Monthly news - April 2024

Monthly news - April 2024

Microsoft Defender XDR
Monthly news
April 2024 Edition


This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2023.  

Product videos.png Product videos webcast recordings.png Webcast (recordings) Docs on MS.png Docs on Microsoft Blogs on MS.png Blogs on Microsoft
GitHub.png GitHub External.png External Product improvements.png Improvements Public Preview sign-up.png Previews / Announcements
Microsoft Defender XDR
Public Preview sign-up.png

Microsoft Copilot for Security


  • (GA) Copilot in Microsoft Defender is now generally available. Copilot in Defender helps you investigate and respond to incidents faster and more effectively. Copilot provides guided responses, incident summaries and reports, helps you build KQL queries to hunt for threats, provide file and script analyses, and enable you to summarize relevant and actionable threat intelligence.
  • Copilot in Defender customers can now export incident data to PDF. Use the exported data to easily share incident data, facilitating discussions with your security teams and other stakeholders. For details, see Export incident data to PDF.
  • Copilot in Defender can help security teams quickly analyze suspicious files through AI-powered file analysis. The file analysis results contain an assessment of the file, including a detection name when the file is malicious/potentially unwanted, and important file data like certificates, API calls, and significant strings found within the file. For details, see File analysis. 
    The generated results displayed on the Copilot pane.The generated results displayed on the Copilot pane.
  • Speed up device investigation with the device summary capability in Copilot in Defender. Copilot can generate a summary that contains the status of Defender XDR protection features like attack surface reduction, any significant user activity observed in the device, and insights from Microsoft Intune. For details, see Device Summary. 

Read this blog post "How Copilot for Security can transform your SOC" to learn about the new capabilities embedded in the Defender portal for Defender XDR and Microsoft Sentinel data.

Public Preview sign-up.png

Two exciting updates to advanced hunting

  • New capabilities within results grid: For Json and array’s fields, you can right-click and update the existing query to include or exclude the field, or to extend the field to a new column. Learn more on our docs.
  • Results limit increased to 30K: Advanced hunting results limit increased from 10K to 30K. Learn more on our docs.
Microsoft Security Experts
Blogs on MS.png

Frost & Sullivan names Microsoft a Leader in the Frost Radar™: Managed Detection and Response, 2024
We are excited to share that Microsoft has been named a Leader by Frost & Sullivan in the Frost Radar™: Managed Detection and Response, 2024. Microsoft Defender Experts for XDR was highlighted as a key component of Microsoft’s managed detection and response (MDR) offering that triages, investigates, and responds to incidents to help organizations stop cyberattackers and prevent future compromise.

Blogs on MS.png Follow the Breadcrumbs with Microsoft Incident Response and Defender for Identity: Working Together to Fight Identity. 
This blog post discusses how Microsoft Incident Response and Microsoft Defender for Identity work together to fight identity-based attacks. We demonstrate how Defender for Identity can be used to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions. 
Microsoft Defender for Endpoint
Public Preview sign-up.png

Two new GA announcements:

  • Built-in scheduled scan for Defender for Endpoint on macOS in now generally available. 
  • Troubleshooting mode for Defender for Endpoint on macOS. Have Tamper protection enabled on your macOS? No longer need to disable Tamper Protection in order to investigate or troubleshoot an issue, just enable Troubleshooting mode for macOS, now also generally available. 
Docs on MS.png

New documentations:

Public Preview sign-up.png We are extremely excited to share that Offline Security Intelligence Update feature for Defender for Endpoint on Linux is now in Public Preview! Absence of Offline Security Intelligence Update has been a key customer pain point and one of our top customer asks. With this feature coming in, customers get a way to update definitions on the endpoints which are not exposed to the internet as well as exercise better control over the download and deployment of signatures/definitions update.
Microsoft Defender for Identity
Public Preview sign-up.png New read-only permissions for viewing Defender for Identity settings. Now you can configure Defender for Identity users with read-only permissions to view Defender for Identity settings.
Public Preview sign-up.png

New Graph based API for viewing and managing Health issues. Now you can view and manage Defender for Identity health issues through the Graph API

Microsoft Defender for Cloud Apps
Public Preview sign-up.png

[Preview] Defender for Cloud Apps now supports in-browser protection for end users who use the Edge browser. Edge browser users (from BYOD or corporate-owned devices), scoped to session policies, will enjoy a smooth app experience with no latency, no app compatibility issues, and a higher level of security."

User experience with in-browser protectionUser experience with in-browser protection

Public Preview sign-up.png Defender for Cloud Apps in the Microsoft Defender portal now available to all Defender for Cloud Apps roles

The Defender for Cloud Apps experience in the Microsoft Defender portal is now available for all Defender for Cloud Apps roles, including the following roles that were previously limited:

  • App/Instance admin
  • User group admin
  • Cloud Discovery global admin
  • Cloud Discovery report admin

For more information, see Built-in admin roles in Defender for Cloud Apps.

