Monthly news - May 2024

• AI-powered disruption of SaaS attacks: Microsoft Defender XDR is expanding its attack disruption capabilities to new scenarios that include OAuth app compromise within SaaS apps, disabling a malicious OAuth app & broadened compromised user coverage.
• Native support for Data Security & Operational Technology (OT): OT security is now integrated into XDR along with new insider risk management insights from Microsoft Purview that further brings Data Security into the SOC.
• End to end protection in the unified security operations platform: new features that benefit both Microsoft Sentinel & Defender XDR customers like unified custom detections, automation rules, and more, as well as new in-browser protection using Microsoft Edge to protect access to SaaS apps.

Device inventory in multitenant management in Microsoft Defender XDR is now available. The device inventory page in multitenant management lists all the devices in each tenant that you have access to. The page is like the Defender for Endpoint device inventory with the addition of the Tenant name column. Device management tasks like managing tags, device exclusion, and reporting inaccuracy becomes available for each device in the list. Learn more in our documentation.

Device inventory

New virtual Ninja Show episodes. Join us for a series of Copilot for Security technical

deep dives, learn more about Defender for Identity, Defender for Server and more. Reserve your calendar now for upcoming episodes, or watch previous episodes on demand  

Hunting in Azure subscriptions. This blog post delves into various strategies and methodologies designed to enhance our grasp of the scope and complexity of how threat actors' manoeuvre within Azure subscriptions, thereby fortifying our defenses against the ever-evolving landscape of cyberattacks.

New short & sweet videos. Watch these 3-5 minutes videos to learn more about:

• Get started with onboarding
• Get started with reporting
• Get started with incident response

Two new GA announcements:

• Tamper protection on antivirus exclusions for Configuration Manager is now generally available. Read the blog for more details:  
• Offline Security Intelligence Update on Linux is now generally available!
• Troubleshooting mode for macOS : Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. To learn more, see Troubleshooting mode in Microsoft Defender for Endpoint on macOS.

Microsoft Defender Core service overview; monitors for sustained CPU usage, memory leaks, crashes and/or hangs, false positive (FP) storm of the Microsoft Defender Antivirus service.

Easily detect CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability. To help customers better identify and detect attempts to bypass security protocols according to this vulnerability, we have added a new activity within Advanced Hunting that monitors Kerberos AS authentication. Learn more on our documentation. 

You can now watch the recordings of the POCaaS ITDR webinar series:

• Session 1: ITDR Introduction and Prevention Capabilities
• Session 2: Detection
• Session 3: Investigation and Hunting
• Session 4: Response

This bog post discusses the newly introduced Defender for Identity Health issues management API. 

Health page

New Graph based API for viewing and managing Health issues. Now you can view and manage Defender for Identity health issues through the Graph API.

KuppingerCole leadership compass for ITDR. Microsoft named an overall leader in KuppingerCole Leadership Compass for ITDR.

App Governance is now available in GCCM. App Governance capabilities in Defender for Cloud Apps are now available to opt-in in GCCM environment, and soon to be available in the other gov clouds. (GCCH& DoD) - go ahead and enable it to increase your app protection.

Copy simulations in Attack Simulation Training is now generally available. We are excited to announce that in Attack Simulation Training, you can now copy an existing simulation and modify it to suit your need which will save you time and effort when creating new simulations based on previous ones. 

Also, Attack Simulation Training is now available for GCC High and DoD customers and has been released for Department of Defense (DoD) and Government Community Cloud High (GCC High) environments.

Gone Phishing Tournament™ Takeaways. In this blog, we would like to share the key takeaways from this report and provide insights on what it means to improve organizational resilience against phishing and social engineering attacks with tools like Attack Simulation and Training.

New short & sweet videos. Watch these 3-5 minutes videos to learn more about:

• Training Campaigns
• Simulation Automations

Last used date added to Tenant Allow/Block List entries for domains and email addresses, files, and URLs.

Enhanced clarity in submissions results: You can now see enhanced results within submissions across email, Microsoft Teams messages, email attachments, URLs, and user-reported messages. Learn more.

Take action replaces the Message actions drop down list on the Email tab (view) of the details area of the All email, Malware, or Phish views in Threat Explorer (Explorer). Learn more. 

Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls. Read more in this blog post.