Monthly news – June 2024

Advanced hunting query API via Graph API is now available for log analytics data!
A new optional parameter "timespan" for the Graph API was added and allows you to query your log analytics data for any lookback time, not only for 30 days. This new parameter is not yet documented, but will get added to this link. 

SOC optimization: unlock the power of precision-driven security management. 

A new experience and API is currently in public preview – Microsoft Sentinel’s SOC Optimization, designed to empower security teams with precision-driven management capabilities. Read the announcement blog, and watch the webinar with a live demo. 

SOC optimization - Unified Security Operations Platform

New Ninja show episodes:

• New Defender XDR Copilot for Security Capabilities: Tune into this episode to learn the latest advancements, now available in the April release of Copilot for Security GA. We dive into the notable enhancements and new features, such as Guided Response for all incident types, comprehensive device and file summaries, end-user communications, and much more.
• Answering Your Questions: Attack Disruption Explained: Attack Disruption is an automated response feature, designed to contain an ongoing attack quickly and effectively by leveraging high-confidence signals from both Microsoft Defender and non-Microsoft products. This episode addressees the most frequently asked questions about Attack Disruption and shares clarifications on its functionality.

Respond to trending threats and adopt zero-trust with Exposure Management.

This blog post shares updates to Security Initiatives and also gives a heads up about a few updates to attack path analysis. 

A BlackByte Ransomware intrusion case study. 

This blog details an investigation into a ransomware event. During this intrusion the threat actor progressed through the full attack chain, from initial access through to impact, in less than five days, causing significant business disruption for the victim organization.  

Recover an Active Directory Certificate Services (ADCS) platform from compromise.

This blog describes comprehensive backup and restore strategies for ensuring swift recovery and restoration of essential certificate services following a cyberattack or data breach.

Hunting for MFA manipulations in Entra ID tenants using KQL.

This blog describes how to use Kusto Query Language (KQL) to parse and hunt for MFA modifications in Microsoft Entra audit logs. By the end of this blog, you will have a better understanding of how to track MFA changes in compromised tenants using KQL queries and how to improve your cloud security posture. 

Microsoft Defender Experts Services Expanded Coverage Upcoming Preview. 

The upcoming preview of our Defender Experts services expanded coverage scheduled for June 2024 extends the capabilities to include customers’ cloud estates with servers and virtual machines running in Microsoft Azure and on-premises via Defender for Servers in Microsoft Defender for Cloud. In addition, our coverage will utilize third-party network signals to enhance investigations, create more avenues to generate leads for comprehensive threat hunting, and accelerate response earlier in the attack chain.

Simplify triage with the new Alert Timeline. 

This blog introduces the latest feature to our rich reporting feature set - the alert timeline - a new view that minimizes the time needed for triage and investigation without compromising the quality of analysis.  

Offline Security Intelligence Update is now generally available.

Organizations can now update security intelligence (also referred to as “signatures”) on Linux endpoints with limited or no exposure to the internet using a local hosting server. Details in this blog. 

Easily detect CVE-2024-21427 with Defender for Identity.

This blog details the new activity added to the Advanced Hunting experience in the Defender portal which can help you spot potential attempts to exploit this vulnerability.  

App Governance capabilities are now available in GCCH & DoD. App Governance capabilities in Defender for Cloud Apps are now available to opt-in in GCCH& DoD - go ahead and enable it to increase your app protection.

Defender for Cloud Apps now provides new in-browser protection capabilities via Microsoft Edge to enable security teams to seamlessly manage how a user can interact with in-app data based on their risk profile. The in-browser protection removes the need for proxies, improving both security and productivity, based on session policies that are applied directly to the browser. Details in this blog. 

A block message from Defender for Cloud Apps to prevent the download of a sensitive file within the Edge browser

Automated responses to users via Automated Investigation and Response (AIR) is now generally available. Details in this blog. 

Enhanced Response Action Experience from Threat Explorer. 

You can now take multiple actions at the same time on messages via Threat Explorer. This feature makes it easier and faster for SecOps to deal with email threats by giving you logical grouping of actions, contextual availability of actions, and support for tenant level block URLs and files. Details in this blog. 

Email Protection Basics in Microsoft 365 Part Five: Mastering Overrides.

This blog is the fifth and final part of the "email protection basics" blog series,  and it covers the different overrides, why you may need them, and why it isn’t a good idea to keep them permanently.