𝐌𝐚𝐧𝐚𝐠𝐞 𝐲𝐨𝐮𝐫 𝐝𝐞𝐯𝐢𝐜𝐞𝐬 𝐰𝐢𝐭𝐡 𝐞𝐚𝐬𝐞 𝐮𝐬𝐢𝐧𝐠 𝐝𝐲𝐧𝐚𝐦𝐢𝐜 𝐫𝐮𝐥𝐞𝐬 𝐟𝐨𝐫 𝐝𝐞𝐯𝐢𝐜𝐞 𝐭𝐚𝐠𝐠𝐢𝐧𝐠 𝐢𝐧 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐃𝐞𝐟𝐞𝐧𝐝𝐞𝐫

We are excited to announce that dynamic rules for tagging devices is now generally available. This feature enables security teams to create and manage rules that automatically assign and remove tags from devices based on user-defined criteria directly in the Microsoft Defender portal.

Dynamic tags:

- simplify tag management,

- reduce manual efforts,

- facilitate efficient device tracking,

- simplify compliance by automatically categorizing non-compliant devices

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/manage-your-devices-with-ease-using-dynamic-rules-for-device/ba-p/4024988

#edr #xdr #defender #defenderxdr #microsoft365defender #endpoint #management #tag #device #compliance #microsoft #microsoftsecurity #soc #cloudsecurity #cloud #cloudnative

Investigating initial access in compromised email accounts using Microsoft 365 Defender: https://www.michalos.net/2023/10/03/investigating-initial-access-in-compromised-email-accounts-using-microsoft-365-defender/

#AdvancedHunting #dfir #kql #kustoquerylanguage #microsoft365defender

𝗥𝗲𝘀𝗽𝗼𝗻𝗱 𝘁𝗼 𝘁𝗵𝗿𝗲𝗮𝘁𝘀 𝗮𝗰𝗿𝗼𝘀𝘀 𝘁𝗲𝗻𝗮𝗻𝘁𝘀 𝗺𝗼𝗿𝗲 𝗲𝗳𝗳𝗲𝗰𝘁𝗶𝘃𝗲𝗹𝘆 𝘄𝗶𝘁𝗵 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝟯𝟲𝟱 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿 𝗺𝘂𝗹𝘁𝗶-𝘁𝗲𝗻𝗮𝗻𝘁 𝘀𝘂𝗽𝗽𝗼𝗿𝘁

Today we are excited to expand our current public preview for multi-tenant environments in Microsoft 365 Defender, which provides large organizations with the much-needed visibility and ease of use across their distributed environments.

This addition marks the first wave of improvements, with a focus on global SOC investigation flows, including a consolidated view of incidents across tenants, device inventory, vulnerability management, the ability to perform advanced hunting across data in multiple tenants, and more

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/respond-to-threats-across-tenants-more-effectively-with/ba-p/3901174

#microsoft #microsoft365defender #multitenant #soc #xdr #edr #azure #coudsecurity #managedserviceprovider #threat #threathunting

Adversary-in-The-Middle & Business Email Compromisedthreat hunting with KQL

Find out essential points for threat hunting, focusing on how to track "potential" AiTM/BEC activities using Kusto Query Language (KQL) in Microsoft 365 Defender

https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/aitm-amp-bec-threat-hunting-with-kql/ba-p/3885166

#bec #AiTM #hunting #m365defender #microsoft365defender #threathunting #microsoft #azure #soc #phishing #kql #kusto #cloudsecurity

𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭 𝐃𝐞𝐟𝐞𝐧𝐝𝐞𝐫 𝐟𝐨𝐫 𝐈𝐝𝐞𝐧𝐭𝐢𝐭𝐲 𝐞𝐱𝐩𝐚𝐧𝐝𝐬 𝐢𝐭𝐬 𝐜𝐨𝐯𝐞𝐫𝐚𝐠𝐞 𝐰𝐢𝐭𝐡 𝐧𝐞𝐰 𝐀𝐃 𝐂𝐒 𝐬𝐞𝐧𝐬𝐨𝐫

Sensor that can be deployed on Active Directory Certificate Services (AD CS) servers. This new sensor builds on the existing detections for suspicious certificate usage available today and extends Defender for Identities capabilities and coverage more comprehensively across identity environments.

AD CS is a role in Windows Server that allows you to create and manage public key infrastructure (PKI) certificates.

