Things from Me
Happy Friday everyone!
It’s always amazing to see the power of visuals, isn't it? Last week’s newsletter had an unexpected star—our humble turkey wrap! The funny part? It seemed to have had everyone flocking to read more. Clearly, our subscribers have great taste (pun intended). Who knew a simple, mouth-watering image could spark such an appetite for content? 😂 It’s a reminder that sometimes, it’s the little things that make the biggest impact. Now, who’s up for lunch?
…
I recently started a sub-podcast to my primary personal podcast, called Monday Minutes. If you’re interested, every Monday I take 5-10 minutes to cover some of the previous week’s hottest security stories and then talk about some of the oddest, strangest security stories of the week. I’m still evolving this, so I’m happy to receive feedback. You can find both of my personal podcasts here: https://rodtrent.substack.com/podcast
…
I’ll be in New York City at the Javits Center next week. The AI Tour is swinging through New York and I’ll be on-hand to talk about - of all things - Security Copilot.
If you’re attending, please don’t hesitate to come find me to say ‘Hello’.
That said, I’ll be gone all week which means this newsletter will not deliver next week due to the rigors of the job. But I’ll (and the newsletter will) be back the week after.
…
You all know I write books, right? I’m surprised sometimes when I hear from people that didn’t know. In addition to the normal tech books I write for MS Press, Packt Publishing, and others, I also have written several fiction books (https://rodsfictionbooks.com/). Some of them are actually pretty popular. I hit best seller status recently with my Old Like Us series. I guess in some ways, I’m working on my retirement job. I’m sure I’ll be writing things for the rest of my professional and personal life.
But this week, I kicked off a new book series that is intended to fill a gap. The Pithy Guides are your shortcuts to mastery for any topic. Sometimes you just need to know what you need to know. Sometimes you just need a refresher or a flight’s worth of knowledge before a critical meeting. This is where the Pithy Guides come in.
Here’s what’s available so far:
The Pithy Guide to How to Mentor: Empowering the Next Generation of Leaders
The Pithy Guide to Generative AI: From Basics to Technical Mastery
The Pithy Guide to Cybersecurity: Strategies for Digital Life
In the near future, my hope is to invite others to help write for their own expert areas.
…
That’s it for me for this week. I hope your weekend is restful.
-Rod
P.S. Love this newsletter? Forward it to a friend, colleague, or family member.
Things to Attend
Microsoft AI Tour, New York City | Keynote - Thu, Jan 30, 2025, 10:00 AM - 11:00 AM (your local time) - Streaming live from New York City, the Microsoft AI Tour keynote features the latest insights for experts, industry leaders, and technical practitioners to learn how AI can unlock growth. Join Scott Guthrie, Executive Vice President, Cloud + AI Group at Microsoft, as he shares how you can accelerate your AI reinvention journey, including a major Surface for Business announcement.
Defender Experts: S.T.A.R. Forum - Strategies for Threat Awareness and Response, Episode 2 - Thu, Feb 27 - 11:00 AM - 12:00 PM EST - Online event - Want to sharpen your cybersecurity posture? Join Microsoft Defender Experts for a high-impact no-nonsense webinar on the latest threats and how to defend against them.
Things that are Related
Windows 11 security book - Microsoft is committed to putting security above all else, with products and services that are secure by design and secure by default. We synthesize more than 65 trillion signals daily to understand digital threats and criminal cyberactivity. Through the SFI initiative, we've dedicated the equivalent of 34,000 full-time engineers to the highest priority security tasks. We continuously apply what we learn from incidents to improve our security and privacy models, security architecture, and technical controls.
YellowHat on March 6th – Global Microsoft Security Livestream - Join a day filled with in-depth Microsoft Security talks and demonstrations, featuring solutions like Microsoft Defender (XDR), Microsoft Sentinel, Microsoft Purview, Microsoft Entra, AI-driven security, and more. Attendees will gain practical insights, real-world strategies, and opportunities to connect with security experts across the industry. The lineup includes a keynote by Raviv Tamir from Microsoft ILDC, along with sessions led by Roberto Rodriguez, Dirk-Jan Mollema, Mattias Borg, Thomas Neunheim, and other renowned MVPs.
Event Date/Time:
March 6, 2025 (Online)
3:00 p.m. Central European Time (Amsterdam) to ~10:00 p.m. CET
6:00 a.m. Eastern Standard Time (New York) to ~1:00 p.m. EST
Things to Watch/Listen To
Security Copilot Things
Microsoft Sentinel Things
What’s new: Find the Sentinel content you need using AI search - Now, when you search for content in the content hub, you will find every item that you need, even if it is only one part of a larger solution.
Hunt for identity-based threats with Security Copilot and Microsoft Sentinel - Identity-based attacks continue to be a major concern for organizations worldwide. According to Microsoft’s 2024 Digital Defense Report, identity and social engineering attacks have continued to rise, accounting for a substantial portion of all cyberattacks. These attacks have not only increased in frequency but have also become more sophisticated, leveraging advanced techniques to bypass traditional security measures. This underscores the urgent need for robust security measures that can effectively detect and mitigate these threats.
Modular playbook architectures - Sometimes we end up building problems for ourselves when creating automations in Microsoft Sentinel… We can end up with playbooks that are complicated, difficult to maintain, hard to change.
Improve SecOps collaboration with case management - Many SecOps teams use Microsoft Sentinel or Microsoft Defender to do security work, and rely on third-party tools to manage cases. The majority of these systems are not tuned to the unique needs of SecOps, resulting in generic views and data, a lack of security context to efficiently resolve cases, and increased time to respond, not to mention the incremental cost of implementing another system. Overreliance on third-party ticketing systems for communication and collaboration, inside and outside of the SOC, results in insufficient collaboration capabilities that are not fully integrated with SecOps workflows.
Defender for Cloud Things
Microsoft Defender for Cloud - Elevating Runtime Protection - In today's rapidly evolving digital landscape, runtime security is crucial for maintaining the integrity of applications in containerized environments. As threats become increasingly sophisticated, the demand for more adaptive protection continues to rise. Attackers are no longer relying on generic exploits — they are actively targeting vulnerabilities in container configurations, runtime processes, and shared resources. From injecting malicious code to escalating privileges and exploiting kernel vulnerabilities, their tactics are constantly evolving.
Defender XDR Things
Case management to improve SecOps Collaboration - Third-party tools are a common part of any IT tech stack, but they often lack the functionality required for the unique needs of security operations. They may require significant customization or workarounds to address case management in the SOC, or lack the ability to collect details like threat intelligence that are critical for resolving an incident. They also may require context switching into different portals, keeping teams from working as efficiently as possible.
Defender for Endpoint Things
Get greater visibility with aggregated reporting of endpoint telemetry signals - Endpoint security solutions collect large amounts of data from across your network in order to detect intruders. These signals are quickly processed to generate prompt, valuable security alerts and insights with a high signal-to-noise ratio while allowing operational continuity. During this process, certain data is typically dropped to reduce noise and optimize product performance and efficiency. This allows more complex signal logic to be applied to the significant data that is collected. With this approach, signals are continually filtered until high fidelity indicators of attack or compromise are found.
Defender for Identity Things
Introducing the new Defender for Identity sensor management API - Microsoft Defender for Identity is a cloud-based security solution that helps monitor and protect identities and infrastructure across your organization. Defender for Identity is a core component of Microsoft Defender XDR, leveraging signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced cyberthreats directed at your organization.
Microsoft Purview Things
Set up endpoint DLP evidence collection on your Azure Storage blob - Welcome to our comprehensive step-by-step guide to assist you in setting up your Azure Storage blob to collect files that match data loss prevention policies from devices!
Microsoft Entra Things
New Identity Secure Score recommendations in General Availability - Since the launch of Microsoft Entra recommendations and the announcement of various recommendation releases, we would like to highlight that 11 new Identity Secure Score recommendations are now generally available. These recommendations are designed to strengthen your organization's security posture and offer actionable insights to help identify and effectively mitigate risks.
Customize authentication experiences and URL domains for external apps - Following our previous blogs on security defaults and branding enhancements, we are sharing that it’s now possible to have a seamless IAM experience while decreasing your chances of a breach and thus significantly increasing your security level. In this blog, Mihai Popa, Principal Product Manager on the Microsoft Entra Product team, talks about how we achieve all this with the release of OpenID Connect and Custom URL Domains, which are now available in Microsoft Entra External ID.
User Behavior Analysis using Gen-AI | Security Copilot and Entra - Cyber security incidents often require entity analysis to understand blast radius, to investigate deeper, to take containment actions, to provide long-term resolutions etc. What if you could trigger an automated analysis, and create post analysis actions with Security Copilot? Here’s how!
Enhancing Security with Entra PIM and Conditional Access Policy using Authentication Context - Organizations face an ever-evolving set of threats targeting privileged accounts. These accounts often have elevated permissions, making them a high-value target for attackers. To mitigate these risks, Microsoft Entra’s Privileged Identity Management (PIM) and Conditional Access Policies offer robust solutions to manage, monitor, and secure privileged access. When combined with Authentication Context, organizations can adopt a highly granular approach to securing their resources, ensuring compliance with the Zero Trust security model.
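As an added example (not code from the linked article), here is what the PIM plus Conditional Access plus Authentication Context wiring looks like when done through Microsoft Graph from the Microsoft Graph PowerShell SDK. The context id c1, the role (Global Administrator, well-known template id 62e90394-69f5-4237-9190-012177145e10), the policy names and the choice of the built-in phishing-resistant MFA authentication strength are all assumptions for illustration. Note the caveat a practitioner hits first: PIM will not apply its own MFA-on-activation rule and an authentication context at the same time, so the enablement rule is changed to drop MFA before the context rule is switched on, and the Conditional Access policy starts in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: bind an Entra authentication context to a Conditional Access policy
# and to a PIM role setting via Microsoft Graph. Ids below are assumptions/placeholders.
Connect-MgGraph -Scopes 'AuthenticationContext.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagementPolicy.ReadWrite.Directory'

$contextId        = 'c1'                                      # authentication context ids are fixed to c1..c99
$roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'    # Global Administrator (well-known template id)
$graph            = 'https://graph.microsoft.com/v1.0'

# 1. Create or update the authentication context (PATCH on the id acts as an upsert).
$ctx = @{
    displayName = 'Privileged role activation'
    description = 'Requested by PIM when a privileged role is activated'
    isAvailable = $true
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/identity/conditionalAccess/authenticationContextClassReferences/$contextId" -Body ($ctx | ConvertTo-Json)

# 2. Conditional Access policy keyed on the context rather than on an app.
#    Report-only first; verify with GET $graph/policies/authenticationStrengthPolicies that the
#    built-in "Phishing-resistant MFA" strength still carries the id used here.
$policy = @{
    displayName = 'CA - PIM activation requires phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @() }   # put break-glass accounts in excludeUsers
        applications = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body ($policy | ConvertTo-Json -Depth 10)

# 3. Locate the PIM role management policy that governs this role at tenant scope.
$filter     = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$assignment = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$filter").value | Select-Object -First 1
$policyId   = $assignment.policyId

# 4. PIM's own MFA enablement rule and an authentication context are mutually exclusive:
#    remove MultiFactorAuthentication from the end-user activation rule, keep justification,
#    then enable the authentication context rule. MFA is now enforced by Conditional Access.
$target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'; inheritableSettings = @(); enforcedSettings = @() }
$enablement = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('Justification')
    target        = $target
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Enablement_EndUser_Assignment" -Body ($enablement | ConvertTo-Json -Depth 5)

$ctxRule = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
    isEnabled     = $true
    claimValue    = $contextId
    target        = $target
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/AuthenticationContext_EndUser_Assignment" -Body ($ctxRule | ConvertTo-Json -Depth 5)

# 5. Check the result: the rule should now be enabled with claimValue = c1.
Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/AuthenticationContext_EndUser_Assignment"
```

Once the report-only results in the sign-in logs look right (activations show the policy as "Report-only: Success" and break-glass accounts are excluded), flip the policy state to enabled. The same pattern extends to Azure resource roles by querying roleManagementPolicyAssignments with scopeType 'Subscription' or 'ResourceGroup' and the resource scope id instead of '/'.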
Exploring Microsoft Entra Private Access - Part 2 — Rubix - Welcome back – let’s continue our series on Microsoft Entra Private Access! If you missed Part 1, you can check it out here: Exploring Microsoft Entra Private Access. Let’s dive into the nitty-gritty of installing the GSA client, applying Conditional Access policies, and tackling some basic troubleshooting.
API-driven provisioning | Entra ID - In today's fast-paced digital world, lots of organizations still rely on manual processes to create and manage user accounts. This not only takes up valuable time but also increases the risk of errors and inefficiencies. Fortunately, with the arrival of automatic provisioning through Microsoft Entra ID, businesses can make their user management processes more streamlined, enhancing productivity and security. This article delves into the use and benefits of Microsoft Entra's API-driven user provisioning.
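As an added example (not code from the linked article), here is the shape of a call into Entra API-driven inbound provisioning: a SCIM BulkRequest posted to the provisioning job's bulkUpload endpoint. The service principal id, job id and the single user record are constructed placeholders; the bulkId/externalId pairing and the scope name are real parts of the API. The point worth seeing is that externalId is the matching key the job uses to decide between create and update, so a stable HR identifier there is what keeps repeated uploads from minting duplicate accounts.

```powershell
# Added example: upload one constructed HR record to an Entra API-driven provisioning job.
# servicePrincipalId and jobId are placeholders; read them from the provisioning app in the portal
# (or GET /servicePrincipals/{id}/synchronization/jobs). Only the dedicated upload identity
# should hold SynchronizationData-User.Upload; it grants nothing else in the tenant.
Connect-MgGraph -Scopes 'SynchronizationData-User.Upload'

$servicePrincipalId = '00000000-0000-0000-0000-000000000000'   # placeholder
$jobId              = 'API2AAD.00000000000000000000000000000000.00000000-0000-0000-0000-000000000000'  # placeholder

$employeeId = '701984'   # constructed sample; the stable HR key used for matching
$bulk = @{
    schemas    = @('urn:ietf:params:scim:api:messages:2.0:BulkRequest')
    Operations = @(
        @{
            method = 'POST'
            bulkId = $employeeId                 # client-side correlation id echoed back in the response
            path   = '/Users'
            data   = @{
                schemas    = @('urn:ietf:params:scim:schemas:core:2.0:User',
                               'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User')
                externalId = $employeeId         # matching attribute: create on first sight, update afterwards
                userName   = 'jane.doe@contoso.example'
                active     = $true
                name       = @{ givenName = 'Jane'; familyName = 'Doe'; formatted = 'Jane Doe' }
                emails     = @(@{ value = 'jane.doe@contoso.example'; type = 'work'; primary = $true })
                'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' = @{
                    employeeNumber = $employeeId
                    department     = 'Engineering'
                }
            }
        }
    )
    failOnErrors = $null   # SCIM bulk semantic: null means process every operation, do not stop at the first failure
}

$resp = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/servicePrincipals/$servicePrincipalId/synchronization/jobs/$jobId/bulkUpload" `
    -ContentType 'application/scim+json' `
    -Body ($bulk | ConvertTo-Json -Depth 10) `
    -OutputType HttpResponseMessage

# The job accepts the payload asynchronously: expect 202 Accepted. Whether the user was actually
# created or updated is only visible later in the provisioning logs for this job, so poll those
# (and alert on failures) rather than treating the 202 as success.
$resp.StatusCode
$resp.Headers.Location
```

Deactivating a leaver is the same request with active = $false and the same externalId; because matching is on externalId, the job updates the existing account instead of creating another one.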