microsoft defender xdr
83 TopicsIntroducing the new PowerShell Module for Microsoft Defender for Identity
Today, I am excited to introduce a new PowerShell module designed to help further simplify the deployment and configuration of Microsoft Defender for Identity. This tool will make it easier than ever to protect your organization from identity-based cyber-threats.40KViews17likes18CommentsMonthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.45KViews9likes17CommentsThe next frontier in endpoint security: Securing local AI agents with Microsoft Defender
AI agents are now doing real work on the endpoint — reading files, running commands, browsing the web, and acting on behalf of the users they run under. That same power is also what makes them dangerous: agents act on whatever content they take in, and much of it comes from outside the user's control — a web page, a repository, a command's output. A single malicious instruction hidden in that content can turn an agent against the very environment it's trusted to work in. With access to source code, secrets, and the corporate resources, its identity can reach — from cloud infrastructure to SharePoint, email, and internal apps — a compromised agent becomes a path to everything that identity is trusted with. Yet most security teams can't see this activity at all. Local AI agents run as ordinary processes, with little of the visibility or context SOC teams need to understand — let alone investigate — what an agent actually did. That’s why today, we're extending Microsoft Defender to secure AI agents running locally on devices. Security teams now have the visibility, context, and control needed to manage this new frontier of endpoint risk without slowing down the developers driving innovation forward. This includes: Discover 20+ types of local AI agents running on managed Windows and macOS devices Block malicious AI agent activity on the device in real time Assess local agent exposure across identities and reachable resources Investigate local AI agent activity in Advanced Hunting In preview, Defender now discovers these agents across the endpoint — AI coding agents, AI assistants, local AI runtimes, agentic IDE extensions, and Model Context Protocol (MCP) servers — and adds runtime protection for popular coding agents, with coverage expanding over time. Just as important, it brings them into the same security platform teams already use for endpoints, identities, email, and cloud, so local agents are no longer running unseen alongside the tools security teams already protect, but part of one coordinated defense. Watch this episode of the Ninja Show to see how Microsoft Defender brings visibility, context, and control to local AI agents, helping security teams securely adopt AI and stay ahead of emerging threats. Discover local AI agents on managed devices Security Operation Center (SOC) teams can now identify AI agents running locally as first-class assets, not just operating system (OS) processes. In the Defender portal, security teams can view a dedicated inventory of AI agents across their environment, spanning categories such as: Coding CLIs and terminal agents: GitHub Copilot CLI, Codex CLI, Claude Code CLI, Gemini CLI, Antigravity CLI, OpenCode Agentic IDEs and VS Code extensions: Cursor, Windsurf, Antigravity, Claude Code, Codex, Cline, Gemini, GitHub Copilot, Roo Code Desktop AI assistants: ChatGPT Desktop, Claude Desktop, Codex Desktop, Poe Desktop, Antigravity Desktop, GitHub Copilot App Local AI runtimes and autonomous platforms: OpenClaw, Nanobot, ZeroClaw, Ollama Desktop Each agent is surfaced as a security asset, with runtime context including user identity, device and process relationships, trust indicators, and integrity level. Security teams can also see configuration signals, such as “auto-approve” settings and connected services via MCP servers. Defender discovers more than 20 supported local AI agents across Windows and macOS, with coverage continuing to expand. Block malicious AI agent activity in real time Discovery is the starting point. Once SOC teams know which agents are present, they need confidence that malicious behavior will be stopped to reduce impact to their organization’s environment. For popular coding agents, Defender now provides runtime protection that helps block malicious behavior inline and in real time. This capability starts with Claude Code and GitHub Copilot CLI, with OpenClaw and OpenAI Codex coming soon. When Defender identifies that an agent activity is malicious, it can automatically block it. As with other threats, the user can be notified, and the activity is logged in the protection history. The SOC analyst receives a detailed alert with agent and session context for investigation, including details on the detected threat. At the same time, the user sees a notification on the device that the activity was blocked. The corresponding security alert in the Defender portal, with the process tree and session context for investigation Assess local