting Western civilian transportation Activity Profile: BadPilot campaign - Seashell Blizzard subgroup conducts multiyear global access operation Activity Profile: Sapphire Sleet uses fraudulent Zoom domains in recent spear-phishing activities Activity Profile: Malvertising campaign leads to info stealers hosted on GitHub Activity Profile: New Zigzag Hail phishing campaigns adapt long-running malware operation to continue targeting Japan Actor Profile: Storm-1830 Activity Profile: Phishing campaign impersonates Booking.com, delivers multiple commodity malware Activity Profile: Storm-2372 conducts device code phishing campaign Activity Profile: Threat landscape for the information technology sector in 2024 Vulnerability Profile: CVE-2025-21333 Multiple vulnerabilities found in Windows Hyper-V NT Kernel Integration VSP Vulnerability Profile: CVE-2025-21391 Activity Profile: IronSentry PhaaS launches after NakedPages shuts down Vulnerability Profile: CVE-2024-43583 - Winlogon Tool Profile: FusionDrive Vulnerability Profile: CVE-2025-21420 Vulnerability Profile: CVE-2025-21419 Activity Profile: Salt Typhoon targets telecommunications and internet service providersMonthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see, Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices – Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance - A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles – Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.Monthly news - February 2025
Microsoft Defender XDR Monthly news February 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Public Preview) Creating a unified, security-focused case management system. We are excited to be introducing a new solution for case management, built specifically for SecOps teams, and integrated into the experience of Microsoft Sentinel and Defender XDR in the unified SecOps platform. With new case management functionality, available for any customer who has Microsoft Sentinel, customers can benefit from a purpose-built approach to managing and collaborating across security cases. (Public Preview) Device activity events from Microsoft Sentinel's device entity pages are now visible in the Timeline tab on the Device entity page in the Defender portal, in addition to remaining visible on the Sentinel events tab. These device activity events now include blocked, dropped, or denied network traffic originating from a given device. (Public Preview) Users with provisioned access to Microsoft Purview Insider Risk Management can now view and manage insider risk management alerts and hunt for insider risk management events and behaviors in the Microsoft Defender portal. For more information, see Investigate insider risk threats in the Microsoft Defender portal with insights from Microsoft Purview Insider Risk Management. (General Available) Advanced hunting context panes are now available in custom detection experiences. This allows you to access the advanced hunting feature without leaving your current workflow. For incidents and alerts generated by custom detections, you can select Run query to explore the results of the related custom detection. In the custom detection wizard's Set rule logic step, you can select View query results to verify the results of the query you are about to set. (General Available) The Link to incident feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in Defender XDR advanced hunting, you can now specify whether an entity is an impacted asset or related evidence. (General Available) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now generally available in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. Migrate compatible KQL queries by following the steps in Continuous (NRT) frequency. Microsoft Sentinel Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience. Learn more on our docs. Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables. Tables supporting the new STIX object schema are in private preview. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with this form. Ingest your threat intelligence into the new tables, ThreatIntelIndicator and ThreatIntelObjects alongside with or instead of the current table, ThreatIntelligenceIndicator, with this opt-in process. For more information, see the blog announcement New STIX objects in Microsoft Sentinel. Threat intelligence upload API now supports more STIX objects. The upload API supports the following STIX objects: indicator attack-pattern identity threat-actor relationship For more information, see the following articles: Connect your threat intelligence platform with the upload API (Preview) Import threat intelligence to Microsoft Sentinel with the upload API (Preview) New STIX objects in Microsoft Sentinel Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles: Explore Defender Threat Intelligence licenses Enable the Microsoft Defender Threat Intelligence data connector (Public Preview) Bicep template support for repositories. Use Bicep templates alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content. View granular solution content in the Microsoft Sentinel content hub. You can now view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need. For more information, see Discover content. Microsoft Defender for Cloud Apps Get visibility into your DeepSeek use with Defender for Cloud Apps. Defender for Cloud Apps helps you discover and protect more than 800 generative AI applications, now including DeepSeek. It provides the necessary overview of an app's usage in your organization, combined