Monthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMware
Sensor Disconnection Notifications with Microsoft Defender for IoT and Microsoft Sentinel 🚀
What Does This Playbook Do? This new automated playbook sends real-time email notifications whenever a sensor disconnects from the cloud. This ensures you’re immediately alerted if there’s an issue, allowing you to take quick action to investigate and resolve the problem. Why It’s Important: Real-Time Alerts: Get instant notifications when a sensor goes offline. Proactive Monitoring: Identify the issue early, reducing downtime and improving response times. Seamless Integration: Works effortlessly with Microsoft Defender for IoT and Microsoft Sentinel for a unified security approach. How to Set It Up: Setting up this playbook is quick and easy. For step-by-step instructions, check out the detailed setup guide here. This playbook was created in collaboration with Marian Hristov, a leading partner working with Defender for IoT.
Latest Threat Intelligence (March 2025)
Microsoft Defender for IoT has released the March 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 3b0522536f51a13701f172a5d2c435d5 For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.Latest Threat Intelligence (January 2024)
Microsoft Defender for IoT has released the January 2024 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 462230b55b930c63177530d4b8f69c0a For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.Latest Threat Intelligence (February 2025)
Microsoft Defender for IoT has released the February 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 5b052ee069d62916b55fc0aa24e47114 For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.Monthly news - February 2025
Microsoft Defender XDR Monthly news February 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Public Preview) Creating a unified, security-focused case management system. We are excited to be introducing a new solution for case management, built specifically for SecOps teams, and integrated into the experience of Microsoft Sentinel and Defender XDR in the unified SecOps platform. With new case management functionality, available for any customer who has Microsoft Sentinel, customers can benefit from a purpose-built approach to managing and collaborating across security cases. (Public Preview) Device activity events from Microsoft Sentinel's device entity pages are now visible in the Timeline tab on the Device entity page in the Defender portal, in addition to remaining visible on the Sentinel events tab. These device activity events now include blocked, dropped, or denied network traffic originating from a given device. (Public Preview) Users with provisioned access to Microsoft Purview Insider Risk Management can now view and manage insider risk management alerts and hunt for insider risk management events and behaviors in the Microsoft Defender portal. For more information, see Investigate insider risk threats in the Microsoft Defender portal with insights from Microsoft Purview Insider Risk Management. (General Available) Advanced hunting context panes are now available in custom detection experiences. This allows you to access the advanced hunting feature without leaving your current workflow. For incidents and alerts generated by custom detections, you can select Run query to explore the results of the related custom detection. In the custom detection wizard's Set rule logic step, you can select View query results to verify the results of the query you are about to set. (General Available) The Link to incident feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in Defender XDR advanced hunting, you can now specify whether an entity is an impacted asset or related evidence. (General Available) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now generally available in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. Migrate compatible KQL queries by following the steps in Continuous (NRT) frequency. Microsoft Sentinel Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience. Learn more on our docs. Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables. Tables supporting the new STIX object schema are in private preview. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with this form. Ingest your threat intelligence into the new tables, ThreatIntelIndicator and ThreatIntelObjects alongside with or instead of the current table, ThreatIntelligenceIndicator, with this opt-in process. For more information, see the blog announcement New STIX objects in Microsoft Sentinel. Threat intelligence upload API now supports more STIX objects. The upload API supports the following STIX objects: indicator attack-pattern identity threat-actor relationship For more information, see the following articles: Connect your threat intelligence platform with the upload API (Preview) Import threat intelligence to Microsoft Sentinel with the upload API (Preview) New STIX objects in Microsoft Sentinel Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles: Explore Defender Threat Intelligence licenses Enable the Microsoft Defender Threat Intelligence data connector (Public Preview) Bicep template support for repositories. Use Bicep templates alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content. View granular solution content in the Microsoft Sentinel content hub. You can now view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need. For more information, see Discover content. Microsoft Defender for Cloud Apps Get visibility into your DeepSeek use with Defender for Cloud Apps. Defender for Cloud Apps helps you discover and protect more than 800 generative AI applications, now including DeepSeek. It provides the