agent exposure Knowing an agent exists is only half the picture. The next step is mapping the potential blast radius: the resources the agent touches, the identities it can use, and the assets exposed to its next moves. That’s why every agent discovered is automatically mapped to the device it runs on, the identity associated with that device, the MCP servers it’s connected to, and the cloud resources the identity can reach. The exposure graph turns "this agent exists" into “this agent can do these things” by providing an understanding of the agent’s connectivity across your environment. As an example, in the map below, the SOC analyst can see that a ChatGPT Desktop agent is tied to a single AWS account, and from that identity its reach extends to S3 buckets, an AWS KMS key, EC2 instances, and an AWS Bedrock agent. The agent has no cloud permissions of its own, but it inherits the account's — so if it were compromised or misused, that reach becomes a path to encrypted data and key material. This view gives security teams a clear picture of the agent's blast radius, so they can decide how to contain it before it's abused. Investigate local AI agent activity in Advanced Hunting Beyond the inventory and exposure views, security teams often need to hunt across the environment — to ask which agents are behaving unusually, and what else they touch. Every AI agent discovery event, MCP server connection, and configuration signal is queryable in Advanced Hunting, alongside the endpoint, identity, email, and cloud security telemetry your team already uses every day. This capability unlocks two use cases that security teams have been asking for: Correlate agent activity with process, file, network, identity, and cloud telemetry to see the full picture of what the agent did Hunt for risky configurations – for example, agents running in auto-approve mode under an identity with privileged access to production, source code, or CI/CD systems Security teams can turn any of these queries into a custom detection rule — for instance, raising an alert whenever a newly discovered agent appears with a risky configuration on a device tied to a privileged identity. Securing the next frontier of endpoint activity The risk that opened this post — an agent acting on a malicious instruction and reaching everything its identity can touch — is exactly what this protection is built to contain. By bringing local AI agents into the same platform teams already use for endpoints, identities, and cloud, Defender turns that blind spot into something security teams can see, investigate, and stop — without getting in the developer's way. Developers keep the AI tools accelerating their work. Defenders get the visibility and real-time protection to stay ahead of attackers as they turn to this new surface. That balance — speed for builders, control for defenders — is what securing the AI era actually requires. Learn more Discover local AI agents with Microsoft Defender Block malicious AI agent behavior with runtime protection Manage and secure your agents with Microsoft Agent 3657.4KViews8likes1CommentMonthly news - May 2024
Microsoft Defender XDR Monthly news May 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from April 2024.9.6KViews8likes1CommentExpanding the Identity perimeter: the rise of non-human identities
Expanding the Identity perimeter With the rise of cloud applications and AI, machine-to-machine access and authentication has become even more prevalent. From automating workflows, integrating applications, managing cloud services and even powering AI agents, non-human identity (NHI) has become vital to modern work. These digital constructs come in many different varieties, each with their own unique characteristics, but because they are foundational elements of many critical business processes, they represent a prime target for cyber-criminals. Not only do NHI greatly outnumber their human counterparts but they are also often highly privileged, eliminating the need for the attacker to elevate this status themselves. AI agents are expected to drive even faster growth machine identities. Copilot Studio alone has more than 230,000 organizations — including 90% of the Fortune 500- already using it to build AI agents and automations. What are non-human Identities? Non-human identities or machine identities like service accounts in Active Directory, Entra registered service principals and third-party OAuth apps, cloud workload identities, AI agents and Secrets each have their own unique roles, responsibilities and vulnerabilities. Despite their importance, there is no team dedicated to securing them holistically, leading to a lack of: Visibility: Different teams are often responsible for the creation of the various types of NHI. Due to this, organizations are often blind to what accounts exist, where, and who owns them. Governance and Management: Limited policies and regulations on how these accounts should be set up, used and managed can create situations where accounts