Microsoft Defender XDR Blog

Monthly news - January 2024

HeikeRitter
Jan 10, 2024

Microsoft Defender XDR
Monthly news
January 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2023.  

Microsoft Defender XDR

"Defender Boxed" is back! During January you can get your personalized SOC summary via Defender Boxed. 

Go to the Defender portal, and open the incident page.

Defender Boxed

The Microsoft Defender XDR unified role-based access control (RBAC) model is now generally available.

We have continuously enhanced and expanded the unified RBAC model in Microsoft Defender XDR. It is now generally available, together with new capabilities that further simplify permission management.

The Microsoft Defender portal's incident queue has updated filters, search, and added a new function where you can create your own filter sets. For details, see Available filters.

You can now assign incidents to a user group or another user. For details, see Assign an incident.

Microsoft Security Experts
The Microsoft Security Experts Discussion Space: Your Gateway to Knowledge Sharing. We're excited to spotlight our Microsoft Security Experts Discussion Space, a dedicated community designed for cybersecurity practitioners to connect, share insights, and learn together. As we embark on this journey, we want to provide some tips on how you can kickstart and actively participate in discussions, fostering a vibrant and collaborative community of practice.

Security Analyst Profile: Amanda Cantero Schilling. Meet Amanda Cantero Schilling, a highly skilled cybersecurity analyst on a mission to fortify the defenses of Microsoft Defender Experts for XDR customers.

Investigating malicious OAuth applications using the Unified Audit Log. This blog post provides additional guidance for incident responders on investigating cloud solution providers.

Data retention in Microsoft 365 and Microsoft Entra ID

Microsoft Defender Experts for XDR now lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities.

Microsoft Defender for Endpoint

Public Preview of Apple User Enrollment support for Defender for Endpoint on iOS. This new feature offers security and IT teams the flexibility to deploy Defender for Endpoint to user-enrolled devices so that work data and applications are protected, while end-user privacy is upheld on those devices. 

Microsoft Defender for Identity

New Identities area and dashboard in Microsoft Defender XDR (Preview)

In Microsoft Defender XDR, select Identities to see any of the following new pages:

In August we unveiled our newest Microsoft Defender for Identity sensor specifically designed for Active Directory Certificate Services (AD CS) servers to help our customers gain even more visibility into this critical piece of Identity infrastructure. This blog post discusses some of the AD CS abuse techniques outlined in "Certified Pre-Owned" (by Will Schroeder and Lee Christensen) and gives insight into the upcoming Defender for Identity capabilities designed to help address them. 

Security posture assessments for AD CS sensors (Preview). Learn more here

Microsoft Defender for Cloud Apps

We are thrilled to share that the Defender for Cloud Apps discovery capabilities, now extended to over 400 Generative AI apps, are generally available. To help companies navigate the sprawl of Generative AI apps and let users interact with these apps safely without sacrificing productivity, we announced at Ignite that Defender for Cloud Apps and Microsoft Purview released new capabilities to help organizations secure the use of AI.

Discovered apps filtered on the "Generative AI" category

SSPM support for more connected apps. Defender for Cloud Apps has now enhanced its SSPM support by including the following apps: (Preview)

SSPM is also now supported for Google Workspace in General Availability. 

For more information, see: SaaS security posture management (SSPM)

New IP addresses for portal access and SIEM agent connection.
Backlog period alignments for initial scans. We've aligned the backlog period for initial scans after connecting a new app to Defender for Cloud Apps.
Microsoft Defender for Office 365

Protect your organizations against QR code phishing with Defender for Office 365. This blog post discusses more details on how we’re helping defenders address this threat and keeping end-users safe.

Microsoft Defender XDR Unified RBAC is now generally available: Defender XDR Unified RBAC supports all Defender for Office 365 scenarios that were previously controlled by Email & collaboration permissions and Exchange Online permissions. To learn more about the supported workloads and data resources, see Microsoft Defender XDR Unified role-based access control (RBAC).
Microsoft Defender for IoT
OT network sensors now run on Debian 11. Sensor version 23.2.0 runs on a Debian 11 operating system instead of Ubuntu. Learn more on our docs
Default privileged user is now admin instead of support. Starting with version 23.2.0, the default privileged user installed with new OT sensor installations is the admin user instead of the support user. Learn more on our docs
New architecture for hybrid and air-gapped support. Defender for IoT now provides new guidance for connecting to and monitoring hybrid and air-gapped networks. The new architecture guidance is designed to add efficiency, security, and reliability to your SOC operations, with fewer components to maintain and troubleshoot. Learn more on our docs
On-premises management console retirement. The legacy on-premises management console won't be available for download after January 1st, 2025. We recommend transitioning to the new architecture, using the full spectrum of on-premises and cloud APIs, before this date. Learn more on our docs
Live statuses for cloud-based sensor updates. When running a sensor update from the Azure portal, a new progress bar appears in the Sensor version column during the update process. As the update progresses, the bar shows the percentage completed, so you can tell that the process is still running rather than stuck or failed.

For more information, see Update Defender for IoT OT monitoring software.

When integrating with Microsoft Sentinel, the Microsoft Sentinel SecurityAlert table is now updated immediately only for changes in alert status and severity. Other changes in alerts, such as last detection of an existing alert, are aggregated over several hours and display only the latest change made.

For more information, see Understand multiple records per alert.
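Because one Defender for IoT alert can now produce several SecurityAlert rows over its lifetime (an immediate row for each status or severity change, plus aggregated rows for other changes), any query that counts rows will overcount alerts, and any query that reads the first row it finds may report a stale status. The KQL below is an added example, not code from this page or from Microsoft's docs. It assumes Defender for IoT alerts reach Microsoft Sentinel with ProductName "Azure Security Center for IoT" (the product name the connector has historically used; adjust the filter to match your workspace) and that SystemAlertId stays the same across the records of one alert.

```kql
// Added example, not from this page or from Microsoft. Assumptions: Defender for IoT alerts land
// in SecurityAlert with ProductName "Azure Security Center for IoT", and SystemAlertId is stable
// across the several records one alert produces. Adjust the filter to match your workspace.
let iotAlerts =
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | where ProductName =~ "Azure Security Center for IoT"
    | project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, Status, CompromisedEntity;
// One row per alert: the most recent record carries the current status and severity.
let current =
    iotAlerts
    | summarize arg_max(TimeGenerated, *) by SystemAlertId;
// Status/severity transitions: compare each record with the previous record of the same alert.
// order by serializes the input, so prev() is well defined.
let transitions =
    iotAlerts
    | order by SystemAlertId asc, TimeGenerated asc
    | extend PrevId = prev(SystemAlertId), PrevStatus = prev(Status), PrevSeverity = prev(AlertSeverity)
    | where PrevId == SystemAlertId and (PrevStatus != Status or PrevSeverity != AlertSeverity)
    | summarize Transitions = count(),
                LastTransition = max(TimeGenerated),
                Path = make_list(strcat(PrevStatus, "/", PrevSeverity, " -> ", Status, "/", AlertSeverity))
                by SystemAlertId;
current
| join kind=leftouter transitions on SystemAlertId
| project SystemAlertId, AlertName, CompromisedEntity, AlertSeverity, Status,
          LastRecord = TimeGenerated, Transitions = coalesce(Transitions, 0), LastTransition, Path
| order by LastRecord desc
```

Count rows of `current` when you want the number of distinct alerts; count rows of `iotAlerts` only when you want update volume. The `Path` column shows the status/severity history in order, which is what the immediate-update rule preserves; the aggregated "last detection" updates are folded into `LastRecord`.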

Blogs on Microsoft Security
Threat actors misuse OAuth applications to automate financially driven attacks. In attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications.
Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server. Microsoft discovered, responsibly disclosed, and helped remediate four vulnerabilities that could be remotely exploited by unauthenticated attackers in Perforce Helix Core Server ("Helix Core Server"), a source code management platform largely used in the videogame industry and by multiple organizations spanning government, military, technology, retail, and more.
Star Blizzard increases sophistication and evasion in ongoing attacks. Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard (formerly SEABORGIUM, also known as COLDRIVER and Callisto Group). Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets.
New Microsoft Incident Response team guide shares best practices for security teams and leaders. While there are a number of incident response guides and materials readily available online, the Microsoft Incident Response team has created a downloadable, interactive guide specifically focused on two key factors that are critical to effective, timely incident response: people and process.
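The two OAuth items in this edition (the Unified Audit Log investigation guidance under Microsoft Security Experts, and the Threat Intelligence post above on OAuth application abuse) come down to one question for a responder: which users created, modified or consented to applications, and did those users sign in without a second factor? The KQL below is an added example, not code from this page or from Microsoft. It assumes Entra ID AuditLogs and SigninLogs are ingested into Microsoft Sentinel, that the OperationName values listed match the Entra ID audit activity names in your tenant (verify them against your own data; the "Update application" prefix match is a catch-all for credential changes), and that AuthenticationRequirement carries "singleFactorAuthentication" for sign-ins that completed without MFA.

```kql
// Added example, not from this page or from Microsoft. Assumptions: AuditLogs and SigninLogs
// (Entra ID) are ingested into the Sentinel workspace; the OperationName strings match the
// Entra ID audit activity names; AuthenticationRequirement == "singleFactorAuthentication"
// marks a sign-in that completed without MFA. Verify all three against your own data.
let lookback = 14d;
// Audit activities that create an app, consent to it, or grant it permissions.
let appOps = dynamic([
    "Add application",
    "Add service principal",
    "Consent to application",
    "Add app role assignment to service principal",
    "Add delegated permission grant"
]);
let appChanges =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in~ (appOps) or OperationName startswith "Update application"
    | extend Actor   = tostring(InitiatedBy.user.userPrincipalName),
             ActorIp = tostring(InitiatedBy.user.ipAddress),
             Target  = tostring(TargetResources[0].displayName)
    | where isnotempty(Actor)           // skip changes initiated by service principals
    | project ChangeTime = TimeGenerated, Actor, ActorIp, OperationName, Target, Result;
// Users with successful single-factor sign-ins in the same window, and the IPs they came from.
let weakSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | where AuthenticationRequirement =~ "singleFactorAuthentication"
    | summarize SingleFactorSignins = count(), SigninIps = make_set(IPAddress, 50) by UserPrincipalName;
appChanges
| join kind=inner weakSignins on $left.Actor == $right.UserPrincipalName
// Did the app change come from an IP that also appears in the user's single-factor sign-ins?
| extend IpMatchesWeakSignin = set_has_element(SigninIps, ActorIp)
| summarize Changes = count(),
            Operations = make_set(OperationName),
            Targets = make_set(Target, 10),
            FirstChange = min(ChangeTime), LastChange = max(ChangeTime),
            SingleFactorSignins = max(SingleFactorSignins),
            IpMatches = countif(IpMatchesWeakSignin)
            by Actor
| order by IpMatches desc, Changes desc
```

A user whose app changes came from an IP that also appears in their single-factor sign-ins is the first pivot: check the target application's granted permissions and credentials next, and treat any app the user did not recognise as a candidate for disablement. The same activities are recorded in the Unified Audit Log, so the query's logic carries over to an audit-log export when Sentinel is not in scope.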
Updated Oct 29, 2024
Version 5.0