Defender XDR Unified Audit Logs
Hi, There used to be Unified Audit Logs -option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc. using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from Defender XDR or Purview portals?MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?Learn more about Microsoft Security Communities.
In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.Microsoft Security in Action: Zero Trust Deployment Essentials for Digital Security
The Zero Trust framework is widely regarded as a key security model and a commonly referenced standard in modern cybersecurity. Unlike legacy perimeter-based models, Zero Trust assumes that adversaries will sometimes get access to some assets in the organization, and you must build your security strategy, architecture, processes, and skills accordingly. Implementing this framework requires a deliberate approach to deployment, configuration, and integration of tools. What is Zero Trust? At its core, Zero Trust operates on three guiding principles: Assume Breach (Assume Compromise): Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly. Verify Explicitly: Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry. Use Least Privileged Access: Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control. Implementing a Zero Trust architecture is essential for organizations to enhance security and mitigate risks. Microsoft's Zero Trust framework essentially focuses on six key technological pillars: Identity, Endpoints, Data, Applications, Infrastructure, & Networks. This blog provides a structured approach to deploying each pillar. 1. Identity: Secure Access Starts Here Ensure secure and authenticated access to resources by verifying and enforcing policies on all user and service identities. Here are some key deployment steps to get started: Implement Strong Authentication: Enforce Multi-Factor Authentication (MFA) for all users to add an extra layer of security. Adopt phishing-resistant methods, such as password less authentication with biometrics or hardware tokens, to reduce reliance on traditional passwords. Leverage Conditional Access Policies: Define policies that grant or deny access based on real-time risk assessments, user roles, and compliance requirements. Restrict access from non-compliant or unmanaged devices to protect sensitive resources. Monitor and Protect Identities: Use tools like Microsoft Entra ID Protection to detect and respond to identity-based threats. Regularly review and audit user access rights to ensure adherence to the principle of least privilege. Integrate threat signals from diverse security solutions to enhance detection and response capabilities. 2. Endpoints: Protect the Frontlines Endpoints are frequent attack targets. A robust endpoint strategy ensures secure, compliant devices across your ecosystem. Here are some key deployment steps to get started: Implement Device Enrollment: Deploy Microsoft Intune for comprehensive device management, including policy enforcement and compliance monitoring. Enable self-service registration for BYOD to maintain visibility. Enforce Device Compliance Policies: Set and enforce policies requiring devices to meet security standards, such as up-to-date antivirus software and OS patches. Block access from devices that do not comply with established security policies. Utilize and Integrate Endpoint Detection and Response (EDR): Deploy Microsoft Defender for Endpoint to detect, investigate, and respond to advanced threats on endpoints and integrate with Conditional Access. Enable automated remediation to quickly address identified issues. Apply Data Loss Prevention (DLP): Leverage DLP policies alongside Insider Risk Management (IRM) to restrict sensitive data movement, such as copying corporate data to external drives, and address potential insider threats with adaptive protection. 3. Data: Classify, Protect, and Govern Data security spans classification, access control, and lifecycle management. Here are some key deployment steps to get started: Classify and Label Data: Use Microsoft Purview Information Protection to discover and classify sensitive information based on predefined or custom policies. Apply sensitivity labels to data to dictate handling and protection requirements. Implement Data Loss Prevention (DLP): Configure DLP policies to prevent unauthorized sharing or transfer of sensitive data. Monitor and control data movement across endpoints, applications, and cloud services. Encrypt Data at Rest and in Transit: Ensure sensitive data is encrypted both when stored and during transmission. Use Microsoft Purview Information Protection for data security. 4. Applications: Manage and Secure Application Access Securing access to applications ensures that only authenticated and authorized users interact with enterprise resources. Here are some key deployment steps to get started: Implement Application Access Controls: Use Microsoft Entra ID to manage and secure access to applications, enforcing Conditional Access policies. Integrate SaaS and on-premises applications with Microsoft Entra ID for seamless authentication. Monitor Application Usage: Deploy Microsoft Defender for Cloud Apps to gain visibility into application usage and detect risky behaviors. Set up alerts for anomalous activities, such as unusual download patterns or access from unfamiliar locations. Ensure Application Compliance: Regularly assess applications for compliance with security policies and regulatory requirements. Implement measures such as Single Sign-On (SSO) and MFA for application access. 