with the potential risk that the app poses for your organization. In fact, it profiles more than 90 separate risk attributes for each application in the Cloud App Catalog so you can make informed choices in a unified experience. Learn more in this blog post. Microsoft Defender for Identity Introducing the new Defender for Identity sensor management API. This blog discusses the new Defender for Identity sensor management API.This blog discusses Microsoft Security Exposure Management Metrics enhancements The metrics have been enhanced to show the improvement of the exposure levels with a progress bar, progressing from left to right and from 0% (indicating high exposure) to 100% (indicating no exposure). In addition, the metrics weight is now displayed as high, medium, or low, based on the metric's importance to the initiative. The weight can also be defined as risk accepted. For more information, see, Working with metrics Microsoft Defender for Office 365 Use the built-in Report button in Outlook: The built-in Report button in Outlook for iOS and Android version 4.2446 or later now supports the user reported settings experience to report messages as Phishing, Junk, and Not Junk. Build custom email security reports and dashboards with workbooks in Microsoft Sentinel. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Microsoft Defender for Endpoint (Public Preview) Aggregated reporting in Defender for Endpoint: Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties. This feature is available for Defender for Endpoint Plan 2. For more information, see Aggregated reporting in Defender for Endpoint. (Public Preview) Defender for Endpoint extends support to ARM-based Linux servers. As the demand for ARM64 servers continues to rise, we are thrilled to announce that Microsoft Defender for Endpoint now supports ARM64 based Linux servers in Public Preview. This update marks a new milestone in our commitment to providing comprehensive endpoint security across all devices and platforms. More details in this announcement blog. Microsoft Defender for IoT Aggregating multiple alerts violations with the same parameters. To reduce alert fatigue, multiple versions of the same alert violation and with the same parameters are grouped together and listed in the alerts table as one item. The alert details pane lists each of the identical alert violations in the Violations tab and the appropriate remediation actions are listed in the Take action tab. For more information, see our docs.Monthly news - December 2024
Microsoft Defender XDR Monthly news December 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel Ignite news: What's new in Microsoft Defender XDR? This blog summarizes Ignite news related to Defender XDR. Security Copilot: A game changer for modern SOC We have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. (Preview) Attack paths in the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, see attack paths in the attack story. (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, see Export incident data to PDF. (GA) The last update time column in the incident queue is now generally available. (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, see Investigate and respond to container threats in the Microsoft Defender portal. (GA) The arg() operator in advanced hunting in Microsoft Defender portal is now generally available. Users can now use the arg() operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. (Preview) The CloudProcessEvents table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. (Preview) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps in Continuous (NRT) frequency. Ninja Show Episodes: Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Microsoft Sentinel Microsoft Sentinel availability in Microsoft Defender portal! (Preview) Now Microsoft Sentinel is also available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see: Microsoft Sentinel in the Microsoft Defender portal Connect Microsoft Sentinel to the Microsoft Defender portal Upcoming Ninja Show Episode Dec 10, 9AM PT: Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Vulnerability Management Upcoming webinar Jan 14, 9AM PT: How to Get the Most Out of Microsoft Defender for Vulnerability Management Join us to learn about the Defender Vulnerability Management capabilities, business use cases and best practices to develop and implement posture & risk management in your organization. During this session, the engineering team will guide you through the recent released features and capabilities as well as product vision and roadmap. The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, see Windows authenticated scan deprecation FAQs. We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, see Known issues with data collection. Microsoft Defender for Identity Seamless protection for your on-prem identities with Defender for Identity. This blog summarizes various exciting announcements made at Ignite that simplify how customers deploy and manage their identity threat landscape: One platform, one agent: Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP Easily manage your sensors via API: Automate deployment, configuration and monitoring of sensors in your environment Integrate Privileged Access Management solutions: Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea Ninja Show episode: Microsoft Defender for Identity for Entra Connect In this episode, product experts Lior Shapira and Ayala Ziv explain how Microsoft Defender for Identity sensor