Microsoft SIEM and XDR Weekly Wrap - Issue #32

Thrilling Saga

Things from Me

Happy Friday everyone!

Welcome to this week's newsletter! We have an exciting lineup of topics that will keep you informed and engaged.

First, we delve into building resilient defenses with Microsoft Security, exploring a multi-layered approach to tackle sophisticated phishing attacks. Next, we introduce the AI Red Teaming Agent, a powerful tool to accelerate your AI safety and security journey with Azure AI Foundry.

We also have insightful articles on understanding and mitigating security risks in MCP implementations, and exploring the transformative Model Context Protocol (MCP) for AI interoperability. Additionally, learn how to optimize DDoS protection costs by adding IPs to existing plans.

Don't miss the latest episode of The Microsoft Security Insights Show, featuring Nathan Swift and a demo-heavy session on Microsoft Defender EASM and the TwistDNS algorithm.

Finally, we cover advanced topics in Microsoft Sentinel, including automated incident reporting systems, effective threat hunting techniques, and enhancing security visibility with summary rules for Fortinet logs.

Stay tuned for more updates and insights!

Talk soon.

-Rod

Things that are Related

Part 4 - Building Resilient Defences with Microsoft Security: A Multi-layered Approach - As phishing attacks have grown increasingly sophisticated, with tools capable of bypassing traditional security controls, building effective defences requires a multi-layered approach addressing technical, procedural, and human elements of security.

Introducing AI Red Teaming Agent: Accelerate your AI safety and security journey with Azure AI Foundry - Today we are excited to announce the public preview of the AI Red Teaming Agent for generative AI systems. We have integrated Microsoft AI Red Team’s open-source toolkit PyRIT (Python Risk Identification Tool) into Azure AI Foundry to complement its existing risk and safety evaluations with the ability to systematically evaluate how your AI model or application behaves when being probed by an adversary.

Understanding and mitigating security risks in MCP implementations - In this blog post, we’re going to look at some of the security risks that could be introduced to your environment when using Model Context Protocol (MCP), and what controls you can put in place to mitigate them.

Exploring the Model Context Protocol (MCP): A Cornerstone for AI Interoperability - The Model Context Protocol (MCP) represents a transformative leap in AI interoperability, offering a standardized interface that facilitates seamless interaction between AI models and external tools and resources. By breaking down data silos, MCP empowers organizations to integrate diverse systems with unprecedented efficiency. As AI continues to evolve, MCP emerges as a critical enabler for scalable, secure, and sustainable AI development.

Optimizing DDoS Protection Costs: Adding IPs to Existing DDoS Protection Plans - Azure DDoS Protection has been a key part of securing internet-facing applications in the cloud. The DDoS Network Protection SKU already provides robust capabilities for protecting resources at scale. However, in certain architectures, additional flexibility is beneficial. This allows organizations to align protection more closely with their security and cost management strategies.

Things to Watch/Listen To

The Microsoft Security Insights Show Episode 257 - Nathan Swift

Security Copilot Things

THE PROMPT for Security Copilot

THE PROMPT for Security Copilot is a bi-weekly newsletter that covers Microsoft Security Copilot.

By Rod Trent

Microsoft Sentinel Things

Building an Automated Sentinel Incident Reporting System with Azure Logic Apps - Sentinel Alerts to Actionable Insights: Streamlining Security Incident Communication with Power-Packed Logic Apps.

Health check your Sentinel - Part 1 - Microsoft has already done some work to "optimize" your Sentinel instance. Here are the kinds of recommendations from SOC Optimization capability.

Secrets to Effective Threat Hunting: Advanced Sentinel Playbook Configurations and Telemetry Analysis Techniques - Threat hunting is no longer a luxury reserved for elite security teams—it is now a cornerstone of proactive cybersecurity strategies. With the sophistication of modern threats and the increasing complexity of digital estates, organizations must leverage advanced tools and techniques to identify, neutralize, and preempt malicious activities. Microsoft Sentinel, a cloud-native SIEM and SOAR solution, empowers security teams with the ability to configure playbooks and analyze telemetry at scale. This blog explores the secrets to effective threat hunting, focusing on advanced Sentinel playbook configurations and telemetry analysis techniques.

Breach Defence Automation: Creating Your Hybrid Account Kill Switch with Microsoft Sentinel and Logic Apps - Introduction This is Part 4 of our six-part series on phishing attacks and defences. In previous instalments, we've explored various phishing attack types, examined advanced phishing frameworks, and delved into post-exploitation techniques.

