Monthly news - April 2024

Microsoft Copilot for Security

• (GA) Copilot in Microsoft Defender is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence.
• Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see Export incident data to PDF.
• Copilot in Defender can help security teams quickly analyze suspicious files through AI-powered file analysis. The file analysis results contain an assessment of the file, including a detection name when the file is malicious/potentially unwanted, and important file data like certificates, API calls, and significant strings found within the file. For details, see File analysis. 
  The generated results displayed on the Copilot pane.
• Speed up device investigation with the device summary capability in Copilot in Defender. Copilot can generate a summary that contains the status of Defender XDR protection features like attack surface reduction, any significant user activity observed in the device, and insights from Microsoft Intune. For details, see Device Summary. 

Read this blog post "How Copilot for Security can transform your SOC" to learn about the new capabilities embedded in the Defender portal for Defender XDR and Microsoft Sentinel data.

Two exciting updates to advanced hunting: 

• New capabilities within results grid: For Json and array’s fields, you can right-click and update the existing query to include or exclude the field, or to extend the field to a new column. Learn more on our docs.
• Results limit increased to 30K: Advanced hunting results limit increased from 10K to 30K. Learn more on our docs.

Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024
We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar™: Managed Detection and Response, 2024. Microsoft Defender Experts for XDR was highlighted as a key component of Microsoft’s managed detection and response (MDR) offering that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise.

Two new GA announcements:

• Built-in scheduled scan for Defender for Endpoint on macOS in now generally available. 
• Troubleshooting mode for Defender for Endpoint on macOS. Have Tamper protection enabled on your macOS? No longer need to disable Tamper Protection in order to investigate or troubleshoot an issue, just enable Troubleshooting mode for macOS, now also generally available. 

New documentations:

• Overview of troubleshooting performance issues for Microsoft Defender for Endpoint on macOS
  Have a performance issue on MDE on macOS? Narrow down to what daemon is being impacted. 
• Troubleshoot Microsoft Defender Antivirus settings
  Trying to figure out where the Microsoft Defender Antivirus policy is coming down? Intune, Configuration Manager (formerly System Center Configuration Manager (SCCM)), Group Policy, PowerShell, WMI, etc...?
  

New Graph based API for viewing and managing Health issues. Now you can view and manage Defender for Identity health issues through the Graph API

[Preview] Defender for Cloud Apps now supports in-browser protection for end users who use the Edge browser. Edge browser users (from BYOD or corporate-owned devices), scoped to session policies, will enjoy a smooth app experience with no latency, no app compatibility issues, and a higher level of security."

User experience with in-browser protection

The Defender for Cloud Apps experience in the Microsoft Defender portal is now available for all Defender for Cloud Apps roles, including the following roles that were previously limited:

• App/Instance admin
• User group admin
• Cloud Discovery global admin
• Cloud Discovery report admin

For more information, see Built-in admin roles in Defender for Cloud Apps.

Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new LastSeenForUser and UncommonForUser columns columns for queries and detections rules. Using this data assists in ruling out false positives and finding anomalies.

For more information, see Advanced Hunting "CloudAppEvents" Data schema.

Permissions Management: Defender XDR's RBAC Walkthrough for Defender for Office 365 

Microsoft Defender XDR unified role-based access control is the new permissions model across the various Defender workloads, and is a critical step forward in our “least privilege” permissions principle for Microsoft Defender for Office 365.

Announcing Threat Explorer enhancements, including persistent views, easier navigation between URL clicks and emails, custom timestamp filtering, and displaying remediation action results. This blog post shares details of the recently introduced UX enhancements and how security analysts can adopt them in their investigation & hunting workflows. 

Hunting and responding to QR code-based phishing attacks with Defender for Office 365. 

Blog covers how security teams can identify URLs embedded within QR codes in an email across their investigation and hunting workflows, including advanced hunting samples.

Vulnerability Descriptions enhanced with AI. Addressing software vulnerabilities can be challenging, especially when remediation and impact of the CVE may vary across different sources. To address this challenge, the Defender Vulnerability Management team has developed an enhanced description for CVEs using AI technology. 

Example of the updated vulnerability descriptions.