THE PROMPT for Microsoft Security - Issue #73
Security Copilot, Black Hat vibes, and enough syslog noise to power a small country
Things from Me
Happy Friday folks!
If you’re looking to build real-world skills with Security Copilot, Microsoft is offering a fantastic opportunity right now. They’re running a series of free, virtual, hands-on technical workshops specifically designed for practitioners who want to go deeper with Copilot across Entra, Intune, Purview, and Microsoft Threat Protection.
These sessions feature scenario-based instruction, live demos, practical exercises, and expert Q&A — all delivered across global time zones to make them accessible. Whether you’re focused on identity, endpoint, data security, or threat protection, there’s likely a workshop that fits your role and schedule.
👉 Register for a Security Copilot Virtual Workshop here
On a different note, I’m really excited to share that a signed copy of Unlearn Security: It’s not a technology problem. It never was. by Sameh Younis just landed on my desk.
This book takes a refreshing and much-needed approach — stepping away from the purely technical lens and instead focusing on a new way of seeing the world that anyone can apply in their current role. Whether you’re a business leader making decisions, a security practitioner looking for a better path, or someone tired of hearing “security is everyone’s job” without real guidance on what that means, this one feels different. I’m genuinely looking forward to digging in.
You can grab it on Amazon: https://amzn.to/4x5Ydgt
Finally, I’ll be attending Black Hat 2026 in Las Vegas this August. It’s always one of the best weeks of the year for connecting with sharp minds in the industry. If you’re going to be there, I’d love to say hello — drop me a note or catch me walking the halls.
Looking forward to catching up with all of you soon.
Talk soon.
-Rod
Before a recruiter ever sees it, an applicant tracking system parses, scores, and filters your résumé. Past the Bots shows you exactly what the machine extracts, why it gets dropped, and how to fix it. https://pastthebots.com
Things that are Related
Microsoft Build 2026: Securing code, agents, and models across the development lifecycle - At Microsoft Build 2026, we are announcing new security tools and capabilities to give developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle so innovation can move fast and securely without the business losing control. Learn more about our solutions to help secure your code, secure your agents, and secure your models.
Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us - When the Microsoft AI Red Team published the Taxonomy of Failure Modes in Agentic AI Systems in April 2025, the goal was a shared vocabulary for a threat landscape that did not fit existing frameworks. The v1.0 taxonomy was largely forward-looking, built on practitioner interviews, cross-company threat modeling, and our own early operational experience.
Securing Local Agents, Claws, Runtimes - The next wave of AI is more than just powerful models. We’re now seeing intelligent agents that run locally on our devices, interacting directly with sensitive data, apps, and systems. Some operate persistently: monitoring, planning, and executing tasks over time instead of just responding to one-off prompts. We call these more sustained, autonomous processes “claws.” Together, local agents and claws are changing how work gets done. They also introduce a new risk surface for organizations: these agents often run with deep access and minimal oversight on endpoints, meaning a single misstep or malicious input could lead to misuse of data, unintended system changes, or other real-world impacts.
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign - Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The compromise originated from the upstream RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline, allowing attackers to publish trojanized packages through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow. As a result, the malicious packages carried authentic provenance signatures while embedding the campaign marker “Miasma: The Spreading Blight.”
Is 94% of your syslog just noise? Now you can filter it out before ingestion. - If you run Azure Monitor at scale, you already know the problem: your syslog, Windows event, and performance counter streams generate far more data than your team actually queries. Informational-severity messages, redundant counters, raw XML payloads that no one parses. All of it flows into your Log Analytics workspace, and all of it shows up on your bill. In the scenarios we tested with preview customers, teams were ingesting 10 to 20 times more data than they needed. What if you could filter, aggregate, and reshape that data before it ever reaches the workspace?
Migrating to Unified SecOps Without Breaking Detection - The migration to Microsoft unified security operations and the Sentinel data lake is not a rip-and-replace project. It is not a portal cleanup exercise. It is an operating model change that touches detection engineering, threat hunting, incident response, retention, cost, and ownership. If you rush it, you can break the detections you already trust. That is the risk most teams underestimate.
Things to Have
AADProvisioningLogs — Threat Hunting & Detection Pack - KQL detection / hunting pack for Microsoft Sentinel targeting the Microsoft Entra provisioning service (AADProvisioningLogs) plus hybrid coverage of the Entra Connect Sync service account (SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs).
Things in the News
Hackers easily fool Instagram’s new AI identity verification, humiliating Meta once again - There’s plenty of talk about how AI chatbots will take everyone’s jobs by the end of the decade, but so far, few companies have gone all in on the supposed wave of the future. One such company that did take the plunge, however, is Meta. After recently laying off 8,000 employees in favor of an AI workforce, Zuckerberg is already reaping the repercussions of little-to-no human oversight as AI just caused one of the most devastating Instagram account breaches in its history.
Microsoft Sentinel Things
Sentinel-As-Code: Wave 4, the docs nobody wanted to write - Nobody likes writing documentation. Even when you do write it, it starts dying the moment you save the file. Someone tweaks a setting in the portal, swaps a connector, changes a detection rule, and your carefully written workspace document is quietly drifting out of date for whoever reads it next. (That's assuming anyone still reads documentation these days, rather than pasting it into an AI and asking it to explain the whole thing like they're five.)
Series: Sentinel to Defender Portal - Automation, Playbooks and SOAR - That single line from Microsoft's automation documentation is worth sitting with before anything else in this article. If your SOC automation strategy was built around alert-triggered playbooks firing on Defender XDR signals, those playbooks do not fire in the Unified portal in the same way. The constraint is not a bug or a gap that will be patched quietly. It is a consequence of how the Defender XDR engine owns incident creation in the Unified portal, and understanding it is the starting point for understanding everything else about SOAR in this environment.
Defender for Cloud Things
Now Generally Available: Microsoft Defender for open source relational databases on AWS RDS - Open‑source (OSS) relational databases are becoming increasingly critical and increasingly targeted in organization of all sizes. As organizations adopt multicloud architectures, these databases often run across Azure and Amazon Web Services (AWS), while security tools remain fragmented. The result is inconsistent visibility into sensitive data, disconnected alerts, and limited insight into how database exposure translates into real risk.
Start Secure, Stay Secure: How Microsoft is Closing the Gap from Code to Runtime - Help identify and prioritize exploitable vulnerabilities from code to runtime using codename MDASH and the Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite) native integration.
Defender XDR Things
Malicious npm packages abuse dependency confusion to profile developer environments - Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy an obfuscated reconnaissance payload.
Microsoft Purview Things
Microsoft Purview enables developers with strong data security across AI apps and agents - Build AI apps and agents faster—without compromising on data security or compliance. See how Microsoft Purview helps developers protect sensitive data across local agents, Foundry, GitHub Copilot, and more.
Entra Things
Run Global Secure Access with confidence: Introducing the GSA Operations Guide - Use the new Operations Guide to adopt alert-first workflows, standardize operations, and run Global Secure Access more reliably every day.