THE PROMPT for Microsoft Security - Issue #43
Defending the Cloud, One Log at a Time with Coffee in Hand
Things from Me
Good Friday everyone!
Welcome back to all those that have been here for a while and welcome to those that have signed on to join us this week. I truly appreciate your continued support for this community. The Microsoft security platform is always on the move. There are constant updates, changes, and improvements that warrant keeping track of. That’s a part of what this newsletter is all about - helping you keep track. But there’s also another component that’s equally important and that is sharing the excellent work and coverage of others in the community.
If you are someone that talks about or creates content covering Microsoft security platform products, drop me a line when you have something new and I’ll highlight it here in the weekly newsletter. I’m always happy to amplify and promote our great community. This newsletter does produce a very real readership bump when content is highlighted here. Each week this newsletter reaches over 30k readers through inboxes and the web.
The easiest ways to get in touch with me are through LinkedIn, X, and Bluesky (in that order).
…
Help us improve Defender for Cloud Documentation
We’re working to improve Microsoft Defender for Cloud documentation and want your feedback. This short survey (3–5 mins) will help us understand what’s working, what’s missing, and how we can better support your needs.
…
I’ve been asked a bunch already if I’ll be in attendance for Blackhat or Defcon next year. The answer is “No” unfortunately. However, I do have a bunch of upcoming opportunities between now and May of next year to hear me speak and connect in-person which I’ll share in an upcoming newsletter.
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Bring Auxiliary Logs to the next level - Azure Monitor logs are trusted by hundreds of thousands of organizations to monitor mission critical workloads. Today we are announcing a series of major advancements to our Auxiliary Logs, the Azure Monitor plan that is designed for high volume logs, making it more cost-effective and improving the tools for use.
AI Security Essentials: What Companies Worry About and How Microsoft Helps - Ensuring the security of AI systems is a central concern for enterprises. This article outlines the primary concerns companies face when adopting AI technologies and examines Microsoft Security tools developed to address these risks. For those building with Azure OpenAI, integrating generative AI into business operations, or managing sensitive data, Microsoft provides a range of security measures designed to support safe and effective implementation.
Optimize Azure Firewall logs with selective logging - Azure Firewall now supports ingestion-time transformation of logs in Azure Log Analytics. With this new feature, organizations can optimize their log ingestion by filtering unnecessary data before it's stored — improving both operational efficiency and cost management.
Modernize your identity defense with Microsoft Identity Threat Detection and Response - A unified approach to identity threat detection and response (ITDR) is no longer a luxury; it’s a necessity. Whether you are an identity admin or a security operations center (SOC) analyst, minimizing your risk starts with eliminating gaps in protection.
Things to Attend
Defender Experts: S.T.A.R. Forum - Strategies for Threat Awareness and Response, Episode 4 - Post-Breach Browsers: The Hidden Threat You’re Overlooking - Tue, Aug 19 - 12:00 PM - 1:00 PM EDT - Modern browsers aren’t just attack entry points; they’re post-breach goldmines. In this episode, Microsoft Defender Experts are joined by JBO, the architect behind cross-platform research at Microsoft Defender and a leading voice in offensive security, exploitation, and vulnerability research.
Things to Watch/Listen To
Things in Techcommunity
Purview Data Catalog API for querying Business domain/data product updates - I'm using the in-built Purview DataMap APIs for querying the latest updates of technical collections and assets (Discovery - Query - REST API (Azure Purview) | Microsoft Learn) and creating a progress dashboard, and was wondering if there exists a similar API for Purview Data Catalog to query Business domain/data product updates.
Blocking Downloads in Purview - Hi guys, hoping someone can help out with this: is there a way to block the download of sensitive documents in Purview? E.g., you've created a Highly Confidential sensitivity label and as part of the configuration you'd like to enforce a No Download rule for any document with that label applied. I'm struggling to find a simple way of doing this.
