Things from Me
Happy Friday everyone!
Last week was an exhilarating adventure as I had the opportunity to speak for the AI Tour in New York City. Not only did I get to share insights about Security Copilot and connect with enthusiastic audiences, but my wife and I also immersed ourselves in the vibrant atmosphere of the Big Apple.
Our journey began with a serene stroll through Central Park, where we marveled at the lush greenery and picturesque landscapes. The tranquility of the park provided a perfect escape from the hustle and bustle of the city. We couldn't resist the charm of a classic NYC experience—a delicious street hot dog enjoyed on a park bench. My wife found a YouTube video that touted the best hot dog in NYC, and they weren’t wrong.
Next, we visited the Top of the Rock, where we were treated to breathtaking panoramic views of the city skyline. Standing atop the Rockefeller Center, we felt like we were on top of the world, soaking in the iconic sights of New York.
Times Square, with its dazzling lights and bustling energy, was another highlight of our trip. The vibrant atmosphere and colorful billboards left us in awe as we walked through one of the most famous intersections in the world.
Throughout our stay, we discovered the unique charm of New York City's diverse neighborhoods, from the historic streets of Greenwich Village to the trendy vibes of SoHo.
Our week in NYC was a perfect blend of work and leisure, filled with unforgettable moments and new experiences. As we bid farewell to the city that never sleeps, we carried with us cherished memories and a deeper appreciation for all that New York has to offer.
…
The newsletter has an exciting lineup of events, updates, and resources this week.
First up, don't miss the Security 101 sessions with Sarah Young, where you'll get a foundational introduction to cybersecurity. These sessions are vendor-agnostic and break down key concepts into short, digestible lessons.
There's also a series of Microsoft Security Webinars lined up for you, covering topics from Azure Network Security to Microsoft Defender for Cloud and Microsoft Purview. Make sure to register and stay ahead of the curve with the latest in security practices.
In addition, Log Analytics Simple Mode is now generally available. This new feature makes data analysis simpler and more accessible than ever, with no coding required.
For those interested in Zero Trust, check out the guide on Zero Trust Deployment Essentials for Digital Security. This strategic approach will help you get started with deploying Microsoft's Zero Trust pillars.
Lastly, don't forget to tune into a brand-new weekly podcast/show called “Rod Trent's Monday Minutes” for the latest security stories and insights. This week, I delve into DeepSeek.
You can subscribe to never miss it on any of the following platforms:
Substack: https://rodtrent.substack.com/podcast
Apple Podcasts:
YouTube: https://www.youtube.com/playlist?list=PLsHyMQ1fyeuLA9SHopJ4oAWyEmekrI4hQ
Spotify:
Amazon Music: https://music.amazon.com/podcasts/b2a76e19-6a67-4a89-8a73-9388dbe1a8bd/after-the-blog-podcast
Audible: https://amzn.to/3ErvQ5P
…
Stay informed, stay secure, and enjoy this month's newsletter!
Talk soon.
-Rod
Things to Attend
Security 101: Come and learn Security 101 with my teammate Sarah Young. All through March: This vendor-agnostic course provides a foundational introduction to cybersecurity, breaking down key concepts into short, digestible lessons of 30--60 minutes each. Register to attend: https://developer.microsoft.com/en-us/reactor/series/S-1477/
Upcoming Microsoft Security Webinars
February 26 - Azure Network Security | Updating Your Azure Web Application Firewall Ruleset: Common Pitfalls and How to Avoid Them
March 5 - Microsoft Defender for Cloud | API Security Posture with Defender for Cloud
March 6 - Azure Network Security | Implementing Multi-Layered Security with Azure DDoS Protection and Azure WAF
March 12 - Microsoft Purview | Microsoft Purview AMA - Data Security, Compliance, and Governance
March 20 - Azure Network Security | What's New in Azure Firewall
Register: Microsoft Security Webinars
The Hidden Threat in Your Security Posture - Why Configuration Drift Matters - Thursday, February 27, 2025 - Senserva has partnered with industry leaders to bring much-needed drift solutions to customers. Join us for a deep dive into the state of security, exploring why drift management is critical and why experts are calling it the new patch management. Our expert panel features Rod Trent from Microsoft, Microsoft security leader Ricardo Nicolini (CTO of global security powerhouse Bulletproof), IT industry executive Jim Jungbauer, and Senserva's president Clay Babcock as moderator. This team brings comprehensive insight into today's security landscape.
Things that are Related
Log Analytics Simple Mode is Now Generally Available - Simple Mode is here to make data analysis simpler and more accessible than ever! No coding required – just click, filter, and analyze!
Microsoft Security in Action: Zero Trust Deployment Essentials for Digital Security - Implementing Zero Trust requires a strategic approach. Learn how to get started with deploying Microsoft’s Zero Trust pillars with step-by-step guidance on securing identity, data, applications, infrastructure, and networks.
Validate critical information security skills with our new Certification - The cybersecurity landscape is constantly evolving, and organizations of all sizes must stay ahead of the curve to protect their networks and keep their data, systems, and digital assets safe. With the growth of AI and cloud computing, defenders and cyberattackers alike can change this landscape. As a result, business leaders are reassessing their digital defenses, especially around data governance. And while the technology is critical, it’s even more important to have a workforce with the skills and experience to maximize its potential, protect against cyberthreats, and detect and respond to any security incidents. In short, security skills in the era of AI are crucial.
Things to Watch/Listen To
Things to Have
Huawei Switch Parser for Microsoft Sentinel - https://github.com/le0li9ht/Microsoft-Sentinel-Queries/blob/main/Parsers/Huawei/SwitchParser.md
Managed Identity Permission Manager – v. 1.0.0.4 is out! - I’m thrilled to announce the release of Managed Identity Permission Manager v1.0.0.4, packed with new features, improvements, and fixes that enhance usability and functionality. This update reflects our commitment to continuously improving the tool based on user feedback and our vision for a more intuitive experience!
Microsoft Sentinel Things
Announcing Public Preview: New STIX Objects in Microsoft Sentinel - Security teams often struggle to understand the full context of an attack. In many cases, they rely solely on Indicators of Compromise (IoCs) without the broader insights provided by threat intelligence developed on Threat Actors, Attack Patterns, Identities - and the Relationships between each. This lack of context available to enrich their workflows limits their ability to connect the dots, prioritize threats effectively, and respond comprehensively to evolving attacks. To help customers build out a thorough, real-time understanding of threats, we are excited to announce the public preview of new Threat Intelligence (TI) object support in Microsoft Sentinel and in the Unified SOC Platform. In addition to Indicators of Compromise (IoCs), Microsoft Sentinel now supports Threat Actors, Attack Patterns, Identities, and Relationships. This enhancement empowers organizations to take their threat intelligence management to the next level.
Sentinel Xdr Easy Deploy - Rolling out a comprehensive Extended Detection and Response (XDR) setup can seem daunting, but with the right tools and guidance, the SIEM piece becomes a straightforward task. In this article, we’ll walk you through an easy-to-follow, step-by-step process for deploying a Log Analytics workspace to a new resource group, complete with Microsoft Sentinel, all necessary connectors from the content hub, analytics rules, and log types, in mere minutes using the ARM template provided here. Whether you’re a seasoned IT professional or just starting out, this guide will help you achieve a full XDR setup with minimal hassle. Let’s get started!
Boost SOC automation with AI: Speed up incident triage with Security Copilot and Microsoft Sentinel - In today's fast-paced digital landscape, efficient incident investigation is crucial for maintaining robust security. Azure Logic Apps play a central role in extending Microsoft Sentinel into a SOAR solution by automating routine processes, thereby delivering speed, consistency and reliability when handling certain Security Operations Center (SOC) processes. Security Copilot supports the integration of Logic Apps to automatically submit prompts or promptbooks whose outputs can then be used to bring AI-powered enrichments into incidents generated by Microsoft Sentinel.
Introducing the Unified Device Timeline Experience in Microsoft SIEM + XDR - We are thrilled to announce the launch of the Unified Device Timeline, a feature that integrates device activity timelines from Microsoft Sentinel and Defender XDR into a single, cohesive view. This feature streamlines security investigations by enabling analysts to access all relevant device activities in one place, reducing the need to switch between platforms and accelerating incident response times.
Optimize threat intelligence feeds with ingestion rules
Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out altogether. For more information, see Understand threat intelligence ingestion rules.
Matching analytics rule now generally available (GA)
Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see Use matching analytics to detect threats.
Defender for Cloud Things
Bringing AppSec and CloudSec Together: Microsoft Defender for Cloud Integrates with Endor Labs - Today, Microsoft Defender for Cloud and Endor Labs are bridging this divide with a native integration that delivers true code-to-runtime reachability. By combining Software Composition Analysis (SCA) with Cloud-Native Application Protection Platform (CNAPP) capabilities, security teams can pinpoint exploitable vulnerabilities from the moment code is written to the time it’s deployed in the cloud.
Defender for Endpoint Things
Block malicious command lines with Microsoft Defender for Endpoint - Defender for Endpoint uses advanced machine learning models to automatically scan, analyze, and classify command lines. Malicious command lines are blocked instantly within the client, while suspicious ones are sent to the cloud for further analysis using Microsoft’s freshest signals, most up-to-date threat intelligence, and advanced detection methods - including the CommandLineBerta model.
Defender XDR Things
Securing Identities: 10 recommendations for building a stronger identity security posture - In this blog we will focus on some key things to consider for your Active Directory (AD) footprints. Active Directory is a critical element of user authentication, and its complexity leaves many opportunities for potential misconfigurations, making it a prime target for attackers.
Defender for Identity Things
Defender for Cloud Apps Things
Get visibility into DeepSeek with Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud Apps helps you discover and protect more than 800 generative AI applications, now including DeepSeek. It provides the necessary overview of an app's usage in your organization, combined with the potential risk that the app poses for your organization. In fact, it profiles more than 90 separate risk attributes for each application in the Cloud App Catalog so you can make informed choices in a unified experience.
How to Use Tenant Allow/Block Lists in Microsoft Defender for Business - Elevate your email security with Microsoft Defender's Tenant Allow/Block Lists, where you control exactly who gets in and who stays out.
Microsoft Purview Things
Take the Purview Community Engagement Survey so we can deliver the technical expertise you need to make your job easier - You may have noticed that this Purview Community space has had a bit of a glow-up, and the great news is that it will continue to be tailored to meet the needs of its members. Our engineers, subject matter experts, MVPs, and enthusiastic technologists would like to bring you the content and engagements that you desire, and there's no better way to know what you want than to ask!
Defender for Business Things
Overview of Microsoft Defender for Business - Elevate your business security with Microsoft Defender for Business! Tailored for small and medium-sized businesses, this powerful tool offers enterprise-grade protection against ransomware, malware, phishing, and other cyber threats.
Defender for Office Things
Diagnose Safe/Blocked Senders Issues in Microsoft 365 - Part of our expanding list of Self-help diagnostics for issues in Exchange Online and Outlook, we’re happy to announce a new tool, which can help address or explain issues related to Microsoft 365 safe/blocked sender lists. It is designed to assist administrators in resolving these problems independently, without needing to contact support.
Microsoft Entra Things
Accelerating the Anomalous Sign-Ins detection with Microsoft Entra ID and Security Copilot - To enhance efficiency and accelerate the investigation process, organizations can leverage AI tools like Microsoft Security Copilot. By integrating Security Copilot with Microsoft Entra ID data (mainly AADUserRiskEvent) and developing custom Promptbooks, organizations can investigate risky sign-ins, reduce manual workloads, and enable proactive decision-making to boost SOC efficiency in such scenarios.
Entra Password Protection Smarter Security, Fewer Pop-Tarts — Rubix - Alright, let’s be real—passwords are the worst. If you can, ditch them altogether and embrace the wonderful world of passwordless authentication. But if you’re stuck with passwords for the time being, at least let’s make them a little less terrible, shall we?
Leveraging Custom Security Attributes in Conditional Access Policies - Microsoft Entra ID provides robust tools for managing access to resources through Conditional Access (CA) policies. However, some service principals representing certain resources cannot be directly included in CA policies. To address this, we can use custom security attributes to control access to these resources. This blog will guide you through the process of creating and applying custom security attributes to service principals, and then allowing or blocking them through Conditional Access policies.
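As an added illustration of that pattern (this is not code from the linked blog or from Microsoft; it is an example written for this newsletter), the script below uses the Microsoft Graph PowerShell SDK to define an attribute set and a predefined-value attribute, tag a service principal with it, verify the assignment, and create a Conditional Access policy whose application filter targets that attribute. The attribute set name "AppGovernance", the attribute "CAScope", the values "Restricted"/"Open", and the app display name "Contoso Legacy Connector" are assumptions for illustration; substitute your own.

```powershell
# Added example, not from the linked post. Names below are assumptions:
# attribute set "AppGovernance", attribute "CAScope", value "Restricted",
# service principal display name "Contoso Legacy Connector".
# Least-privilege roles for the caller: Attribute Definition Administrator
# (steps 1-2), Attribute Assignment Administrator (step 3) and
# Conditional Access Administrator (step 5). Global Administrator is not needed.

$scopes = @(
    "CustomSecAttributeDefinition.ReadWrite.All",
    "CustomSecAttributeAssignment.ReadWrite.All",
    "Application.Read.All",
    "Policy.ReadWrite.ConditionalAccess"
)
Connect-MgGraph -Scopes $scopes

# 1. Attribute set that groups the attributes used for access scoping.
New-MgDirectoryAttributeSet -Id "AppGovernance" `
    -Description "Attributes used to scope Conditional Access" `
    -MaxAttributesPerSet 25

# 2. Attribute restricted to predefined values so a typo cannot silently
#    leave an app outside the policy.
$definition = @{
    attributeSet            = "AppGovernance"
    name                    = "CAScope"
    description             = "Conditional Access scoping tag for service principals"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false
    isSearchable            = $true
    usePreDefinedValuesOnly = $true
    allowedValues           = @(
        @{ id = "Restricted"; isActive = $true }
        @{ id = "Open";       isActive = $true }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $definition

# 3. Tag the service principal that cannot be picked directly in the CA UI.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Contoso Legacy Connector'"
$tag = @{
    AppGovernance = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        CAScope       = "Restricted"
    }
}
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -CustomSecurityAttributes $tag

# 4. Verify: customSecurityAttributes is not returned unless requested.
$check = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property "customSecurityAttributes"
$check.CustomSecurityAttributes.AdditionalProperties | Format-List

# 5. Policy that blocks every service principal carrying the tag. Created in
#    report-only mode first; switch state to "enabled" after reviewing sign-in
#    logs, and keep a break-glass account in excludeUsers before enforcing.
$policy = @{
    displayName = "Block restricted service principals (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            # excludeUsers = @("<break-glass account object ID>")
        }
        applications   = @{
            applicationFilter = @{
                mode = "include"
                rule = 'CustomSecurityAttribute.AppGovernance_CAScope -eq "Restricted"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two practitioner notes: the filter rule references the attribute as AttributeSet_AttributeName, so renaming either side breaks the policy silently, and because the tag lives on the service principal object, anyone holding the Attribute Assignment Administrator role can move an app out of scope; treat that role as privileged and alert on customSecurityAttributes changes in the audit log.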