Microsoft Defender XDR Monthly news – August 2024 Edition
This is our monthly “What’s new” blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from July 2024. Defender for Cloud has its own Monthly News post; have a look at their blog space.
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
(GA) The Microsoft unified security operations platform in the Microsoft Defender portal is generally available. This release brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources:
Blog post: General availability of the Microsoft unified security operations platform
Ninja Show episode: Unified Security Operations Platform GA launch
Documentation: Microsoft Sentinel in the Microsoft Defender portal
Documentation: Connect Microsoft Sentinel to Microsoft Defender XDR
Documentation: Microsoft Copilot in Microsoft Defender
(Preview) You can now customize columns in the Incidents and Alerts queues in the Microsoft Defender portal. You can add, remove, and reorder columns to display the information you need. For more information, see how to customize columns in the incident queue and alert queue.
(GA) Filtering Defender for Cloud alerts by the associated alert subscription ID in the Incidents and Alerts queues is now generally available. For more information, see Defender for Cloud in Defender XDR.
Incidents with alerts where a compromised device communicated with an operational technology (OT) device are now visible in the Microsoft Defender portal through the Defender for IoT license and Defender for Endpoint’s device discovery capabilities. Using Defender for Endpoint data, Defender XDR automatically correlates these new OT alerts to incidents to provide a comprehensive attack story. To filter related incidents, see Prioritize incidents in the Microsoft Defender portal.
Blog: Make OT security a core part of your SOC strategy with Microsoft Defender XDR
(Preview) Critical assets are now part of the tags in the incident and alert queues. When a critical asset is involved in an incident or alert, the critical asset tag is displayed in the queues. For more information, see incident tags and the alert queue.
(Preview) Incidents are now arranged according to the latest automatic or manual updates made to an incident. Read about the last update time column in the incident queue.
Learning hub resources have moved from the Microsoft Defender portal to learn.microsoft.com. Access Microsoft Defender XDR Ninja training, learning paths, training modules and more. Browse the list of learning paths, and filter by product, role, level, and subject.
(GA) The UrlClickEvents table in advanced hunting is now generally available. Use this table to get information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.
(GA) You can now release or move email messages from quarantine back to the user’s inbox directly from Take actions in advanced hunting and in custom detections. This allows security operators to manage false positives more efficiently and without losing context.
Microsoft Security Exposure Management
Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk. Security Exposure Management is currently in public preview. Check out our documentation to learn more.
Microsoft Defender for IoT
Incidents with alerts where a compromised device communicated with an operational technology (OT) device are now visible in the Microsoft Defender portal through the Defender for IoT license and Defender for Endpoint’s device discovery capabilities. Using Defender for Endpoint data, Defender XDR automatically correlates these new OT alerts to incidents to provide a comprehensive attack story. To filter related incidents, see Prioritize incidents in the Microsoft Defender portal.
Blog: Make OT security a core part of your SOC strategy with Microsoft Defender XDR
Microsoft Defender for Endpoint
Reduce friction and protect faster with simplified Android onboarding. We’re excited to announce that a simplified onboarding experience in Defender for Endpoint on Android devices is now available in public preview. Read more here.
Microsoft Defender for Cloud Apps
(Preview) In-browser protection for macOS users and newly supported policies. Microsoft Edge users on macOS who are scoped to session policies are now protected with in-browser protection. Learn more in our documentation.
(Preview) Configure and embed a custom support URL in Block pages.
Customize the Defender for Cloud Apps block experience for apps that are blocked using Cloud Discovery. Learn more in our documentation.
(GA) Filtering Defender for Cloud alerts by the associated alert subscription ID in the Incidents and Alerts queues is now generally available. For more information, see Defender for Cloud in Defender XDR.
Microsoft Defender for Office 365
Bulk Senders Insight: Optimizing Bulk Email Management for Enterprises. We’re excited to introduce Bulk Senders Insight, a simulation tool designed to help admins fine-tune bulk email policies. This tool offers real-time simulations that help identify the optimal bulk complaint level (BCL) threshold and surface potential false positives (FPs) and false negatives (FNs) based on user preferences across your tenant. This feature will be rolling out to your tenants from August. Watch for a Message Center post about this.
Announcing quarantine release integration in the Defender for Office 365 hunting experience. This enhancement allows Security Operators to address false positives more efficiently and with greater flexibility.
Announcing Defender for Office 365 APIs for retrieving threat data and remediating emails. These new Defender for Office 365 APIs enable security teams to use the threat information and response capabilities of Defender for Office 365 inside the automation and security orchestration tools of their choice.
(GA) The UrlClickEvents table in advanced hunting is now generally available. Use this table to get information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps.
(GA) You can now release or move email messages from quarantine back to the user’s inbox directly from Take actions in advanced hunting and in custom detections. This allows security operators to manage false positives more efficiently and without losing context.
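As an added example of how the now generally available UrlClickEvents table is used in advanced hunting (this query is not part of the post): it lists Safe Links clicks that were blocked or where the user clicked through the warning page, joined back to the originating email via NetworkMessageId. It assumes the documented UrlClickEvents and EmailEvents schemas.

```kql
// Added example, not from the blog post: Safe Links click activity worth a second look.
// ClickBlocked = Safe Links blocked the destination; IsClickedThrough = the user proceeded
// past the warning page, so the click reached the destination and merits follow-up.
let lookback = 7d;
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload == "Email"                       // Teams and Office clicks carry no NetworkMessageId
| where ActionType == "ClickBlocked" or IsClickedThrough == true
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, Subject, RecipientEmailAddress
  ) on NetworkMessageId
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough,
          ThreatTypes, DetectionMethods, SenderFromAddress, Subject
| sort by Timestamp desc
```

Users who appear repeatedly in the IsClickedThrough rows are candidates for a targeted awareness follow-up; the same query, filtered to ActionType == "ClickBlocked", can be saved as a custom detection.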
Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments: The Tenant Allow/Block List is now available in these environments, at parity with the worldwide commercial experience. Learn more in our documentation.
45 days after last used date: The value “Remove allow entry after > 45 days after last used date” is now the default for new allow entries created from submissions and for existing allow entries in the Tenant Allow/Block List. Learn more in our documentation.
Microsoft Defender Vulnerability Management
Guidance for handling “regreSSHion” (CVE-2024-6387) using Microsoft Security capabilities.
Using the Export API with Defender Vulnerability Management. Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards. In this blog, we share guidance and best practices for using the Defender Vulnerability Management Export API.
Microsoft Security Blogs
Mitigating Skeleton Key, a new type of generative AI jailbreak technique
Microsoft recently discovered a new type of generative AI jailbreak method called Skeleton Key that could impact the implementations of some large and small language models. This new method has the potential to subvert either the built-in model safety or platform safety systems and produce any content.
Onyx Sleet uses array of malware to gather intelligence for North Korea
On July 25, 2024, the United States Department of Justice (DOJ) indicted an individual linked to the North Korean threat actor that Microsoft tracks as Onyx Sleet. Microsoft Threat Intelligence collaborated with the Federal Bureau of Investigation (FBI) in tracking activity associated with Onyx Sleet. We will continue to closely monitor Onyx Sleet’s activity to assess changes following the indictment.
Vulnerabilities in PanelView Plus devices could lead to remote code execution
Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell’s PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution (RCE) and denial of service (DoS). PanelView Plus devices are graphic terminals, known as human machine interfaces (HMIs), used in the industrial space.
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group called “ESX Admins” in Active Directory and adding an attacker-controlled user account to this group.
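The “ESX Admins” technique described above maps onto standard Windows group-management audit events, which makes it straightforward to hunt for. As an added example (not from the post or the linked research), a KQL query over the Sentinel SecurityEvent table; it assumes domain controller Security logs are being collected into that table.

```kql
// Added example, not part of the blog post: surface creation, rename or membership changes of
// a security group named "ESX Admins". Event IDs are the standard AD group-management audits:
//   created: 4727 (global) 4731 (local) 4754 (universal)
//   changed: 4737 (global) 4735 (local) 4755 (universal)   <- covers a rename to "ESX Admins"
//   member added: 4728 (global) 4732 (local) 4756 (universal)
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID in (4727, 4731, 4754, 4737, 4735, 4755, 4728, 4732, 4756)
// Active Directory resolves the group name case-insensitively, so normalise before matching
| where tolower(TargetUserName) == "esx admins"
| extend Activity = case(
    EventID in (4727, 4731, 4754), "GroupCreated",
    EventID in (4737, 4735, 4755), "GroupChanged",
    "MemberAdded")
| project TimeGenerated, Computer, Activity, EventID,
          GroupName = TargetUserName,        // the group being created/changed/expanded
          Actor = SubjectUserName,           // account that performed the change
          AddedMember = MemberName           // populated for the MemberAdded events only
| sort by TimeGenerated asc
```

Any hit is worth treating as an incident until explained, since a legitimately managed ESXi environment creates this group deliberately and rarely; the same logic can be scheduled as an analytics rule so the group appearing triggers an alert rather than waiting for a hunt.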