Things to Have
Enabled Data Connectors (Microsoft Sentinel - KQL)
//Ensure Health Monitoring is enabled
SentinelHealth
| where TimeGenerated > ago(7d)
| where SentinelResourceType contains "Data connector"
| where OperationName == "Data fetch status change"
| summarize arg_max(TimeGenerated, *) by SentinelResourceName
| where Status == "Success"
| project SentinelResourceName, Status, TimeGenerated, Description, ExtendedProperties
Arista Wireless Manager Parser
Microsoft Sentinel Things
What should I log in my data lake? - We’ve been asked a few times to update our What should I log in my SIEM? post. Since the Sentinel data lake is now available it seems like the perfect time to do so. You might be thinking “Ugh. This is even more confusing. Not only do I have to figure out which logs to ingest but I have to decide where to put them.” We’re here to make that a little easier for you.
Tier change: failed to update retention settings - Internal server error - If you're kicking the tires on the Sentinel data lake and getting the error “Tier Change xxx table: failed to update retention settings - Internal server error” when you’re trying to send all the table data to the Data lake tier, I’ve got the solution for you. Well, it’s really not a solution but an explanation.
Detecting Epsilon Red Ransomware with Microsoft Sentinel and Defender XDR - Recent findings show attackers employing sophisticated social engineering tactics. They’re particularly effective because they mimic familiar services, making their scams less noticeable. The recent ClickFix-themed pages blend into everyday online interactions, fooling victims into clicking malicious links and unknowingly triggering ransomware downloads (yes, people still get caught out).
Tiers and tables and more! Oh my! - If you’ve enabled the new Sentinel data lake, you’re probably already checking out the new Tables blade in the Defender Portal. This is where you can choose where to send your logs — to the Analytics tier or the Data lake tier. But there is also a set of tables called the XDR default tier.
Defender for Endpoint Things
Determine Onboarding Methods in Defender for Endpoint - Part 1 - Defender for Endpoint provides multiple methods for onboarding devices to its platform. These methods allow administrators to choose the best approach based on the scale of deployment or the specific requirements of their device fleet.
Defender for Office Things
Protection against multi-modal attacks with Microsoft Defender - Multi-modal (or hybrid) attacks are increasingly used by threat actors to orchestrate multi-phase campaigns. In Part 1 of our blog series, we explored how attackers use email bombing as a distraction technique to overwhelm users and bypass security controls. Today, we’re expanding that conversation to showcase how Microsoft Defender can detect and correlate certain hybrid, multi-modal attacks that span across email, Teams, identity, and endpoint vectors; and how these insights surface in the Microsoft Defender portal.
Microsoft Purview Things
How to Block Upload to WeTransfer, DropBox & Google Drive (but Allowing Download) – using Microsoft Purview Data Loss Prevention (DLP) - This blog was written in response to recent policy changes at the WeTransfer cloud storage service. The changes raised general concerns that company data could be used to train AI models if it were sent through services like WeTransfer, DropBox and Google Drive.
Defender External Attack Surface Management Things
Breaking down the Microsoft Defender External Attack Surface Management opportunities for queries in Advanced Hunting & Log Analytics Workspace - Following the latest Microsoft Defender XDR July 2025 news, it was announced that Microsoft Defender External Attack Surface Management (MDEASM) can be integrated within the Exposure Management (XSPM) blade in the Unified Security Operations platform. This brings a set of new opportunities for KQL query development inside XSPM.
Defender Threat Intelligence Things
Spotlight: Analyzing a Spotlight-based macOS TCC vulnerability - Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence.
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats - Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
Microsoft Entra Things
Announcing GA of Bicep templates support for Microsoft Entra ID resources - We're thrilled to announce that Bicep templates for Microsoft Entra ID resources are generally available from July 29th, 2025. Bicep templates bring declarative infrastructure as code (IaC) capabilities to Microsoft Graph resources. This new capability will initially be available for core Microsoft Entra ID resources.
Securing Guest Access in Microsoft 365 | Cyclotron - As part of Cyclotron’s extensive security work with enterprise Microsoft 365 clients, we are often asked to help define strong security models for guest access. Here, we define suggested controls to secure guests of both individual consumer types, such as gmail.com accounts, and B2B types such as partner organizations.
AI Agents and the Future of Identity: What’s on the minds of your peers? - Identity professionals from around the world gathered in June to discuss agent identity, governance, security, and agent-to-agent experiences.
A fresh look for the Microsoft authentication background - Microsoft is releasing a new default background image for Microsoft Entra and consumer authentication flows. No action is required of users or admins.