Things from Me
Happy Friday everyone!
Welcome to the latest edition of the Microsoft SIEM and XDR Weekly Wrap - Issue. In this issue, I have a lot of exciting updates and insights to share with you.
First, I’m thrilled to invite you to Microsoft Secure on April 9. This one-hour online event is designed specifically for professionals like you. At Microsoft Secure, you'll discover AI innovations for the security lifecycle that are designed to give you smarter, faster, and stronger security.
Next, this issue delves into the StilachiRAT analysis. In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) named StilachiRAT. This RAT demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data.
Then there’s a link to a blog post on Automating Security. This post walks you through creating Microsoft Sentinel watchlists based on Entra ID group membership using Logic Apps.
Additionally, there’s an announcement of Security Copilot support for Azure Lighthouse in Microsoft Sentinel. This support is now available in Public Preview and is a significant step forward for Managed Security Service Providers (MSSPs) managing multiple customers.
And finally, don't miss the start of the blog series on Creating a CCP connector. This series provides a step-by-step guide on how to build your own Codeless Connector Platform (CCP) data connector for Microsoft Sentinel.
Talk soon
-Rod
Things to Attend
AI innovation requires AI security: Hear what’s new at Microsoft Secure - We’re excited to invite you to Microsoft Secure on April 9, a one-hour online event designed specifically for professionals like you. At Microsoft Secure, discover AI innovations for the security lifecycle designed to give you smarter, faster, stronger security.
Register now! https://aka.ms/MSSecure
Things that are Related
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft - In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.
Things to Watch/Listen To
Things to Have
Add Deny permission on AD object.kql
Microsoft Sentinel Things
Automating Security: Creating Microsoft Sentinel Watchlists from Entra ID Group Membership - Security teams often need to maintain lists of important users, accounts, or entities for monitoring and detection purposes. Microsoft Sentinel watchlists provide a powerful way to store such data for correlation with security events. In this blog post, we'll walk through automating the creation of Sentinel watchlists based on Entra ID (formerly Azure AD) group membership using Logic Apps.
How to Build a Microsoft Sentinel Playbook to Send Alerts to GLPI via REST API - This guide walks through the process of creating a Microsoft Sentinel Playbook that automatically sends alerts to GLPI (Gestionnaire Libre de Parc Informatique) using its REST API. This integration allows security teams to create tickets in GLPI based on Sentinel alerts, ensuring streamlined incident management.
Security Copilot support for Azure Lighthouse in Microsoft Sentinel - Security Copilot support for Azure Lighthouse in Microsoft Sentinel use cases for Managed Security Service Providers (MSSPs) is now available in Public Preview—a significant step forward for MSSPs managing multiple customers.
Creating a CCP connector: Part 1 - In this blog series I’ll walk you through a step-by-step guide on how to build your own Codeless Connector Platform (CCP) data connector for Microsoft Sentinel. If you don’t know what the CCP is, you might want to check out this article. The TL;DR is that it’s the most convenient way of ingesting logs into Sentinel.
Creating a CCP connector: Part 2 - Last time we left off having explored the API, now knowing how it handles things like authentication, the requests we need to make, how to paginate over them and what parts of the response we want to use. In this blog we’ll be using that information to get the Graphical User Interface (GUI) of our CCP connector set up. Let’s get started!
Is your SIEM still enough? - Security Information and Event Management (SIEM) solutions have long been the backbone of security operations, ingesting logs, correlating events, and providing alerts for potential security incidents. But with modern attacks evolving faster than ever, is SIEM alone still enough to keep organizations protected?
Manage Microsoft Sentinel as code! - Managing Microsoft Sentinel through Infrastructure as Code (IaC) enables security teams to automate deployments, enforce consistency, and apply DevSecOps principles to SIEM management.
Security Copilot Things
Now available for pre-order! Microsoft Security Copilot: Master strategies for AI-driven cyber defense from Packt publishing
Defender for Cloud Things
Cost Calculator for Defender for Cloud - Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025.
Defender for Cloud Apps Things
Microsoft Defender for Cloud Apps - Ninja Training - Follow this training and become the expert in the room in securing your organization's SaaS!
