Posted February 6, 2023 by FPCH Admin

Microsoft 365 Defender Monthly news - February 2023 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2023.

NEW: At the end we now include a list of the latest threat analytics reports, as well as other Microsoft security blogs for you.

Microsoft 365 Defender

Build custom incident response actions with Microsoft 365 Defender APIs. Use the Microsoft 365 Defender APIs to perform custom actions in bulk.

Use Microsoft 365 Defender role-based access control (RBAC) to centrally manage user permissions. The new Microsoft 365 Defender role-based access control (RBAC) capability, currently in public preview, enables customers to centrally control permissions across different security solutions within one single system with greater efficiency and consistency. More information on docs: Microsoft 365 Defender role-based access control (RBAC).

Alert evidence is shown in the alert side panel. See all related alert evidence from the alert side panel at a glance, and click on each piece of evidence to get more information. You can open the alert side panel from the incident queue, alerts in an incident, the device and user pages, or any other experience where you investigate alerts in the portal.

The new Microsoft Defender Experts for Hunting report is now available. The report's new interface gives customers more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month.

Support for searching the schema in Advanced hunting. Search across the schema, queries, functions and custom detection rules is now available on the Advanced hunting page. You can search for names of tables, columns, queries and rules to easily locate what you are looking for.

Guided mode improvements in Advanced hunting. Using the guided mode in Advanced hunting you can craft queries using a friendly query builder. As we are improving the experience, you can now:
1. Customize the sample size of the results from your query (set the number of results you wish to get back)
2. Add conditions from the result set to the query

Support for "all device groups" and "all organization" scoping in custom detection rules and alert suppression. When configuring a custom detection or alert suppression rule, the "all device groups" and "all organization" scoping was previously available only to Admin users. M365D now supports the same capability for users who have access to all existing device groups, so they no longer need to select each group separately.

The new Identity page, including the Identity timeline, is now in public preview! The Identity timeline is now available as part of the new Identity page in Microsoft 365 Defender. The updated User page in M365 Defender has a new look and feel, with an expanded view of related assets and a new dedicated timeline tab. The timeline represents activities and alerts from the last 30 days, and it unifies the user's identity entries across all available workloads (Defender for Identity/Defender for Cloud Apps/Defender for Endpoint). By using the timeline, you can easily focus on activities that the user performed (or that were performed on them) in specific timeframes.

Microsoft Defender for Endpoint

Introducing tamper protection for exclusions. One of the most requested features for tamper protection is protection of antivirus exclusions. With that in mind, the Microsoft Defender team has implemented new functionality that allows exclusions (path, process, and extension) to be protected when deployed with Intune.

Recovering from Attack Surface Reduction rule shortcut deletions. This blog contains information on how to recover from Attack Surface Reduction rule shortcut deletions and is being updated on a regular basis as new information becomes available.

Microsoft Defender for Identity

New health alert for verifying that Directory Services Object Auditing is configured correctly. If the Directory Services Object Auditing configuration does not include all the required object types and permissions, it can limit the sensors' ability to detect suspicious activities.

New health alert for verifying that the sensor's power settings are configured for optimal performance. If the operating system's power mode is not configured for optimal processor performance, it can impact the server's performance and the sensors' ability to detect suspicious activities.

Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender. Starting January 31, 2023, the portal redirection setting will be automatically enabled for each tenant. Once the redirection setting is enabled, any requests to the standalone Defender for Identity portal (portal.atp.azure.com) will be redirected to Microsoft 365 Defender, along with any direct links to its functionality. Accounts accessing the former Microsoft Defender for Identity portal will be automatically routed to the Microsoft 365 Defender portal.

Microsoft Defender for Office 365

Automatic Tenant Allow/Block List expiration management is now available in Defender for Office 365!

Microsoft Defender Vulnerability Management

Leverage authenticated scans to prevent attacks on your Windows devices. Authenticated scans for Windows provide the ability to remotely target devices by IP range or hostname and scan Windows services by equipping the tool with credentials to remotely access the machines.

Microsoft 365 Defender Threat Analytics Reports

Threat Insights: OAuth consent phishing trust abuse. As detection and protection controls for traditional credential phishing increase, attackers are adopting OAuth consent phishing, a technique that tricks a user into allowing a malicious application to perform actions on behalf of their account without the need for credentials.

SystemBC tool used in human-operated ransomware intrusions. SystemBC is a post-compromise commodity remote access trojan (RAT) and proxy tool that Microsoft researchers have observed multiple adversaries use in a diverse array of seemingly opportunistic ransomware attacks on targets across various sectors and geographies. These adversaries use SystemBC infections to deliver additional malware and maintain persistence in a compromised environment. To this end, multiple groups including DEV-0237, DEV-0832, and DEV-0882 continue to use SystemBC with, or as a substitute for, Cobalt Strike in compromises that ultimately result in the deployment of payloads like Play, Black Basta, and Zeppelin.

DEV-1039 mass SQL server exploitation continues to deliver Mallox ransomware. Since at least mid-2022, the threat group that Microsoft tracks as DEV-1039 has deployed both Mallox (also known as Fargo) and GlobeImposter ransomware in mass opportunistic Microsoft SQL server vulnerability exploitation attacks. After initial exploitation, DEV-1039 delivers commodity malware like Remcos, and deploys Mallox, GlobeImposter, or BlueSky ransomware.

CVE-2022-47966: Zoho ManageEngine unauthenticated SAML XML RCE vulnerability. A proof of concept (POC) for CVE-2022-47966 was released on GitHub on January 18, 2022. Microsoft observed an increase in ManageEngine exploitation in our endpoint telemetry in the past seven days. Microsoft recommends patching this vulnerability as soon as possible.

DEV-0300 ransomware activity. The group Microsoft tracks as DEV-0300 represents unattributed activity associated with ransomware attacks, including both pre-ransomware activities and ransomware deployment. Because multiple cybercrime actors customize and reuse a range of common tools and techniques deployed in ransomware attacks, and the relationships between actors change very rapidly, Microsoft labels observed ransomware-related activity that has not yet been associated with a known tracked group as DEV-0300. As more patterns are identified from this activity, it is often merged into existing activity groups or split into new, well-defined clusters.

Continue reading...