Public Preview sign-up.png New anomaly data for the advanced hunting CloudAppEvents table

Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new LastSeenForUser and UncommonForUser columns columns for queries and detections rules. Using this data assists in ruling out false positives and finding anomalies.

For more information, see Advanced Hunting "CloudAppEvents" Data schema.

Microsoft Defender for Office 365
Blogs on MS.png

Permissions Management: Defender XDR's RBAC Walkthrough for Defender for Office 365 

Microsoft Defender XDR unified role-based access control is the new permissions model across the various Defender workloads, and is a critical step forward in our “least privilege” permissions principle for Microsoft Defender for Office 365.

Blogs on MS.png

Announcing Threat Explorer enhancements, including persistent views, easier navigation between URL clicks and emails, custom timestamp filtering, and displaying remediation action results. This blog post shares details of the recently introduced UX enhancements and how security analysts can adopt them in their investigation & hunting workflows. 

Public Preview sign-up.png Copy Attack simulation training (AST) simulations. Defender for Office 365 introduces a 'copy simulation action' button in Attack simulation training to duplicate existing simulations and make necessary edits to introduce fresh and tailored simulation scenarios. 
Public Preview sign-up.png Attack simulation training is now generally available for DoD tenants. 
Blogs on MS.png

Hunting and responding to QR code-based phishing attacks with Defender for Office 365. 

Blog covers how security teams can identify URLs embedded within QR codes in an email across their investigation and hunting workflows, including advanced hunting samples.

Microsoft Defender Vulnerability Management
Public Preview sign-up.png

Vulnerability Descriptions enhanced with AIAddressing software vulnerabilities can be challenging, especially when remediation and impact of the CVE may vary across different sources. To address this challenge, the Defender Vulnerability Management team has developed an enhanced description for CVEs using AI technology. 

Example of the updated vulnerability descriptions.Example of the updated vulnerability descriptions.

Threat Analytics Reports / Actor, activity & technique profiles (Portal access needed)
  Storm-1874. The threat actor Microsoft tracks as Storm-1874 is a financially motivated cybercriminal group known for deploying BlackCat, BlackSuit, and Knight ransomware. In February 2024, Microsoft Threat Intelligence identified Storm-1874 intrusion followed by deployment of BlackCat ransomware at organizations within the United States-based healthcare industry. 
  Vulnerability profile: CVE-2024-27198 and CVE-2024-27199 in JetBrains TeamCity. Versions of the JetBrains TeamCity build management server before 2023.11.4 are vulnerable to two authentication bypass flaws, CVE-2024-27198 and CVE-2024-27199. Disclosed in early March 2024, both vulnerabilities are rated as critical.
  Technique Profile: Bring your own vulnerable driver. In a Bring Your Own Vulnerable Driver (BYOVD) attack, also known as Living Off The Land Drivers (LOLDrivers), a threat actor drops a legitimate, signed driver containing an exploitable vulnerability onto a compromised system to exploit that vulnerability with a separate malicious tool. This technique differs from signed malicious drivers. While the signed driver in BYOVD is developed by a legitimate developer, a signed malicious driver is developed by a threat actor.
  Activity profile: Mango Sandstorm targets Israel-based organizations in high-volume phishing campaign. Since late February 2024, Microsoft has observed a high volume of activity attributed to Mango Sandstorm, an Iranian nation-state actor with ties to Iran’s Ministry of Intelligence and Security (MOIS). In a subset of this activity, Mango Sandstorm sent phishing emails to targets in the government and local government sectors in Israel.
  Activity profile: Tax season-related campaigns. Every year, cybercriminals use holidays and important events as opportunities to leverage social engineering to try and steal information from targets. The tax filing season presents one such opportunity, and can result in financial information being stolen, identity theft, and monetary loss. Threat actors use various techniques to craft their campaigns and mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads. These techniques include phishing emails, SMS phishing (smishing), malicious advertising, and voice phishing (vishing). Although these are well-known, longstanding techniques, they’re still highly effective. 
  Tool Profile: NukeKhet. Since at least 2019, Ruby Sleet (formerly CERIUM) has used its custom NukeKhet malware as a backdoor following spear phishing attacks, primarily against South Korean targets in both the public and private sectors.
  Actor profile: Luna Tempest. The actor Microsoft tracks as Luna Tempest (formerly Storm-0744) is a financially motivated cybercriminal group comprised primarily of Western-based individuals focusing on data theft and extortion. Luna Tempest relies on various social engineering techniques to gain access to a target.
  CVE-2024-28916 - vulnerability affects Gaming Services packages. CVE-2024-28916 is an escalation of privilege vulnerability affecting Gaming Services packages prior to version 19.87.13001.0, which are available for systems running Windows 10 or 11. A threat actor with privileges to create folders and performance traces on a compromised system could exploit the vulnerability to gain SYSTEM privileges.

Published on:

Learn more
Microsoft 365 Defender Blog articles
Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

Share post:

Related posts

Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy