Monthly news - February 2024

Protect faster with Microsoft Defender XDR’s latest UX enhancements. To help SOC teams protect faster, we are excited to share the general availability (GA) of the most recent user experience (UX) enhancements within Microsoft Defender XDR to improve efficiency and deliver an intuitive, smooth experience throughout the incident triage, investigation, and threat hunting processes for the SOC teams.

This includes the following enhancements:

• New functionality in the incident queue's available filters is now generally available. Prioritize incidents according to your preferred filters by creating filter sets and saving filter queries. Learn more about incident queue filters in Available filters.

• Defender for Cloud alerts integration with Defender XDR is now generally available. .

• Activity log is now available within an incident page. Use the activity log to view all audits and comments, and add comments to the log of an incident. For details, see Activity log.

• (Preview) Query history in advanced hunting is now available. You can now rerun or refine queries you have run recently. Up to 30 queries in the past 28 days can be loaded in the query history pane.

• (Preview) Additional features you can use to drill down further from your query results in advanced hunting are now available.

Microsoft Defender Threat Intelligence: Introducing Automatic File and URL (Detonation) Analysis. New enhancements to the file and URL analysis (detonation) capabilities in the threat intelligence blade within the Defender XDR user interface. 

Defender Experts for XDR now lets you receive managed response notifications and updates using Teams. You can also chat with Defender Experts regarding incidents where managed response is issued. Fore more information visit our documentation. 

Security Analyst Profile: Arlette Umuhire Sangwa. In our ongoing Defender Experts for XDR blog series, in this post we introduce you to Arlette Umuhire Sangwa, a dedicated and insightful analyst on the Defender Experts for XDR team. Arlette's role involves analyzing and recommending remediations to customers, leveraging the extensive telemetry from various Microsoft Defender suites of products. 

Test your configurations and experience Defender Experts Notifications early. 

We have released the Sample Defender Experts Notification feature which will enable customers to:

• Get the Defender Experts Notification experience earlier than when the actual Defender Experts Notification is sent by our experts upon detecting malicious activities in their environment.
• Test the email notifications configuration done by customers for Defender Experts Notifications.
• Test the playbooks/rules set up in SIEM/SOC tools for Defender Experts Notifications.

Defender Experts’ recommendations for impactful security posture management. This blog post discusses some of the security controls and configurations the Defender Experts' find most impactful in the real world.

Dynamic rules for tagging devices is now generally available. This feature enables security teams to create and manage rules that automatically assign and remove tags from devices based on user-defined criteria directly in the Microsoft Defender portal. 

Revised Device Control Documentation and Samples. This repository contains samples and resources for Defender for Endpoint Device Control for Windows and Defender for Endpoint Device Control for Mac

Identity in focus: Exploring the new ITDR experience within Microsoft Defender. This blog discusses some new enhancements to how our customers can find and engage with their Identity security capabilities.  

ITDR Dashboard

In this video John Savil explores bring signals in from our Active Directory into our complete Identity Threat Detection and Response solution! 

You can now view Active Directory group entity-related activities and alerts from the last 180 days in Microsoft Defender XDR, such as group membership changes, LDAP queries and so on.

To access the group timeline page, select Open timeline on the group details pane.

For more information, see Investigation steps for suspicious groups.

Defender for Cloud Apps now supports SaaS security posture management (SSPM) across multiple instances of the same app. For example, if you have multiple instances of AWS, you can configure Secure Score recommendations for each instance individually. Each instance will show up as a separate item on the App Connectors page.
For more information, see our documentation: SaaS security posture management (SSPM).

(Preview) Limitation removed for the number of files that can be controlled for uploading in session policies. Session policies now support control over uploading folders with more than 100 files, with no limit to the number of files that can be included in the upload.

For more information, see Protect apps with Defender for Cloud Apps Conditional Access App Control.

Train your users to be more resilient against QR code phishing. In partnership with Fortra’s Terranova Security, we have launched two new QR code phishing training modules aimed at educating users against QR code-based phishing attacks.  

Printed QR Codes on a poster

Providing intent while submitting is now generally available: Admins can identify if they're submitting an item to Microsoft for a second opinion or they're submitting the message because it's malicious and was missed by Microsoft. With this change, Microsoft analysis of admin submitted messages (email and Microsoft Teams), URLs, and email attachments is further streamlined and results in a more accurate analysis. Learn more.