THE PROMPT for Microsoft Security - Issue #75
Officially #75, Secretly #324: Because Even Our Newsletter Has a Merger & Acquisition Story
Things from Me
Happy Friday everyone!
Issue #75. Seventy-five weeks of showing up, filtering the noise, and trying to make sense of a Microsoft Security landscape that refuses to sit still, and honestly, I wouldn’t have it any other way.
Of course, in reality, this is way beyond issue #75. For those who have been here since the beginning, this newsletter was once a Sentinel-only newsletter that started in 2020. That newsletter was merged with this one in 2021 and has delivered every week since. So…let’s see…Grok tells me that’s a total of nearly 324 weeks or around 324 issues. But, yes, in its current form, we’re sitting at issue #75.
This week, the theme that keeps surfacing, whether in the Agentic SOC conversation, the AI-speed benchmarking discussion, or the identity blind spots hiding in plain sight, is that the gap between what attackers can do and what defenders are equipped to do is closing faster than most organizations realize. The good news: so is the tooling. Microsoft is shipping capabilities at a pace that would’ve seemed unrealistic even two years ago, and this issue is packed with proof.
As always, I’ve done the reading, so you don’t have to, but I’d encourage you to dig into the ones that matter most to your environment. The links are here; the context is yours to act on. Let’s get into it.
Thanks all for your continued attention.
-Rod
Things to Attend
Don’t miss these key opportunities to strengthen your security practice - Security is the baseline expectation in migration and modernization—and the partners who lead in security can drive faster adoption, smoother deployments, and stronger customer outcomes from day one.
Things that are Related
Inside the Observability Agent: How Deep Investigations and Reasoning Work - Today, investigating incidents often means navigating multiple tools, forming hypotheses manually, and guessing which signals matter. Deep investigation replaces that process with a structured system that explores multiple explanations, correlates signals across layers, and produces a data-backed root cause analysis.
DEEP DIVE: The Context Graph - The Missing System of Record for the Agentic SOC - Attackers operate at machine speed. The SOC does not. Sorry for the longer post but this issue has been bugging me for some time and warrants some attention from all of us.
Beyond the benchmark: Advancing security at AI speed - Every vulnerability has two clocks running. One belongs to the defender racing to find it; the other to the cyberattacker hoping to find it first. For as long as software has existed, those clocks have favored the attacker, because modern code is vast, interconnected, and changing every day, while security reviews happen at fixed moments in time. The space between “code shipped” and “code reviewed” is where risk quietly accumulates.
Evolve or Be Automated: A Security Veteran’s Take on the AI Frontier - The shift to cloud did it. SIEM and the move to security operations did it. EDR did it. Zero trust did it. Each time, the same pattern: a new way of working showed up, the people who leaned in early became the ones everyone else called for help, and the people who decided to “see how it plays out” spent the next three years catching up to where the early movers already were.
Things to Watch/Listen To
Things in the News
Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms Wave™ report - We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026. Microsoft ranked the highest of any vendor evaluated in the Strategy category and is the only vendor to receive the highest score in Vision. Microsoft also received the highest possible scores across the current offering criteria of identity detection, cloud detection, SIEM replacement, threat intelligence, threat hunting, administrative controls, and training.
Security Copilot Things
Security Copilot RBAC for Embedded Experience in Unified Security Platform - The evolution of Security Operations Centers (SOC) is increasingly driven by AI-powered capabilities that improve efficiency, accuracy, and response time. Microsoft Security Copilot represents a significant advancement in this space by embedding AI-driven assistance directly within security platforms such as Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra.
Microsoft Security Copilot: AI-Driven Security Operations at Greater Scale - By leveraging real-time security signals, global threat intelligence, and an organization’s own data, Security Copilot provides contextually relevant, actionable insights for a wide range of security scenarios — from incident response and threat hunting to vulnerability management and compliance.
Microsoft Sentinel Things
How BlueVoyant’s ASIM-First Strategy Simplifies Threat Detection in… - Earlier this year, BlueVoyant adopted a new detection strategy built on the Advanced Security Information Model (ASIM). For those unfamiliar, ASIM is Microsoft's normalisation layer that standardises log data across products into consistent schemas.
Transform your security operation with a unified experience in Defender - By March 31, 2027, all Microsoft Sentinel customers will be automatically transitioned to Defender. But this transition is about far more than a new interface. It’s an opportunity to modernize the SOC, streamline operations, and unlock capabilities designed for the AI-first era of security operations.
Introducing New Additions to Microsoft Sentinel Normalization and ASIM - Security teams deal with logs from dozens of sources, each with its own schema. This pain point makes it harder to write detections that work everywhere. The Advanced Security Information Model (ASIM) solves this by normalizing logs into a common schema, so a single analytic rule can cover a wide variety of sources without worrying about the source schema.
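As an added illustration of the point above (this is not code from the linked article), a single analytic rule written against the built-in ASIM `_Im_Authentication` parser covers every authentication source that parser normalizes, without referencing any source-specific table or column; the lookback window and failure threshold are constructed values to tune per tenant.

```kql
// Added example: one ASIM-based rule spanning all normalized authentication sources.
// Lookback and threshold are constructed values; tune them for your environment.
let lookback = 1h;
let failureThreshold = 20;
// The parser's starttime/endtime parameters filter early, which keeps the query cheap.
_Im_Authentication(starttime=ago(lookback), endtime=now())
// Normalized ASIM fields: EventType, EventResult, TargetUsername, SrcIpAddr, EventProduct.
| where EventType == "Logon" and EventResult == "Failure"
| summarize FailedLogons = count(),
            DistinctSources = dcount(SrcIpAddr),
            Products = make_set(EventProduct)   // shows which products contributed
    by TargetUsername, bin(TimeGenerated, lookback)
| where FailedLogons >= failureThreshold
| project TimeGenerated, TargetUsername, FailedLogons, DistinctSources, Products
```

Because the products are listed per result, the same rule also reveals when a burst of failures against one account spans several sources (for example on-premises and cloud sign-ins) that a per-table rule would have reported separately.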
Microsoft Sentinel in Microsoft Defender: Anatomy of the change - Incidents, alerts, correlation, and data—what actually changes with the new platform, and why it works in your favor. When you open Microsoft Sentinel in Microsoft Defender for the first time, the shift feels immediate: investigations are cleaner, workflows are more connected, and analysts can move through incidents with far less context switching.
Detection and automation, reimagined - If you build detections for a living, the move to Defender is one of the most meaningful shifts to your workflow in years—and for most teams, it’s a welcome one. Your existing analytics rules don’t disappear. Your playbooks don’t need to be rewritten. Your workbooks continue to function exactly as they do today. What changes is the scope of what you can detect, automate, and investigate from a single experience.
Defender for Cloud Things
Closing the loop on container security: From code to runtime in the AI era - Containers are the backbone of modern cloud-native apps — and increasingly, the infrastructure powering AI, from AI assistants to a new wave of intelligent agents. They also blur the line between build, deploy, and runtime: a single code change can become a running workload in minutes. A misconfiguration committed in the morning can be deployed in minutes and exploited before noon. At that speed, container security can no longer be a point-in-time check; it has to work as one continuous loop.
Defender XDR Things
Securing the invisible workforce - Non-human identities are now the majority of the identity estate in most enterprises. Service principals access organizational resources across SharePoint, Azure, and Microsoft 365; service accounts run critical business processes on-premises; OAuth apps move data across SaaS boundaries; and AI agents increasingly operate autonomously at machine speed.
Defender Experts Things
Crypto Clipper uses Tor and worm-like propagation for persistence and control - Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets.
Microsoft Purview Things
The Hard Truth About Rolling Out Microsoft Purview Unified Catalog and How I’d Configure It - You turned on Microsoft Purview to bring order to your data. Six weeks later, Collection Admin has sprawled across the org, nobody owns a single data product, and your catalog is somehow locked down and wide open at the same time. That is not a tooling problem. That is a rollout problem.
The Copilot DLP Blind Spot: Prompt Uploads - Microsoft Purview DLP for Microsoft 365 Copilot and Copilot Chat can inspect prompt text for sensitive information and block processing. Files that users upload directly into a prompt, however, are currently not scanned for their content. This applies to sensitive data such as credentials just as much as to potential prompt injection content. Governance must therefore not stop at the existence of a control, but understand where that control does not apply.
Defender for Office Things
Microsoft Defender email security benchmarking: Key insights from one year of data - A year ago, we set out to change how email security effectiveness is measured. With our first benchmarking report in July 2025, we committed to publishing real-world performance data, not synthetic tests, so security teams could make decisions grounded in evidence. With each quarterly update, we refined our methodology, expanded our analysis, and listened to customer and partner feedback.
Microsoft Defender for Office 365 Plan 1 is now rolling out to Microsoft 365 E3 and Office 365 E3 - Starting today, Microsoft Defender for Office 365 Plan 1 is rolling out to customers with Microsoft 365 E3/G3 and Office 365 E3/G3 licenses, with rollout expected to complete in August 2026. For security teams, this means added protection against phishing, malware, and malicious links across email and collaboration, without needing to purchase or deploy a separate email security solution. It also means some protections will turn on automatically, so now is the right time to review your configuration and prepare for any changes to mail flow, policies, and end-user experience.
Defender Threat Intelligence Things
From package to postinstall payload: Inside the Mastra npm supply chain compromise - Microsoft Threat Intelligence observed a large-scale npm supply chain attack affecting 140+ packages across the mastra and @mastra scopes on the npm registry. Microsoft shared its findings with the npm security team, and the compromised packages have been removed and the attacker’s publish access to the @mastra scope has been revoked. The compromise originated from the takeover of the ehindero npm maintainer account, which had publish rights across the Mastra ecosystem and was used to publish poisoned package versions that introduced easy-day-js, a malicious typosquat of the popular dayjs library.
Microsoft Entra Things
AI is accelerating cyberattacks—here’s how to stay ahead - See how Microsoft unifies identity and security signals to help teams prevent, detect, and respond to AI-accelerated attacks faster.