In recent years, an increasing number of customers have requested options to extend retention in Microsoft Defender XDR beyond the default 30 days at low cost, with the requirement that the KQL experience remains available. Blog information: Feature is... The post How to store Defender XDR data for years in Sentinel data lake without expensive ingestion cost appeared first on Jeffrey Appel - Microsoft Security blog.| Jeffrey Appel – Microsoft Security blog
Microsoft released the new Microsoft Sentinel data lake in public preview this month. With the data lake feature, it is possible to scale and store data more easily for less cost. The new Microsoft Sentinel data lake is a new...
In Defender for Office, Automated Investigation and Response (AIR) is important. Microsoft has improved the features surrounding Auto-Remediation of Malicious Messages in the Automated Investigation and Response (AIR) capability over the past months, aiming to avoid manual actions when malicious...
With the use of Security Copilot, it is possible to enrich and triage alerts automatically using GenAI data. Microsoft recently developed new SOC automation playbooks to accelerate AI-automated triage based on Security Copilot and Microsoft Sentinel. Since the launch of...
Recently, Microsoft announced a new protection plan for AI workloads as part of the Microsoft Defender for Cloud suite. AI security is becoming more important as AI continues to rise, with more products and companies leveraging its capabilities. This version...
Microsoft Defender XDR includes a powerful response capability with the name Attack Disruption. As part of the Defender XDR solution, attack disruption capabilities can protect the environment against sophisticated, high-impact attacks. Attack Disruption works automatically; however, it still needs manual...
Since August 2024 there has been a sophisticated phishing campaign actively leveraging the device code authorization flow. Currently, a wide range of attacks target sectors including government, IT services and critical industries. The attack... The post How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow appeared first on Jeffrey Appel - Microsoft Security blog.
OAuth apps are still an important target for attackers to misuse in organizations. Since the MFA baseline has improved with number matching and additional controls, attackers are finding new ways to gain access to environments and collect data. One of...
Adversary-in-the-middle phishing attacks are becoming more common. Since the removal of basic authentication from Exchange Online, more and more attackers are using modern attacks like adversary-in-the-middle phishing, cookie theft, QR code phishing, and other techniques. Last...
It is time for part 6 of the Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on onboarding and configuration and Microsoft Defender Vulnerability Management. Now it is time for the initial testing of the Defender for...
It is time for part 4A of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4 explains the AV/next-generation protection component. Now it is time for some more detailed policy explanation: what do we need to enable, which...
It is time for part 5 of the Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the Defender for Endpoint onboarding and configuration. Now it is time for the initial usage of the Defender for Endpoint...
It is time for part 4 of the ultimate Microsoft Defender for Endpoint (MDE) series. All previous parts were focused on the initial Defender for Endpoint onboarding. Now it is time for the initial configuration of the additional components part...
It is time for part 4B of the ultimate Microsoft Defender for Endpoint (MDE) series. Part 4A explains the AV policy baseline. Now it is time for some more detailed information for the Attack Surface Reduction and additional protection layers of...
Recently Microsoft announced a couple of new improvements related to the new security settings management for Windows, macOS, and Linux as part of Defender for Endpoint. In the past years, there was always a bit of a gap between the...
When using Defender for Endpoint it is important to make sure the agents are healthy. I performed many reviews/configurations in the past years and onboarded around a million devices to Defender for Endpoint for small and larger “enterprise” customers....
Microsoft Copilot for Security is a new AI-based tool that takes signals from various sources and uses the data as an additional input and research layer. Microsoft Copilot for Security is integrated into a specialized language model that includes...
Microsoft announced last year a new feature with the name Automatic Attack Disruption in Defender XDR (Microsoft 365 Defender). Since October last year, Microsoft has expanded the Automatic attack disruption feature with support for human-operated attacks and the ability of...
Recently, threat actors like Midnight Blizzard have been using OAuth applications in tenants that they can misuse for malicious activity. Actors use compromised user accounts to create/modify and grant permissions to OAuth applications in tenants and move across test and...
In the past months, there has been a growing increase in QR code phishing, since attackers are using new creative ways to bypass existing protections. QR code phishing is commonly used to bypass existing protections and steal/collect tokens/user...
Microsoft Defender XDR is expanding in the full attack stage. With the new Deception capability in Microsoft Defender XDR, it is possible to detect attackers early in the kill chain and disrupt advanced attacks. Deception is a new feature for...
Microsoft released in the past months additional protections for Microsoft Teams. The new Office protection is part of the Defender for Office product and protects against more modern phishing methods via chat messages. In the past years, phishing was mainly...
Microsoft Defender for Endpoint (MDE) is part of Microsoft Defender XDR and can be deployed via multiple configurations. During my experience with the product, I deployed/reviewed and evaluated many Defender for Endpoint instances and configured new instances for many...
Last year Microsoft announced a new feature called Automatic attack disruption, which uses correlated insights from the Microsoft 365 ecosystem and powerful AI models to stop sophisticated attack techniques while the attack is in progress. Automatic attack disruption supports the...