5. Infrastructure: Securing the Foundation It’s vital to protect the assets you have today providing business critical services your organization is creating each day. Cloud and on-premises infrastructure hosts crucial assets that are frequently targeted by attackers. Here are some key deployment steps to get started: Implement Security Baselines: Apply secure configurations to VMs, containers, and Azure services using Microsoft Defender for Cloud. Monitor and Protect Infrastructure: Deploy Microsoft Defender for Cloud to monitor infrastructure for vulnerabilities and threats. Segment workloads using Network Security Groups (NSGs). Enforce Least Privilege Access: Implement Just-In-Time (JIT) access and Privileged Identity Management (PIM). Just-in-time (JIT) mechanisms grant privileges on-demand when required. This technique helps by reducing the time exposure of privileges that are required for people, but are only rarely used. Regularly review access rights to align with current roles and responsibilities. 6. Networks: Safeguard Communication and Limit Lateral Movement Network segmentation and monitoring are critical to Zero Trust implementation. Here are some key deployment steps to get started: Implement Network Segmentation: Use Virtual Networks (VNets) and Network Security Groups (NSGs) to segment and control traffic flow. Secure Remote Access: Deploy Azure Virtual Network Gateway and Azure Bastion for secure remote access. Require device and user health verification for VPN access. Monitor Network Traffic: Use Microsoft Defender for Endpoint to analyze traffic and detect anomalies. Taking the First Step Toward Zero Trust Zero Trust isn’t just a security model—it’s a cultural shift. By implementing the six pillars comprehensively, organizations can potentially enhance their security posture while enabling seamless, secure access for users. Implementing Zero Trust can be complex and may require additional deployment approaches beyond those outlined here. Cybersecurity needs vary widely across organizations and deployment isn’t one-size-fits all, so these steps might not fully address your organization’s specific requirements. However, this guide is intended to provide a helpful starting point or checklist for planning your Zero Trust deployment. For a more detailed walkthrough and additional resources, visit Microsoft Zero Trust Implementation Guidance. The Microsoft Security in Action blog series is an evolving collection of posts that explores practical deployment strategies, real-world implementations, and best practices to help organizations secure their digital estate with Microsoft Security solutions. Stay tuned for our next blog on deploying and maximizing your investments in Microsoft Threat Protection solutions.Monthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can now use the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence and attack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation about Microsoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following new privacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the new Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see, Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent. Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices – Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance - A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles – Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. See Android low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.
Defender MDO permissions broken (again)
Defender wasn't letting me approve pending AIR remediation options, something I do every day, with my usual custom RBAC role checked out. Nor could I move or delete emails. I also had Security Operator checked out. I checked out Security Admin and tried again, no dice. It wasn't until I checked out Global Admin until I got the permissions I needed.Monthly news - February 2025
Microsoft Defender XDR Monthly news February 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from January 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Public Preview) Creating a unified, security-focused case management system. We are excited to be introducing a new solution for case management, built specifically for SecOps teams, and integrated into the experience of Microsoft Sentinel and Defender XDR in the unified SecOps platform. With new case management functionality, available for any customer who has Microsoft Sentinel, customers can benefit from a purpose-built approach to managing and collaborating across security cases. (Public Preview) Device activity events from Microsoft Sentinel's device entity pages are now visible in the Timeline tab on the Device entity page in the Defender portal, in addition to remaining visible on the Sentinel events tab. These device activity events now include blocked, dropped, or denied network traffic originating from a given device. (Public Preview) Users with provisioned access to Microsoft Purview Insider Risk Management can now view and manage insider risk management alerts and hunt for insider risk management events and behaviors in the Microsoft Defender portal. For more information, see