necessary overview of an app's usage in your organization, combined with the potential risk that the app poses for your organization. In fact, it profiles more than 90 separate risk attributes for each application in the Cloud App Catalog so you can make informed choices in a unified experience. Learn more in this blog post. Microsoft Defender for Identity Introducing the new Defender for Identity sensor management API. This blog discusses the new Defender for Identity sensor management API.This blog discusses Microsoft Security Exposure Management Metrics enhancements The metrics have been enhanced to show the improvement of the exposure levels with a progress bar, progressing from left to right and from 0% (indicating high exposure) to 100% (indicating no exposure). In addition, the metrics weight is now displayed as high, medium, or low, based on the metric's importance to the initiative. The weight can also be defined as risk accepted. For more information, see, Working with metrics Microsoft Defender for Office 365 Use the built-in Report button in Outlook: The built-in Report button in Outlook for iOS and Android version 4.2446 or later now supports the user reported settings experience to report messages as Phishing, Junk, and Not Junk. Build custom email security reports and dashboards with workbooks in Microsoft Sentinel. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Microsoft Defender for Endpoint (Public Preview) Aggregated reporting in Defender for Endpoint: Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties. This feature is available for Defender for Endpoint Plan 2. For more information, see Aggregated reporting in Defender for Endpoint. (Public Preview) Defender for Endpoint extends support to ARM-based Linux servers. As the demand for ARM64 servers continues to rise, we are thrilled to announce that Microsoft Defender for Endpoint now supports ARM64 based Linux servers in Public Preview. This update marks a new milestone in our commitment to providing comprehensive endpoint security across all devices and platforms. More details in this announcement blog. Microsoft Defender for IoT Aggregating multiple alerts violations with the same parameters. To reduce alert fatigue, multiple versions of the same alert violation and with the same parameters are grouped together and listed in the alerts table as one item. The alert details pane lists each of the identical alert violations in the Violations tab and the appropriate remediation actions are listed in the Take action tab. For more information, see our docs.Latest Threat Intelligence (December 2024)
Microsoft Defender for IoT has released the December 2024 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 1a4f92389b5014d34e46cb655b96f047 For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.Monthly news - December 2024
Microsoft Defender XDR Monthly news December 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel Ignite news: What's new in Microsoft Defender XDR? This blog summarizes Ignite news related to Defender XDR. Security Copilot: A game changer for modern SOC We have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. (Preview) Attack paths in the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, see attack paths in the attack story. (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, see Export incident data to PDF. (GA) The last update time column in the incident queue is now generally available. (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, see Investigate and respond to container threats in the Microsoft Defender portal. (GA) The arg() operator in advanced hunting in Microsoft Defender portal is now generally available. Users can now use the arg() operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. (Preview) The CloudProcessEvents table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. (Preview) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps in Continuous (NRT) frequency. Ninja Show Episodes: Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Microsoft Sentinel Microsoft Sentinel availability in Microsoft Defender portal! (Preview) Now Microsoft Sentinel is also available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see: Microsoft Sentinel in the Microsoft Defender portal Connect Microsoft Sentinel to the Microsoft Defender portal Upcoming Ninja Show Episode Dec 10, 9AM PT: Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Vulnerability Management Upcoming webinar Jan 14, 9AM PT: How to Get the Most Out of Microsoft Defender for Vulnerability Management Join us to learn about the Defender Vulnerability Management capabilities, business use cases and best practices to develop and implement posture & risk management in your organization. During this session, the engineering team will guide you through the recent released features and capabilities as well as product vision and roadmap. The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, see Windows authenticated scan deprecation FAQs. We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, see Known issues with data collection. Microsoft Defender for Identity Seamless protection for your on-prem identities with Defender for Identity. This blog summarizes various exciting announcements made at Ignite that simplify how customers deploy and manage their identity threat landscape: One platform, one agent: Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP Easily manage your sensors via API: Automate deployment, configuration and monitoring of sensors in your environment Integrate Privileged Access Management solutions: Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea Ninja Show episode: Microsoft Defender for Identity for Entra