for Entra Connect servers enables comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, providing critical insights into potential security threats. Tune in to explore the latest detections and posture recommendations for Entra Connect by learning the importance of protecting hybrid identities and exploring real-world scenarios. Microsoft Security Exposure Management Announcing the General Availability of Microsoft Security Exposure Management! We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. We made enhancements to the Attack path Hybrid attack paths: On-Prem to Cloud DACL-based path analysis to learn more about those, please visit our documentation. External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Learn more on our docs. Discovery sources available in the inventory and attack surface map The Device Inventory and Attack Surface Map now display the data sources for each discovered asset. This feature provides an overview of which tools or products reported each asset, including Microsoft and external connectors like Tenable or ServiceNow CMDB. Learn more on our docs. Microsoft Security Exposure Management is now supported in Microsoft Defender XDR Unified role-based access control (RBAC). Access control to Microsoft Security Exposure Management can now be managed using Microsoft Defender XDR Unified Role-Based Access Control (RBAC) permissions model with dedicated and granular permissions. Learn more on our docs. OT security initiative The new Operational Technology (OT) security initiative equips practitioners with a powerful tool to identify, monitor, and mitigate risks across the OT environment, ensuring both operational reliability and safety. This initiative aims to identify devices across physical sites, assess their associated risks, and provide faster, more effective protection for OT systems. For more information, see, Review security initiatives Content versioning notifications The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs. For more information on exposure insights, see Overview - Exposure insights Exposure history for metrics User can investigate metric changes by reviewing the asset exposure change details. From the initiative's History tab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time. For more information, see, Reviewing initiative history SaaS security initiative The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture. For more information, see, SaaS security initiative Microsoft Defender for Cloud Apps Secure your SaaS landscape with the latest Defender for Cloud Apps innovations. This blog summarizes the following innovations in Defender for Cloud Apps announced at Ignite to help address these challenges: SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls. Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively. Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience. (Preview) Defender for Cloud Apps support for Graph API Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on the Discovered apps page, such as applying filters to view specific data. The API supports GET capabilities only. For more information, see: Work with discovered apps via Graph API Microsoft Graph API reference for Microsoft Defender for Cloud Apps SaaS Security initiative in Exposure Management Microsoft Security Exposure Management offers a focused, metric-driven way of tracking exposure in specific security areas using security initiatives. The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations. This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD For more information, see SaaS security initiative. Internal Session Controls application notice The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. Please ensure there is no CA policy restricting access to this application. For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate. For more information, see Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps. (Preview) Visibility into app origin Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. For more information, see detailed insights into OAuth apps. (Preview) Permissions filter and export capabilities Defender for Cloud Apps users who use app governance can utilize the new Permissions filter and export capabilities to quickly identify apps with specific permissions to access Microsoft 365. For more information, see filters on app governance. (Preview) Visibility into privilege level for popular Microsoft first-party APIs Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. For more information, see OAuth app permission related details on app governance. (Preview) Granular data usage insights into EWS API access Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API. For more information, see OAuth app data usage insights on app governance. Microsoft Defender for Endpoint Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights. Intune ending support for Android device administrator on devices with GMS in December 2024. Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to Google Mobile Services (GMS), beginning December 31, 2024. For devices with access to GMS After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. Intune and Defender for Endpoint technical support will no longer support these devices. For more information, see Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024.Monthly news - November 2024
Microsoft Defender XDR Monthly news November 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2024.Ignite news: What's new in Microsoft Defender XDR?