are overprivileged or shared across multiple applications and even where their credentials are stored in plain text or their passwords become stale and susceptible to exploitation. Gaps like these in policy and the lifecycle management of NHI expose organizations to increased risk. Protection: Without dedicated security controls, non-human identities (NHIs) are often left exposed to threats such as credential theft, misuse, or unauthorized access. Many of these identities operate with elevated privileges, making them attractive targets for attackers. A lack of consistent monitoring, anomaly detection, and automated response mechanisms further increases the risk. Effective protection requires implementing least privilege access, rotating credentials regularly, encrypting secrets, and integrating NHIs into a broader identity threat detection and response strategy. How can Microsoft help protect your NHI? While NHIs are a recent term, they have been a critical focus area within Microsoft Security for a long time. Today, Microsoft Security delivers an end-to-end solution for monitoring, securing, and managing non-human identities across their entire lifecycle. Organizations benefit from a comprehensive set of unified capabilities, including: Full-spectrum discovery and visibility: Identify all non-human identities and secrets - including service principals, tokens, keys, and application credentials, across hybrid and multi-cloud environments. Enrichment and risk analysis: Gain deep insights into each identity’s privileges, activity patterns, ownership, and authentication methods to prioritize risks and streamline remediation. Secrets management: Detect secrets in insecure or inappropriate locations, validate their usage, and provide actionable recommendations for protection and remediation. Lifecycle and access governance: Monitor for stale or orphaned accounts, govern OAuth enabled and third-party connections, enforce credential rotation, manage ownership transfer, and ensure secure decommissioning of machine identities. Threat detection and response: Get alerts on suspicious activity or policy deviations, such as unusual privilege escalation, excessive app permissions, or risky machine-to-machine communications. Together, these integrated capabilities empower organizations to proactively identify and mitigate NHI risks, reduce attack surfaces, and strengthen access controls, no matter where identities live or how fast they change. Microsoft brings these protections together, so you can secure every identity -– human and non-human -– across your digital estate. For example, automatic classification rules help organizations quickly find and secure Service Accounts within their organization. 1: Service Account classification capabilities from Defender for Identity And the Microsoft's "Attack Paths" capabilities allow users to see all their NHIs, their connections, associated risks and context, as well as potential lateral movement paths. 2: Attack path mapping in Microsoft Defender illustrates a scenario where a resource contains a service principal certificate that can authenticate asa service principal with permissions to a sensitive database. This represents a risky lateral movement path — one that is now visible and can be proactively secured. What does this mean for you? Non-human identities (NHI) have become a critical yet overlooked component of modern security practices. While each type of NHI poses distinct challenges, they are tightly interconnected and require expertise across the security landscape. This is what makes Microsoft such a powerful partner. Our leadership in identity, security and now AI make us uniquely qualified to help your organization, and your machine identities, stay protected against threats. Our unified approach: consolidating visibility, control, and protection across AI, cloud, apps, data, devices and identities helps comprehensively secure all NHI and your organization. And this is only the beginning. Our team is already hard at work building the cohesive, intelligent defense layer our customers will need to remain protected today and, in the future, including leveraging our leadership in AI to help our customers secure their organizations, and their AI agents, against attacks.2.5KViews6likes1CommentDetecting browser anomalies to disrupt attacks early
Uncover the secrets of early attack disruption with browser anomaly detections! This blog post explores how Microsoft Defender XDR leverages advanced techniques to identify unusual browser activities and stop cyber threats in their tracks. Learn about the importance of monitoring unusual browser activities, session hijacking, Business Email Compromise (BEC), and other critical attack paths. With real-world examples and insights into the systematic approach used by Defender XDR, you'll gain a deeper understanding of how to enhance your organization's security posture. Don't miss out on this essential read for staying ahead of cyber threats!9.9KViews6likes1Comment