Microsoft SIEM and XDR Weekly Wrap - Issue #31
The Rollercoaster Ride You Didn't Know You Needed
Things from Me
Happy Friday everyone!
Welcome to the latest edition of our newsletter, where we bring you the most exciting updates, events, and tips to keep you ahead in the game! 🎉
First up, mark your calendars for Things to Attend! We've got a lineup of Upcoming Purview webinars that are sure to pique your interest. Whether you're curious about data security, insider threats, or the latest in DLP, we've got a session for you.
But wait, there's more! Dive into Things that are Related for some must-read content on establishing comprehensive security policies for Intune-managed devices and the growing threat of token theft.
Feeling competitive? Join our Just another Kusto hacker ("JAKH") contest and show off your Kusto query skills.
And for those who prefer to watch or listen, check out Things to Watch/Listen To. The latest episode of "Talking Security – Let’s Talk" is live, bringing you the hottest security trends and updates.
Finally, don't miss out on Things to Have. We've got the latest updates on Microsoft Purview Information Protection client and more.
Hope you enjoy this edition and find it both informative and entertaining! 😊
Thanks all for your continued support for this community.
Talk soon.
-Rod
Things to Attend
Upcoming Purview webinars
⭐ May 6: Data Security - What's New in MIP?
⭐ May 7: Data Security - What's New in DLP?
⭐ May 8: Data Security - Insider Threats: Are They Real?
Register here: https://forms.office.com/r/AXdhNnPBhH
Things that are Related
How to Establish a Comprehensive Security Policy for Intune-Managed Devices - Developing a robust security policy for Intune-managed devices is no longer optional. Microsoft Intune, as part of the broader Endpoint Manager ecosystem, enables organizations to secure, manage, and monitor devices while safeguarding corporate assets. However, the effectiveness of Intune hinges on the strength of your underlying security policies. Here’s how you can establish a comprehensive policy that sets the stage for effective device management.
Bonus - The Growing Threat of Token Theft: How Attackers Exploit Stolen Authentication After Successful Phishing - In this bonus installment, we'll explore what the potential risks are after a successful phishing attack in which authentication tokens are captured. We'll examine how threat actors leverage these tokens to expand their access and the tools they use to exploit Microsoft 365 and Azure environments in particular.
Just another Kusto hacker ("JAKH") contest! - Your challenge is to write a Kusto query that outputs the string "Just another Kusto hacker". The query can be as simple or as complex as you like, as long as it is self-contained and can run on any Fabric EventHouse or Azure Data Explorer cluster.
Things to Watch/Listen To
Talking Security – Let’s Talk | March 2025 Update is Live! - Welcome back to another exciting episode of “Talking Security – Let’s Talk,” your go-to podcast for staying up to date with the fast-moving world of cybersecurity. Our March 2025 episode is now live, and this month, your hosts Frans Oudendorp and Pouyan Khabazi dive into the latest security trends, product updates, and industry developments that every security pro should have on their radar.
Things to Have
Updated Microsoft Purview Information Protection client released - The Microsoft Purview Information Protection client helps you classify and label data in your organization at the time of creation, as well as apply protection, based on encryption and usage rights, to sensitive data. Labels and protection are persistent, traveling with the data throughout its lifecycle, so that it’s detectable and controlled at all times, regardless of where it’s stored or with whom it’s shared, internally or externally.
Security Copilot and Sentinel MCP Server - A Python-based MCP server, built on the FastMCP library, that provides integration with Microsoft Security Copilot and Microsoft Sentinel using Azure Identity authentication.
Microsoft Sentinel Things
Multi-workspace for Multi-tenant is now in Public Preview in Microsoft's Unified SecOps Platform - We are thrilled to announce that our unified security operations (SecOps) platform now supports multiple workspaces across multiple tenants, currently available in public preview. This marks a significant advancement in our commitment to providing comprehensive security solutions tailored to the diverse needs of our customers. The unified platform integrates the capabilities of Microsoft Sentinel, Defender XDR, and more, offering a seamless and robust experience.
Troubleshooting Guide: Syslog Forwarding into Microsoft Sentinel - Navigating challenges while attempting to forward syslog logs to Microsoft Sentinel? This comprehensive troubleshooting guide is your go-to resource for addressing potential roadblocks in three critical areas: the Data Source Side, Syslog Server, and Microsoft Sentinel Side.
Unlocking the Power of Intune: Monitor and Analyze Device Data to Enhance Security and Compliance - Ensuring the health, compliance, and security of devices is a cornerstone of effective organizational management. Microsoft Intune’s robust reporting and analytics features empower IT administrators to monitor a fleet of devices, pinpoint security vulnerabilities, and maintain compliance with ease. With the added capability to integrate Intune data into Microsoft Sentinel, organizations can elevate their threat detection and response capabilities to new heights.
Defender for Cloud Things
Guidance for handling CVE-2025-30065 using Microsoft Security capabilities - A newly disclosed critical vulnerability (CVE-2025-30065) in Apache Parquet, a popular open-source file format used for big data processing, could allow remote code execution (RCE) if a system imports a specially crafted malicious Parquet file. This flaw, rated with the highest CVSS severity score of 10.0, affects the parquet-java library (formerly parquet-mr).
