Microsoft Defender XDR Blog

Monthly news - March 2025

HeikeRitter
Microsoft
Mar 11, 2025

Microsoft Defender XDR
Monthly news
March 2025 Edition
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from February 2025. Defender for Cloud has its own Monthly News post; have a look at their blog space.
 
Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
 

(Public Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see Exclude assets from automated responses in automatic attack disruption.  

 

(Public Preview) The PrivilegedEntraPimRoles column is available for preview in the advanced hunting IdentityInfo table.

(General Available) You can now view how Security Copilot came up with a query suggestion in its responses in Microsoft Defender advanced hunting. Select See the logic behind the query below the query text to validate that the query aligns with your intent and needs, even if you don't have an expert-level understanding of KQL.

We are excited to announce that we have increased the Multi Tenant Organization (MTO) tenant limit: you can now manage up to 100 tenants in your MTO view. With that, you can view incidents, hunt, and see and manage all your data from one single pane of glass. This is only the first step to improve management at scale. Learn more in our docs.

(General Available) Sentinel-only is now generally available in the Unified Security Operations platform. Customers without an E5 license can now onboard their workspace and work in the unified platform for all features (single workspace only, for single tenant and for multi tenant).

(General Available) Gov Clouds (GCCH and DoD) are now generally available in the Unified Security Operations platform. Customers with a single workspace (for both multi tenant and single tenant) are now able to work in the unified platform on all features.

Query assistant - KQL response explanation. The Security Copilot Query Assistant in Advanced Hunting generates KQL queries from requests in natural language, allowing you to hunt for threats without deep knowledge of KQL and the schema. With this new feature, you can review the logic behind the KQL queries generated by Copilot, including a breakdown of the query. This helps validate that the query aligns with your intent and needs, even without a deep understanding of KQL.
 

 

Microsoft Sentinel

 

Threat Intelligence Ingestion rules: This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Sentinel. You can now set custom conditions and actions on Indicators of Compromise (IoCs), Threat Actors, Attack Patterns, Identities, and their Relationships. Learn more in this blog post.

 Missed the live session? Watch our recorded webinar on "SIEM as Code", a transformative approach shaping the future of SIEM. Learn how to implement it in Microsoft Sentinel using the repositories feature and explore best practices for automation and scalability.
 

 

Microsoft Defender Experts for XDR

 

Published Scoped coverage in Microsoft Defender Experts for XDR. Microsoft Defender Experts for XDR offers scoped coverage for customers who wish to have Defender Experts cover only a section of their organization (for example, specific geography, subsidiary, or function) that requires security operations center (SOC) support or where their security support is limited. Learn more on our docs.

 

 

Microsoft Defender for Identity

 (General Available) New Identity Guide Tour
We've added an interactive guide tour in the Defender XDR portal to help you navigate identity security features, investigate alerts, and enhance your security posture with ease.
 

(General Available) New attack paths tab on the Identity profile page.
This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management.

 

(General Available) New and updated events in the Advanced hunting IdentityDirectoryEvents table.
We have added and updated various events in the IdentityDirectoryEvents table in Advanced Hunting. Learn more on our docs.

 

(General Available) Identity page enhancements such as the user timeline side panel, a password last change field in the UI, devices tab filters, and so on.

 

Defender for Identity integration with Entra Privileged Identity Management (PIM) - the SOC can now view identities in the Defender XDR portal that are eligible to elevate to privileged roles via Entra PIM. A new tag and a list of the user's Entra privileged roles (eligible and assigned) were added to the user page and side panel in the Defender XDR portal and to the IdentityInfo table.

 

Privileged Access Management (PAM) vendors integration with MDI – CyberArk, Delinea and BeyondTrust. The integration provides the SOC with visibility into on-prem / Entra ID privileged identities managed in the PAM solution, adding a new tag on privileged identities in the Defender XDR user page, side panel and IdentityInfo table, allowing for incident prioritization, custom detections, advanced hunting and more. The SOC can also initiate a remediation action to 'enforce password rotation' on a compromised privileged identity directly in the Defender XDR portal. The integration needs to be enabled by the customer in the Partners portal. Go to the XDR Technical Partners catalog to see the new partner integrations, and access the PAM vendors marketplace.
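As an added advanced hunting example (not from the original post or Microsoft's docs), the query below uses the new PrivilegedEntraPimRoles column and the PAM tag in IdentityInfo to surface privileged identities with a burst of failed sign-ins, so the SOC can triage them first. It assumes PrivilegedEntraPimRoles is a dynamic array and that the PAM integration writes its tag into the Tags column; the tag string and the failure threshold are placeholders to adjust for your tenant.

```kql
// Added example, not from the original post. Assumptions: PrivilegedEntraPimRoles
// is a dynamic array and the PAM integration's tag lands in Tags; the tag text
// and the FailedLogons threshold are placeholders.
let lookback = 7d;
let privileged =
    IdentityInfo
    | where Timestamp > ago(lookback)
    // IdentityInfo is a periodic snapshot, keep the latest row per account
    | summarize arg_max(Timestamp, *) by AccountObjectId
    | where isnotempty(PrivilegedEntraPimRoles)
        or Tags has_any ("<PAM tag placeholder>")
    | project AccountObjectId, AccountUpn, PrivilegedEntraPimRoles, Tags;
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonFailed"
| summarize FailedLogons = count(), LastFailure = max(Timestamp) by AccountObjectId
// keep only accounts that carry a PIM role or a PAM tag
| join kind=inner privileged on AccountObjectId
| where FailedLogons >= 10          // placeholder threshold, tune per tenant
| project AccountUpn, PrivilegedEntraPimRoles, Tags, FailedLogons, LastFailure
| order by FailedLogons desc
```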

 

2 New Entra Detections and on-prem detection improvement. 
Entra new detections: "suspicious multiple TAP creation for the same user account" and "suspicious alternative phone number addition".
Detection improvement in on-prem: "Blood hound python" - version update to cover false negatives (FN).

 

New recommendations for Identity Security Posture. In this blog we will focus on some key things to consider for your Active Directory (AD) footprints. Active Directory is a critical element of user authentication, and its complexity leaves many opportunities for potential misconfigurations, making it a prime target for attackers. To address these vulnerabilities, we've added 10 new recommendations aimed at strengthening your identity security posture and protecting against evolving threats.

 

 

Microsoft Security Exposure Management

 

The following predefined classification rules were added to the critical assets list:

  • Azure Key Vault with high number of operations: This rule identifies and classifies Azure Key Vaults that experience a high volume of operations, indicating their criticality within the cloud environment.
  • Security Operations Admin Device: This rule applies to critical devices used to configure, manage, and monitor security within an organization. These devices are vital for security operations administration and are at high risk of cyber threats, so they require top-level security measures to prevent unauthorized access.

For more information, see Predefined classifications.

 

 

Microsoft Defender for Endpoint

 

(General Available) Aggregated reporting in Microsoft Defender for Endpoint is now generally available. For more information, see Aggregated reporting in Microsoft Defender for Endpoint.

 

Guidance for penetration testing and breach-and-attack-simulation scenarios with Defender for Endpoint. This new article describes common challenges and potential misconfigurations that might arise during penetration testing (pen testing) or using breach and attack simulation (BAS) tools. This article also describes how to submit potential false negatives for investigation.

 

This article describes how to use Microsoft Defender for Endpoint Security Settings Management to manage Microsoft Defender Antivirus. 

 

 

Microsoft Blogs

  • Code injection attacks using publicly disclosed ASP.NET machine keys.
  • The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation.
  • Storm-2372 conducts device code phishing campaign.
 

 

Threat Analytics Reports (access to the Defender XDR portal required)