Investigate insider risk threats in the Microsoft Defender portal with insights from Microsoft Purview Insider Risk Management. (General Available) Advanced hunting context panes are now available in custom detection experiences. This allows you to access the advanced hunting feature without leaving your current workflow. For incidents and alerts generated by custom detections, you can select Run query to explore the results of the related custom detection. In the custom detection wizard's Set rule logic step, you can select View query results to verify the results of the query you are about to set. (General Available) The Link to incident feature in Microsoft Defender advanced hunting now allows linking of Microsoft Sentinel query results. In both the Microsoft Defender unified experience and in Defender XDR advanced hunting, you can now specify whether an entity is an impacted asset or related evidence. (General Available) Migrating custom detection queries to Continuous (near real-time or NRT) frequency is now generally available in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. Migrate compatible KQL queries by following the steps in Continuous (NRT) frequency. Microsoft Sentinel Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience. Learn more on our docs. Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables. Tables supporting the new STIX object schema are in private preview. In order to view threat intelligence for STIX objects and unlock the hunting model that uses them, request to opt in with this form. Ingest your threat intelligence into the new tables, ThreatIntelIndicator and ThreatIntelObjects alongside with or instead of the current table, ThreatIntelligenceIndicator, with this opt-in process. For more information, see the blog announcement New STIX objects in Microsoft Sentinel. Threat intelligence upload API now supports more STIX objects. The upload API supports the following STIX objects: indicator attack-pattern identity threat-actor relationship For more information, see the following articles: Connect your threat intelligence platform with the upload API (Preview) Import threat intelligence to Microsoft Sentinel with the upload API (Preview) New STIX objects in Microsoft Sentinel Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles: Explore Defender Threat Intelligence licenses Enable the Microsoft Defender Threat Intelligence data connector (Public Preview) Bicep template support for repositories. Use Bicep templates alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content. View granular solution content in the Microsoft Sentinel content hub. You can now view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need. For more information, see Discover content. Microsoft Defender for Cloud Apps Get visibility into your DeepSeek use with Defender for Cloud Apps. Defender for Cloud Apps helps you discover and protect more than 800 generative AI applications, now including DeepSeek. It provides the necessary overview of an app's usage in your organization, combined with the potential risk that the app poses for your organization. In fact, it profiles more than 90 separate risk attributes for each application in the Cloud App Catalog so you can make informed choices in a unified experience. Learn more in this blog post. Microsoft Defender for Identity Introducing the new Defender for Identity sensor management API. This blog discusses the new Defender for Identity sensor management API.This blog discusses Microsoft Security Exposure Management Metrics enhancements The metrics have been enhanced to show the improvement of the exposure levels with a progress bar, progressing from left to right and from 0% (indicating high exposure) to 100% (indicating no exposure). In addition, the metrics weight is now displayed as high, medium, or low, based on the metric's importance to the initiative. The weight can also be defined as risk accepted. For more information, see, Working with metrics Microsoft Defender for Office 365 Use the built-in Report button in Outlook: The built-in Report button in Outlook for iOS and Android version 4.2446 or later now supports the user reported settings experience to report messages as Phishing, Junk, and Not Junk. Build custom email security reports and dashboards with workbooks in Microsoft Sentinel. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Microsoft Defender for Endpoint (Public Preview) Aggregated reporting in Defender for Endpoint: Aggregated reporting extends signal reporting intervals to significantly reduce the size of reported events while preserving essential event properties. This feature is available for Defender for Endpoint Plan 2. For more information, see Aggregated reporting in Defender for Endpoint. (Public Preview) Defender for Endpoint extends support to ARM-based Linux servers. As the demand for ARM64 servers continues to rise, we are thrilled to announce that Microsoft Defender for Endpoint now supports ARM64 based Linux servers in Public Preview. This update marks a new milestone in our commitment to providing comprehensive endpoint security across all devices and platforms. More details in this announcement blog. Microsoft Defender for IoT Aggregating multiple alerts violations with the same parameters. To reduce alert fatigue, multiple versions of the same alert violation and with the same parameters are grouped together and listed in the alerts table as one item. The alert details pane lists each of the identical alert violations in the Violations tab and the appropriate remediation actions are listed in the Take action tab. For more information, see our docs.3 internal obstacles to overcome for comprehensive security
Organizations today face relentless security challenges, fending off an average of 59 data security incidents each year. 1 At an average cost of $15 million, 2 successful exploits can be devasting. To address these risks, organizations need a comprehensive defense, including committed leadership and cutting-edge tools. At Microsoft, safeguarding data, technology, and secure AI adoption is a year-round priority. In fact, Charlie Bell, executive vice president of Microsoft Security, recently underscored Microsoft’s “unique responsibility in safeguarding the future for our customers and community.” As part of meeting this responsibility, Microsoft’s advanced security solutions include Microsoft Defender XDR, a platform designed to provide holistic security against today’s complex threats. While solutions like Microsoft Defender XDR are invaluable, getting them deployed can sometimes be challenging. Organizations may face internal hurdles—conflicting priorities, resource limitations, even resistance to change—that can slow or stall implementation of essential security tools. In this article, we’ll explore three common hurdles and discuss how, by deploying Microsoft security products, you can help ensure a more secure future at your organization. 3 common internal obstacles to achieving comprehensive security 1. Reluctance to replace individual, legacy solutions In the past, organizations commonly implemented individual security tools for different, siloed areas of the organization. Today, we know this fragmented approach weakens data security. In fact, according to Microsoft’s 2024 State of Multicloud Security Risk Report, organizations using multiple individual point solutions experience 2.8 times as many data security incidents as those using fewer, integrated tools. Here's a table comparing the performance of individual point solutions vs. Microsoft Defender XDR, the industry-leading unified security platform. 3 Is sunk cost fallacy to blame? “Security is an area significantly impacted by behavioral economics." 4 Sunk cost fallacy can lead cybersecurity professionals to resist replacing existing systems, even when evidence suggests it's necessary. According to Forbes: “The biggest risk in viewing cybersecurity as a sunk cost is inaction. In other words, thinking that you are safe because you haven’t yet suffered a major breach. Remember this maxim: Everyone is vulnerable." 5 To move past sunk-cost fallacy, Forbes says decision-makers need to understand that “the implementation of robust security measures can deliver substantial value beyond just mitigating risks.” By examining ROI and a products’ impact on improving security, reducing complexity, and streamlining operations “...businesses can start recognizing cybersecurity as a driver of competitive advantage, innovation and operational efficiency,” instead of as simply a cost center 6 [Emphasis added]. As an example of the potential for ROI, a 2022 Forrester TEI study found that a composite company achieved an ROI of 242% over three years and a net present value (NPV) of $17 million from switching to Microsoft Defender. It's easy to overestimate the value of individual or legacy security solutions but the clear security advantages and proven ROI of Microsoft Defender XDR demonstrate that replacing legacy systems can be well worth the effort. 2. Concerns about ensuring secure integration If not managed carefully, integrations involving newly opened communication, authentication, or data transfer channels can introduce vulnerabilities that become attack vectors. Microsoft’s 2024 State of Multicloud Security Risk Report notes that “...misconfigured APIs were one of the leading causes of cloud data breaches in 2023.” As a unified security platform, Microsoft Defender XDR mitigates such risks through a multilayered approach, through a multilayered approach, offering centralized management (including identity access), comprehensive visibility, and stronger security controls to help prevent human error. This approach “help[s] security teams proactively detect and monitor misconfigurations so they can remediate as needed." 7 Consistent, automated security with Microsoft Defender XDR Microsoft Defender XDR integrates seamlessly with other Microsoft security tools, Microsoft 365 products, and AI, delivering consistent, automated security across the entire stack. For example: Microsoft Defender XDR is embedded with Microsoft Sentinel, a cloud-native, AI-powered SIEM solution that aids Microsoft Defender XDR in addressing top cyberthreats like ransomware through: Improved visibility across domains: By ingesting data from an organization's infrastructure, devices, users, applications, and cloud environments, Microsoft Sentinel gives security teams a broad view of security threats. Enriched data with machine learning: Sentinel employs machine learning to enrich data with Microsoft threat intelligence, powering threat hunting, detection, investigation, and response across an ecosystem. Reduced alert fatigue: Filtering billions of signals, correlating them into alerts, and prioritizing incidents helps SOC teams handle alerts more efficiently, minimizing fatigue and enabling focused remediation. Microsoft Defender integrates with Azure’s Microsoft Defender for Cloud, a cloud-native application protection platform (CNAPP) that secures workloads across Amazon Web Services, Google Cloud Platform, and Azure Cloud Services with constant cyberthreat monitoring at the code level. This capability allows: Broad attack investigation: Security teams can investigate threats across cloud resources, devices, and identities. Workload-specific protections: Dedicated protections extend to servers, containers, storage, databases, and more. Actionable security recommendations: Defender for Cloud provides insights to improve overall security posture and prevent breaches. 