Things from Me
Happy Friday everyone!
March is almost over. I know it’s hard to believe. I tell the wife every year around the end of March that Christmas is just around the corner. She laughs off the comment, but then I’m proven correct when the rest of the year flies by and we’re hosting our kids and grandkids for Christmas Eve.
For those that don’t know, a couple of my colleagues and I host a weekly live show and podcast called “The Microsoft Security Insights Show.” The MSI Show has gathered a large following over the years, and we currently reach over 10,000 listeners/watchers per week. So, I guess we’re doing something right. You can find the show wherever you find podcasts now. We hope you’ll become a regular listener or join us live on Mondays at 5pm EST to interact with our guests.
This March was our 3rd annual Women in Cybersecurity month and we’re coming up on the finale on March 31st. March has flown by, and I can’t believe we’re already on the cusp of our last episode.
I’d love to invite each of you to join us on Monday, March 31st as the MSI Show closes out its 3rd annual Women in Cybersecurity month with a day-long event on Microsoft Reactor!
Register to join us! https://developer.microsoft.com/reactor/events/25104/
This is the show’s first big event, but we’re planning even more with in-person/hybrid events on the drawing board. Stay tuned for more.
…
For one more MSI Show note, May will be our annual partner month. This year we’ll be highlighting our Security Copilot partners who have already built Agents for Security Copilot. Agents are the next cool thing. You’ll definitely want to be on hand to see this enriching goodness. Keep tabs on the schedule:
https://www.microsoftsecurityinsights.com/p/show-schedule#%C2%A7may-partner-month
…
On a more personal note, my fiction works are now available as Audible Audiobooks! I know some of you have been waiting on this.
https://www.amazon.com/author/rodtrent
…
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
Transitioning from Legacy SIEM to Cloud-Native SIEM with Microsoft Sentinel and Aujas Cybersecurity - In the webinar "Transitioning from Legacy SIEM to Cloud-Native Security with Microsoft Sentinel and Aujas Cybersecurity," experts will discuss the challenges of traditional SIEMs and how a cloud-native approach enhances detection, response, and overall SOC efficiency. Learn best practices for a smooth migration and discover how to optimize your security infrastructure for the evolving threat landscape.
Things that are Related
Deprecation of Microsoft Defender Application Guard: Transitioning to Enhanced Security Solutions - For Windows 11 users, MDAG will continue to be supported until the end of support for Windows 11 23H2, which is November 10, 2026. After this date, Microsoft may turn off APIs necessary for MDAG to function, which could render the feature non-operational.
Part 2 - The Phishing Threat Landscape: Understanding Attack Types and Techniques - Phishing remains one of the most prevalent attack vectors worldwide. Despite growing awareness, these attacks succeed by targeting human psychology—exploiting trust, creating urgency, and bypassing technical controls. This article examines the types of phishing attacks organizations face today and their evolving tactics.
Enhance AI security and governance across multi-model and multi-cloud environments - Generative AI adoption is accelerating, with AI transformation happening in real-time across various industries. This rapid adoption is reshaping how organizations operate and innovate, but it also introduces new challenges that require careful attention.
Blog Series: Charting Your Path to Cyber Resiliency - Cyber resiliency is an organization’s ability to build and manage technology systems that limit the impact of cyberattacks. It helps organizations maintain operations, securely and effectively, when cyberattacks occur. As Microsoft notes, “An organization can never have perfect security, but it can become resilient to security attacks.”
Things to Watch/Listen To
Security Copilot Things
Stay ahead of evolving threats with the latest AI in Intune - Microsoft Intune is transforming endpoint management and extending AI innovation for IT with the introduction of Security Copilot agents. Agents empower organizations to improve their security posture, boost productivity, and simplify IT operations, while helping to address the constant pressure IT and security teams are under to manage complex endpoint environments and stay ahead of evolving threats.
Microsoft Sentinel Things
Are you getting the most out of Threat Intelligence in Sentinel? - Correlating threat intelligence feeds with your Security Information and Event Management (SIEM) data can significantly enhance your organization's cybersecurity posture.
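The kind of correlation that blurb refers to, as an added KQL example (not code from the linked article): join firewall traffic in CommonSecurityLog against active, unexpired IP indicators. It assumes the classic ThreatIntelligenceIndicator table and the standard CommonSecurityLog columns; the confidence threshold and lookback windows are illustrative choices.

```kql
// Added example: correlate TI IP indicators with outbound firewall traffic.
// Assumes the classic ThreatIntelligenceIndicator table; adjust the table and
// column names if your workspace has moved to the newer ThreatIntelIndicators table.
let lookback = 1d;        // how far back to scan traffic
let ioc_lookback = 14d;   // how far back to load indicators (they are re-ingested on update)
let ip_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP)
    | extend IndicatorIP = coalesce(NetworkDestinationIP, NetworkIP)
    // Keep only the latest version of each indicator, then drop revoked or expired ones.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorIP, IndicatorId, Description, ThreatType, ConfidenceScore;
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where isnotempty(DestinationIP)
| where not(ipv4_is_private(DestinationIP))   // RFC 1918 destinations will not be in a TI feed
| join kind=inner ip_indicators on $left.DestinationIP == $right.IndicatorIP
| where ConfidenceScore >= 50                  // illustrative threshold; tune per feed
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Sources = make_set(SourceIP, 20)
    by DestinationIP, IndicatorId, ThreatType, Description, ConfidenceScore
| order by ConfidenceScore desc, Hits desc
```

The arg_max step matters: the same indicator is written again whenever the feed updates it, so without deduplicating on IndicatorId you will match against stale copies that may since have been deactivated.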
Forward Logs To Microsoft Sentinel With A Private Link - In today’s hybrid and multi-cloud world, securing log data is critical for any organization's cybersecurity posture. Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution that centralizes security data, enabling advanced threat detection, proactive hunting, and rapid incident response. By integrating Azure Arc and leveraging Private Link with Private Endpoints, organizations can extend secure connectivity directly into Microsoft Sentinel from on-premises or other cloud environments without exposing data over public networks.
Creating a CCP connector: Part 3 - The Codeless Connector Platform is quite the complex product, so we’ll need a couple of blogs to get going, but I promise that this blog has the thing you’re truly interested in: We’ll be “programming” the actual API call that Sentinel makes. Let’s get started!
New capabilities coming to Microsoft Sentinel this Spring - We are excited to share the latest advances coming to Microsoft Sentinel over the next few months as we transform the SOC (Security Operations Center) with industry-leading capabilities. As threats continue to scale in velocity and sophistication, security analysts need more powerful tooling optimized for their workflows. This spring, customers can expect significant innovations across the SecOps lifecycle with simplified operational experiences, enhanced visibility and insights and greater AI-driven outcomes, all of which will help security teams to combat the emerging threat.
Microsoft Sentinel - Custom ASIM Parser for Solarwind Data source - This step-by-step guide for creating a custom Advanced Security Information Model (ASIM) parser for Solarwind data sources in Microsoft Sentinel details the processes of collecting logs, identifying schemas, mapping fields, developing parsers using Kusto Query Language (KQL), testing, and deploying the parser to enhance security event detection and data analysis.
Microsoft Sentinel Project Deployment Tracker - This article describes the “Microsoft Sentinel Project Deployment Tracker” workbook, which tracks the completion status of a Microsoft Sentinel deployment and gives a comprehensive overview of the data sources that have begun reporting.
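To make the parser-building steps in the SolarWinds ASIM guide above concrete, here is an added KQL example that is not from that guide: a minimal ASIM NetworkSession parser over a constructed syslog sample. The key=value message format, the “solarwinds-fw” process tag and the product name are assumptions for illustration; the starttime/endtime/disabled parameter signature and the Event*/Src*/Dst* column names follow the ASIM NetworkSession schema.

```kql
// Added example (not from the linked guide): minimal ASIM NetworkSession parser.
// SampleSyslog is a constructed stand-in for the Syslog table; the message format
// below is assumed for illustration, not the real SolarWinds format.
let SampleSyslog = datatable(TimeGenerated: datetime, HostName: string, ProcessName: string, SyslogMessage: string) [
    datetime(2025-03-28 10:00:00), "fw-edge-01", "solarwinds-fw",
        "src=10.0.1.25 dst=203.0.113.7 sport=51234 dport=443 proto=tcp action=allow bytes=1842",
    datetime(2025-03-28 10:00:05), "fw-edge-01", "solarwinds-fw",
        "src=10.0.1.25 dst=198.51.100.9 sport=51235 dport=22 proto=tcp action=deny bytes=0",
    datetime(2025-03-28 10:00:07), "fw-edge-01", "sshd",
        "Accepted publickey for admin from 10.0.9.4 port 40122"   // unrelated line, must be filtered out
];
// Standard ASIM parser signature: time window filters plus a 'disabled' switch so the
// unifying parser can skip this source cheaply.
let ASimNetworkSessionSolarWinds = (starttime: datetime = datetime(null), endtime: datetime = datetime(null), disabled: bool = false) {
    SampleSyslog   // replace with the Syslog table in a real deployment
    | where not(disabled)
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where ProcessName == "solarwinds-fw"   // assumed process tag for this source
    // Field extraction: typed key=value parsing of the message body.
    | parse-kv SyslogMessage as (src: string, dst: string, sport: int, dport: int, proto: string, action: string, bytes: long)
        with (pair_delimiter = " ", kv_delimiter = "=")
    // Field mapping: rename source columns to the ASIM NetworkSession names.
    | project-rename SrcIpAddr = src, DstIpAddr = dst, SrcPortNumber = sport, DstPortNumber = dport, NetworkProtocol = proto
    | extend
        EventVendor = "SolarWinds",
        EventProduct = "Firewall",          // assumed product name
        EventSchema = "NetworkSession",
        EventSchemaVersion = "0.2.6",
        EventType = "NetworkSession",
        EventCount = int(1),
        // Normalize the vendor verdict into the ASIM result and action vocabularies.
        EventResult = case(action =~ "allow", "Success", action =~ "deny", "Failure", "NA"),
        DvcAction = case(action =~ "allow", "Allow", action =~ "deny", "Deny", ""),
        DstBytes = bytes,
        Dvc = HostName
    | project-away action, bytes
};
// Testing: run the parser over the sample; expect two normalized rows and no sshd row.
ASimNetworkSessionSolarWinds()
```

Once the output columns line up with the schema, the guide’s deploy step is to save the function as a workspace function with a parser-style name so it can be referenced from the unifying ASIM parser and from existing NetworkSession analytics rules.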
Defender for Cloud Things
New innovations to protect custom AI applications with Defender for Cloud - We are excited to announce the general availability (GA) of threat protection for AI services, a capability that enhances threat protection in Microsoft Defender for Cloud. Starting May 1, 2025, the new Defender for AI Services plan will support models in Azure AI and Azure OpenAI Services.
Securing your organization from 'IngressNightmare' using Microsoft Security capabilities - On March 24, 2025, multiple vulnerabilities (CVE-2025-1097, CVE-2025-1098 (8.8), CVE-2025-24514 (8.8) and CVE-2025-1974 (9.8)) were disclosed in ingress-nginx, a widely used Kubernetes Ingress controller. An Ingress controller manages external HTTP/S traffic and directs it to services in a Kubernetes cluster. The most severe vulnerability, identified as CVE-2025-1974, has been assigned a CVSS score of 9.8. Exploitation of these vulnerabilities allows attackers to execute arbitrary code within the ingress-nginx controller container.
Defender XDR Things
Protect your SaaS applications from OAuth threats with attack path, advanced hunting and more! - Microsoft Defender for Cloud Apps introduces new capabilities to combat OAuth attacks. New features include OAuth data in the Exposure Management attack path, a unified application inventory, and OAuth insights for Advanced Hunting.
What’s new in Microsoft Defender XDR at Secure 2025 - Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we’re sharing new product features that spotlight our AI-first, end-to-end security innovations designed to help - including autonomous AI agents in the Security Operations Center (SOC), as well as automatic detection and response capabilities. We also share information on how you can expand your protection by bringing data security and collaboration tools closer to the SOC. Read on to learn more about how these capabilities can help your organization stay ahead of today’s advanced threat actors.
Defender for Cloud Apps Things
Protect SaaS apps from OAuth threats with attack path, advanced hunting and more - Over the past two years, nation-state attacks using OAuth apps have surged. To combat this threat and to help customers focus on the most important exposure points, Microsoft Defender for Cloud Apps introduces several new capabilities. OAuth applications are now integrated into the attack path experience within Exposure Management, providing an overview of the attack paths that a bad actor might take to access Microsoft 365 SaaS apps like Outlook and Teams. Additionally, a unified application inventory allows customers to manage both user-to-SaaS and OAuth-to-SaaS interactions with an 'action center' so that they can block or disable apps and create policies aligned to exposure points. Lastly, information about OAuth applications is now included in the Attack Surface Map and Advanced Hunting experience for comprehensive threat investigation and more effective threat hunting.
Microsoft Purview Things
Microsoft Purview – Data Security Posture Management (DSPM) for AI - In an age where Artificial Intelligence (AI) is rapidly transforming industries, ensuring the security and compliance of AI integrations is paramount. Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations monitor AI activity, enforce security policies, and prevent unauthorized data exposure.
Announcing Alert Triage Agents in Microsoft Purview, powered by Security Copilot - Automate the triage of potential data and user risks to prioritize alerts posing the greatest risk to your organization.
Mitigating insider risks in the age of AI with Microsoft Purview Insider Risk Management - New GenAI signals, enhanced capabilities and agentic workflows in Insider Risk Management to help you protect your data.
Strengthen data security posture in the era of AI with Microsoft Purview - Today, we are announcing Microsoft Purview Data Security Investigations (DSI), a new generative AI-powered solution that helps data security teams quickly understand and mitigate risks associated with sensitive data exposure. DSI further expands Microsoft Purview data security offerings, introducing AI-powered deep content analysis to uncover key sensitive data and security risks within incident-related data across multiple languages.
Protecting sensitive information in the era of AI with Microsoft Purview Information Protection - To help organizations navigate these challenges, Microsoft Purview Information Protection continues to advance its capabilities, enabling organizations to discover, classify, label, and protect sensitive information not only within Microsoft 365, but also across select non-Microsoft 365 data sources. In this blog, we will highlight the new enhancements and capabilities that make it easier to secure sensitive data, provide visibility, and enforce compliance policies.
Building layered protection: New Microsoft Purview data security controls for the browser & network - We are evolving Purview data security solutions to the modern AI era by extending capabilities to the network layer and Microsoft Edge for Business.
Prevent data loss across your ever-expanding data estate with Microsoft Purview Data Loss Prevention - Today, we are happy to announce over 25 new capabilities in Purview DLP that help expand visibility & protection beyond Microsoft 365, simplify the day-to-day admin experience, and enhance existing protections.
Introducing Microsoft Purview Data Security Investigations - Investigate data security, risk and leak cases faster by leveraging AI-driven insights with Microsoft Purview Data Security Investigations.
Defender for Office Things
General Availability for Collaboration Security for Microsoft Teams - Today we’re excited to announce the General Availability of collaboration security for Microsoft Teams. This new enhancement in Microsoft Defender for Office 365 helps protect against phishing, malware, and advanced attacks for Teams users, thanks to a robust set of protection capabilities and security workflows. Some of these features have been in public preview, and we are now introducing new capabilities to ensure users can fully leverage these enhanced features.
Defender Threat Intelligence Things
Introducing the Threat Intelligence Briefing Agent - The Security Copilot Threat Intelligence Briefing Agent produces timely, hyper-relevant threat intelligence reports in just minutes.
Microsoft Entra Things
Insights from the Secure Employee Access report reveal the need for unified access security - Traditional, highly specialized, and siloed approaches to securing employee access aren’t cutting it anymore. In fact, 98% of security leaders believe closer collaboration between identity and network teams would enhance security and efficiency. This is just one of the findings of the Secure Employee Access in the Age of AI report where we surveyed 300 security leaders to learn how their security strategies and investments are evolving as they tackle novel security challenges and enable secure AI transformation. This report focuses on key statistics and actionable insights to reimagine how to protect identities and access to applications and resources in your organization.
New innovations in Microsoft Entra to strengthen AI security and identity protection - I hope you’re as excited as I am about what feels like day-by-day advancements in AI and how it’s changing the game for how we work – and just as importantly, how we secure our organizations. AI is accelerating decision-making, automating protections, and strengthening defenses. But AI itself needs protection. As your org adopts AI, you’re being challenged to ensure identities, data, and access remain secure against emerging threats.