Enhancing Security Visibility With Microsoft Sentinel Summary Rules For Fortinet Logs And Threat Intelligence - Microsoft Sentinel is a powerful cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution to help organizations aggregate, analyze, and act on security data. One of its recent innovations, Summary Rules with Auxiliary Logs, offers significant advantages in performance and cost by precompiling and aggregating raw log data into concise tables.

Part 5 - Advanced Phishing Detection and Response with Microsoft Sentinel and the Unified SOC - Despite our best preventative efforts, sophisticated phishing attacks will occasionally succeed. When prevention fails, rapid detection becomes critical to limiting the impact of a compromise. Microsoft Sentinel and the new Unified Security Operations Platform provide powerful capabilities for identifying potentially phished users and orchestrating swift responses to contain and remediate threats.

Microsoft Purview Things

Exploring the Different Areas of Microsoft Purview - Microsoft Purview is a comprehensive suite of solutions designed to help organizations manage, govern, and protect their data estate. As enterprises increasingly rely on data to drive decision-making and innovation, Purview offers advanced capabilities to ensure data security, regulatory compliance, and seamless governance across diverse environments, from on-premises to multi-cloud and SaaS applications. Let’s explore the different areas of Microsoft Purview and understand how they collectively empower organizations to maximize the business value of their data while mitigating risks.

Purview for Security and Fabric Copilot interactions has entered Public Preview - Outlines the requirements for capturing prompts and responses for Copilot in Fabric and Security Copilot.

How to deploy Microsoft Purview DSPM for AI to secure your AI apps - Learn how to secure and govern the interactions of Microsoft Copilot experiences, Enterprise AI apps, and all other AI apps with Microsoft Purview Data Security Posture Management (DSPM) for AI.

Data Governance Myths: Dispel Common Misconceptions - Data governance is a cornerstone of modern business operations. It ensures that data, one of the most valuable assets of any organization, is protected, accessible, and utilized effectively. However, myths and misconceptions surrounding compliance and governance often cloud understanding and hinder progress. In this blog post, we’ll dispel common myths about data governance and compliance to foster clarity and confidence in managing organizational data.

Comprehensive Guide to Configuring Advanced Auditing - Unfortunately, the default configuration for Advanced Auditing is not ideal. Not all events enabled out of the box, and there is no built-in mechanism to apply better settings by default… This means we have to create policies and also implement automation to ensure all audit records are being generated for our users.

Microsoft Purview: New data security controls for the browser & network - Protect your organization’s data with Microsoft Purview. Gain complete visibility into potential data leaks, from AI applications to unmanaged cloud services, and take immediate action to prevent unwanted data sharing. Microsoft Purview unifies data security controls across Microsoft 365 apps, the Edge browser, Windows and macOS endpoints, and even network communications over HTTPS — all in one place.

Best Practices for Managing Data Security and Compliance with Microsoft Purview During Hybrid Migration - Migrating data from on-premises systems to the cloud can open doors to scalability, flexibility, and enhanced operational efficiency. However, this process also presents challenges in ensuring data security and compliance, especially in hybrid environments where some data remains on-premises while the rest transitions to the cloud. Microsoft Purview, an integrated data governance solution, offers robust tools to ensure security, compliance, and governance for such scenarios. This blog post outlines best practices for leveraging Microsoft Purview to manage data security and compliance during hybrid migration.

Upcoming changes to Microsoft Purview eDiscovery - Today, we are announcing three significant updates to the Microsoft Purview eDiscovery products and services. These updates reinforce our commitment to meeting and exceeding the data security, privacy, and compliance requirements of our customers. Effective May 26, 2025, the following changes will take effect:

1. Content Search will transition to the new unified Purview eDiscovery experience.

2. The eDiscovery (Standard) classic experience will transition to the new unified Purview eDiscovery experience.

3. The eDiscovery export PowerShell cmdlet parameters will be retired.

Defender for Office Things

Microsoft Entra Things

Securing a Global Giant: Inside IKEA's Identity Strategy with Martin - In this insightful discussion, Martin Sandren from IKEA joins Entra Chat to discuss the evolving landscape of IAM.

Insights and reporting of Conditional Access policies - Conditional Access policies play a key role in keeping your organization's resources secure in Entra ID. Keeping an eye on these policies helps ensure they're doing their job and gives you valuable insights into their effectiveness. In this guide, I'll show you how to set up the reports with Log Analytics Workspace and diagnostic settings to monitor and report on these policies.

Step-by-Step Guide : How to enable QR code authentication for Microsoft Entra ID (Preview) ? - Microsoft Entra ID now supports QR authentication, a method specifically designed for frontline workers who use shared devices. This provides a convenient and secure login experience for these workers.