Connect In this episode, product experts Lior Shapira and Ayala Ziv explain how Microsoft Defender for Identity sensor for Entra Connect servers enables comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, providing critical insights into potential security threats. Tune in to explore the latest detections and posture recommendations for Entra Connect by learning the importance of protecting hybrid identities and exploring real-world scenarios. Microsoft Security Exposure Management Announcing the General Availability of Microsoft Security Exposure Management! We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. We made enhancements to the Attack path Hybrid attack paths: On-Prem to Cloud DACL-based path analysis to learn more about those, please visit our documentation. External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Learn more on our docs. Discovery sources available in the inventory and attack surface map The Device Inventory and Attack Surface Map now display the data sources for each discovered asset. This feature provides an overview of which tools or products reported each asset, including Microsoft and external connectors like Tenable or ServiceNow CMDB. Learn more on our docs. Microsoft Security Exposure Management is now supported in Microsoft Defender XDR Unified role-based access control (RBAC). Access control to Microsoft Security Exposure Management can now be managed using Microsoft Defender XDR Unified Role-Based Access Control (RBAC) permissions model with dedicated and granular permissions. Learn more on our docs. OT security initiative The new Operational Technology (OT) security initiative equips practitioners with a powerful tool to identify, monitor, and mitigate risks across the OT environment, ensuring both operational reliability and safety. This initiative aims to identify devices across physical sites, assess their associated risks, and provide faster, more effective protection for OT systems. For more information, see, Review security initiatives Content versioning notifications The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs. For more information on exposure insights, see Overview - Exposure insights Exposure history for metrics User can investigate metric changes by reviewing the asset exposure change details. From the initiative's History tab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time. For more information, see, Reviewing initiative history SaaS security initiative The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture. For more information, see, SaaS security initiative Microsoft Defender for Cloud Apps Secure your SaaS landscape with the latest Defender for Cloud Apps innovations. This blog summarizes the following innovations in Defender for Cloud Apps announced at Ignite to help address these challenges: SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls. Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively. Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience. (Preview) Defender for Cloud Apps support for Graph API Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on the Discovered apps page, such as applying filters to view specific data. The API supports GET capabilities only. For more information, see: Work with discovered apps via Graph API Microsoft Graph API reference for Microsoft Defender for Cloud Apps SaaS Security initiative in Exposure Management Microsoft Security Exposure Management offers a focused, metric-driven way of tracking exposure in specific security areas using security initiatives. The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations. This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD For more information, see SaaS security initiative. Internal Session Controls application notice The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. Please ensure there is no CA policy restricting access to this application. For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate. For more information, see Sample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps. (Preview) Visibility into app origin Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. For more information, see detailed insights into OAuth apps. (Preview) Permissions filter and export capabilities Defender for Cloud Apps users who use app governance can utilize the new Permissions filter and export capabilities to quickly identify apps with specific permissions to access Microsoft 365. For more information, see filters on app governance. (Preview) Visibility into privilege level for popular Microsoft first-party APIs Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. For more information, see OAuth app permission related details on app governance. (Preview) Granular data usage insights into EWS API access Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API. For more information, see OAuth app data usage insights on app governance. Microsoft Defender for Endpoint Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights. Intune ending support for Android device administrator on devices with GMS in December 2024. Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to Google Mobile Services (GMS), beginning December 31, 2024. For devices with access to GMS After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. Intune and Defender for Endpoint technical support will no longer support these devices. For more information, see Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024.Latest Threat Intelligence (November 2024)
Microsoft Defender for IoT has released the November 2024 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 9ca38769e04c3eade790c1f317cb9ed4 For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.
