Things from Me
Happy Friday everyone! I hope you had the best week possible!
…
REMINDER - Newsletter Schedule: As I noted in last week’s newsletter issue, I have several upcoming trips. The next trip starts on Monday, February 24th, with travel to Paris followed by Denmark.
First up, my wife and I will be celebrating our 35th wedding anniversary in Paris. After that, we’re traveling to Denmark to meet friends and then I’ll have a couple speaking opportunities – one in the Microsoft office in Copenhagen and then at Experts Live. (https://expertslive.dk/)
Due to extensive travel, the newsletter will take a two-week hiatus and resume on March 14th.
I also mentioned last week that I have some additional speaking opportunities coming up. Here’s my current schedule:
May 6 - 8, 2025 - Microsoft 365 Community Conference: https://www.m365conf.com/
June 11th, 2025 - Workplace Ninjas Norway 2025:
June 16-17, 2025 - Workplace Ninjas UK 2025:
I hope to see many of you this year in-person.
…
Travel can be tough sometimes, but I’m excited to be back in Denmark. Last year at this time, I introduced the world to Microsoft Security Copilot. This year, I will be giving a State of the Union and talking about all of this past year’s investments. Security Copilot has been a mighty lift, and I’ll talk about all of it.
But I’m most excited about celebrating 35 years of marriage with my wife. If you and I would’ve grown up together, I would’ve been the very last person you would’ve thought could make a marriage successful. But here we are. Four kids, two grandkids, and a multitude of memories, love, and family.
That’s it from me for now.
Talk in a couple weeks. Don’t miss me too much.
-Rod
Things to Attend
The Hidden Threat in Your Security Posture - Why Configuration Drift Matters - Master Data-Driven Security Drift Management for Microsoft Environments. Date: Thursday, February 27, 2025. Duration: 1 Hour (2:00 PM - 3:00 PM EST)
Yellowhat 2025 is here! Join on March 6th for a global livestream focused on Microsoft Security—and it’s completely FREE! Prepare for strategic discussions on topics like Microsoft Defender XDR and Attack Disruption, with insights from industry leaders to protect your enterprise. Don’t miss out! Register now at https://yellowhat.live for a day of inspiration and innovation. See you online!
Things to Watch/Listen To
Microsoft Sentinel Things
Introducing Threat Intelligence Ingestion Rules - Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested into Microsoft Sentinel. You can now set custom conditions and actions on Indicators of Compromise (IoCs), Threat Actors, Attack Patterns, Identities, and their Relationships.
Integrating Fluent Bit with Microsoft Sentinel - If you already use Fluent Bit in your organization for log processing, integrating it with Microsoft Sentinel is also possible: Fluent Bit has an output plugin for the Azure Logs Ingestion API, which supports ingestion not only into custom tables but also into built-in tables.
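As an added illustration (not from the linked article), here is a minimal classic-mode Fluent Bit configuration that ships a tailed application log into a custom Sentinel table through the Logs Ingestion API output plugin. The option names are the `azure_logs_ingestion` plugin options as I recall them from its documentation; the log path, table name, DCE URL, DCR ID and app registration IDs are placeholders you replace with your own.

```ini
[SERVICE]
    Flush        5
    Log_Level    info

# Constructed input for this example: tail an application log. The path is an assumption.
[INPUT]
    Name            tail
    Path            /var/log/myapp/*.log
    Tag             myapp.*
    Read_from_Head  false

# Deliver records to the Log Analytics workspace behind Sentinel via the Logs Ingestion API.
# Assumptions: the custom table MyApp_CL already exists, the Data Collection Rule (DCR)
# declares a matching stream, and the app registration holds the Monitoring Metrics
# Publisher role on that DCR. Keep the client secret out of the file (env var below).
[OUTPUT]
    Name            azure_logs_ingestion
    Match           myapp.*
    tenant_id       00000000-0000-0000-0000-000000000000
    client_id       00000000-0000-0000-0000-000000000000
    client_secret   ${AZURE_CLIENT_SECRET}
    dce_url         https://my-dce-xxxx.eastus-1.ingest.monitor.azure.com
    dcr_id          dcr-00000000000000000000000000000000
    table_name      MyApp_CL
    time_key        timestamp
    time_generated  true
    compress        true
```

Run with `AZURE_CLIENT_SECRET` exported in the service environment; a 403 from the DCE almost always means the role assignment on the DCR is missing or has not propagated yet.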
Defender for Cloud Things
Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud - This article describes how you can build a Generative AI Threat Protection program using the out-of-the-box capabilities provided by Defender for Cloud.
New and enhanced multicloud regulatory compliance standards in Defender for Cloud - Today, we’re excited to share enhanced and expanded support of over 30 regulatory compliance frameworks in Defender for Cloud, across Azure, AWS, and GCP.
Microsoft Purview Things
General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint - Deter leakage and attribute leaks of highly sensitive information by configuring dynamic watermarking on protected sensitivity labels.
Microsoft Entra Things
Seamless and Secure Access to Digital Healthcare Records with Microsoft Entra Suite - Healthcare professionals who dedicate their skills to saving lives must also manage operational and safety challenges inherent to their roles. If you’re in charge of cybersecurity for a healthcare organization, you’re intimately familiar with the need to comply with government healthcare regulations that, for example, require securing access to systems that house patient health information (PHI), are used for overseeing controlled substances, or are necessary to enable the secure consumption of AI.
Seamless Security: Smartcard Logon from Entra-Only Machines to domain-joined Servers or AVDs - This article explains in detail how to enable smart card logon from Entra-joined machines to domain-joined servers or AVDs without "line of sight" to a Domain Controller.
Control Authentication Flows with Conditional Access - Microsoft Entra ID offers a comprehensive range of authentication and authorization flows to ensure seamless access across various applications and devices. However, not all flows carry the same level of risk, and some may introduce potential vulnerabilities if not managed properly. To address this, Microsoft has introduced enhanced security controls through Conditional Access policies, allowing organizations to take a more granular approach to securing their environments.
New Microsoft-managed policies to raise your identity security posture - As part of our ongoing commitment to enhance security and protect our customers from evolving cyber threats, we are excited to announce the rollout of two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned to the secure by default principle of our broader Secure Future Initiative, which aims to provide robust security measures to safeguard your organization by default.
Enhancing Security with Conditional Access for Workload Identities - Microsoft enables us to secure our service principals using their Workload Identities Premium license. In this blog, we’ll explore the potential risks associated with workload identities, how to analyze sign-in logs to identify threats, and strategies for mitigating those risks. We’ll also provide a step-by-step guide to setting up monitoring, including a KQL query to help summarize IP usage by workload identities.
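As an added example (my own query, not the one from the linked blog), this KQL summarizes IP usage per workload identity from the Sentinel table AADServicePrincipalSignInLogs and goes one step further than a plain summary: it compares the last day's source IPs against a two-week baseline and surfaces service principals signing in from addresses never seen before. The table and column names are real; the lookback window and set-size limits are constructed values.

```kusto
// Baseline: every source IP each service principal used successfully
// between 15 and 1 days ago (constructed window, adjust to your environment).
let lookback = 15d;
let baseline =
    AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where ResultType == 0
    | summarize KnownIPs = make_set(IPAddress, 500) by ServicePrincipalId;
// Last 24h: per-identity IP usage, then the subset of IPs absent from the baseline.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| summarize
    SignIns     = count(),
    DistinctIPs = dcount(IPAddress),
    IPs         = make_set(IPAddress, 50),
    Resources   = make_set(ResourceDisplayName, 20)
    by ServicePrincipalId, ServicePrincipalName, AppId
| join kind=leftouter baseline on ServicePrincipalId
// A principal with no history yields a null KnownIPs; treat it as an empty set.
| extend KnownIPs = iff(isnotnull(KnownIPs), KnownIPs, dynamic([]))
| extend NewIPs = set_difference(IPs, KnownIPs)
| where array_length(NewIPs) > 0
| project TimeWindowEnd = now(), ServicePrincipalName, AppId, SignIns, DistinctIPs,
          NewIPs, NewIPCount = array_length(NewIPs), Resources
| order by NewIPCount desc, SignIns desc
```

Identities with zero history in the baseline (newly created or newly active) will show every IP as new; triage those first, since a fresh service principal with a secret added out of band is a common sign of credential abuse.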