The speed, scale, and precision of AI-powered attacks have introduced an entirely new level of complexity to the cybersecurity landscape. Defending against these advanced threats requires more than just traditional tools; it demands a shift towards AI-enhanced defense mechanisms that not only detect and defend against these attacks, but proactively anticipate and neutralize them before significant damage occurs. To effectively combat these sophisticated threats, not only must organizations build robust strategies around the core pillars of detection and response but establish continuous prevention throughout the entire SOC lifecycle. Today we are excited to share our latest innovations across prevention, detection and response within the unified security operations platform, some of the highlights include: Microsoft Exposure Management is now GA: Exposure insights are now integrated into the SOC investigation experience with visibility into critical assets and potential attack paths. LLM-backed phishing detections to combat a new era of social engineering: these new detections take email security to the next level by using AI to understand attacker intent and block malicious emails from ever being sent to your employees. Threat Intelligence Tracking via Adaptive Networks: Automatic detection and blocking of emerging attacker infrastructure, preventing it from ever being exploited in large-scale attacks. One platform, one agent: Our new unified platform agent built on Defender for Endpoint streamlines deployment and telemetry across endpoints, OT devices, DLP, and identities. Prevention Attackers aren’t thinking about vulnerabilities in lists but instead how they can be combined to build potential attack paths. Preventing these attacks requires the SOC to continuously strengthen their security posture. This process involves having insight into an organization’s exposure and infusing insights from previous attacks to anticipate potential attack paths. This enables defenders to proactively address emerging threats before they can take hold. In March, we introduced Microsoft Security Exposure Management, a unified posture management solution for proactive and continuous threat exposure management. Today, we are excited to announce the general availability of Microsoft Security Exposure Management. It uses graph-based technology to visualize and map relationships between entities, assets, data, entry points, and pathways, unifying the broadest, native security dataset in the market that spans cloud, SaaS apps, endpoints, identities, and email, and can now be extended with 3 rd party data. Further, we are enabling these prevention insights to uniquely inform SOC processes by integrating asset criticality information and mapping the attack path to other high-value assets within the existing incident graph. This integration unlocks the ability for exposure insights to inform a continuous cycle of strengthening an organization’s defenses. . This motion graphic shows the new attack paths that are now integrated into the incident view in Defender XDR As part of the general availability, we are also introducing a new posture initiative in Exposure management focused on SaaS security. It provides best practice recommendations, along with an easy way for security teams to prioritize the most important controls to improve the SaaS security posture of their organization in one place. Learn more about today’s Microsoft Security Exposure Management announcements here. Detection and Protection As we observe adversaries increasingly use GenAI, it is critical that security solutions advance alongside and ahead of these new tactics by using GenAI to boost security defenses across all stages of the lifecycle. Over the past year we have heavily invested in detection and protection capabilities to build capabilities grounded in AI, while also expanding the native signal that is automatically correlated via Microsoft Defender XDR. The combination of AI-powered detections and breadth of signal, uniquely enables Microsoft Defender XDR to protect against the latest threats, while providing the most comprehensive, out-of-the-box incident investigation for SOC teams. Our research teams have been observing a trend where adversaries are now using GenAI to craft phishing emails, making it harder for recipients and email security solutions to identify them. That’s why we are redefining email and collaboration security in Microsoft Defender for Office 365 by uses purpose-built Large Language Models (LLM) at scale to tackle this new era of social engineering. Our solution now parses language to understand and identify attacker intent and classifies threats at machine speed – keeping malicious emails out of your inbox and giving security operations (SOC) teams a new level of insight into adversary techniques. Since our initial rollout to select customers over the past few months, we’ve seen a tremendous impact in keeping malicious emails out of our customers’ inboxes and as of today this is generally available across all customers. For the complete announcement, read our blog here. While detection and protection logic is critical to an effective response, so is the breadth of signal that is natively correlated without cumbersome, manual work by the security team. Earlier this year at RSA, we introduced the integration between Microsoft Purview Insider Risk Management (IRM) and Defender XDR, which added context to a user’s activity timeline with insights from IRM. Today, we are excited to share that IRM alerts are now automatically correlated into the unified incident experience in Defender, with complete alert context. In addition, we are providing new data security tables in advanced hunting, so