Things from Me
Happy Friday everyone and great to see you again. I’m a couple weeks back from an amazing trip to Paris for my 35th wedding anniversary and Copenhagen for time with good friends and speaking at Experts Live Denmark.
Paris was amazing and was the best trip there I’ve ever had. Of course, my travel companion (my wife) had much to do with that experience.
At Experts Live I led a panel on the Microsoft Secure Future Initiative and delivered the State of the Union for Microsoft Security Copilot. In the Security Copilot session, I focused on our top 10 investments in the last year and demoed each.
If you’re interested in some of my Experts Live photos, check out my photo gallery:
…
I'm happy to announce that my next tech book is now ready for pre-order. Due in July, Microsoft Security Copilot: Master strategies for AI-driven cyber defense is the first-ever book covering the product that I've been focused on the last 3 years. Thanks to my co-author and colleague, Bi Yue Xu, for the heavy lift. She’s been amazing as we’ve both had to navigate my busy schedule.
…
My next upcoming in-person event is the Microsoft 365 Community conference in Las Vegas, May 6-8, 2025.
I’d love to meet each of you in-person and have a discussion about Microsoft Security Copilot.
Join me at #M365Con in Vegas, May 6–8, and get ready for 200+ sessions, keynotes, workshops, and AMAs packed with content you can apply immediately. Register now to save $150 with code SAVE150. https://aka.ms/M365Con25
…
That’s it for me for this week. Thanks all for your continued dedication to this community and this newsletter! But don’t keep it to yourself. Share it with someone who needs it!
Talk soon.
-Rod
Things to Attend
Are you attending the RSA conference at the end of April? If so, we’re hoping you will come join the Microsoft Pre-Day at RSAC to learn how you can accelerate the secure adoption of AI. Visit https://aka.ms/RSAC2025events to save your spot!
Things that are Related
Microsoft 365 E5 Security is now available as an add-on to Microsoft 365 Business Premium - Microsoft 365 E5 Security is now available as an add-on for Microsoft 365 Business Premium—bringing next-level protection to businesses of all sizes.
Blog Series: Charting Your Path to Cyber Resiliency - Recently I was on a call with some Security leaders who were interested in how we at Microsoft could help them with cyber resiliency. But when I asked the questions "What does cyber resiliency mean to you?" and "What specific aspects of cyber resilience are you interested in improving?", they struggled to answer.
Building Secure Software from the Ground Up: Why It Matters for Nonprofits - Too often, security is treated as an afterthought, addressed only after a cyberattack or compliance requirement forces action. But waiting until something goes wrong can put donor data, volunteer or student data, and even the nonprofit’s overall mission at risk. The good news? Security doesn’t have to be reactive. It can be built into the software development process itself, ensuring applications are resilient from the start.
Securing Your Nonprofit Environment (Part 1) - Enabling Security Defaults - Keeping your nonprofit secure in Microsoft 365 starts with the right settings. Many nonprofits rely on Microsoft 365, but without the right security settings, they can be vulnerable to attacks. This blog series will walk you through practical steps to strengthen your cybersecurity, starting with enabling security defaults to add a strong layer of protection.
Securing Your Nonprofit Environment (Part 2): Best Practices to Secure Your Admin Accounts - Securing your Microsoft 365 admin accounts is critical for nonprofits, where every resource and every donor’s trust counts. With limited budgets and dedicated teams juggling multiple roles, protecting your digital assets is not just an IT issue—it’s a vital part of sustaining your mission. In this blog, we’ll discuss practical, conversational best practices tailored specifically for nonprofits to keep admin accounts secure.
Things to Watch/Listen To
Things to Have
Major Update to the "Developing Better Prompts for Microsoft Security Copilot" Workshop - I am thrilled to announce a significant update to our "Developing Better Prompts for Microsoft Security Copilot" workshop. This update brings a wealth of new content and enhancements designed to provide you with the most comprehensive and practical knowledge on prompt engineering for security applications.
Things from Partners
Quorum Cyber shortlisted at Microsoft's Security Excellence Awards 2025 - Quorum Cyber announces its triple award finalist status in the Microsoft Security Excellence Awards 2025.