New detections:

➡️Domain-controller certificate issuance for a non-DC

➡️Suspicious disable of audit logs of AD CS

➡️Suspicious deletion of the certificate database

➡️Suspicious modifications to the AD CS settings (coming soon)

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/microsoft-defender-for-identity-expands-its-coverage-with-new-ad/ba-p/3894215

#defenderforidentity #xdr #mdi #azure #microsoft #micrsoftsecurity #soc #adcs #pki #windows #server #cybersecurity #microsoft365defender #cloudsecurity #identity

Microsoft Defender for Office 365 has been recognized as a leader in The Forrester Wave ™: Enterprise Email Security, Q2 2023 report.

For more information on this recognition, check out the full report here: https://reprints2.forrester.com/#/assets/2/108/RES178496/report

https://www.microsoft.com/en-us/security/blog/2023/06/12/forrester-names-microsoft-a-leader-in-the-2023-enterprise-email-security-wave/

#microsoft #office365 #security #leader #email #xdr #defender #microsoft365defender #mdo #emailprotection #emailsecurity #phishing #spam #SecOps #soc #analyst #bec #sandboxing #emailauthentication #collaboration #siem #ir #threatintelligence #azure #cloud #cloudsecurity #cloudnative

Automatically disrupt adversary-in-the-middle (AiTM) attacks with Microsoft XDR

Microsoft announced expansion of automatic attack disruption to include adversary-in-the-middle attacks (AiTM) attacks, in an addition to the previously announced public preview for business email compromise (BEC) and human-operated ransomware attacks.

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/automatically-disrupt-adversary-in-the-middle-aitm-attacks-with/ba-p/3821751

#microsoft #email #business #AiTM #bec #xdr #azure #soc #securityplatform #defender #defenderforidentity #defenderforcloudapps #defenderforendpoint #microsoft365defender #cloudsecurity #securityanalytst

As if defenders haven't had enough headaches already, #Google decided recently to provide gTLD registrations for .zip and .mov domains opening new opportunities for threat actors for malicious activity.

Below is a #Microsoft #KQL query, with high recall for .zip and .mov network connections.

Also, as with any other domain TLD, if you type a non-existent file such as update.zip at the file explorer, user will be redirected to the relevant website (check first comment for PoC).

Query includes MITRE ATT&CK mapping.

➜ https://github.com/cyb3rmik3/KQL-threat-hunting-queries/blob/main/Threat%20Hunting/network-zipandmov-access.md

#MicrosoftSecurity #Microsoft365 #Microsoft365Defender #MicrosoftDefender #MITREATTACK

Microsoft Defender Threat Intelligence (Defender TI) is now available to licensed customers within the Microsoft 365 Defender (M365 Defender) portal, placing its powerful threat intelligence side-by-side with the advanced XDR functionality of M365 Defender.

Use Cases

➡ Advanced hunting with Defender TI IOCs against the logs and Events within Microsoft 365 Defender

➡Upload IOC to a storage account\public GitHub

➡Using KQL Externaldata operator as correlation source and proactive hunting and enabling custom detection on M365 Defender

➡M365 Defender Raw Event Detection

➡M365D Raw events flow into Sentinel with the M365 Defender Data connector

➡MDTI Feeds flow into Sentinel with MDTI Data connector

➡Manual TI correlation rule

https://techcommunity.microsoft.com/t5/microsoft-defender-threat/what-s-new-mdti-interoperability-with-microsoft-365-defender/ba-p/3799846

#DefenderTI #TI #threatintelligence #MicrosoftDefenderThreatIntelligence #xdr #soc #securityplatform #securityanalytst #m365defender #microsoft365defender #microsoft #azure #intelligence #ioc #threathunting #ttp

📢 Find out new Microsoft Entra Features:

➡Identity security / protecting Identities

🔸 Azure AD Recommendations

🔸 More information on why a sign-in was flagged “unfamiliar”

➡Identity modernization

🔸Converged Authentication Methods

🔸Granular device management using custom roles

🔸Azure AD Single-Sign-On enhancements

🔸Attribute Name format for SAML claims

🔸Apply RegEx Replace to the group claim content

🔸Multiple instances of the same application (IDP- and SP-initiated)

🔸 Persistent NameID for IDP-initiated apps

🔸AD FS migration advisor in Microsoft 365 admin center

➡Identity Governance

🔸New SCIM connector for ServiceNow

🔸Provisioning insights workbook

🔸 Expanding Privileged Identity Management (PIM) role activation across the Azure portal

➡Identity for multicloud

🔸Workload Identity Federation for Managed Identities

➡Passwordless

🔸Multiple Passwordless Phone Sign-in for iOS devices

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/new-microsoft-entra-features-now-available/ba-p/2967447

#microsoft #azure #security #entra #azuread #azureactivedirectory #aad #epm #identity #pim #multicloud #passwordless #ios #saml #servicenow #sso #singlesignon #cloudidentity #governance #identitygovernance #iam #iag #microsoft365 #microsoft365defender