Things from Me
Happy Friday everyone!
Welcome to this week's edition of our newsletter!
In this issue, you'll find articles on saving the world from AI action figure mayhem, using DSPM for AI data risk assessment, and exploring practical best practices to secure your data with Microsoft Purview. We also have updates on new Purview pricing options, enhancing cybersecurity for nonprofits with Microsoft Defender, and empowering SOC analysts with Microsoft Defender XDR.
NOTE: Please note that there will be no newsletter next week as I will be traveling. We'll be back the following week with more great content and updates.
Thank you for your understanding and continued support!
…
Who will I see next week?
I spent 20 years of my career speaking in Vegas 2-3 times each year. Then Covid hit and I've yet to be back. So, I’m excited to be back in Vegas next week. I hope it hasn't changed too much.
You can find me at the Microsoft booth several times during the week touting our private communities, and then later in the week talking about Security Copilot.
…
Have a great week ahead!
Talk soon.
-Rod
Things that are Related
Fine-Tuning KQL Query Performance: Best Practices - KQL (Kusto Query Language) has become a powerful tool for analyzing and exploring large datasets, especially in platforms like Azure Data Explorer and Log Analytics. However, as datasets grow and queries become more complex, performance optimization becomes crucial. In this blog, we’ll explore strategies to fine-tune KQL query performance. Specifically, we'll discuss how to minimize query complexity without sacrificing detailed logging and techniques to improve query performance for large datasets while maintaining accuracy.
Leveraging KQL to Analyze Malware Trends and Identify Recurring Threats - Gaining actionable insights from data is crucial for fortifying defenses. As organizations amass vast amounts of security logs and telemetry, the ability to extract meaningful patterns and trends from this data can be a game-changer. Enter KQL—Kusto Query Language—a powerful tool that empowers cybersecurity professionals to analyze, visualize, and act upon data with precision. This blog delves into how KQL can help analyze trends in malware detections over time and identify repeat offenders or recurring attack vectors, enabling a more strategic approach to defense.
Detecting non-privileged Windows Hello abuse - I recently followed a live session of Dirk-Jan Mollema and Ceri Coburn on how Windows Hello for Business can be abused as a non-privileged user. I was very intrigued by the concept of the attack they demonstrated, which is why I spent a couple of days thinking of ways we can counter this attack with detective controls as blue teamers.
Part 6 - Beyond Passwords: Strengthening Security with Zero Trust and Phishing-Resistant Authentication - In this final installment, we'll explore how to implement a comprehensive Zero Trust approach to phishing mitigation through robust conditional access policies and phishing-resistant authentication methods. By combining these powerful controls, organisations can significantly reduce the risk posed by even the most advanced phishing techniques.
Using KQL to Enhance Threat Detection - With cyber threats evolving at an unprecedented pace, organizations must arm themselves with robust mechanisms to detect and respond to suspicious activities. KQL (Kusto Query Language), designed for querying structured data, has become an invaluable tool for cybersecurity experts. Its ability to sift through vast datasets and pinpoint anomalies makes it a cornerstone in threat detection and response strategies.
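To make the three KQL items above concrete (query performance, malware trends and repeat offenders, threat detection), here is an added example of my own, not code from any of the linked blogs. The detection rows are constructed sample data held in a datatable so the query runs unchanged in any Kusto endpoint, including the free demo cluster; the column names TimeGenerated, DeviceName, ThreatName and ActionType are an assumption modelled on Defender antivirus telemetry, and in a real workspace you would replace the datatable with something like `DeviceEvents | where ActionType == "AntivirusDetection"`.

```kql
// Added example, not from the linked blogs. Constructed sample antivirus detections;
// the column names are assumed to mirror Defender/Sentinel telemetry.
let AvDetections = datatable(TimeGenerated:datetime, DeviceName:string, ThreatName:string, ActionType:string)
[
    datetime(2025-04-01 08:15:00), "ws-finance-01", "Trojan:Win32/Emotet",      "AntivirusDetection",
    datetime(2025-04-01 09:02:00), "ws-hr-07",      "Trojan:Win32/Emotet",      "AntivirusDetection",
    datetime(2025-04-03 14:40:00), "ws-finance-01", "Trojan:Win32/Emotet",      "AntivirusDetection",
    datetime(2025-04-05 11:21:00), "srv-file-02",   "HackTool:Win32/Mimikatz",  "AntivirusDetection",
    datetime(2025-04-09 16:05:00), "ws-finance-01", "Backdoor:Win32/Qakbot",    "AntivirusDetection",
    datetime(2025-04-12 07:48:00), "ws-hr-07",      "Trojan:Win32/Emotet",      "AntivirusDetection",
    datetime(2025-04-15 13:30:00), "ws-finance-01", "Trojan:Win32/Emotet",      "AntivirusDetection",
];
// Performance habits the first article is about: narrow on time before anything else
// (it is the partition key), prefer `has` (term index) over `contains` (substring scan),
// and project away unneeded columns before the summarize does its work.
AvDetections
| where TimeGenerated between (datetime(2025-04-01) .. datetime(2025-04-30))
| where ActionType has "AntivirusDetection"
| project TimeGenerated, DeviceName, ThreatName
| summarize DetectionCount  = count(),
            DistinctThreats = dcount(ThreatName),
            ActiveDays      = dcount(bin(TimeGenerated, 1d)),
            Threats         = make_set(ThreatName),
            FirstSeen       = min(TimeGenerated),
            LastSeen        = max(TimeGenerated)
            by DeviceName
// Repeat offender: the same host hit on more than one day. A single detection that was
// cleaned is noise; a host that keeps coming back is a persistence or re-infection lead.
| where ActiveDays >= 2
| extend SpanDays = datetime_diff('day', LastSeen, FirstSeen)
| order by DetectionCount desc
```

With the sample rows, ws-finance-01 (two threat families across four days) and ws-hr-07 (Emotet twice, eleven days apart) come back, while srv-file-02's one-off Mimikatz hit drops out. For the trend view from the second article, swap the summarize for `summarize count() by bin(TimeGenerated, 7d), ThreatName` and render it with `| render timechart`.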
Adopting a Zero Trust Model with Microsoft Intune - Zero Trust is the gold standard for cybersecurity. As cyber threats grow in scope and sophistication, organizations need to adopt a security framework that assumes threats can originate both externally and internally and validates every access request regardless of its origin. Microsoft Intune, a robust endpoint management tool, is a cornerstone for implementing the Zero Trust model effectively. Let’s explore how Intune can help organizations adopt Zero Trust to protect their digital ecosystems.
Things to Attend
Introducing Partner Month: May 2025 on The Microsoft Security Insights Show - Welcome to Partner Month on The Microsoft Security Insights Show! This May, we're excited to shine a spotlight on our incredible Microsoft partners who are innovating and building their own Agents for Microsoft Security Copilot. Join us each week as we delve into the latest advancements and hear from industry leaders who are transforming the landscape of cybersecurity.
Call of the Cyber Duty - Kusto detective agency - the next season of Kusto Detective is coming!
🎬 Check out the official trailer featuring the one and only Lior Suchard (yes, the world’s most famous mentalist!):
🔗 Register here (for free!):
https://detective.kusto.io/register
Things to Watch/Listen To
Things to Have
Securing your data with Microsoft Purview: a practical handbook - Get started with a dynamic approach to securing data, emphasizing the integration of people, processes, and technology in alignment with Microsoft’s best practices.
myITforum Joins Discord: A New Era of Community Engagement - Staying connected with peers, sharing insights, and tackling challenges together is critical. myITforum, long recognized as a hub for IT professionals, has taken a bold step forward by launching its new forums on Discord—ushering in a fresh era of real-time collaboration and engagement. myITforum’s original web-based forums were legendary, set the standard, and were used as the model for many other communities.
Microsoft Sentinel Things
Announcing General Availability: Microsoft Sentinel Solution for Microsoft Business Applications - This GA release consolidates previously separate Microsoft Sentinel integrations—covering Power Platform, Dynamics 365, and Copilot Studio—into a single solution. With centralized telemetry, prebuilt detections, and investigation tools, both administrators and security operations teams can proactively monitor, detect, and respond to threats across business-critical applications.
Sandfly: 📈📉 Microsoft Sentinel Monitoring & Overview Workbook/Dashboard — See your Linux threats… - You can connect by subscription, resource and workspace. You will also need to set up the function, which is explained at the end of the post.
Automatic Microsoft Sentinel Deployment - This repository contains scripts and configurations for automating the deployment and configuration of Microsoft Sentinel.
Advanced Microsoft Sentinel Workbook/Dashboard Design Concepts: color schemes, dynamic CSS content… - Looking for ways to make your workbooks or dashboards more colorful and dynamic? These ideas may be what you need and allow you much more control over designs!
Microsoft Sentinel for SAP: New Security Content Goes Beyond Agentless - Following up on my private preview announcement about Microsoft Sentinel for SAP going agentless - what a title during Agentic AI times, right? I'm thrilled to share even more capabilities that have been added to our security monitoring arsenal recently! Psst🤫 – you are also getting a sneak peek at the new community extensions area.
Mastering Sentinel Log Management: Your Ultimate Guide to Data Insights - Ever looked at your Microsoft Sentinel logs and thought, "Where exactly are all these gigabytes coming from?" 🤔 You're definitely not alone! Managing log volumes and understanding data ingestion per device and per table isn’t just a nice-to-have; it's crucial for staying efficient, keeping costs under control, and ensuring your SIEM runs smoothly.
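The "where are the gigabytes coming from" question above is answered in two queries. They are an added example of mine, not content from the linked guide, and they assume a Log Analytics workspace backing Microsoft Sentinel: the Usage table reports Quantity in MB per DataType, and every table carries the hidden _BilledSize (bytes) and _IsBillable columns. The two queries are independent; run each on its own.

```kql
// Added example, not from the linked guide. Assumes a Sentinel/Log Analytics workspace.

// 1) Billable ingestion per table over the last 30 days, largest first.
//    Usage.Quantity is in MB, so divide by 1024 for GB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc

// 2) Which devices feed those tables: per Computer and table, last 24 hours.
//    `union withsource=` tags each row with the table it came from. Keep the window
//    short, because this scans every table in the workspace; once you know the noisy
//    tables from query 1, replace `*` with their names to make this cheap.
union withsource = TableName *
| where TimeGenerated > ago(1d)
| where _IsBillable == true
| where isnotempty(Computer)
| summarize IngestedGB = round(sum(_BilledSize) / 1073741824.0, 3) by Computer, TableName
| top 20 by IngestedGB desc
```

Query 2 only attributes rows that carry a Computer column (agent-based tables such as Syslog, SecurityEvent and Heartbeat); resource-based sources like AzureDiagnostics are better grouped by `_ResourceId` instead.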
Enhance mobile security with the Samsung Knox solution for Microsoft Sentinel - We are excited to announce the availability of a new solution from Samsung Knox Asset Intelligence that will deliver enhanced visibility into mobile threats. Microsoft and Samsung are working together to enhance mobile security. This collaboration combines Samsung's expertise in mobile devices with Microsoft Sentinel's advanced capabilities in threat hunting, investigation, and response, offering enterprises new visibility and protection against mobile security threats on Samsung devices. It builds on the longstanding collaboration between Microsoft Security and Samsung.
Creating a CCP connector: Part 4 - In today’s blog we’re going to tie up the remaining loose ends: by the end you will have your very own CCP connector deployed and running inside your Sentinel workspace.
Defender for Cloud Things
RSAC™ 2025: Unveiling new innovations in cloud and AI security - Today at RSAC™ 2025, we’re thrilled to unveil innovations that further bolster our cloud-native and AI security capabilities in Defender for Cloud.
General Availability of on-demand scanning in Defender for Storage - In addition to on-upload malware protection, on-demand malware protection is now generally available in Defender for Storage. This article will focus on the recent general availability release of on-demand scanning, its benefits, and how security administrators can begin utilizing this feature today.
Guidance for handling CVE-2025-31324 using Microsoft Security capabilities - Recently, a CVSS 10 vulnerability, CVE-2025-31324, affecting the "Visual Composer" component of the SAP NetWeaver application server, has been published, putting organizations at risk. In this blog post, we will show you how to effectively manage this CVE if your organization is affected by it.
Defender XDR Things
Empowering SOC Analysts: Investigating Identity Threats with Microsoft Defender XDR - Identities have been a top threat vector forever. However, the rise of cloud identity attacks and an ever more complex digital estate have made a tough problem even harder. Securing identities has always required a close partnership between two different functional teams – the identity and access management teams that are responsible for managing, authenticating, and authorizing user access to protected systems and data; and the security teams that detect and respond to threats across the entire digital estate.
Enhancing Cybersecurity for Nonprofits with Microsoft Defender - Learn about the importance of cybersecurity for nonprofits and how Microsoft Defender can protect sensitive data and systems, with practical tips and best practices for maintaining a secure environment.
Microsoft Purview Things
Microsoft Purview Surveys: Help us help you!
New Purview pricing options for protecting AI apps and agents - To help customers effectively secure and govern data in the era of AI, the Microsoft Purview business model is evolving to keep pace with where your data lives, flows, and is accessed. This evolution offers a mix of entitlement (per-user-per-month, PUPM) and consumptive (pay-as-you-go, PAYG) options to best meet your needs in this ever-changing technology environment.
Explore practical best practices to secure your data with Microsoft Purview - At Microsoft, we help empower data security leaders to keep their most valuable assets—data—safe, and now we’re publishing Securing your data with Microsoft Purview: A practical handbook. This guide is designed for data security leaders to initiate and enhance data security practices, leveraging the extensive experience of Microsoft subject matter experts (SMEs) and relevant customer insights. The guide aims to help customers efficiently and effectively implement data security with Microsoft Purview, maximizing the solution’s value by focusing on an integrated strategy.
The Crucial Role of Data Security Posture Management in the AI Era - In an era where artificial intelligence (AI) is rapidly transforming business operations, the importance of Data Security Posture Management (DSPM) cannot be overstated. Data Security Posture Management plays an important role in modern digital infrastructure by providing a comprehensive framework to manage and mitigate data security risks.
How to use DSPM for AI Data Risk Assessment to Address Internal Oversharing - Learn how to use Microsoft Purview Data Security Posture Management for AI Data Risk Assessment to address oversharing concerns when deploying Microsoft 365 Copilot.
Announcing Public Preview of DLP for M365 Copilot in Word, Excel, and PowerPoint - Today, we are excited to announce the public preview of Data Loss Prevention (DLP) for M365 Copilot in Word, Excel, and PowerPoint. This development extends the capabilities you rely on for safeguarding data in M365 Copilot Chat, bringing DLP protections to everyday Copilot scenarios within these core productivity apps.
Microsoft Entra Things
Saving the World from AI Action Figure Mayhem (With a Little Help from Entra Internet Access) - It seems like everywhere you turn these days, someone’s showing off their new custom AI Action Figure. You know, a slightly terrifying mix between a superhero, a robot, and your Uncle Bob after two cups of coffee. And while some of these creations are harmless fun, in a work environment... maybe we don’t need everyone dropping everything to design the next AI SuperCatMan.