Microsoft Sentinel Things
Automating Microsoft Sentinel Deployment with Azure DevOps CI/CD - This blog explores a comprehensive solution for automating Microsoft Sentinel deployments using Azure DevOps pipelines. By combining infrastructure-as-code (Bicep) with PowerShell automation, this solution streamlines the entire deployment process from infrastructure provisioning to content configuration.
Defender for Cloud Things
Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM - Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) directly addresses these challenges. It delivers automated compliance checks, continuous monitoring, real-time policy enforcement, and streamlined reporting. This results in a proactive security posture, enabling rapid gap detection and remediation while aligning security with business objectives.
Azure AI Foundry: Securing generative AI models with Microsoft Security - New generative AI models with a broad range of capabilities are emerging every week. In this world of rapid innovation, when choosing the models to integrate into your AI system, it is crucial to make a thoughtful risk assessment that ensures a balance between leveraging new advancements and maintaining robust security. At Microsoft, we are focusing on making our AI development platform a secure and trustworthy place where you can explore and innovate with confidence.
Defender XDR Things
Malvertising campaign leads to info stealers hosted on GitHub - In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.
Defending Against OAuth-Based Attacks with Automatic Attack Disruption - Over the past year, there has been a significant increase in nation-state attacks leveraging OAuth apps. Automatic disruption in Microsoft Defender XDR leverages AI and machine learning for real-time threat mitigation of suspicious OAuth activities. The speed and accuracy of automatic disruption helps to stop sophisticated attacks that are in progress and limit lateral movement and damage.
Defender for Cloud Apps Things
Role-Based Access Control scoping for "Behaviors" (Preview) - Defender for Cloud Apps customers can now configure Role-Based Access Control (RBAC) scoping for 'Behaviors.' This new capability allows administrators to define and manage access permissions more precisely. Administrators can ensure that users have the appropriate level of access to specific application data based on their roles and responsibilities. By using RBAC scoping, organizations can enhance their security posture, streamline operations, and reduce the risk of unauthorized access.
Level Up Your App Governance With MDA Workshop Series - Over the past two years, there has been a significant increase in nation-state attacks leveraging OAuth apps. These attacks often serve as entry points for privilege escalation, lateral movement, and damage. To effectively mitigate these risks, security teams need visibility and control over SaaS apps including GenAI apps to ensure that only trusted and compliant apps are in use.
Microsoft Purview Things
Did you know there's a Microsoft Purview community group on LinkedIn? Join here: https://www.linkedin.com/groups/14194139/
Improve your DLP maturity with DLP Analytics - DLP Analytics has the potential to transform the way that you protect your organization from data loss by identifying and closing data security risks. Let’s take a closer look and explore some of the advantages to enabling this great feature.
Microsoft Entra Things
Introducing Microsoft Entra Health alerts: An enhancement to tenant health monitoring - We’re excited to announce the launch of Microsoft Entra Health alerts, a new capability for detecting potential tenant health degradations, that layers on top of existing health metric data streams to enhance the observability of your tenant. The alerts feature exemplifies Microsoft Entra's commitment to quality and resilience, as discussed in a related May 2024 blog post. This functionality, already in use by thousands of tenants during its first month of public preview availability, enables our customers to effectively monitor and manage their tenants’ health.
Continuing with Microsoft Entra: Advanced Identity Management - In the previous blog Microsoft Entra Admin Center - Secure, Protect, & Manage, we explored the capabilities of the Microsoft Entra Admin Center, focusing on how it helps secure, protect, and manage your organization's identities and access. Building on that foundation, let's dive deeper into the advanced features and functionalities of Microsoft Entra ID, formerly known as Azure Active Directory, to further enhance your identity and access management strategy.
How-to sync EntraId group memberships into any system - We needed a fast way to check if a device or a user is a member of one or multiple EntraID groups for an application we were building. Our application will have a list of EntraID groups we periodically would need to check the memberships for. The number of groups will vary depending on how the app is used. The app should not have a hard limit for the maximum number of groups, so our solution needs to scale.