Monthly news – January 2024

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Microsoft Defender XDR
Monthly news
January 2024 Edition

Hempriggs-Blog-Banner.png

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2023.  

Legend:
Product videos.png Product videos webcast recordings.png Webcast (recordings) Docs on MS.png Docs on Microsoft Blogs on MS.png Blogs on Microsoft
GitHub.png GitHub External.png External Product improvements.png Product improvements Public Preview sign-up.png Previews / Announcements
Microsoft Defender XDR
Public Preview sign-up.png

"Defender Boxed" is back! During January you can get your personalized SOC summary via Defender Boxed. 

Go to the Defender portal, and open the incident page.

Defender BoxedDefender Boxed

Public Preview sign-up.png

Microsoft Defender XDR unified role-based access control (RBAC) model is now generally available. 

We have continuously enhanced and expanded the unified RBAC model in Microsoft Defender XDR, and now we are excited to share the general availability of Microsoft Defender XDR unified RBAC model as well as the latest capabilities to further simplify permission management.

Public Preview sign-up.png

The Microsoft Defender portal's incident queue has updated filters, search, and added a new function where you can create your own filter sets. For details, see Available filters.

Public Preview sign-up.png

You can now assign incidents to a user group or another user. For details, see Assign an incident.

Microsoft Security Experts
Public Preview sign-up.png The Microsoft Security Experts Discussion Space: Your Gateway to Knowledge Sharing. We're excited to spotlight our Microsoft Security Experts Discussion Space—a dedicated community designed for cybersecurity practitioners to connect, share insights, and learn together. As we embark on this journey, we want to provide some tips on how you can kickstart and actively participate in discussions, fostering a vibrant and collaborative community of practice.
Blogs on MS.png Security Analyst Profile: Amanda Cantero SchillingMeet Amanda Cantero Schilling, a highly skilled cybersecurity analyst on a mission to fortify the defenses of Microsoft Defender Experts for XDR customers.
Blogs on MS.png

Investigating malicious OAuth applications using the Unified Audit Log. This blog post provides additional guidance for incident responders on investigating cloud solution providers.

Data retention in Microsoft 365 and Microsoft Entra IDData retention in Microsoft 365 and Microsoft Entra ID

Public Preview sign-up.png

Microsoft Defender Experts for XDR now lets you exclude devices and users from remediation actions taken by our experts and instead get remediation guidance for those entities.

Microsoft Defender for Endpoint
Public Preview sign-up.png

Public Preview of Apple User Enrollment support for Defender for Endpoint on iOS. This new feature offers security and IT teams the flexibility to deploy Defender for Endpoint to user-enrolled devices so that work data and applications are protected, while end-user privacy is upheld on those devices. 

Microsoft Defender for Identity
Public Preview sign-up.png

New Identities area and dashboard in Microsoft Defender XDR (Preview)

In Microsoft Defender XDR, select Identities to see any of the following new pages:

Blogs on MS.png

In August we unveiled our newest Microsoft Defender for Identity sensor specifically designed for Active Directory Certificate Services (AD CS) servers to help our customers gain even more visibility into this critical piece of Identity infrastructure. This blog post discusses some of the AD CS abuse techniques outlined in "Certified Pre-Owned" (by Will Schroeder and Lee Christensen) and gives insight into the upcoming Defender for Identity capabilities designed to help address them. 

Public Preview sign-up.png

Security posture assessments for AD CS sensors (Preview). Learn more here

Microsoft Defender for Cloud Apps
Public Preview sign-up.png

We are thrilled to share that the Defender for Cloud Apps discovery capabilities (extension to over 400 Generative AI apps) is now generally available. To help companies navigate the sprawl of Generative AI apps and provide ways to enable users to safely interact with these apps without sacrificing productivity, we announced at Ignite that Defender for Cloud Apps and Microsoft Purview released new capabilities to help organizations to secure the use of AI

Discovered apps filtered on the “Generative AI,” categoryDiscovered apps filtered on the “Generative AI,” category

Public Preview sign-up.png SSPM support for more connected apps. Defender for Cloud Apps has now enhanced its SSPM support by including the following apps: (Preview)

SSPM is also now supported for Google Workspace in General Availability. 