Defender for Endpoint Things
Hunting the Threats Using a Broader XDR with Defender for Endpoint - As cyber threats continue to evolve, security teams need more comprehensive detection, investigation, and response capabilities. Extended Detection and Response (XDR) solutions offer a proactive approach by correlating telemetry from various sources to detect sophisticated threats. Microsoft Defender for Endpoint (MDE) is a powerful XDR solution that enables security professionals to hunt threats across endpoints and beyond.
Securing Your Organization with Attack Surface Reduction (ASR) in Defender for Endpoint - This blog explores how ASR in Defender for Endpoint can enhance an organization's security posture and highlights three production use cases where ASR prevents cyber threats.
Defender XDR Things
Level up your defense: protect against attacks using stale user accounts - Maintaining a robust security posture is essential for any organization. Strong security not only protects sensitive information and assets from cyber threats but also ensures business continuity and fosters trust among clients and stakeholders. By implementing comprehensive security strategies, organizations can proactively identify and mitigate potential vulnerabilities, ultimately safeguarding their operations and reputation.
Sensor Disconnection Notifications with Microsoft Defender for IoT and Microsoft Sentinel - This new automated playbook sends real-time email notifications whenever a sensor disconnects from the cloud. This ensures you’re immediately alerted if there’s an issue, allowing you to take quick action to investigate and resolve the problem.
Microsoft Security Exposure Management Things
Unveiling the Shadows: Extended Critical Asset Protection with MSEM - As cybersecurity evolves, identifying critical assets becomes an essential step in exposure management, as it allows for the prioritization of the most significant assets. This task is challenging because each type of critical asset requires different data to indicate its criticality. The challenge is even greater when a critical asset is not managed by a security agent such as EDR or AV, making the relevant data unreachable. Breaking traditional boundaries, Microsoft Security Exposure Management leverages multiple insights and signals to provide enhanced visibility into both managed and unmanaged critical assets. This approach allows customers to enhance visibility and facilitates more proactive defense strategies by maintaining an up-to-date, prioritized inventory of assets.
Microsoft Purview Things
People of Purview: Victor Wingsing, Jr. - It is our pleasure to introduce you to Microsoft Purview practitioner and MVP, Victor Wingsing Jr., who hails from “the bright and sunny London, United Kingdom” and currently serves as a Senior Manager in Technology Consulting at Protiviti. Victor has been working on Exchange and Windows since 2006, when his first tech job gave him the opportunity to work on Windows XP Migration and Exchange 2007 administration, which was also his very first Microsoft Certification! He has been working with Purview for five years.
The Pithy Guide to Microsoft Purview
Defender for Office Things
Strengthening Email Security: Our New Approach to Non-RFC Compliant Emails - In our ongoing commitment to enhance email security and protect our users from malicious activities, we are making changes in how we handle emails with non-RFC-compliant P2 Sender addresses. This change reflects our dedication to combating email spoofing, impersonation, and the various evasion techniques employed by attackers.
Microsoft Entra Things
Tell us what you think: The Microsoft Entra blog team wants to hear from you! - To better serve your needs, we'd love to get your feedback about the content on the Microsoft Entra blog on Tech Community.
How to Use Azure Function to Deactivate Inactive Users - Managing user accounts manually in Microsoft Entra can quickly become tedious and error-prone, especially when it comes to disabling inactive users. Thankfully, you can easily automate this task by creating an Azure Function to Deactivate Inactive Users. This guide provides a beginner-friendly, step-by-step approach to automating user management in Microsoft Entra using Azure Functions and PowerShell. By following this process, you’ll maintain a secure, efficient, and cost-effective identity management system.
Entra Password Protection: Smarter Security, Fewer Pop-Tarts - Passwords, let’s face it, can be a real pain. While going passwordless is ideal, many of us still rely on them. Fortunately, Microsoft Entra Password Protection offers a smart solution to enhance security by blocking weak and commonly used passwords. It utilizes both Microsoft’s global banned password list and allows for custom entries, ensuring that predictable choices like “Winter2024!” or “CompanyName123” are off-limits. For instance, if you’re in Texas and want to prevent the use of “Cowboys” as a password, you can easily add it to your banned list.