analysts can build queries to better understand the impact of incidents and more easily identify attack patterns. Of course, all this data is also available through the Graph API so customers can integrate it into their case management workflows. While detection is key to identifying threats early, a swift and effective response is essential to mitigate potential damage and ensure business continuity. We are excited to share how we’ve taken insights from real world customers attack and used them to help us prevent them at the earliest stage in the kill chain. Response Attackers will continue to evolve and organizations will continue to be breached. The Microsoft Security research division continuously analyzes the methods threat actors use to infiltrate environments and have identified a pattern where threat actors are highly likely to replicate methods for different target. The same applies to the type of infrastructure used to breach an organization - attackers rely on interconnected toolkits like command-and-control servers, domain names, and phishing kits to execute their operations. At Microsoft, we’ve made significant investments to use these insights to feed our most powerful response capability - automatic attack disruption - which enables Defender XDR to now prevent advanced attacks at the pre-breach stage. Traditionally, security researchers manually update detection models, but attackers continuously evolve their tactics, creating an ongoing cycle of evasion and detection. We’re excited to introduce a new capability called Threat Intelligence Tracking via Adaptive Networks (TITAN) that combines Microsoft Threat Intelligence and Microsoft Defender XDR to automatically detect and block emerging attacker infrastructure before it can be used in large-scale attacks. TITAN automatically runs in the background using machine learning and AI to analyze the relationships between millions of entities (alerts, incidents, etc) and can effectively unveil new infrastructure associated with them. For example, in a recent real-world attack, a threat actor exploited malicious OAuth applications to gain access to emails, alter inbox rules, and send phishing emails both internally and externally. With TITAN, we identified 26 similar incidents across 21 organizations, enabling Defender XDR to confidently disable the malicious OAuth app whenever its use was detected in other environments at the initial access stage, blocking attackers from even starting their campaigns. TITAN fundamentally changes the game for defenders – it allows a shift from post-breach intervention where the goal is minimizing the impact, to true, preventive protection using known Threat Intelligence to pre-emptively stop sophisticated attacks before they happen. Platform Lastly, we’ve made significant investments across the platform that further streamline deployment and operations across our platform. Agents serve as one of the first lines of defense against threat actors, as they continuously scan corporate resources for malicious activity or misconfigurations, but they can add deployment overhead. Today, we're streamlining this with a unified Defender for Identity agent integrated into Defender for Endpoint. This single agent now provides protection and telemetry across endpoints, OT devices, DLP, and identities, simplifying deployment and reducing maintenance. Defender for Endpoint customers can easily deploy Defender for Identity from the Defender portal, gaining immediate protection against on-premises identity attacks. All telemetry is correlated within Microsoft’s security platform, giving SOC teams a comprehensive, real-time view for faster response. To learn more about the unified agent, read more in our announcement blog. Finally, we are expanding the unified role-based access control (RBAC) model in Defender XDR to include SaaS security. As organizations increasingly rely on SaaS apps, the complexity of securing this landscape has grown substantially. To make it easier for security teams to prioritize SaaS security, Defender for Cloud Apps is now integrated with the unified RBAC model in Defender XDR to enable central permission management across SaaS apps, endpoint, email, and identities. By using the unified RBAC model, SaaS security can now be managed with greater granularity, consistent role assignments, and the flexibility to manage multiple roles effectively. To learn about other innovations in the SaaS security space, check out our Ignite blog. Prevention is key to staying ahead of threats As cyber threats continue to evolve, investing in prevention is more crucial than ever. By embedding prevention throughout the SOC lifecycle, organizations can proactively reduce risk and stop attacks before they escalate. We're excited to share these groundbreaking security innovations designed to empower your SOC teams, enhance threat detection, and strengthen your defenses. With these new capabilities, we're committed to helping you stay one step ahead, better protecting your organization from the ever-growing landscape of cyber threats. Be sure to check out resources on all the exciting Ignite news throughout the week! More information Join us online or in-person to see these capabilities in action: o Simplify your SOC with Rob Lefferts & Allie Mellen o AI-Driven Ransomware Protection at Machine Speed: Microsoft Defender for Endpoint o Innovating security operations with Microsoft Sentinel And there’s so much more! Read up on announcements we made today across Microsoft Security: Microsoft Sentinel Microsoft Defender for Endpoint Microsoft Defender for Business Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Copilot Learn more about Microsoft Defender XDR or start a free trial today!