Protect what matters to your organization using filtering in Defender for Storage - Microsoft Defender for Storage is a cloud-native, agentless security solution within Microsoft Defender for Cloud, part of Microsoft’s CNAPP offering. With seamless onboarding, it helps safeguard your organization’s most valuable data by detecting and preventing malicious uploads, sensitive data exfiltration, and data corruption. Powered by Microsoft Threat Intelligence, it delivers advanced threat detection to enhance your storage security.
Defender for Endpoint Things
(Preview) Contain IP addresses of undiscovered devices: Containing IP addresses associated with devices that are undiscovered or are not onboarded to Defender for Endpoint is now in preview. Containing an IP address prevents attackers from spreading attacks to other non-compromised devices. See Contain IP addresses of undiscovered devices for more information.
Defender XDR Things
Automatic attack disruption: Enhanced containment for critical assets and shadow IT - We’re thrilled to introduce new, extended capabilities in automatic attack disruption, designed to further stop attackers and restrict them from using compromised devices to move laterally across the network. Specifically, these capabilities sit within Microsoft Defender for Endpoint, which disrupts ransomware on its own.
Defender for Cloud Apps Things
OAuthAppInfo table added to Defender XDR advanced hunting (Preview)
The OAuthAppInfo table is now available in Defender XDR advanced hunting, enabling security teams to explore and analyze OAuth app-related metadata with enhanced visibility.
This table provides details on Microsoft 365-connected OAuth applications that are registered with Microsoft Entra ID and accessible through the Defender for Cloud Apps app governance capability.
New Applications page in Defender XDR (Preview)
The new Applications page consolidates all SaaS and connected OAuth applications into a single, unified inventory. This centralized view streamlines application discovery, monitoring, and management, providing greater visibility and control across your environment.
The page surfaces key insights such as risk scores, usage patterns, publisher verification status, and privilege levels. These insights help you quickly identify and address high-risk or untagged applications.
For more information, see Application inventory overview.
Defender Experts Things
Meet the Microsoft security experts who reinforce your SecOps 24/7 - Microsoft Defender Experts for XDR combines industry-leading Microsoft Defender products with our team of Microsoft security experts and analysts. We created a video series that offers a behind-the-scenes look at Defender Experts for XDR through conversations with our security professionals. You will learn about their roles, their approaches to cybersecurity, and how they work to keep organizations safe 24/7.
Microsoft Purview Things
What are the true benefits of Microsoft Purview? - Managing and securing information has become one of the most critical aspects of organizational success. With the explosion of cloud computing, multicloud setups, and the increasing complexity of regulatory requirements, organizations need tools that can simplify, secure, and streamline their data practices. Enter Microsoft Purview—a unified platform for data governance, security, and compliance that is transforming how businesses handle their data.
A Bird's Eye View with Microsoft Purview - Discover how nonprofits can enhance security, ensure compliance, and effectively manage data governance with Microsoft Purview. This guide will also provide insights on evaluating your current data governance and compliance measures.
Data Governance
In preview: Critical data elements (CDE) and objectives and key results (OKR) data are now available for self-service analytics and can be used alongside other Microsoft Purview metadata for analytics and insights.
In preview: For Data Health controls, users can configure the severity of the rules they apply for each data health control.
Data Security Posture Management for AI
In preview: Data assessments now support on-demand classification as a remediation action to scan data for sensitive information from SharePoint sites and OneDrive accounts that report items as Data Not Scanned. From the flyout pane for the location, select the Identify tab, and then select the new option to Scan all items for sensitive information.
In preview: The recently released recommendation and one-click policy to secure interactions for Microsoft Copilot experiences now also includes Security Copilot. As a shortcut to this policy recommendation, use the banner at the top of the Overview page that reads "Microsoft Purview now secures Copilot in Fabric and Microsoft Security Copilot interactions" and select the Learn more option.
Sensitivity labels
General availability (GA): When you protect a Teams meeting with a sensitivity label, you can automatically apply or recommend that the meeting is labeled with the highest priority sensitivity label from files shared for the meeting. Use the new label policy setting Apply inheritance between Teams meetings and artifacts and ensure that this policy is published to meeting organizers.
Defender for Office Things
SOC can see Microsoft analysis for third-party add-in user reports - We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as KnowBe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.
Microsoft Entra Things
Unleashing the multicloud advantage: Identity and Access Management (IAM) - Expand your reach and accelerate growth by bringing your AWS-based app to Azure and selling through Azure Marketplace. This guide will break down key IAM differences between AWS and Microsoft Entra ID, helping you replicate your app’s identity management quickly and securely. Future posts will dive deeper into specific IAM configurations and best practices.
Management Made Simple with Administrative Units - Microsoft Entra ID - Microsoft Entra ID, formerly known as Azure Active Directory, is the part of Microsoft Entra that manages both internal and external resources for your organization. These resources can reside in your Azure subscription or within your Microsoft 365 tenant. Consequently, Entra ID assists IT administrators in managing who requires access to these resources.