Microsoft SIEM and XDR Weekly Wrap - Issue #33
Cyber Shenanigans: Where Firewalls and Follies Collide
Things from Me
Happy Friday, folks!
Welcome to our latest newsletter! In this edition, we cover critical updates and best practices for enhancing your digital security and governance.
We discuss the upcoming requirement for service principals in Microsoft Entra ID starting March 2026, explore Data Security Posture Management within Microsoft Purview, and provide a guide to replicating classic content search workflows in the new Purview Content Search.
Additionally, we highlight how Microsoft Purview protections can be leveraged for Microsoft 365 Copilot, and share best practices for inventorying and classifying data using Microsoft Purview.
Lots of Purview this week, right? But for good reason. We have Microsoft Build coming up next month and there may be some sort of announcement made during that week. <nudge, nudge - wink, wink>
I’m still waiting on approval, but I hope to be at Microsoft Build as a representative in my new role here at Microsoft. We’ll see.
But I will definitely see many of you next month at the Microsoft 365 Community Conference in Vegas. I used to travel to Vegas for conferences at least twice a year for 20 years or so, but this is my first trip back since the Covid gap. I’m really looking forward to it.
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative - The Microsoft Secure Future Initiative (SFI) stands as the largest cybersecurity engineering project in history and the most extensive effort of its kind at Microsoft. Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest priority security tasks. Now, we are sharing the second SFI progress report, which highlights progress made in our multi-year journey to improve the security posture of Microsoft, our customers, and the industry at large.
Hot off the press: April 2025 MCRA is here! - The latest release of the Microsoft Cybersecurity Reference Architectures (MCRA) is now available — and it's packed with major updates you won’t want to miss.
Kusto Detective Agency is back!
📅 Save the day: June 8th, 2025
📝 Register now: https://detective.kusto.io/register
📜 Competition rules: https://detective.kusto.io/CyberDutyRules
Things to Watch/Listen To
Security Copilot Things
Microsoft Sentinel Things
RSAC 2025 new Microsoft Sentinel connectors announcement - Discover the latest Microsoft Sentinel integrations from top partners to enhance your security with seamless connections, advanced analytics, and powerful threat response capabilities.
App Assure’s promise: Migrate to Sentinel with confidence - The App Assure team backs Microsoft Sentinel’s Codeless Connector Platform, ensuring ISVs deliver high-performance, secure integrations that make migrating to our cloud-native SIEM seamless and reliable.
The Microsoft Sentinel Attack Range - A tool that allows security teams to create a small lab environment to simulate attacks and generate data in Microsoft Sentinel for detection testing and validation.
Sandfly: Creating Linux Alerts Incidents in Microsoft Azure Sentinel — With KQL Parser buildout - In this article, we will go over how to get the alert information parsed and usable so that it can be used for incident creation in Microsoft Sentinel.
Transitioning from the HTTP Data Collector API to the Log Ingestion API…What does it mean for me? - Many customers have recently received an email sharing the information that the HTTP Data Collector API will be retired on September 14, 2026. What exactly does that mean for you?
Fluent Bit #2 - Data Replay - In my previous post, I demonstrated how to set up basic aggregated logging for firewall events using Fluent Bit, effectively reducing log ingestion costs in a way similar to Sentinel’s Summary rules. In this follow-up, I will walk you through a practical solution for storing these logs cost-effectively in an Azure Storage Account and show how you can later bring them back into Sentinel for analysis.
Defender for Endpoint Things
Implementing Endpoint Security Configuration: A Guide to Fortifying Your Business - Endpoint security has become a critical element in safeguarding organizational assets in today’s threat landscape. By proactively defending endpoints such as laptops, desktops, and mobile devices, businesses can mitigate risks and ensure the integrity of their operations. Microsoft Intune offers a powerful platform for endpoint security configuration, enabling organizations to centralize and streamline security settings for managed devices. In this blog, we will delve into the best practices for implementing robust endpoint security configurations using Intune and its integration with Microsoft Defender for Endpoint.
Microsoft Purview Things
Best Practices and Prescriptive Guidance for Inventorying and Classifying Data using Microsoft Purview - Inventorying and classifying data effectively is crucial for achieving compliance, ensuring security, and enhancing decision-making. Microsoft Purview, a robust data governance solution, provides the tools necessary to streamline these processes. This blog post presents best practices and prescriptive guidance for leveraging Microsoft Purview to inventory and classify data, enabling your organization to extract maximum value while safeguarding sensitive information.
Microsoft Purview protections for Copilot - Use Microsoft Purview and Microsoft 365 Copilot together to build a secure, enterprise-ready foundation for generative AI.
Getting started with the new Purview Content Search - This guide is intended to help organizations who wish to replicate their existing classic content search workflows in the new Purview Content Search.
Exploring Data Security Posture Management (DSPM) within Microsoft Purview - Data is the lifeblood of organizations. While the opportunities presented by data are immense, they also come with growing challenges related to governance, compliance, and security. Among these challenges, managing an organization's data security posture has become increasingly critical as cyber threats grow more sophisticated. This brings us to the concept of Data Security Posture Management (DSPM), a cutting-edge approach to securing and governing data, and how it is seamlessly integrated into Microsoft Purview.
Microsoft Purview eDiscovery is getting a unified, streamlined experience starting May 26, 2025! - We are announcing three major updates to Microsoft Purview eDiscovery, enhancing our commitment to data security, privacy, and compliance.
Microsoft Entra Things
Service principal required for Microsoft Entra ID - Starting March 2026, Microsoft Entra ID will no longer support SP-less authentication behavior.
Advanced deployment guide for Conditional Access Policy templates - If you’re an admin responsible for securing your organization’s digital environment, you may already know that Conditional Access policies are critical to maintaining that security. That’s why FastTrack recently introduced the new Conditional Access advanced deployment guide to help you deploy multiple Microsoft-recommended policy templates at one time and simplify policy and authentication method management through automation.