Things from Me
Happy Friday everyone!
This week let’s welcome new members to our growing community. As I noted last week, we are merging the contributions from THE Prompt newsletter for Security Copilot into this community. THE Prompt has been a huge success on its own, but as I’ve always done here, the newsletter follows Microsoft’s own direction. If you’re reading tea leaves…
I expect to adjust this newsletter’s name and logos to better incorporate the adjusted focus in the near future. I had actually intended to do that this past week, but I have some family things going on that require more of my focus.
…
On a personal note, some of you know already, but I also write fiction books. You can find all my existing and upcoming fiction books at https://RodsFictionBooks.com.
I have my latest full-length novel "Beyond the Snake Line" releasing electronically this weekend on Sunday, June 1st! The paperback is already available, and the Audible edition should be available sometime on Monday, June 2nd.
If Sci-Fi is something you enjoy, check it out: https://amzn.to/3FuiaYy
…
That’s it for me for this week. I have a lot going on that I’ll share in an upcoming issue.
Talk soon.
-Rod
Things that are Related
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage - Microsoft Threat Intelligence Center has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard (LAUNDRY BEAR), who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives. In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general.
Public Preview: Granular RBAC in Azure Monitor Logs - Introducing the new Granular RBAC capability, enabling data access control at the row level in Azure Monitor Logs.
Exciting News for Nonprofits: Enhanced Security with Microsoft Enterprise E5 Add-On! - Nonprofit organizations can now take their cybersecurity to the next level with the Microsoft Enterprise E5 Security add-on! As part of Microsoft's nonprofit program, eligible organizations are granted 10 free Microsoft Business Premium licenses. This already provides robust security features, but now there's an opportunity to further enhance protection with the E5 Security add-on.
The Next Security Frontier: Humanoids - The humanoid robot market is projected to be massive in the coming decades. Estimates suggest it could surpass $5 trillion by 2050, with over 1 billion humanoids in use, primarily for industrial and commercial applications. Adoption is expected to accelerate in the late 2030s, driven by technological advancements and regulatory support.
Is Humanoid Robot Security Actually Just AI Security? - In recent years, humanoid robots have taken center stage in discussions about the future of technology. These machines, designed to mimic human appearance and behavior, are powered by sophisticated artificial intelligence (AI) systems. But does securing humanoid robots equate to securing AI? This blog post delves into the differences and similarities between humanoid robot security and AI security, and why mastering both is essential for anyone pursuing a career in humanoid robot security.
How to deploy AI safely - In this blog you will hear directly from Corporate Vice President and Deputy Chief Information Security Officer (CISO) for AI, Yonatan Zunger, about how to build a plan to deploy AI safely. This blog is part of a new ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice, forward-looking commentary on where the industry is going, things you should stop doing, and more.
Simplifying Azure Log Analytics Table Retention Management: A Modern Approach - If you've ever managed Azure Log Analytics workspaces at enterprise scale, you'll know the pain of manually configuring retention policies across dozens—or even hundreds—of tables. The Azure portal, whilst functional, becomes cumbersome when you need to update retention settings for multiple tables across different workspaces. Add to this the confusion of phantom tables (tables that appear in the API but contain no actual data) and varying plan types with different retention limits, and you've got a recipe for frustration.
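As an added example (not code from the linked post), the kind of bulk retention update the post is about, using the Az.OperationalInsights cmdlets. The resource group, workspace, table names and retention values are assumptions; the per-plan retention limits in the comments reflect current documented behaviour and should be re-checked against the service before you rely on them.

```powershell
# Added example: set interactive and total retention on a list of Log Analytics tables.
# Resource names, table list and day counts are assumptions for illustration.
#Requires -Modules Az.Accounts, Az.OperationalInsights

param(
    [string]$ResourceGroupName = 'rg-security-logs',                       # assumed
    [string]$WorkspaceName     = 'law-sentinel-prod',                      # assumed
    [string[]]$TableNames      = @('SigninLogs', 'AuditLogs', 'SecurityEvent'),  # assumed
    [int]$RetentionInDays      = 90,    # interactive retention (Analytics plan: 4-730 days)
    [int]$TotalRetentionInDays = 365,   # interactive + long-term retention, must be >= RetentionInDays
    [switch]$WhatIf
)

if ($TotalRetentionInDays -lt $RetentionInDays) {
    throw 'TotalRetentionInDays must be greater than or equal to RetentionInDays.'
}

Connect-AzAccount -ErrorAction Stop | Out-Null

$results = foreach ($name in $TableNames) {
    # A table that the API does not return at all is skipped rather than created.
    $table = Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName `
        -WorkspaceName $WorkspaceName -TableName $name -ErrorAction SilentlyContinue
    if (-not $table) {
        [pscustomobject]@{ Table = $name; Plan = $null; Status = 'NotFound' }
        continue
    }

    # Basic-plan tables have a fixed interactive retention; only total retention is settable
    # there, so RetentionInDays is only passed for Analytics-plan tables. (.Plan is assumed
    # to be the property name on the returned table object.)
    $params = @{
        ResourceGroupName    = $ResourceGroupName
        WorkspaceName        = $WorkspaceName
        TableName            = $name
        TotalRetentionInDays = $TotalRetentionInDays
    }
    if ($table.Plan -ne 'Basic') { $params.RetentionInDays = $RetentionInDays }

    if ($WhatIf) {
        [pscustomobject]@{ Table = $name; Plan = $table.Plan; Status = 'WouldUpdate' }
    } else {
        $null = Update-AzOperationalInsightsTable @params -ErrorAction Stop
        [pscustomobject]@{ Table = $name; Plan = $table.Plan; Status = 'Updated' }
    }
}

$results | Format-Table -AutoSize
```

Run it once with -WhatIf to see which tables would change and on which plan. Tables the API lists but that never receive data (the "phantom tables" the post mentions) still accept a retention setting; to find out which tables actually carry data, the Usage table in the workspace is the cheap place to look before deciding where retention matters.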
Things in the News
Zscaler signed a definitive agreement to acquire Red Canary - Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today announced it has signed a definitive agreement to acquire Red Canary, a recognized leader in Managed Detection and Response (MDR). With over 10 years of expertise in security operations (SecOps), Red Canary has enabled its extensive customer base to investigate threats up to 10 times faster with 99.6% accuracy, while streamlining workflows through automated remediation. Combined with Zscaler’s massive amounts of high-quality data—derived from the world's largest security cloud—and global intelligence from its ThreatLabz Security Research team, the combination will deliver a unified, agentic Security Operations Center (SOC) that combines AI-driven workflows with human expertise. These complementary capabilities will redefine how businesses detect, respond to, and mitigate modern cyber threats.
Security Copilot Things
Boosting Your SOC Operations with Optimized Automation Using Security Copilot - In this article, I describe the techniques I adopted to reduce SCU consumption in an automation solution for investigating potential user compromises. The prototype of the solution is available here: LINK.
Microsoft Sentinel Things
Leveraging Summary Rules in Microsoft Sentinel: A Practical Guide - In today's security landscape, organisations face an overwhelming volume of security data. Microsoft Sentinel, as a cloud-native SIEM solution, processes vast amounts of logs daily. However, the sheer volume can impact both performance and cost-efficiency. This is where Summary Rules come into play—a powerful feature that helps security teams distil raw data into actionable insights while optimising resources.
Demystifying Anomaly Detection in Microsoft Sentinel using KQL - Anomaly detection is a powerful tool in cybersecurity and IT monitoring, helping detect unusual patterns in data that could indicate a breach, failure, or unexpected behaviour. Microsoft Sentinel, using Kusto Query Language (KQL), offers built-in functions like series_decompose_anomalies and series_decompose_forecast that make this process both effective and approachable.
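As an added example (not code from the linked post), a time-series anomaly query of the kind the post describes, built on series_decompose_anomalies over hourly failed sign-in counts and run from PowerShell so it can be scheduled outside the portal. The workspace ID, the threshold, and the choice of SigninLogs and ResultType as the signal are assumptions.

```powershell
# Added example: detect hourly spikes in failed sign-ins with series_decompose_anomalies.
# Workspace ID, threshold and lookback are assumptions for illustration.
#Requires -Modules Az.Accounts, Az.OperationalInsights

$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # assumed; Log Analytics workspace ID (GUID)
$Threshold   = 2.5    # anomaly score cutoff; the function default is 1.5, higher means fewer alerts
$LookbackDays = 14    # enough history for the seasonality detection to find a daily/weekly pattern

# KQL is embedded in a double-quoted here-string so $Threshold and $LookbackDays are substituted.
$kql = @"
let lookback = ${LookbackDays}d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != 0                                   // failed sign-ins only
| make-series Failures = count() default = 0
    on TimeGenerated from ago(lookback) to now() step 1h
| extend (Anomaly, Score, Baseline) = series_decompose_anomalies(Failures, $Threshold)
| mv-expand TimeGenerated to typeof(datetime), Failures to typeof(long),
            Anomaly to typeof(int), Score to typeof(double), Baseline to typeof(double)
| where Anomaly == 1                                      // +1 = spike above baseline, -1 = dip
| project TimeGenerated, Failures, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
"@

Connect-AzAccount -ErrorAction Stop | Out-Null

$resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql `
    -Timespan (New-TimeSpan -Days $LookbackDays) -ErrorAction Stop

# Each row is one hour whose failure count sat above the decomposed baseline by more than
# the threshold; Score is the standardized residual the function used to flag it.
$resp.Results | Format-Table TimeGenerated, Failures, Baseline, Score -AutoSize
```

The same KQL pasted into a Sentinel scheduled analytics rule works unchanged; the PowerShell wrapper is only there so the query can be tuned and run on a schedule from automation. Dips (Anomaly == -1) are filtered out here because a sudden drop in failures is rarely what a SOC wants paged on, but they are the signal to keep if the series were, say, audit log volume from a source that might have gone quiet.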
Protecting Your Microsoft Sentinel Solution from Deletion or Corruption - In this blog, we'll explore best practices to protect your Microsoft Sentinel environment from being deleted or corrupted. This includes locking the Log Analytics Workspace, backing up and restoring analytic rules using PowerShell, and additional strategies to ensure your Sentinel solution remains secure and resilient.
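As an added example (not code from the linked post), the two controls the post names applied from PowerShell: a CanNotDelete lock on the workspace, and an export/re-import of the workspace's analytics rules through the Azure REST API, which preserves the full rule definition rather than only the properties a cmdlet exposes. Subscription, resource names, backup path and the SecurityInsights API version are assumptions.

```powershell
# Added example: lock a Sentinel workspace and back up / restore its analytics rules.
# Names, paths and API version are assumptions for illustration.
#Requires -Modules Az.Accounts, Az.Resources

$SubscriptionId    = '00000000-0000-0000-0000-000000000000'  # assumed
$ResourceGroupName = 'rg-security-logs'                      # assumed
$WorkspaceName     = 'law-sentinel-prod'                     # assumed
$BackupDir         = Join-Path $PWD 'sentinel-rule-backup'   # assumed
$ApiVersion        = '2023-02-01'                            # assumed stable SecurityInsights version

Connect-AzAccount -ErrorAction Stop | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Deletion lock. With the lock in place a delete fails until someone with Owner (or
#    Microsoft.Authorization/locks/delete) removes it, which is a separate, logged action.
New-AzResourceLock -LockName 'sentinel-workspace-nodelete' -LockLevel CanNotDelete `
    -ResourceGroupName $ResourceGroupName -ResourceName $WorkspaceName `
    -ResourceType 'Microsoft.OperationalInsights/workspaces' `
    -LockNotes 'Sentinel workspace: remove lock before any intentional teardown' -Force | Out-Null

# 2. Rule backup/restore via ARM. The alertRules collection is paged, so follow nextLink.
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
        "/providers/Microsoft.SecurityInsights/alertRules"

function Backup-SentinelRules {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $rules = @()
    $next  = "${base}?api-version=$ApiVersion"
    while ($next) {
        # First page is a relative ARM path; nextLink comes back as an absolute URL.
        $resp = if ($next -like 'https://*') { Invoke-AzRestMethod -Method GET -Uri $next }
                else                         { Invoke-AzRestMethod -Method GET -Path $next }
        if ($resp.StatusCode -ne 200) { throw "List failed: $($resp.StatusCode) $($resp.Content)" }
        $page  = $resp.Content | ConvertFrom-Json
        $rules += $page.value
        $next   = $page.nextLink
    }
    foreach ($rule in $rules) {
        # Keep what a PUT needs (kind + properties); id and etag are server-assigned.
        $body = [ordered]@{ kind = $rule.kind; properties = $rule.properties }
        $body | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $BackupDir "$($rule.name).json")
    }
    return $rules.Count
}

function Restore-SentinelRules {
    foreach ($f in Get-ChildItem -Path $BackupDir -Filter '*.json') {
        $name = [IO.Path]::GetFileNameWithoutExtension($f.Name)   # file name == rule resource name
        $resp = Invoke-AzRestMethod -Method PUT -Path "$base/${name}?api-version=$ApiVersion" `
            -Payload (Get-Content -Path $f.FullName -Raw)
        if ($resp.StatusCode -notin 200, 201) {
            Write-Warning "$name : $($resp.StatusCode) $($resp.Content)"
        }
    }
}

"Backed up $(Backup-SentinelRules) rules to $BackupDir"
# Restore-SentinelRules   # run against a rebuilt workspace to re-create the rules by name
```

Commit the exported JSON to a repository with history so a malicious or accidental rule edit can be diffed, not just restored. The lock does not protect the data inside the workspace or stop a rule from being disabled; those need the backup above plus alerting on Sentinel audit events for rule changes.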
Defender for Cloud Things
Enable Advanced Protection for AI Workloads with Microsoft Defender for Cloud - As organizations use and develop AI applications, they need to address new and amplified security risks. Prepare your environment for secure AI adoption to safeguard your data and identify threats to your AI.
Defender for Endpoint Things
Discover how automatic attack disruption protects critical assets while ensuring business continuity - Discover how automatic attack disruption protects critical assets while ensuring business continuity.
Defender XDR Things
From on-premises to cloud: Graph-powered detection of hybrid attacks with Microsoft exposure graph - In this blog, we explain how the exposure graph, an integral part of our pre-breach security exposure solution, supercharges our post-breach threat protection capabilities to detect and respond to such multi-faceted threats.
Defender for Office Things
Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA - We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR), expanding this powerful tool and delivering on full end-to-end automation of key SOC scenarios.
Defending against evolving identity attack techniques - While the examples in this blog do not represent the full range of phishing and social engineering attacks being leveraged against enterprises today, they demonstrate several efficient techniques of threat actors tracked by Microsoft Threat Intelligence. Understanding these techniques and hardening your organization with the guidance included here will help contribute to a significant part of your defense-in-depth approach.
Microsoft Purview Things
Unlocking Business Value with Microsoft Purview Data Governance Solutions - Effective data governance is crucial for ensuring that the data used in business operations, reports, and analysis is discoverable, accurate, trusted, and protected. With the proliferation of AI and evolving regulations, managing data quality has become as critical as data security. Microsoft Purview offers comprehensive data governance solutions that streamline metadata from disparate catalogs and sources, providing organizations with visibility, data confidence, and responsible innovation.
Empowering Secure AI Innovation: Data Security and Compliance for AI Agents - The surge in AI adoption is empowering employees across roles – from low-code makers to pro-code developers – to build and use AI in new ways. Business leaders are eager to support this momentum, but they also recognize the need to innovate responsibly with AI.
Top Qualities and Skills to Land a Job Working with Microsoft Purview - Microsoft Purview, a cutting-edge solution for data governance, risk management, and compliance, is revolutionizing how organizations handle their digital assets. With its innovative tools for managing sensitive information and ensuring regulatory compliance, Microsoft Purview is becoming an essential platform for businesses worldwide. As more companies adopt these solutions, the demand for skilled professionals capable of leveraging Microsoft Purview has grown significantly. This blog post will explore the top qualities and skills required to land a job working with Microsoft Purview, giving you the edge in this competitive field.
Rethinking Data Security and Governance in the Era of AI - The era of AI is reshaping industries, enabling unprecedented innovations, and presenting new opportunities for organizations worldwide. But as organizations accelerate AI adoption, many are focused on a growing concern: their current data security and governance practices are not effectively built for the fast-paced AI innovation and ever-evolving regulatory landscape.
Manage AI Data Security Challenges with Microsoft Purview - Microsoft Purview helps you strengthen data security in AI environments, providing tools to manage challenges from AI technology.
Manage Compliance with Microsoft Purview with Microsoft 365 Copilot - Use Microsoft Purview for compliance management with Microsoft 365 Copilot. You'll learn how to handle compliance aspects of Copilot's AI functionalities through Purview.
Identify and Mitigate AI Data Security Risks - Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorized data exposure.
Microsoft Entra Things
Understanding Conditional Access Policies in Microsoft Entra - For many nonprofits, data security can feel like walking a tightrope. Imagine an organization that provides housing assistance and collects personal information from clients—Social Security numbers, income details, and health records. A volunteer accidentally logs into the organization’s portal from an unsecured public Wi-Fi network. Without proper safeguards, this scenario could easily lead to a data breach.
Microsoft Entra access control and security now available in Azure AI Search - Built-in Microsoft Entra-based ACL and Azure RBAC enforcement from ingestion to query, now in public preview.
Monitoring & Assessing Risk with Microsoft Entra ID Protection - In this blog we will cover how Microsoft Entra ID Protection can be effectively used to detect, investigate, and remediate risky activities. The blog outlines the platform's features, including real-time threat detection, AI-driven risk analysis, and tools for managing Conditional Access policies and authentication strategies, offering valuable insights for proactive identity security management.
The future of AI agents—and why OAuth must evolve - Today's AI agents are already impressive—they're helping software engineers write code, assisting site reliability teams in troubleshooting systems, and handling a variety of analytical tasks. Yet, as capable as these specialized agents are becoming, we're just beginning to glimpse their potential. The next wave of changes is approaching fast, bringing capabilities that will transform how we work across a wide variety of fields.
Securing the Keys to the Kingdom: Ensuring MFA for Microsoft Entra Privileged Roles with PowerShell - Ensuring multi-factor authentication (MFA) for your most privileged administrative accounts in Microsoft Entra ID.
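As an added example (not code from the linked post), one way to do the check the post describes with the Microsoft Graph PowerShell SDK: enumerate active members of a watch-list of privileged roles and flag any user who has no MFA-capable authentication method registered. The role list, the Graph scopes requested, and the set of method types treated as "strong" are assumptions to adjust to your own policy.

```powershell
# Added example: find users holding privileged Entra roles with no MFA-capable method registered.
# Role watch-list, scopes and the strong-method set are assumptions for illustration.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

$PrivilegedRoles = @(                       # assumed watch-list; extend as needed
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Exchange Administrator', 'User Administrator'
)

# Graph method types that satisfy an MFA claim. Password and email (SSPR-only) are excluded.
$StrongMethods = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.temporaryAccessPassAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'    # SMS/voice: weakest accepted; drop for phishing-resistant policy
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

$findings = foreach ($roleName in $PrivilegedRoles) {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { Write-Warning "Role not found: $roleName"; continue }

    # Active assignments only. PIM-eligible assignments are not in this collection, so
    # eligible admins need a separate pass over roleEligibilityScheduleInstances.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" -All

    foreach ($a in $assignments) {
        $user = Get-MgUser -UserId $a.PrincipalId -Property Id, UserPrincipalName, UserType -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # principal is a group or service principal; review those separately

        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
        $types   = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        $strong  = @($types | Where-Object { $_ -in $StrongMethods })

        [pscustomobject]@{
            Role     = $roleName
            User     = $user.UserPrincipalName
            Guest    = ($user.UserType -eq 'Guest')
            MfaReady = ($strong.Count -gt 0)
            Methods  = (($types -replace '#microsoft\.graph\.|AuthenticationMethod', '') | Sort-Object -Unique) -join ','
        }
    }
}

"Privileged users with no MFA-capable method registered:"
$findings | Where-Object { -not $_.MfaReady } | Sort-Object Role, User | Format-Table -AutoSize
```

Registration is necessary but not sufficient: a registered method is only enforced if a Conditional Access policy (or the tenant's security defaults) requires it for these roles, so pair this report with a check that a policy targeting directory roles with the "Require multifactor authentication" grant is enabled and has no broad exclusions. Accounts assigned through groups or via PIM eligibility are not covered by the loop above and need their own enumeration.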