3. Resource, staff, and time constraints Resource constraints, staff shortages, and time limitations are intensifying today’s already challenging cybersecurity landscape and can, understandably, impede deployments of new security products. For example: Resource constraints: Many organizations face limited budgets for security tools, technology, and personnel, leading them to continue with patchwork solutions or delay implementing critical security measures, potentially leaving gaps in security. Staff shortages: As cyber threats become more sophisticated, global demand for skilled IT and security professionals continues to grow while supply hasn’t been able to keep up. 8 When insufficient staff results in missed security tasks, reduced monitoring, and slower incident responses, organizations can be left vulnerable to risk. Limited time: Time constraints are a problem as old as time itself, but for IT teams with already heavy workloads, one more thing to do is more than stressful, it can leave systems vulnerable and increase windows of opportunity for bad actors. FastTrack resources to help you get Microsoft Defender up and running For Microsoft 365 customers experiencing any of the issues mentioned above, FastTrack for Microsoft 365 is here to help with accessible resources, automated, prescriptive setup guides, and even one-on-one assistance. Here’s how to start: 1. Visit the Microsoft 365 Setup site Review openly accessible setup resources at the Microsoft 365 Setup site. Both business and IT leaders will find value in perusing detailed Microsoft Defender setup guides, on-demand videos, and helpful blogs to plan for safe, efficient Microsoft Defender deployment workloads. 2. Sign in to the Microsoft Admin Center (MAC) and start deploying Microsoft Defender using FastTrack’s automated setup guides When you deploy Microsoft Defender XDR from the MAC using advanced deployment guides, you’re taking the most accurate, efficient, and secure deployment path possible. These automated guides combine detailed documentation with step-by-step instructions tailored specifically for your environment to give you streamlined guidance from beginning to end. Start by setting up Microsoft Defender Zero Trust security model for your organization. 3. Request assistance from FastTrack for Microsoft 365 Customers with eligible licenses can request remote, one-on-one assistance from FastTrack before, during, or even post-deployment of Microsoft Defender. Take the next step to implement unified protection Security is too crucial—and the cost of breaches are too high—to let any impediments, real or potential, delay or dissuade you from fully implementing your security investments. When you deploy Microsoft Defender, you’re protecting your organization with a unified security platform that combines multiple security functions—including endpoint, identity, and cloud security—under a single tool. Start protecting your entire digital estate today: Keep your organization, data, and users safe by implementing the comprehensive power of Microsoft Defender, the industry-leading XDR solution that reduces costs and overhead while helping you keep your organization secure across all domains from costly cybercrime. To learn more about improving your security posture with Microsoft Defender, check out our recent webinar: Supercharging your SOC: Unlock the power of endpoint security in Microsoft Defender XDR. Footnotes 1 Microsoft’s 2024 State of Multicloud Security Risk Report 2 Microsoft’s Global Cybersecurity Outlook Insight Report, 2022 3 Microsoft Defender was named an XDR leader in The Forrester Wave: XDR platforms, Q2 2024 4 3 Ways Behavioral Economics Obstructs Cybersecurity 5 Closing the cybersecurity skills gap 6 Cybersecurity As a Strategic Investment (forbes.com) 7 2024-State-of-Multicloud-Security-Risk-Report.pdf (microsoft.com) 8 Closing the cybersecurity skills gap (microsoft.com)
Extremely Slow Performance Since Defender Was Pushed on Us
Compliance, Security, Protection, and Defender are all extremely slow, with responses from screen to screen ranging from 30 seconds to multiple minutes between clicking items and waiting for Microsoft cloud to return results. I have a GB link and speed test well over 600 Mbps so it's not on my end. It appears the cutover in late January to this new "Defender" platform has been extremely detrimental to the Office portal response times in these portals. What is being done to resolve this?
RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported... I am not sure what it relates to, but could it be licensing concerns? Jason
