Things from Me
Happy Friday, everyone!
Welcome back!
I hope this message finds you well.
I had the pleasure of attending the M365 conference in Las Vegas last week. It was an incredible experience where I had the opportunity to engage with our customers, understand their needs, and discuss how we can continue to improve our offerings. One of the highlights of the conference was delivering a highly valued session on Microsoft Security Copilot. The feedback was overwhelmingly positive, and it was great to see the enthusiasm and interest in our security solutions.
…
Addressing the elephant in the room.
The latest round of layoffs at Microsoft—impacting around 6,000 employees—is a stark reminder of the shifting tides in the tech industry. These cuts span various roles, including software developers, product managers, and technical program managers, as the company refocuses on artificial intelligence and streamlining operations.
For those affected, this moment is more than just a career transition—it’s a profound upheaval. Many dedicated professionals, who have poured their expertise and passion into shaping Microsoft’s innovations, now find themselves navigating uncertainty. As one former employee put it, “No matter how hard you work, how much you advocate for your company, or how much results and visibility you bring… none of that makes you immune to restructuring”.
Layoffs are never just numbers; they represent livelihoods, aspirations, and the ripple effects on families and communities. While Microsoft continues to invest heavily in AI and future technologies, it’s important to acknowledge the human cost of these decisions. To those impacted—your contributions mattered, and your next chapter holds promise. The tech world is vast, and your skills will find new ground to flourish.
…
That’s it from me for this week. Have a great week ahead.
Talk soon.
-Rod
Things to Attend
Upcoming Microsoft public webinars:
May 20 (9:00AM) - Microsoft Sentinel | Unlocking the Power of the Unified SecOps: Mastering Multiple Workspaces and Tenants
May 21 (9:00AM) - Microsoft Defender XDR | Mastering Microsoft Defender for Office 365: Configuration Best Practices
May 22 (8:00AM) - Microsoft Defender for Cloud | What's New in Defender for Storage
May 27 (8:00AM) - Microsoft Defender for Cloud | Defender for SQL on Machines Enhanced Agent Update
May 28 (8:00AM) - Azure Network Security | Azure Firewall - Management, Monitoring and Troubleshooting
May 29 (9:00AM) - Microsoft Sentinel | Explore New Case Management Features
June 4 (8:00AM) - Microsoft Purview | eDiscovery - New User Experience for Premium
June 5 (8:00AM) - Azure Network Security | Boosting Azure DDoS Protection with First-Party Integrations
June 10 (8:00AM) - Microsoft Purview | Purview for AI Network Level Integration
June 26 (8:00AM) - Azure Network Security | Mastering Azure WAF Rulesets: Best Practices and Strategies
Register here: https://aka.ms/SecurityCommunity.
Things that are Related
How the Microsoft Secure Future Initiative brings Zero Trust to life - In this blog, you’ll learn more about how the Microsoft Secure Future Initiative (SFI)—a real-world case study on Zero Trust—aligns with Zero Trust strategies. We’ll share key updates from the April 2025 SFI progress report and practical Zero Trust guidance to help you strengthen your organization’s security posture. Whether you’re looking to enhance protection, reduce risk, or future-proof your environment, this blog offers actionable insights to support your journey toward a more secure future.
MCP KQL Server - A Model Context Protocol (MCP) server for executing Kusto Query Language (KQL) queries against Azure Data Explorer clusters. Seamlessly integrates with Claude Desktop and Visual Studio Code (VS Code).
I recently started a new KQL series to dig into some of the various advanced topics. Here’s what’s available so far:
Exploring the Power of the KQL Evaluate Operator
Understanding the KQL mv-expand Operator
Understanding the KQL Parse Operator
Understanding Tabular Expression Statements in Kusto Query Language (KQL)
Understanding the Restrict Statement in Kusto Query Language (KQL)
Creating Geospatial Visualizations with Kusto Query Language (KQL)
Mastering Aggregation Functions in Kusto Query Language (KQL)
Exploring Kusto.Cli: A Command-Line Utility for Kusto Query Language
A Deep Dive into the KQL Join Operator
Things to Watch/Listen To
Security Copilot Things
Microsoft Sentinel Things
A Little Slice of...USOP Custom Detection Rules - In the face of increasingly sophisticated cyber threats, organizations must adopt advanced security measures to protect their digital assets. Join us (Jon Shectman from #microsoft and Clive Watson from #quorumcyber) as we explore how to effectively create, adopt, and use custom detection rules in the Unified Security Operations Platform (USOP).
Announcing File Attachments for Case Management - We are excited to announce the public preview of File Attachments for Case Management. Comprehensive and localized information sharing is critical for making fast and accurate decisions in case investigations. Learn more about how Case Attachments can enhance your communication with your SOC team.
Automate Extraction of Microsoft Sentinel Analytical Rules from GitHub Solutions - It’s often helpful to have visibility into all the built-in analytical rules included within a solution—especially prior to deployment. Whether you're preparing for a client discussion or reviewing Microsoft recommendations, having a clear, exportable view of these rules is essential. That’s exactly what this PowerShell script delivers.
Sentinel Notebook: Guided Hunting - Domain Generation Algorithm (DGA) Detection - This notebook, titled “Guided Hunting - Domain Generation Algorithm (DGA) Detection”, provides a framework for investigating anomalous network activity by identifying domains generated by algorithms, which are often used by malware to evade detection. It integrates data from Log Analytics (DeviceNetworkEvents) and employs Python-based tools and libraries such as “msticpy”, “pandas”, and “scikit-learn” for analysis and visualization. DGA detection is crucial for cybersecurity as it helps identify and mitigate threats like botnets and malware that use dynamically generated domains for command-and-control communication, making it a key component in proactive threat hunting and network defense.
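To make the detection idea behind that notebook concrete, here is an added example (my own code, not the notebook's and not msticpy's) that scores the registrable label of each remote domain with a few lexical DGA indicators: character entropy, vowel ratio, digit ratio and longest consonant run. The rows are constructed in the shape of the DeviceNetworkEvents columns the notebook reads (DeviceName, RemoteUrl); the domain values and the scoring weights are assumptions made for this illustration, not tuned thresholds from the notebook.

```python
import math
from collections import Counter

# Constructed sample rows shaped like the DeviceNetworkEvents columns the
# notebook reads (DeviceName, RemoteUrl). Values are made up for this example.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteUrl": "www.microsoft.com"},
    {"DeviceName": "ws01", "RemoteUrl": "login.microsoftonline.com"},
    {"DeviceName": "ws02", "RemoteUrl": "xk3j9qz7vbw2.com"},
    {"DeviceName": "ws02", "RemoteUrl": "qwpzvkxjtrnb.net"},
    {"DeviceName": "ws03", "RemoteUrl": "github.com"},
]

VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Return the label left of the suffix, e.g. 'microsoft' for
    'login.microsoft.com'. Assumes a single-label TLD; a production
    pipeline would consult a public-suffix list instead."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character of the label; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def dga_features(label):
    """Lexical indicators commonly used as DGA features (assumed set)."""
    n = len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n if n else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / n if n else 0.0
    run = longest = 0
    for ch in label:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        longest = max(longest, run)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "max_consonant_run": longest,
    }


def dga_score(label):
    """Additive heuristic score; the weights below are illustrative."""
    f = dga_features(label)
    score = 0
    if f["length"] >= 10:
        score += 1
    if f["vowel_ratio"] < 0.2:
        score += 2
    if f["max_consonant_run"] >= 5:
        score += 2
    if f["digit_ratio"] > 0.2:
        score += 1
    if f["entropy"] >= 3.3:
        score += 1
    return score


def flag_dga_domains(events, threshold=3):
    """Return (DeviceName, RemoteUrl, score) for rows whose domain label
    scores at or above the threshold, highest score first."""
    flagged = []
    for ev in events:
        score = dga_score(registrable_label(ev["RemoteUrl"]))
        if score >= threshold:
            flagged.append((ev["DeviceName"], ev["RemoteUrl"], score))
    return sorted(flagged, key=lambda row: -row[2])


if __name__ == "__main__":
    for device, url, score in flag_dga_domains(SAMPLE_EVENTS):
        print(f"{device}\t{url}\tscore={score}")
```

Run against real DeviceNetworkEvents output the flagged rows become hunting leads rather than verdicts: short brand names and CDN hostnames can score high on entropy alone, which is why the notebook's approach of combining features in a trained model beats a fixed threshold like the one here.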
The Power of a Unified SIEM+XDR IdentityInfo Schema - We are excited to share that the updated IdentityInfo schema is planned to be available by May 12th! This upcoming enhancement will unify identity insights from SIEM (Microsoft Sentinel, UEBA) and XDR (Microsoft Defender for Identity) into a single, streamlined table - enhancing security operations, threat detection, and investigation workflows.
Risk-based Recommendation for SOC Optimization - This post is part of a blog series highlighting new SOC optimization capabilities designed to help SOC teams maximize security value and reduce costs, leveraging tailored dynamic recommendations. In this post, we will focus on Risk-Based Optimization, an exciting new capability that helps prioritize detection coverage based on the business risks most pertinent to your organization.
Microsoft Sentinel as a Next-Gen SIEM: Performance, Cost, and Real-World Impact - As cybersecurity threats become increasingly sophisticated, security teams demand SIEM solutions that deliver exceptional performance, scalability, and cost efficiency. Microsoft Sentinel has rapidly gained traction, offering cloud-native capabilities, advanced analytics, and flexible licensing models. This article provides a practical, insightful evaluation of Sentinel’s performance, cost-effectiveness, detailed comparisons with other leading SIEM platforms, and highlights real-world implementation outcomes.
CI/CD Implementation for Azure Sentinel Using Terraform - This blog walks through a modern CI/CD implementation using Terraform and Azure DevOps to automate the deployment and management of Azure Sentinel resources. We’ll provision the infrastructure, deploy analytic rules, configure workbooks, and prepare a pipeline to enable continuous integration and delivery.
Defender for Cloud Things
Assign recommendations to active users (Preview) - The Active User feature helps security administrators identify and assign recommendations to the most relevant users based on recent control plane activity. Each recommendation might have up to three active users recommended at the resource, resource group, or subscription level. Administrators can select a user from the list, assign the recommendation, and set a due date, which triggers a notification to the assigned user. This approach streamlines remediation workflows, reduces investigation time, and strengthens overall security posture.
Defender for Endpoint Things
(GA) New setting for "Allow Network Protection On Win Server" - lets you manage Network Protection for Windows Server 2019 and later in Microsoft Defender for Endpoint Security Settings Management and Microsoft Intune.
Defender for Endpoint successfully passes the AV-Comparatives 2025 Anti-Tampering Test - AV-Comparatives has recognized Microsoft Defender for Endpoint for successfully thwarting all tampering attempts levied during the 2025 Anti-Tampering Test.
Defender XDR Things
(Preview) You can now highlight your security operations achievements and the impact of Microsoft Defender using the unified security summary. The unified security summary is available in the Microsoft Defender portal and streamlines the process for SOC teams to generate security reports, saving time usually spent on collecting data from various sources and creating reports. For more information, see Visualize security impact with the unified security summary.
Defender portal users who have onboarded Microsoft Sentinel and have enabled User and Entity Behavior Analytics (UEBA) can now take advantage of the new unified IdentityInfo table in advanced hunting. This latest version now includes the largest possible set of fields common to both the Defender and Azure portals.
(Preview) The following advanced hunting schema tables are now available for preview to help you look through Microsoft Teams events and related information:
The MessageEvents table contains details about messages sent and received within your organization at the time of delivery
The MessagePostDeliveryEvents table contains information about security events that occurred after the delivery of a Microsoft Teams message in your organization
The MessageUrlInfo table contains information about URLs sent through Microsoft Teams messages in your organization
Defender for Cloud Apps Things
OAuth app information is now available in attack paths (Preview) - The Security Exposure Management platform now includes OAuth applications as part of the attack path and attack surface map experiences. This enhancement enables you to visualize how attackers could exploit OAuth apps to move laterally within your environment and access critical assets. By identifying these attack paths and investigating associated permissions, you can reduce exposure and improve the security posture of your Microsoft 365 services.
OAuthAppInfo table added to Defender XDR advanced hunting (Preview) - The table is now available in Defender XDR advanced hunting, enabling security teams to explore and analyze OAuth app-related metadata with enhanced visibility. This table provides details on Microsoft 365-connected OAuth applications that are registered with Microsoft Entra ID and accessible through the Defender for Cloud Apps app governance capability.
Defender Experts Things
Choosing between Microsoft Defender Experts for Hunting and Microsoft Defender Experts for XDR - Understand the unique capabilities of each service to decide which option best fits your security needs.
Microsoft Purview Things
Cool opportunity! Review your experience using the various Microsoft Purview products on Gartner Peer Insights and receive a $25 gift card!
Choose one or all!
Getting Started with the New Purview eDiscovery (E3) - This guide is intended to help organizations who wish to replicate their existing classic eDiscovery (Standard) workflows in the new Purview eDiscovery.
People of Purview: Nikki Chapple - Meet Nikki Chapple, from the London area of the UK, Principal Cloud Architect at CloudWay, and Microsoft MVP and Customer Connection Program member! Nikki has worked with Microsoft products for over 10 years, although her IT career spans four decades, starting in the days of paper tape and punch cards! Her background is in enterprise architecture, translating business needs into practical technical solutions. Nikki specializes in data governance, security, and change management, helping organizations adopt Microsoft 365 in a way that prioritizes people, processes, and policy, not just technology.
UPDATE: Microsoft Purview pricing options for protecting AI apps and agents - Starting May 1, 2025, Microsoft Purview is expanding its consumption-based (PAYG) pricing to better align with how data flows through networks, GenAI apps, pipelines, and AI agents—not just users.