For more information, see: SaaS security posture management (SSPM)

Public Preview sign-up.png New IP addresses for portal access and SIEM agent connection.
Public Preview sign-up.png Backlog period alignments for initial scans. We've aligned the backlog period for initial scans after connecting a new app to Defender for Cloud Apps.
Microsoft Defender for Office 365
Blogs on MS.png Protect your organizations against QR code phishing with Defender for Office 365. This blog post discusses more details on how we’re helping defenders address this threat and keeping end-users safe.
Public Preview sign-up.png Microsoft Defender XDR Unified RBAC is now generally available: Defender XDR Unified RBAC supports all Defender for Office 365 scenarios that were previously controlled by Email & collaboration permissions and Exchange Online permissions. To learn more about the supported workloads and data resources, see Microsoft Defender XDR Unified role-based access control (RBAC).
Microsoft Defender for IoT
Public Preview sign-up.png OT network sensors now run on Debian 11Sensor versions 23.2.0 run on a Debian 11 operating system instead of Ubuntu. Learn more on our docs
Public Preview sign-up.png Default privileged user is now admin instead of support. Starting with version 23.2.0, the default, privileged user installed with new OT sensor installations is the admin user instead of the support user. Learn more on our docs
Public Preview sign-up.png New architecture for hybrid and air-gapped support. Defender for IoT now provides new guidance for connecting to and monitoring hybrid and air-gapped networks. The new architecture guidance is designed to add efficiency, security, and reliability to your SOC operations, with fewer components to maintain and troubleshoot. Learn more on our docs
Public Preview sign-up.png On-premises management console retirementThe legacy on-premises management console won't be available for download after January 1st, 2025. We recommend transitioning to the new architecture using the full spectrum of on-premises and cloud APIs before this date. Learn more on our docs
Public Preview sign-up.png Live statuses for cloud-based sensor updatesWhen running a sensor update from the Azure portal, a new progress bar appears in the Sensor version column during the update process. As the update progresses the bar shows the percentage of the update completed, showing you that the process is ongoing, is not stuck or has failed. sensor-version-update-bar.png

For more information, see Update Defender for IoT OT monitoring software.

Public Preview sign-up.png

When integrating with Microsoft Sentinel, the Microsoft Sentinel SecurityAlert table is now updated immediately only for changes in alert status and severity. Other changes in alerts, such as last detection of an existing alert, are aggregated over several hours and display only the latest change made.

For more information, see Understand multiple records per alert.

Blogs on Microsoft  Security
Blogs on MS.png Threat actors misuse OAuth applications to automate financially driven attacksIn attacks observed by Microsoft Threat Intelligence, threat actors launched phishing or password spraying attacks to compromise user accounts that did not have strong authentication mechanisms and had permissions to create or modify OAuth applications.
Blogs on MS.png Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server. Microsoft discovered, responsibly disclosed, and helped remediate four vulnerabilities that could be remotely exploited by unauthenticated attackers in Perforce Helix Core Server (“Helix Core Server”), a source code management platform largely used in the videogame industry and by multiple organizations spanning government, military, technology, retail, and more.
Blogs on MS.png Star Blizzard increases sophistication and evasion in ongoing attacksMicrosoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard (formerly SEABORGIUM, also known as COLDRIVER and Callisto Group). Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets.
Blogs on MS.png New Microsoft Incident Response team guide shares best practices for security teams and leadersWhile there are a number of incident response guides and materials readily available online, the Microsoft Incident Response team has created a downloadable, interactive guide specifically focused on two key factors that are critical to effective, timely incident response: People and process.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.